Play interactive tour

Edit tour

Analysis Report PO98765.exe

Overview

General Information

Sample Name:	PO98765.exe
Analysis ID:	323082
MD5:	137ec800f9c49390f2f225ab22774443
SHA1:	2f3f1a1615b625cb1daf8d1e4a3eba208a89e30d
SHA256:	60263179eccb843c5aa38040ebd2483b29a3923a94987f006561488e5d0f1d96
Tags:	exe
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

PO98765.exe (PID: 484 cmdline: 'C:\Users\user\Desktop\PO98765.exe' MD5: 137EC800F9C49390F2F225AB22774443)

PO98765.exe (PID: 2440 cmdline: C:\Users\user\Desktop\PO98765.exe MD5: 137EC800F9C49390F2F225AB22774443)

explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

mstsc.exe (PID: 6024 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)

cmd.exe (PID: 5068 cmdline: /c del 'C:\Users\user\Desktop\PO98765.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x36bec0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x36c12a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x3986e0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x39894a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x377c4d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x3a446d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x377739:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x3a3f59:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x377d4f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x3a456f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x377ec7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x3a46e7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x36cb42:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x399362:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x3769b4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x3a31d4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x36d83b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x39a05b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x37dabf:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x3aa2df:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x37eac2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x37a9e1:$sqlite3step: 68 34 1C 7B E1 0x37aaf4:$sqlite3step: 68 34 1C 7B E1 0x3a7201:$sqlite3step: 68 34 1C 7B E1 0x3a7314:$sqlite3step: 68 34 1C 7B E1 0x37aa10:$sqlite3text: 68 38 2A 90 C5 0x37ab35:$sqlite3text: 68 38 2A 90 C5 0x3a7230:$sqlite3text: 68 38 2A 90 C5 0x3a7355:$sqlite3text: 68 38 2A 90 C5 0x37aa23:$sqlite3blob: 68 53 D8 7F 8C 0x37ab4b:$sqlite3blob: 68 53 D8 7F 8C 0x3a7243:$sqlite3blob: 68 53 D8 7F 8C 0x3a736b:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.715786451.0000000001040000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.715786451.0000000001040000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.715786451.0000000001040000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000002.715956692.00000000013F0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.715956692.00000000013F0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.715956692.00000000013F0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: PO98765.exe PID: 484	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.PO98765.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.PO98765.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a6e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b6ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.PO98765.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
1.2.PO98765.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.PO98765.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.PO98765.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: PO98765.exe	Virustotal: Detection: 14%			Perma Link
Source: PO98765.exe	ReversingLabs: Detection: 10%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.715786451.0000000001040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.715956692.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.PO98765.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO98765.exe.400000.0.raw.unpack, type: UNPACKEDPE

Source: 1.2.PO98765.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Users\user\Desktop\PO98765.exe	Code function: 4x nop then jmp 05BA779Ch	0_2_05BA76F2
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_05BA85F9
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_05BA8608

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49709
Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.74:80 -> 192.168.2.4:49712

Source: global traffic	HTTP traffic detected: GET /sbmh/?4hLtM4=7c1Yf2hXTdqRFKk5H17xFHcZtn6ZaViryhouZ8x83IEcsjPhhroi25cpiHSX6hk8gWCa&n0DXRn=xPJxZNG0xPz HTTP/1.1Host: www.westhighlandwaytours.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sbmh/?4hLtM4=skYwVssfaMrhlhDh0By1+2yNFudwvP+0WfyEru4f7dWeU3QH+Wh99HLFJYHhc5Wxp3Js&n0DXRn=xPJxZNG0xPz HTTP/1.1Host: www.bloochy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 34.102.136.180 34.102.136.180

Source: Joe Sandbox View	ASN Name: CLAYERLIMITED-AS-APClayerLimitedHK CLAYERLIMITED-AS-APClayerLimitedHK
Source: Joe Sandbox View	ASN Name: GOOGLEUS GOOGLEUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: GET /sbmh/?4hLtM4=7c1Yf2hXTdqRFKk5H17xFHcZtn6ZaViryhouZ8x83IEcsjPhhroi25cpiHSX6hk8gWCa&n0DXRn=xPJxZNG0xPz HTTP/1.1Host: www.westhighlandwaytours.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sbmh/?4hLtM4=skYwVssfaMrhlhDh0By1+2yNFudwvP+0WfyEru4f7dWeU3QH+Wh99HLFJYHhc5Wxp3Js&n0DXRn=xPJxZNG0xPz HTTP/1.1Host: www.bloochy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.westhighlandwaytours.com

Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000002.00000002.924230430.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.715786451.0000000001040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.715956692.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.PO98765.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO98765.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.715786451.0000000001040000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.715786451.0000000001040000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.715956692.00000000013F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.715956692.00000000013F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.PO98765.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.PO98765.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.PO98765.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.PO98765.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0041A050 NtClose,	1_2_0041A050
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0041A100 NtAllocateVirtualMemory,	1_2_0041A100
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_00419F20 NtCreateFile,	1_2_00419F20
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_00419FD0 NtReadFile,	1_2_00419FD0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_00419FCA NtReadFile,	1_2_00419FCA
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01519910 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_01519910
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015199A0 NtCreateSection,LdrInitializeThunk,	1_2_015199A0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01519840 NtDelayExecution,LdrInitializeThunk,	1_2_01519840
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01519860 NtQuerySystemInformation,LdrInitializeThunk,	1_2_01519860
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015198F0 NtReadVirtualMemory,LdrInitializeThunk,	1_2_015198F0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01519A50 NtCreateFile,LdrInitializeThunk,	1_2_01519A50
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01519A00 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_01519A00
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01519A20 NtResumeThread,LdrInitializeThunk,	1_2_01519A20
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01519540 NtReadFile,LdrInitializeThunk,	1_2_01519540
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015195D0 NtClose,LdrInitializeThunk,	1_2_015195D0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01519710 NtQueryInformationToken,LdrInitializeThunk,	1_2_01519710
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01519780 NtMapViewOfSection,LdrInitializeThunk,	1_2_01519780
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015197A0 NtUnmapViewOfSection,LdrInitializeThunk,	1_2_015197A0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01519660 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_01519660
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015196E0 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_015196E0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01519950 NtQueueApcThread,	1_2_01519950
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015199D0 NtCreateProcessEx,	1_2_015199D0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0151B040 NtSuspendThread,	1_2_0151B040
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01519820 NtEnumerateKey,	1_2_01519820
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015198A0 NtWriteVirtualMemory,	1_2_015198A0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01519B00 NtSetValueKey,	1_2_01519B00
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0151A3B0 NtGetContextThread,	1_2_0151A3B0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01519A10 NtQuerySection,	1_2_01519A10
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01519A80 NtOpenDirectoryObject,	1_2_01519A80
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01519560 NtWriteFile,	1_2_01519560
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0151AD30 NtSetContextThread,	1_2_0151AD30
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01519520 NtWaitForSingleObject,	1_2_01519520
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015195F0 NtQueryInformationFile,	1_2_015195F0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0151A770 NtOpenThread,	1_2_0151A770
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01519770 NtSetInformationFile,	1_2_01519770
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01519760 NtOpenProcess,	1_2_01519760
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0151A710 NtOpenProcessToken,	1_2_0151A710
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01519730 NtQueryVirtualMemory,	1_2_01519730
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01519FE0 NtCreateMutant,	1_2_01519FE0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01519650 NtQueryValueKey,	1_2_01519650
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01519670 NtQueryInformationProcess,	1_2_01519670
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01519610 NtEnumerateValueKey,	1_2_01519610
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015196D0 NtCreateKey,	1_2_015196D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05149540 NtReadFile,LdrInitializeThunk,	3_2_05149540
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051495D0 NtClose,LdrInitializeThunk,	3_2_051495D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05149710 NtQueryInformationToken,LdrInitializeThunk,	3_2_05149710
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05149780 NtMapViewOfSection,LdrInitializeThunk,	3_2_05149780
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05149FE0 NtCreateMutant,LdrInitializeThunk,	3_2_05149FE0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05149650 NtQueryValueKey,LdrInitializeThunk,	3_2_05149650
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05149660 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_05149660
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051496D0 NtCreateKey,LdrInitializeThunk,	3_2_051496D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051496E0 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_051496E0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05149910 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_05149910
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051499A0 NtCreateSection,LdrInitializeThunk,	3_2_051499A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05149840 NtDelayExecution,LdrInitializeThunk,	3_2_05149840
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05149860 NtQuerySystemInformation,LdrInitializeThunk,	3_2_05149860
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05149A50 NtCreateFile,LdrInitializeThunk,	3_2_05149A50
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0514AD30 NtSetContextThread,	3_2_0514AD30
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05149520 NtWaitForSingleObject,	3_2_05149520
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05149560 NtWriteFile,	3_2_05149560
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051495F0 NtQueryInformationFile,	3_2_051495F0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0514A710 NtOpenProcessToken,	3_2_0514A710
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05149730 NtQueryVirtualMemory,	3_2_05149730
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0514A770 NtOpenThread,	3_2_0514A770
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05149770 NtSetInformationFile,	3_2_05149770
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05149760 NtOpenProcess,	3_2_05149760
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051497A0 NtUnmapViewOfSection,	3_2_051497A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05149610 NtEnumerateValueKey,	3_2_05149610
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05149670 NtQueryInformationProcess,	3_2_05149670
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05149950 NtQueueApcThread,	3_2_05149950
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051499D0 NtCreateProcessEx,	3_2_051499D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05149820 NtEnumerateKey,	3_2_05149820
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0514B040 NtSuspendThread,	3_2_0514B040
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051498A0 NtWriteVirtualMemory,	3_2_051498A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051498F0 NtReadVirtualMemory,	3_2_051498F0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05149B00 NtSetValueKey,	3_2_05149B00
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0514A3B0 NtGetContextThread,	3_2_0514A3B0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05149A10 NtQuerySection,	3_2_05149A10
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05149A00 NtProtectVirtualMemory,	3_2_05149A00
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05149A20 NtResumeThread,	3_2_05149A20
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05149A80 NtOpenDirectoryObject,	3_2_05149A80
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00C8A050 NtClose,	3_2_00C8A050
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00C8A100 NtAllocateVirtualMemory,	3_2_00C8A100
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00C89FD0 NtReadFile,	3_2_00C89FD0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00C89F20 NtCreateFile,	3_2_00C89F20
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00C89FCA NtReadFile,	3_2_00C89FCA

Source: C:\Users\user\Desktop\PO98765.exe	Code function: 0_2_0266B264	0_2_0266B264
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 0_2_0266C2B0	0_2_0266C2B0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 0_2_02669998	0_2_02669998
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 0_2_0266DF73	0_2_0266DF73
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 0_2_05BA17B0	0_2_05BA17B0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 0_2_05BA3798	0_2_05BA3798
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 0_2_05BA8EF8	0_2_05BA8EF8
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 0_2_05BA2080	0_2_05BA2080
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 0_2_05BA1468	0_2_05BA1468
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 0_2_05BBBF38	0_2_05BBBF38
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 0_2_05BBB530	0_2_05BBB530
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 0_2_003567E9	0_2_003567E9
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0041D853	1_2_0041D853
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_00401030	1_2_00401030
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0041D38E	1_2_0041D38E
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_00402D88	1_2_00402D88
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_00402D90	1_2_00402D90
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_00409E30	1_2_00409E30
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0041E73A	1_2_0041E73A
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_00402FB0	1_2_00402FB0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014DF900	1_2_014DF900
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014F4120	1_2_014F4120
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01591002	1_2_01591002
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015AE824	1_2_015AE824
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A28EC	1_2_015A28EC
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014EB090	1_2_014EB090
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015020A0	1_2_015020A0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A20A8	1_2_015A20A8
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A2B28	1_2_015A2B28
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015903DA	1_2_015903DA
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0159DBD2	1_2_0159DBD2
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0150EBB0	1_2_0150EBB0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A22AE	1_2_015A22AE
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A1D55	1_2_015A1D55
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A2D07	1_2_015A2D07
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D0D20	1_2_014D0D20
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A25DD	1_2_015A25DD
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014ED5E0	1_2_014ED5E0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01502581	1_2_01502581
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0159D466	1_2_0159D466
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E841F	1_2_014E841F
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015ADFCE	1_2_015ADFCE
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A1FF1	1_2_015A1FF1
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0159D616	1_2_0159D616
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014F6E30	1_2_014F6E30
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A2EF7	1_2_015A2EF7
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_00AB67E9	1_2_00AB67E9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D2D07	3_2_051D2D07
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05100D20	3_2_05100D20
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D1D55	3_2_051D1D55
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05132581	3_2_05132581
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D25DD	3_2_051D25DD
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0511D5E0	3_2_0511D5E0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0511841F	3_2_0511841F
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051CD466	3_2_051CD466
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D1FF1	3_2_051D1FF1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051CD616	3_2_051CD616
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05126E30	3_2_05126E30
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D2EF7	3_2_051D2EF7
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0510F900	3_2_0510F900
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05124120	3_2_05124120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051C1002	3_2_051C1002
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0511B090	3_2_0511B090
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051320A0	3_2_051320A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D20A8	3_2_051D20A8
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D28EC	3_2_051D28EC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D2B28	3_2_051D2B28
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0513EBB0	3_2_0513EBB0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051CDBD2	3_2_051CDBD2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D22AE	3_2_051D22AE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00C8D853	3_2_00C8D853
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00C8D816	3_2_00C8D816
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00C8D38E	3_2_00C8D38E
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00C72D88	3_2_00C72D88
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00C72D90	3_2_00C72D90
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00C79E30	3_2_00C79E30
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00C72FB0	3_2_00C72FB0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00C8E73A	3_2_00C8E73A

Source: C:\Users\user\Desktop\PO98765.exe	Code function: String function: 014DB150 appears 45 times
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: String function: 0510B150 appears 35 times

Source: PO98765.exe	Binary or memory string: OriginalFilename vs PO98765.exe
Source: PO98765.exe, 00000000.00000002.677683735.0000000000352000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBfRf.exe@ vs PO98765.exe
Source: PO98765.exe, 00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameKedermister.dllT vs PO98765.exe
Source: PO98765.exe	Binary or memory string: OriginalFilename vs PO98765.exe
Source: PO98765.exe, 00000001.00000002.715044726.0000000000AB2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBfRf.exe@ vs PO98765.exe
Source: PO98765.exe, 00000001.00000002.717371551.0000000003263000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamemstsc.exej% vs PO98765.exe
Source: PO98765.exe, 00000001.00000002.716576209.00000000015CF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO98765.exe
Source: PO98765.exe	Binary or memory string: OriginalFilenameBfRf.exe@ vs PO98765.exe

Source: 00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.715786451.0000000001040000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.715786451.0000000001040000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.715956692.00000000013F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.715956692.00000000013F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.PO98765.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.PO98765.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.PO98765.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.PO98765.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: PO98765.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@5/3

Source: C:\Users\user\Desktop\PO98765.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO98765.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4484:120:WilError_01

Source: PO98765.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PO98765.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\PO98765.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: PO98765.exe	Virustotal: Detection: 14%
Source: PO98765.exe	ReversingLabs: Detection: 10%

Source: unknown	Process created: C:\Users\user\Desktop\PO98765.exe 'C:\Users\user\Desktop\PO98765.exe'
Source: unknown	Process created: C:\Users\user\Desktop\PO98765.exe C:\Users\user\Desktop\PO98765.exe
Source: unknown	Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO98765.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO98765.exe	Process created: C:\Users\user\Desktop\PO98765.exe C:\Users\user\Desktop\PO98765.exe	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO98765.exe'	Jump to behavior

Source: C:\Users\user\Desktop\PO98765.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO98765.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PO98765.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO98765.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000002.933997672.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO98765.exe, 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, mstsc.exe, 00000003.00000002.924756958.00000000051FF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: PO98765.exe, mstsc.exe
Source:	Binary string: mstsc.pdbGCTL source: PO98765.exe, 00000001.00000002.717167933.0000000003140000.00000040.00000001.sdmp
Source:	Binary string: mstsc.pdb source: PO98765.exe, 00000001.00000002.717167933.0000000003140000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000002.00000002.933997672.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: PO98765.exe, erSe.cs	.Net Code: x1 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.PO98765.exe.350000.0.unpack, erSe.cs	.Net Code: x1 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.PO98765.exe.350000.0.unpack, erSe.cs	.Net Code: x1 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.PO98765.exe.ab0000.1.unpack, erSe.cs	.Net Code: x1 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.PO98765.exe.ab0000.0.unpack, erSe.cs	.Net Code: x1 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\PO98765.exe	Code function: 0_2_02666408 push 8B5500CBh; retf	0_2_02666416
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 0_2_02666550 pushad ; retf	0_2_0266655D
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 0_2_05BB6DDC pushad ; ret	0_2_05BB6DDD
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 0_2_05BB4C0F pushfd ; retf	0_2_05BB4C10
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 0_2_05BB4BC7 push es; retf	0_2_05BB4BC8
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0041D075 push eax; ret	1_2_0041D0C8
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0041C802 push esi; iretd	1_2_0041C803
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0041D0C2 push eax; ret	1_2_0041D0C8
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0041D0CB push eax; ret	1_2_0041D132
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0041E172 pushfd ; ret	1_2_0041E174
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0041D12C push eax; ret	1_2_0041D132
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_004182CC push cs; retf	1_2_004182CE
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0041E4F5 push dword ptr [537421FAh]; ret	1_2_0041E515
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_00419C92 pushfd ; iretd	1_2_00419C98
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0041674D push 8EAE14C8h; iretd	1_2_00416753
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_004167AE push C6E9D42Ah; ret	1_2_004167C2
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0152D0D1 push ecx; ret	1_2_0152D0E4
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0515D0D1 push ecx; ret	3_2_0515D0E4
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00C8D0CB push eax; ret	3_2_00C8D132
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00C8D0C2 push eax; ret	3_2_00C8D0C8
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00C8D075 push eax; ret	3_2_00C8D0C8
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00C8C802 push esi; iretd	3_2_00C8C803
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00C8E172 pushfd ; ret	3_2_00C8E174
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00C8D12C push eax; ret	3_2_00C8D132
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00C882CC push cs; retf	3_2_00C882CE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00C8E4F5 push dword ptr [537421FAh]; ret	3_2_00C8E515
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00C89C92 pushfd ; iretd	3_2_00C89C98
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00C867AE push C6E9D42Ah; ret	3_2_00C867C2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_00C8674D push 8EAE14C8h; iretd	3_2_00C86753

Source: initial sample

Static PE information: section name: .text entropy: 7.32069962776

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xE3

Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO98765.exe PID: 484, type: MEMORY

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\PO98765.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\PO98765.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PO98765.exe	RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe	RDTSC instruction interceptor: First address: 0000000000C798E4 second address: 0000000000C798EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe	RDTSC instruction interceptor: First address: 0000000000C79B4E second address: 0000000000C79B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\PO98765.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\PO98765.exe

Code function: 1_2_00409A80 rdtsc

1_2_00409A80

Source: C:\Users\user\Desktop\PO98765.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\PO98765.exe TID: 2740	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe TID: 4868	Thread sleep time: -52388s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe TID: 6068	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2016	Thread sleep time: -56000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe TID: 4600	Thread sleep time: -48000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\mstsc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\mstsc.exe	Last function: Thread delayed

Source: PO98765.exe, 00000000.00000002.682453988.0000000006220000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000002.00000000.696403684.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000000.700168754.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II\|update users set password = @password where user_id = @user_id
Source: PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp	Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000002.00000000.696931835.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.700168754.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000002.00000000.700882472.000000000A897000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATAb
Source: explorer.exe, 00000002.00000002.931560810.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: PO98765.exe, 00000000.00000002.682453988.0000000006220000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareNC9EE2_AWin32_VideoController3K4TF8KSVideoController120060621000000.000000-000410.6620display.infMSBDAUK5GLFXWPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsD5XYEX9V
Source: explorer.exe, 00000002.00000000.696403684.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.700351269.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000002.00000000.696403684.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000002.00000000.700414904.000000000A784000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp	Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000002.00000000.696403684.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\PO98765.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PO98765.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\PO98765.exe

Code function: 1_2_00409A80 rdtsc

1_2_00409A80

Source: C:\Users\user\Desktop\PO98765.exe

Code function: 1_2_0040ACC0 LdrLoadDll,

1_2_0040ACC0

Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014FB944 mov eax, dword ptr fs:[00000030h]	1_2_014FB944
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014FB944 mov eax, dword ptr fs:[00000030h]	1_2_014FB944
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014DC962 mov eax, dword ptr fs:[00000030h]	1_2_014DC962
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014DB171 mov eax, dword ptr fs:[00000030h]	1_2_014DB171
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014DB171 mov eax, dword ptr fs:[00000030h]	1_2_014DB171
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D9100 mov eax, dword ptr fs:[00000030h]	1_2_014D9100
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D9100 mov eax, dword ptr fs:[00000030h]	1_2_014D9100
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D9100 mov eax, dword ptr fs:[00000030h]	1_2_014D9100
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0150513A mov eax, dword ptr fs:[00000030h]	1_2_0150513A
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0150513A mov eax, dword ptr fs:[00000030h]	1_2_0150513A
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014F4120 mov eax, dword ptr fs:[00000030h]	1_2_014F4120
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014F4120 mov eax, dword ptr fs:[00000030h]	1_2_014F4120
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014F4120 mov eax, dword ptr fs:[00000030h]	1_2_014F4120
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014F4120 mov eax, dword ptr fs:[00000030h]	1_2_014F4120
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014F4120 mov ecx, dword ptr fs:[00000030h]	1_2_014F4120
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014DB1E1 mov eax, dword ptr fs:[00000030h]	1_2_014DB1E1
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014DB1E1 mov eax, dword ptr fs:[00000030h]	1_2_014DB1E1
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014DB1E1 mov eax, dword ptr fs:[00000030h]	1_2_014DB1E1
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015641E8 mov eax, dword ptr fs:[00000030h]	1_2_015641E8
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01502990 mov eax, dword ptr fs:[00000030h]	1_2_01502990
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014FC182 mov eax, dword ptr fs:[00000030h]	1_2_014FC182
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0150A185 mov eax, dword ptr fs:[00000030h]	1_2_0150A185
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015551BE mov eax, dword ptr fs:[00000030h]	1_2_015551BE
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015551BE mov eax, dword ptr fs:[00000030h]	1_2_015551BE
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015551BE mov eax, dword ptr fs:[00000030h]	1_2_015551BE
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015551BE mov eax, dword ptr fs:[00000030h]	1_2_015551BE
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015061A0 mov eax, dword ptr fs:[00000030h]	1_2_015061A0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015061A0 mov eax, dword ptr fs:[00000030h]	1_2_015061A0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015569A6 mov eax, dword ptr fs:[00000030h]	1_2_015569A6
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015949A4 mov eax, dword ptr fs:[00000030h]	1_2_015949A4
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015949A4 mov eax, dword ptr fs:[00000030h]	1_2_015949A4
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015949A4 mov eax, dword ptr fs:[00000030h]	1_2_015949A4
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015949A4 mov eax, dword ptr fs:[00000030h]	1_2_015949A4
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014F0050 mov eax, dword ptr fs:[00000030h]	1_2_014F0050
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014F0050 mov eax, dword ptr fs:[00000030h]	1_2_014F0050
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01592073 mov eax, dword ptr fs:[00000030h]	1_2_01592073
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A1074 mov eax, dword ptr fs:[00000030h]	1_2_015A1074
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01557016 mov eax, dword ptr fs:[00000030h]	1_2_01557016
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01557016 mov eax, dword ptr fs:[00000030h]	1_2_01557016
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01557016 mov eax, dword ptr fs:[00000030h]	1_2_01557016
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A4015 mov eax, dword ptr fs:[00000030h]	1_2_015A4015
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A4015 mov eax, dword ptr fs:[00000030h]	1_2_015A4015
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014EB02A mov eax, dword ptr fs:[00000030h]	1_2_014EB02A
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014EB02A mov eax, dword ptr fs:[00000030h]	1_2_014EB02A
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014EB02A mov eax, dword ptr fs:[00000030h]	1_2_014EB02A
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014EB02A mov eax, dword ptr fs:[00000030h]	1_2_014EB02A
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0150002D mov eax, dword ptr fs:[00000030h]	1_2_0150002D
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0150002D mov eax, dword ptr fs:[00000030h]	1_2_0150002D
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0150002D mov eax, dword ptr fs:[00000030h]	1_2_0150002D
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0150002D mov eax, dword ptr fs:[00000030h]	1_2_0150002D
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0150002D mov eax, dword ptr fs:[00000030h]	1_2_0150002D
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0156B8D0 mov eax, dword ptr fs:[00000030h]	1_2_0156B8D0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0156B8D0 mov ecx, dword ptr fs:[00000030h]	1_2_0156B8D0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0156B8D0 mov eax, dword ptr fs:[00000030h]	1_2_0156B8D0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0156B8D0 mov eax, dword ptr fs:[00000030h]	1_2_0156B8D0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0156B8D0 mov eax, dword ptr fs:[00000030h]	1_2_0156B8D0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0156B8D0 mov eax, dword ptr fs:[00000030h]	1_2_0156B8D0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D58EC mov eax, dword ptr fs:[00000030h]	1_2_014D58EC
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D40E1 mov eax, dword ptr fs:[00000030h]	1_2_014D40E1
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D40E1 mov eax, dword ptr fs:[00000030h]	1_2_014D40E1
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D40E1 mov eax, dword ptr fs:[00000030h]	1_2_014D40E1
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D9080 mov eax, dword ptr fs:[00000030h]	1_2_014D9080
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01553884 mov eax, dword ptr fs:[00000030h]	1_2_01553884
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01553884 mov eax, dword ptr fs:[00000030h]	1_2_01553884
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0150F0BF mov ecx, dword ptr fs:[00000030h]	1_2_0150F0BF
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0150F0BF mov eax, dword ptr fs:[00000030h]	1_2_0150F0BF
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0150F0BF mov eax, dword ptr fs:[00000030h]	1_2_0150F0BF
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015020A0 mov eax, dword ptr fs:[00000030h]	1_2_015020A0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015020A0 mov eax, dword ptr fs:[00000030h]	1_2_015020A0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015020A0 mov eax, dword ptr fs:[00000030h]	1_2_015020A0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015020A0 mov eax, dword ptr fs:[00000030h]	1_2_015020A0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015020A0 mov eax, dword ptr fs:[00000030h]	1_2_015020A0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015020A0 mov eax, dword ptr fs:[00000030h]	1_2_015020A0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015190AF mov eax, dword ptr fs:[00000030h]	1_2_015190AF
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A8B58 mov eax, dword ptr fs:[00000030h]	1_2_015A8B58
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014DDB40 mov eax, dword ptr fs:[00000030h]	1_2_014DDB40
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014DF358 mov eax, dword ptr fs:[00000030h]	1_2_014DF358
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01503B7A mov eax, dword ptr fs:[00000030h]	1_2_01503B7A
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01503B7A mov eax, dword ptr fs:[00000030h]	1_2_01503B7A
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014DDB60 mov ecx, dword ptr fs:[00000030h]	1_2_014DDB60
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0159131B mov eax, dword ptr fs:[00000030h]	1_2_0159131B
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015553CA mov eax, dword ptr fs:[00000030h]	1_2_015553CA
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015553CA mov eax, dword ptr fs:[00000030h]	1_2_015553CA
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014FDBE9 mov eax, dword ptr fs:[00000030h]	1_2_014FDBE9
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015003E2 mov eax, dword ptr fs:[00000030h]	1_2_015003E2
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015003E2 mov eax, dword ptr fs:[00000030h]	1_2_015003E2
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015003E2 mov eax, dword ptr fs:[00000030h]	1_2_015003E2
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015003E2 mov eax, dword ptr fs:[00000030h]	1_2_015003E2
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015003E2 mov eax, dword ptr fs:[00000030h]	1_2_015003E2
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015003E2 mov eax, dword ptr fs:[00000030h]	1_2_015003E2
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0150B390 mov eax, dword ptr fs:[00000030h]	1_2_0150B390
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E1B8F mov eax, dword ptr fs:[00000030h]	1_2_014E1B8F
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E1B8F mov eax, dword ptr fs:[00000030h]	1_2_014E1B8F
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01502397 mov eax, dword ptr fs:[00000030h]	1_2_01502397
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0159138A mov eax, dword ptr fs:[00000030h]	1_2_0159138A
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0158D380 mov ecx, dword ptr fs:[00000030h]	1_2_0158D380
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01504BAD mov eax, dword ptr fs:[00000030h]	1_2_01504BAD
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01504BAD mov eax, dword ptr fs:[00000030h]	1_2_01504BAD
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01504BAD mov eax, dword ptr fs:[00000030h]	1_2_01504BAD
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A5BA5 mov eax, dword ptr fs:[00000030h]	1_2_015A5BA5
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01564257 mov eax, dword ptr fs:[00000030h]	1_2_01564257
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0159EA55 mov eax, dword ptr fs:[00000030h]	1_2_0159EA55
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D9240 mov eax, dword ptr fs:[00000030h]	1_2_014D9240
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D9240 mov eax, dword ptr fs:[00000030h]	1_2_014D9240
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D9240 mov eax, dword ptr fs:[00000030h]	1_2_014D9240
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D9240 mov eax, dword ptr fs:[00000030h]	1_2_014D9240
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0151927A mov eax, dword ptr fs:[00000030h]	1_2_0151927A
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0158B260 mov eax, dword ptr fs:[00000030h]	1_2_0158B260
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0158B260 mov eax, dword ptr fs:[00000030h]	1_2_0158B260
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A8A62 mov eax, dword ptr fs:[00000030h]	1_2_015A8A62
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E8A0A mov eax, dword ptr fs:[00000030h]	1_2_014E8A0A
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0159AA16 mov eax, dword ptr fs:[00000030h]	1_2_0159AA16
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0159AA16 mov eax, dword ptr fs:[00000030h]	1_2_0159AA16
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014F3A1C mov eax, dword ptr fs:[00000030h]	1_2_014F3A1C
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014DAA16 mov eax, dword ptr fs:[00000030h]	1_2_014DAA16
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014DAA16 mov eax, dword ptr fs:[00000030h]	1_2_014DAA16
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D5210 mov eax, dword ptr fs:[00000030h]	1_2_014D5210
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D5210 mov ecx, dword ptr fs:[00000030h]	1_2_014D5210
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D5210 mov eax, dword ptr fs:[00000030h]	1_2_014D5210
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D5210 mov eax, dword ptr fs:[00000030h]	1_2_014D5210
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01514A2C mov eax, dword ptr fs:[00000030h]	1_2_01514A2C
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01514A2C mov eax, dword ptr fs:[00000030h]	1_2_01514A2C
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01502ACB mov eax, dword ptr fs:[00000030h]	1_2_01502ACB
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01502AE4 mov eax, dword ptr fs:[00000030h]	1_2_01502AE4
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0150D294 mov eax, dword ptr fs:[00000030h]	1_2_0150D294
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0150D294 mov eax, dword ptr fs:[00000030h]	1_2_0150D294
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0150FAB0 mov eax, dword ptr fs:[00000030h]	1_2_0150FAB0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D52A5 mov eax, dword ptr fs:[00000030h]	1_2_014D52A5
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D52A5 mov eax, dword ptr fs:[00000030h]	1_2_014D52A5
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D52A5 mov eax, dword ptr fs:[00000030h]	1_2_014D52A5
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D52A5 mov eax, dword ptr fs:[00000030h]	1_2_014D52A5
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D52A5 mov eax, dword ptr fs:[00000030h]	1_2_014D52A5
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014EAAB0 mov eax, dword ptr fs:[00000030h]	1_2_014EAAB0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014EAAB0 mov eax, dword ptr fs:[00000030h]	1_2_014EAAB0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01513D43 mov eax, dword ptr fs:[00000030h]	1_2_01513D43
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01553540 mov eax, dword ptr fs:[00000030h]	1_2_01553540
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01583D40 mov eax, dword ptr fs:[00000030h]	1_2_01583D40
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014F7D50 mov eax, dword ptr fs:[00000030h]	1_2_014F7D50
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014FC577 mov eax, dword ptr fs:[00000030h]	1_2_014FC577
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014FC577 mov eax, dword ptr fs:[00000030h]	1_2_014FC577
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0159E539 mov eax, dword ptr fs:[00000030h]	1_2_0159E539
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0155A537 mov eax, dword ptr fs:[00000030h]	1_2_0155A537
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01504D3B mov eax, dword ptr fs:[00000030h]	1_2_01504D3B
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01504D3B mov eax, dword ptr fs:[00000030h]	1_2_01504D3B
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01504D3B mov eax, dword ptr fs:[00000030h]	1_2_01504D3B
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A8D34 mov eax, dword ptr fs:[00000030h]	1_2_015A8D34
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]	1_2_014E3D34
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]	1_2_014E3D34
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]	1_2_014E3D34
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]	1_2_014E3D34
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]	1_2_014E3D34
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]	1_2_014E3D34
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]	1_2_014E3D34
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]	1_2_014E3D34
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]	1_2_014E3D34
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]	1_2_014E3D34
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]	1_2_014E3D34
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]	1_2_014E3D34
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E3D34 mov eax, dword ptr fs:[00000030h]	1_2_014E3D34
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014DAD30 mov eax, dword ptr fs:[00000030h]	1_2_014DAD30
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01556DC9 mov eax, dword ptr fs:[00000030h]	1_2_01556DC9
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01556DC9 mov eax, dword ptr fs:[00000030h]	1_2_01556DC9
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01556DC9 mov eax, dword ptr fs:[00000030h]	1_2_01556DC9
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01556DC9 mov ecx, dword ptr fs:[00000030h]	1_2_01556DC9
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01556DC9 mov eax, dword ptr fs:[00000030h]	1_2_01556DC9
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01556DC9 mov eax, dword ptr fs:[00000030h]	1_2_01556DC9
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01588DF1 mov eax, dword ptr fs:[00000030h]	1_2_01588DF1
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014ED5E0 mov eax, dword ptr fs:[00000030h]	1_2_014ED5E0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014ED5E0 mov eax, dword ptr fs:[00000030h]	1_2_014ED5E0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0159FDE2 mov eax, dword ptr fs:[00000030h]	1_2_0159FDE2
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0159FDE2 mov eax, dword ptr fs:[00000030h]	1_2_0159FDE2
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0159FDE2 mov eax, dword ptr fs:[00000030h]	1_2_0159FDE2
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0159FDE2 mov eax, dword ptr fs:[00000030h]	1_2_0159FDE2
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D2D8A mov eax, dword ptr fs:[00000030h]	1_2_014D2D8A
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D2D8A mov eax, dword ptr fs:[00000030h]	1_2_014D2D8A
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D2D8A mov eax, dword ptr fs:[00000030h]	1_2_014D2D8A
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D2D8A mov eax, dword ptr fs:[00000030h]	1_2_014D2D8A
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D2D8A mov eax, dword ptr fs:[00000030h]	1_2_014D2D8A
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0150FD9B mov eax, dword ptr fs:[00000030h]	1_2_0150FD9B
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0150FD9B mov eax, dword ptr fs:[00000030h]	1_2_0150FD9B
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01502581 mov eax, dword ptr fs:[00000030h]	1_2_01502581
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01502581 mov eax, dword ptr fs:[00000030h]	1_2_01502581
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01502581 mov eax, dword ptr fs:[00000030h]	1_2_01502581
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01502581 mov eax, dword ptr fs:[00000030h]	1_2_01502581
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01501DB5 mov eax, dword ptr fs:[00000030h]	1_2_01501DB5
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01501DB5 mov eax, dword ptr fs:[00000030h]	1_2_01501DB5
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01501DB5 mov eax, dword ptr fs:[00000030h]	1_2_01501DB5
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015035A1 mov eax, dword ptr fs:[00000030h]	1_2_015035A1
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A05AC mov eax, dword ptr fs:[00000030h]	1_2_015A05AC
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A05AC mov eax, dword ptr fs:[00000030h]	1_2_015A05AC
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0156C450 mov eax, dword ptr fs:[00000030h]	1_2_0156C450
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0156C450 mov eax, dword ptr fs:[00000030h]	1_2_0156C450
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0150A44B mov eax, dword ptr fs:[00000030h]	1_2_0150A44B
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014F746D mov eax, dword ptr fs:[00000030h]	1_2_014F746D
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A740D mov eax, dword ptr fs:[00000030h]	1_2_015A740D
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A740D mov eax, dword ptr fs:[00000030h]	1_2_015A740D
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A740D mov eax, dword ptr fs:[00000030h]	1_2_015A740D
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]	1_2_01591C06
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]	1_2_01591C06
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]	1_2_01591C06
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]	1_2_01591C06
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]	1_2_01591C06
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]	1_2_01591C06
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]	1_2_01591C06
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]	1_2_01591C06
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]	1_2_01591C06
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]	1_2_01591C06
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]	1_2_01591C06
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]	1_2_01591C06
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]	1_2_01591C06
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01591C06 mov eax, dword ptr fs:[00000030h]	1_2_01591C06
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01556C0A mov eax, dword ptr fs:[00000030h]	1_2_01556C0A
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01556C0A mov eax, dword ptr fs:[00000030h]	1_2_01556C0A
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01556C0A mov eax, dword ptr fs:[00000030h]	1_2_01556C0A
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01556C0A mov eax, dword ptr fs:[00000030h]	1_2_01556C0A
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0150BC2C mov eax, dword ptr fs:[00000030h]	1_2_0150BC2C
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A8CD6 mov eax, dword ptr fs:[00000030h]	1_2_015A8CD6
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015914FB mov eax, dword ptr fs:[00000030h]	1_2_015914FB
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01556CF0 mov eax, dword ptr fs:[00000030h]	1_2_01556CF0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01556CF0 mov eax, dword ptr fs:[00000030h]	1_2_01556CF0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01556CF0 mov eax, dword ptr fs:[00000030h]	1_2_01556CF0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E849B mov eax, dword ptr fs:[00000030h]	1_2_014E849B
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014EEF40 mov eax, dword ptr fs:[00000030h]	1_2_014EEF40
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014EFF60 mov eax, dword ptr fs:[00000030h]	1_2_014EFF60
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A8F6A mov eax, dword ptr fs:[00000030h]	1_2_015A8F6A
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0156FF10 mov eax, dword ptr fs:[00000030h]	1_2_0156FF10
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0156FF10 mov eax, dword ptr fs:[00000030h]	1_2_0156FF10
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A070D mov eax, dword ptr fs:[00000030h]	1_2_015A070D
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A070D mov eax, dword ptr fs:[00000030h]	1_2_015A070D
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014FF716 mov eax, dword ptr fs:[00000030h]	1_2_014FF716
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0150A70E mov eax, dword ptr fs:[00000030h]	1_2_0150A70E
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0150A70E mov eax, dword ptr fs:[00000030h]	1_2_0150A70E
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0150E730 mov eax, dword ptr fs:[00000030h]	1_2_0150E730
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D4F2E mov eax, dword ptr fs:[00000030h]	1_2_014D4F2E
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014D4F2E mov eax, dword ptr fs:[00000030h]	1_2_014D4F2E
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015137F5 mov eax, dword ptr fs:[00000030h]	1_2_015137F5
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01557794 mov eax, dword ptr fs:[00000030h]	1_2_01557794
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01557794 mov eax, dword ptr fs:[00000030h]	1_2_01557794
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01557794 mov eax, dword ptr fs:[00000030h]	1_2_01557794
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E8794 mov eax, dword ptr fs:[00000030h]	1_2_014E8794
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E7E41 mov eax, dword ptr fs:[00000030h]	1_2_014E7E41
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E7E41 mov eax, dword ptr fs:[00000030h]	1_2_014E7E41
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E7E41 mov eax, dword ptr fs:[00000030h]	1_2_014E7E41
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E7E41 mov eax, dword ptr fs:[00000030h]	1_2_014E7E41
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E7E41 mov eax, dword ptr fs:[00000030h]	1_2_014E7E41
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E7E41 mov eax, dword ptr fs:[00000030h]	1_2_014E7E41
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0159AE44 mov eax, dword ptr fs:[00000030h]	1_2_0159AE44
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0159AE44 mov eax, dword ptr fs:[00000030h]	1_2_0159AE44
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E766D mov eax, dword ptr fs:[00000030h]	1_2_014E766D
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014FAE73 mov eax, dword ptr fs:[00000030h]	1_2_014FAE73
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014FAE73 mov eax, dword ptr fs:[00000030h]	1_2_014FAE73
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014FAE73 mov eax, dword ptr fs:[00000030h]	1_2_014FAE73
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014FAE73 mov eax, dword ptr fs:[00000030h]	1_2_014FAE73
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014FAE73 mov eax, dword ptr fs:[00000030h]	1_2_014FAE73
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0150A61C mov eax, dword ptr fs:[00000030h]	1_2_0150A61C
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0150A61C mov eax, dword ptr fs:[00000030h]	1_2_0150A61C
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014DC600 mov eax, dword ptr fs:[00000030h]	1_2_014DC600
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014DC600 mov eax, dword ptr fs:[00000030h]	1_2_014DC600
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014DC600 mov eax, dword ptr fs:[00000030h]	1_2_014DC600
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01508E00 mov eax, dword ptr fs:[00000030h]	1_2_01508E00
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01591608 mov eax, dword ptr fs:[00000030h]	1_2_01591608
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0158FE3F mov eax, dword ptr fs:[00000030h]	1_2_0158FE3F
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014DE620 mov eax, dword ptr fs:[00000030h]	1_2_014DE620
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A8ED6 mov eax, dword ptr fs:[00000030h]	1_2_015A8ED6
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_01518EC7 mov eax, dword ptr fs:[00000030h]	1_2_01518EC7
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0158FEC0 mov eax, dword ptr fs:[00000030h]	1_2_0158FEC0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015036CC mov eax, dword ptr fs:[00000030h]	1_2_015036CC
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_014E76E2 mov eax, dword ptr fs:[00000030h]	1_2_014E76E2
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015016E0 mov ecx, dword ptr fs:[00000030h]	1_2_015016E0
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_0156FE87 mov eax, dword ptr fs:[00000030h]	1_2_0156FE87
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015546A7 mov eax, dword ptr fs:[00000030h]	1_2_015546A7
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A0EA5 mov eax, dword ptr fs:[00000030h]	1_2_015A0EA5
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A0EA5 mov eax, dword ptr fs:[00000030h]	1_2_015A0EA5
Source: C:\Users\user\Desktop\PO98765.exe	Code function: 1_2_015A0EA5 mov eax, dword ptr fs:[00000030h]	1_2_015A0EA5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0510AD30 mov eax, dword ptr fs:[00000030h]	3_2_0510AD30
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]	3_2_05113D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]	3_2_05113D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]	3_2_05113D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]	3_2_05113D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]	3_2_05113D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]	3_2_05113D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]	3_2_05113D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]	3_2_05113D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]	3_2_05113D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]	3_2_05113D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]	3_2_05113D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]	3_2_05113D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05113D34 mov eax, dword ptr fs:[00000030h]	3_2_05113D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051CE539 mov eax, dword ptr fs:[00000030h]	3_2_051CE539
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05134D3B mov eax, dword ptr fs:[00000030h]	3_2_05134D3B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05134D3B mov eax, dword ptr fs:[00000030h]	3_2_05134D3B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05134D3B mov eax, dword ptr fs:[00000030h]	3_2_05134D3B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D8D34 mov eax, dword ptr fs:[00000030h]	3_2_051D8D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0518A537 mov eax, dword ptr fs:[00000030h]	3_2_0518A537
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05127D50 mov eax, dword ptr fs:[00000030h]	3_2_05127D50
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05143D43 mov eax, dword ptr fs:[00000030h]	3_2_05143D43
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05183540 mov eax, dword ptr fs:[00000030h]	3_2_05183540
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0512C577 mov eax, dword ptr fs:[00000030h]	3_2_0512C577
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0512C577 mov eax, dword ptr fs:[00000030h]	3_2_0512C577
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0513FD9B mov eax, dword ptr fs:[00000030h]	3_2_0513FD9B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0513FD9B mov eax, dword ptr fs:[00000030h]	3_2_0513FD9B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05132581 mov eax, dword ptr fs:[00000030h]	3_2_05132581
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05132581 mov eax, dword ptr fs:[00000030h]	3_2_05132581
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05132581 mov eax, dword ptr fs:[00000030h]	3_2_05132581
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05132581 mov eax, dword ptr fs:[00000030h]	3_2_05132581
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05102D8A mov eax, dword ptr fs:[00000030h]	3_2_05102D8A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05102D8A mov eax, dword ptr fs:[00000030h]	3_2_05102D8A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05102D8A mov eax, dword ptr fs:[00000030h]	3_2_05102D8A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05102D8A mov eax, dword ptr fs:[00000030h]	3_2_05102D8A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05102D8A mov eax, dword ptr fs:[00000030h]	3_2_05102D8A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05131DB5 mov eax, dword ptr fs:[00000030h]	3_2_05131DB5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05131DB5 mov eax, dword ptr fs:[00000030h]	3_2_05131DB5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05131DB5 mov eax, dword ptr fs:[00000030h]	3_2_05131DB5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D05AC mov eax, dword ptr fs:[00000030h]	3_2_051D05AC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D05AC mov eax, dword ptr fs:[00000030h]	3_2_051D05AC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051335A1 mov eax, dword ptr fs:[00000030h]	3_2_051335A1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05186DC9 mov eax, dword ptr fs:[00000030h]	3_2_05186DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05186DC9 mov eax, dword ptr fs:[00000030h]	3_2_05186DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05186DC9 mov eax, dword ptr fs:[00000030h]	3_2_05186DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05186DC9 mov ecx, dword ptr fs:[00000030h]	3_2_05186DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05186DC9 mov eax, dword ptr fs:[00000030h]	3_2_05186DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05186DC9 mov eax, dword ptr fs:[00000030h]	3_2_05186DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051B8DF1 mov eax, dword ptr fs:[00000030h]	3_2_051B8DF1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0511D5E0 mov eax, dword ptr fs:[00000030h]	3_2_0511D5E0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0511D5E0 mov eax, dword ptr fs:[00000030h]	3_2_0511D5E0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051CFDE2 mov eax, dword ptr fs:[00000030h]	3_2_051CFDE2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051CFDE2 mov eax, dword ptr fs:[00000030h]	3_2_051CFDE2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051CFDE2 mov eax, dword ptr fs:[00000030h]	3_2_051CFDE2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051CFDE2 mov eax, dword ptr fs:[00000030h]	3_2_051CFDE2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D740D mov eax, dword ptr fs:[00000030h]	3_2_051D740D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D740D mov eax, dword ptr fs:[00000030h]	3_2_051D740D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D740D mov eax, dword ptr fs:[00000030h]	3_2_051D740D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05186C0A mov eax, dword ptr fs:[00000030h]	3_2_05186C0A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05186C0A mov eax, dword ptr fs:[00000030h]	3_2_05186C0A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05186C0A mov eax, dword ptr fs:[00000030h]	3_2_05186C0A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05186C0A mov eax, dword ptr fs:[00000030h]	3_2_05186C0A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]	3_2_051C1C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]	3_2_051C1C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]	3_2_051C1C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]	3_2_051C1C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]	3_2_051C1C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]	3_2_051C1C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]	3_2_051C1C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]	3_2_051C1C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]	3_2_051C1C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]	3_2_051C1C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]	3_2_051C1C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]	3_2_051C1C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]	3_2_051C1C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051C1C06 mov eax, dword ptr fs:[00000030h]	3_2_051C1C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0513BC2C mov eax, dword ptr fs:[00000030h]	3_2_0513BC2C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0519C450 mov eax, dword ptr fs:[00000030h]	3_2_0519C450
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0519C450 mov eax, dword ptr fs:[00000030h]	3_2_0519C450
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0513A44B mov eax, dword ptr fs:[00000030h]	3_2_0513A44B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0512746D mov eax, dword ptr fs:[00000030h]	3_2_0512746D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0511849B mov eax, dword ptr fs:[00000030h]	3_2_0511849B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D8CD6 mov eax, dword ptr fs:[00000030h]	3_2_051D8CD6
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051C14FB mov eax, dword ptr fs:[00000030h]	3_2_051C14FB
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05186CF0 mov eax, dword ptr fs:[00000030h]	3_2_05186CF0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05186CF0 mov eax, dword ptr fs:[00000030h]	3_2_05186CF0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05186CF0 mov eax, dword ptr fs:[00000030h]	3_2_05186CF0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0512F716 mov eax, dword ptr fs:[00000030h]	3_2_0512F716
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0519FF10 mov eax, dword ptr fs:[00000030h]	3_2_0519FF10
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0519FF10 mov eax, dword ptr fs:[00000030h]	3_2_0519FF10
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D070D mov eax, dword ptr fs:[00000030h]	3_2_051D070D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D070D mov eax, dword ptr fs:[00000030h]	3_2_051D070D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0513A70E mov eax, dword ptr fs:[00000030h]	3_2_0513A70E
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0513A70E mov eax, dword ptr fs:[00000030h]	3_2_0513A70E
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0513E730 mov eax, dword ptr fs:[00000030h]	3_2_0513E730
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05104F2E mov eax, dword ptr fs:[00000030h]	3_2_05104F2E
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05104F2E mov eax, dword ptr fs:[00000030h]	3_2_05104F2E
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0511EF40 mov eax, dword ptr fs:[00000030h]	3_2_0511EF40
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0511FF60 mov eax, dword ptr fs:[00000030h]	3_2_0511FF60
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D8F6A mov eax, dword ptr fs:[00000030h]	3_2_051D8F6A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05118794 mov eax, dword ptr fs:[00000030h]	3_2_05118794
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05187794 mov eax, dword ptr fs:[00000030h]	3_2_05187794
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05187794 mov eax, dword ptr fs:[00000030h]	3_2_05187794
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05187794 mov eax, dword ptr fs:[00000030h]	3_2_05187794
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051437F5 mov eax, dword ptr fs:[00000030h]	3_2_051437F5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0513A61C mov eax, dword ptr fs:[00000030h]	3_2_0513A61C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0513A61C mov eax, dword ptr fs:[00000030h]	3_2_0513A61C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0510C600 mov eax, dword ptr fs:[00000030h]	3_2_0510C600
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0510C600 mov eax, dword ptr fs:[00000030h]	3_2_0510C600
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0510C600 mov eax, dword ptr fs:[00000030h]	3_2_0510C600
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05138E00 mov eax, dword ptr fs:[00000030h]	3_2_05138E00
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051C1608 mov eax, dword ptr fs:[00000030h]	3_2_051C1608
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051BFE3F mov eax, dword ptr fs:[00000030h]	3_2_051BFE3F
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0510E620 mov eax, dword ptr fs:[00000030h]	3_2_0510E620
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05117E41 mov eax, dword ptr fs:[00000030h]	3_2_05117E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05117E41 mov eax, dword ptr fs:[00000030h]	3_2_05117E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05117E41 mov eax, dword ptr fs:[00000030h]	3_2_05117E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05117E41 mov eax, dword ptr fs:[00000030h]	3_2_05117E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05117E41 mov eax, dword ptr fs:[00000030h]	3_2_05117E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05117E41 mov eax, dword ptr fs:[00000030h]	3_2_05117E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051CAE44 mov eax, dword ptr fs:[00000030h]	3_2_051CAE44
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051CAE44 mov eax, dword ptr fs:[00000030h]	3_2_051CAE44
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0512AE73 mov eax, dword ptr fs:[00000030h]	3_2_0512AE73
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0512AE73 mov eax, dword ptr fs:[00000030h]	3_2_0512AE73
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0512AE73 mov eax, dword ptr fs:[00000030h]	3_2_0512AE73
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0512AE73 mov eax, dword ptr fs:[00000030h]	3_2_0512AE73
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0512AE73 mov eax, dword ptr fs:[00000030h]	3_2_0512AE73
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0511766D mov eax, dword ptr fs:[00000030h]	3_2_0511766D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0519FE87 mov eax, dword ptr fs:[00000030h]	3_2_0519FE87
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D0EA5 mov eax, dword ptr fs:[00000030h]	3_2_051D0EA5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D0EA5 mov eax, dword ptr fs:[00000030h]	3_2_051D0EA5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D0EA5 mov eax, dword ptr fs:[00000030h]	3_2_051D0EA5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051846A7 mov eax, dword ptr fs:[00000030h]	3_2_051846A7
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D8ED6 mov eax, dword ptr fs:[00000030h]	3_2_051D8ED6
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05148EC7 mov eax, dword ptr fs:[00000030h]	3_2_05148EC7
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051BFEC0 mov eax, dword ptr fs:[00000030h]	3_2_051BFEC0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051336CC mov eax, dword ptr fs:[00000030h]	3_2_051336CC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051316E0 mov ecx, dword ptr fs:[00000030h]	3_2_051316E0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051176E2 mov eax, dword ptr fs:[00000030h]	3_2_051176E2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05109100 mov eax, dword ptr fs:[00000030h]	3_2_05109100
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05109100 mov eax, dword ptr fs:[00000030h]	3_2_05109100
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05109100 mov eax, dword ptr fs:[00000030h]	3_2_05109100
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0513513A mov eax, dword ptr fs:[00000030h]	3_2_0513513A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0513513A mov eax, dword ptr fs:[00000030h]	3_2_0513513A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05124120 mov eax, dword ptr fs:[00000030h]	3_2_05124120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05124120 mov eax, dword ptr fs:[00000030h]	3_2_05124120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05124120 mov eax, dword ptr fs:[00000030h]	3_2_05124120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05124120 mov eax, dword ptr fs:[00000030h]	3_2_05124120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05124120 mov ecx, dword ptr fs:[00000030h]	3_2_05124120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0512B944 mov eax, dword ptr fs:[00000030h]	3_2_0512B944
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0512B944 mov eax, dword ptr fs:[00000030h]	3_2_0512B944
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0510B171 mov eax, dword ptr fs:[00000030h]	3_2_0510B171
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0510B171 mov eax, dword ptr fs:[00000030h]	3_2_0510B171
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0510C962 mov eax, dword ptr fs:[00000030h]	3_2_0510C962
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05132990 mov eax, dword ptr fs:[00000030h]	3_2_05132990
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0512C182 mov eax, dword ptr fs:[00000030h]	3_2_0512C182
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0513A185 mov eax, dword ptr fs:[00000030h]	3_2_0513A185
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051851BE mov eax, dword ptr fs:[00000030h]	3_2_051851BE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051851BE mov eax, dword ptr fs:[00000030h]	3_2_051851BE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051851BE mov eax, dword ptr fs:[00000030h]	3_2_051851BE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051851BE mov eax, dword ptr fs:[00000030h]	3_2_051851BE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051361A0 mov eax, dword ptr fs:[00000030h]	3_2_051361A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051361A0 mov eax, dword ptr fs:[00000030h]	3_2_051361A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051869A6 mov eax, dword ptr fs:[00000030h]	3_2_051869A6
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051941E8 mov eax, dword ptr fs:[00000030h]	3_2_051941E8
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0510B1E1 mov eax, dword ptr fs:[00000030h]	3_2_0510B1E1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0510B1E1 mov eax, dword ptr fs:[00000030h]	3_2_0510B1E1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0510B1E1 mov eax, dword ptr fs:[00000030h]	3_2_0510B1E1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D4015 mov eax, dword ptr fs:[00000030h]	3_2_051D4015
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D4015 mov eax, dword ptr fs:[00000030h]	3_2_051D4015
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05187016 mov eax, dword ptr fs:[00000030h]	3_2_05187016
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05187016 mov eax, dword ptr fs:[00000030h]	3_2_05187016
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05187016 mov eax, dword ptr fs:[00000030h]	3_2_05187016
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0511B02A mov eax, dword ptr fs:[00000030h]	3_2_0511B02A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0511B02A mov eax, dword ptr fs:[00000030h]	3_2_0511B02A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0511B02A mov eax, dword ptr fs:[00000030h]	3_2_0511B02A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0511B02A mov eax, dword ptr fs:[00000030h]	3_2_0511B02A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0513002D mov eax, dword ptr fs:[00000030h]	3_2_0513002D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0513002D mov eax, dword ptr fs:[00000030h]	3_2_0513002D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0513002D mov eax, dword ptr fs:[00000030h]	3_2_0513002D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0513002D mov eax, dword ptr fs:[00000030h]	3_2_0513002D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0513002D mov eax, dword ptr fs:[00000030h]	3_2_0513002D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05120050 mov eax, dword ptr fs:[00000030h]	3_2_05120050
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05120050 mov eax, dword ptr fs:[00000030h]	3_2_05120050
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D1074 mov eax, dword ptr fs:[00000030h]	3_2_051D1074
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051C2073 mov eax, dword ptr fs:[00000030h]	3_2_051C2073
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05109080 mov eax, dword ptr fs:[00000030h]	3_2_05109080
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05183884 mov eax, dword ptr fs:[00000030h]	3_2_05183884
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05183884 mov eax, dword ptr fs:[00000030h]	3_2_05183884
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0513F0BF mov ecx, dword ptr fs:[00000030h]	3_2_0513F0BF
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0513F0BF mov eax, dword ptr fs:[00000030h]	3_2_0513F0BF
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0513F0BF mov eax, dword ptr fs:[00000030h]	3_2_0513F0BF
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051320A0 mov eax, dword ptr fs:[00000030h]	3_2_051320A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051320A0 mov eax, dword ptr fs:[00000030h]	3_2_051320A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051320A0 mov eax, dword ptr fs:[00000030h]	3_2_051320A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051320A0 mov eax, dword ptr fs:[00000030h]	3_2_051320A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051320A0 mov eax, dword ptr fs:[00000030h]	3_2_051320A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051320A0 mov eax, dword ptr fs:[00000030h]	3_2_051320A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051490AF mov eax, dword ptr fs:[00000030h]	3_2_051490AF
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0519B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0519B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0519B8D0 mov ecx, dword ptr fs:[00000030h]	3_2_0519B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0519B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0519B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0519B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0519B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0519B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0519B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0519B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0519B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051058EC mov eax, dword ptr fs:[00000030h]	3_2_051058EC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051C131B mov eax, dword ptr fs:[00000030h]	3_2_051C131B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D8B58 mov eax, dword ptr fs:[00000030h]	3_2_051D8B58
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0510F358 mov eax, dword ptr fs:[00000030h]	3_2_0510F358
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0510DB40 mov eax, dword ptr fs:[00000030h]	3_2_0510DB40
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05133B7A mov eax, dword ptr fs:[00000030h]	3_2_05133B7A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05133B7A mov eax, dword ptr fs:[00000030h]	3_2_05133B7A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0510DB60 mov ecx, dword ptr fs:[00000030h]	3_2_0510DB60
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_0513B390 mov eax, dword ptr fs:[00000030h]	3_2_0513B390
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05132397 mov eax, dword ptr fs:[00000030h]	3_2_05132397
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051C138A mov eax, dword ptr fs:[00000030h]	3_2_051C138A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051BD380 mov ecx, dword ptr fs:[00000030h]	3_2_051BD380
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05111B8F mov eax, dword ptr fs:[00000030h]	3_2_05111B8F
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05111B8F mov eax, dword ptr fs:[00000030h]	3_2_05111B8F
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051D5BA5 mov eax, dword ptr fs:[00000030h]	3_2_051D5BA5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05134BAD mov eax, dword ptr fs:[00000030h]	3_2_05134BAD
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05134BAD mov eax, dword ptr fs:[00000030h]	3_2_05134BAD
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_05134BAD mov eax, dword ptr fs:[00000030h]	3_2_05134BAD
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051853CA mov eax, dword ptr fs:[00000030h]	3_2_051853CA
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051853CA mov eax, dword ptr fs:[00000030h]	3_2_051853CA
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 3_2_051303E2 mov eax, dword ptr fs:[00000030h]	3_2_051303E2

Source: C:\Users\user\Desktop\PO98765.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\PO98765.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 160.122.150.218 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\PO98765.exe

Memory written: C:\Users\user\Desktop\PO98765.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\PO98765.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\PO98765.exe	Thread register set: target process: 3424			Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Thread register set: target process: 3424			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\PO98765.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\PO98765.exe

Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: 1070000

Jump to behavior

Source: C:\Users\user\Desktop\PO98765.exe	Process created: C:\Users\user\Desktop\PO98765.exe C:\Users\user\Desktop\PO98765.exe			Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO98765.exe'			Jump to behavior

Source: explorer.exe, 00000002.00000000.682188809.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000002.00000000.682566937.0000000001080000.00000002.00000001.sdmp, mstsc.exe, 00000003.00000002.923963210.0000000003990000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.696913420.0000000005E50000.00000004.00000001.sdmp, mstsc.exe, 00000003.00000002.923963210.0000000003990000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.682566937.0000000001080000.00000002.00000001.sdmp, mstsc.exe, 00000003.00000002.923963210.0000000003990000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.682566937.0000000001080000.00000002.00000001.sdmp, mstsc.exe, 00000003.00000002.923963210.0000000003990000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.700351269.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Users\user\Desktop\PO98765.exe	Queries volume information: C:\Users\user\Desktop\PO98765.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO98765.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO98765.exe

Code function: 0_2_05BA62D8 GetUserNameA,

0_2_05BA62D8

Source: C:\Users\user\Desktop\PO98765.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.715786451.0000000001040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.715956692.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.PO98765.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO98765.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.715786451.0000000001040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.715956692.00000000013F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.PO98765.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO98765.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Path Interception	Process Injection612	Rootkit1	Credential API Hooking1	Security Software Discovery331	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Masquerading1	LSASS Memory	Virtualization/Sandbox Evasion14	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion14	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Disable or Modify Tools1	NTDS	Account Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection612	LSA Secrets	System Owner/User Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information4	DCSync	System Information Discovery112	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing13	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO98765.exe	14%	Virustotal		Browse
PO98765.exe	10%	ReversingLabs	Win32.Trojan.Wacatac

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.PO98765.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.edlasyarns.com	160.122.150.218	true	true	unknown
punebites.com	81.19.215.15	true	false	unknown
westhighlandwaytours.com	34.102.136.180	true	true	unknown
shops.myshopify.com	23.227.38.74	true	true	unknown
www.bloochy.com	unknown	unknown	true	unknown
www.westhighlandwaytours.com	unknown	unknown	true	unknown
www.punebites.com	unknown	unknown	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false		high
http://www.%s.comPA	explorer.exe, 00000002.00000002.924230430.0000000002B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO98765.exe, 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	explorer.exe, 00000002.00000000.701874161.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
160.122.150.218	unknown	South Africa	137951	CLAYERLIMITED-AS-APClayerLimitedHK	true
34.102.136.180	unknown	United States	15169	GOOGLEUS	true
23.227.38.74	unknown	Canada	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	323082
Start date:	26.11.2020
Start time:	09:55:26
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PO98765.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/1@5/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 16.7% (good quality ratio 14.7%) Quality average: 72% Quality standard deviation: 32.3%
HCA Information:	Successful, ratio: 95% Number of executed functions: 114 Number of non-executed functions: 157
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Excluded IPs from analysis (whitelisted): 52.255.188.83, 104.42.151.234, 168.61.161.212, 52.147.198.201 Excluded domains from analysis (whitelisted): skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, watson.telemetry.microsoft.com, skypedataprdcolwus16.cloudapp.net Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:56:26	API Interceptor	1x Sleep call for process: PO98765.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
34.102.136.180	Booking Confirmation.xlsx	Get hash	malicious	Browse	www.setyourhead.com/kgw/?YPxdA=qxnbG0TgnGHGw+QslghqCPaDw7mfFbPu6Z/l2x9tLypy5Il4TL/Oe56TI1g3tXVevJbT7w==&FN=-ZD4lhJxcp08lll
	PI202009255687.xlsx	Get hash	malicious	Browse	www.lygosfilms.info/ogg/?Xrx4lx8=o9DTWGgejQhFb0XDNKFr8x252gLWlqtFw+u/IiN1z9p9QWzZEqjsrtg5rynyb3VCEFeW0g==&eny8V=8p-t_j0xRnOLT2
	VOMAXTRADING.doc	Get hash	malicious	Browse	www.mycapecrusade.com/bu43/?OBZPd=k6AhchXHBB&Yzrx=5Lfh6qcZO6QCpL41ah3mk8LUL3OJ/OZx9c26bzra2u0GgF5XtbJN8WKHQCrI7u2LEBkhnA==
	purchase order.exe	Get hash	malicious	Browse	www.rettexo.com/sbmh/?0PJtBJ=kHp9H1tPAFmVsD64lxBGFA2zeARzx9tS7bJBiT/v97zwTY8F+uE1Nk95aq19aJdA0x4qnOoYAg==&jDHXG=aFNTklSp
	inv.exe	Get hash	malicious	Browse	www.nextgenmemorabilia.com/hko6/?rL0=EcalOYSyHuIWNe0yBiyzQnDoyWnQ8AXmuso6y7H91Y9cmoRSZtclvU9o5GCKwGOmvOmDBOYeyw==&3f_X=Q2J8lT4hKB4
	anthon.exe	Get hash	malicious	Browse	www.stlmache.com/94sb/?D8c=zlihirZ0hdZXaD&8pdPSNhX=oHhCnRhAqLFON9zTJDssyW7Qcc6qw5o0Z4654po5P9rAmpqiU8ijSaSHb7UixrcmwTy4
	RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe	Get hash	malicious	Browse	www.messianicentertainment.com/mkv/
	Scan 25112020 pdf.exe	Get hash	malicious	Browse	www.youarecoveredamerica.com/cxs/?wR=30eviFukjpDMKdZAPLSN5kaysTzlcADcsOyOixR0/60FoTO0nFa3+4ZYvhmf8uIzSvTf&V4=inHXwbhx
	PO EME39134.xlsx	Get hash	malicious	Browse	www.pethgroup.com/mfg6/?NL08b=wzYKSVBwuJMkKFzZssaTzgW2Vk9zJFgyObnh9ous05GVmO8iDcl865kQdMMIGiQlXQz3Bg==&Ab=JpApTx
	PRODUCT INQUIRY BNQ1.xlsx	Get hash	malicious	Browse	www.d2cbox.com/coz3/?RFN4=Db4oM/0ZSLcS2WrsSk0EAPitYAH7G5kPXSBsu1Ti9XYpj/EUmwYzXG6I+6XEGkDvXHlCmg==&RB=NL00JzKhBv9HkNRp
	Document Required.xlsx	Get hash	malicious	Browse	www.vegbydesign.net/et2d/?LDHDp=V0L4Gg8XEG33noZ7KcimyECCbO7JKaiXnbIiZHmOm/4B4fbkqB2G6gSUl7eOq1VGLYG7cQ==&1bY8l=ktg8tf6PjX7
	Payment - Swift Copy.exe	Get hash	malicious	Browse	www.meetyourwish.com/mnc/?Mdkdxdax=WY4KUSY8ftRWBzX7AqE30jxuDiwNulyYTSspkj6O426HLT41/FrvTZzWmkvAdUuy3I6l&ZVj0=YN6tXn0HZ8X
	Shipment Document BLINV And Packing List Attached.exe	Get hash	malicious	Browse	www.kanmra.com/bg8v/?DXIXO=bN+sZwdqksHEVUXNrgv1qWKxxuRS+qOVBUFqNGSJvK31ERFsrbT8+Ywa/qntJ641tecm&Jt7=XPv4nH2h
	SR7UzD8vSg.exe	Get hash	malicious	Browse	www.seatoskyphotos.com/g65/?7nwhJ4l=TXJeSLolb01vansOrhIgOMhNYUnQdj/rfF4amJcBrUYE+yYYkSMe6xNPoYCNXAECPfCM&PpJ=2dGHUZtH1RcT9x
	fSBya4AvVj.exe	Get hash	malicious	Browse	www.crdtchef.com/coz3/?uVg8S=yVCTVPM0BpPlbRn&Cb=6KJmJcklo30WnY6vewxcXLig2KFmxMKN3/pat9BWRdDInxGr1qf1MmoT0+9/86rmVbJja+uPDg==
	7OKYiP6gHy.exe	Get hash	malicious	Browse	www.space-ghost.com/mz59/?DxlpdH=bx7WlvEZr3O5XBwInsT/p4C3h10gePk/QJkiFTbVYZMx/qNyufU701Fr8sAaS9DQf7SJ&k2Jxtb=fDHHbT_hY
	ptFIhqUe89.exe	Get hash	malicious	Browse	www.pethgroup.com/mfg6/?EZxHcv=idCXUjVPw&X2MdRr9H=wzYKSVB1uOMgKV/VusaTzgW2Vk9zJFgyOb/xhrytwZGUm/QkEM0ws9cSepgeCyUWcTuH
	G1K3UzwJBx.exe	Get hash	malicious	Browse	www.softdevteams.com/wsu/?JfBpEB4H=UDFlvLrb363Z/K3+q9OjWueixmKoOm8xQw3Yd3ofqrJMoI6bXqsuqW1H0uReyIz+CvJE&odqddr=RzuhPD
	ARRIVAL NOTICE.xlsx	Get hash	malicious	Browse	www.befitptstudio.com/ogg/?oN9xX=4mwbOnk+WEse1PEPUI+9OE7CuRKrYpR8Uy9t/eBM2SPWQ9N1Pm1uQBQ852Ah+FLlD8dO/Q==&r8=-ZoxsbmheH5H_0_
	Confectionary and choco.xlsx	Get hash	malicious	Browse	www.thesiromiel.com/kgw/?qDH4D=f8c0xBrPYPKd&ML30a=2i2TlC6nSGv7nfRnhje0HOiHksQfPDJcIBIB+Miyp4ApD+T5OEbWO8tIEn4OYJPJCmlhDQ==
23.227.38.74	inv.exe	Get hash	malicious	Browse	www.nairobi-paris.com/hko6/?rL0=lnnZpxegrJKzTox397oQ7hMdCzz828WEhmoqeuNRxe7x8IdLeLrXs8RcdM6azEYnfszPY9qEDw==&3f_X=Q2J8lT4hKB4
	EME_PO.39134.xlsx	Get hash	malicious	Browse	www.smartropeofficial.com/mz59/?VrGd-0=igsD6CIxfIdP/BmaDcqJRhdi7opbp9JZE0pffGSxnJfYzYphWR5FxPFRxokm8KQT47JnMg==&MDKtU=Jxotsl4pOvw
	Shipment Document BLINV And Packing List Attached.exe	Get hash	malicious	Browse	www.veryinteresthing.com/bg8v/?DXIXO=Ci+8b5yVi0HjeRDPketSQzJsjy9TvJsNh1v2CR5lKm1ZvVcQvafggDw5DTXIkkN2hOV2&Jt7=XPv4nH2h

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.edlasyarns.com	PO987556.exe	Get hash	malicious	Browse	160.122.150.218
shops.myshopify.com	inv.exe	Get hash	malicious	Browse	23.227.38.74
	EME_PO.39134.xlsx	Get hash	malicious	Browse	23.227.38.74
	Shipment Document BLINV And Packing List Attached.exe	Get hash	malicious	Browse	23.227.38.74
	Swift Copy.exe	Get hash	malicious	Browse	23.227.38.74
	Inv.exe	Get hash	malicious	Browse	23.227.38.64
	CSq58hA6nO.exe	Get hash	malicious	Browse	23.227.38.64
	New Order .xlsx	Get hash	malicious	Browse	23.227.38.64
	NQQWym075C.exe	Get hash	malicious	Browse	23.227.38.64
	Order specs19.11.20.exe	Get hash	malicious	Browse	23.227.38.64
	Payment Advice - Advice Ref GLV823990339.exe	Get hash	malicious	Browse	23.227.38.64
	SWIFT_HSBC Bank.exe	Get hash	malicious	Browse	23.227.38.64
	ORDER SPECIFITIONS.exe	Get hash	malicious	Browse	23.227.38.64
	anthony.exe	Get hash	malicious	Browse	23.227.38.64
	udtiZ6qM4s.exe	Get hash	malicious	Browse	23.227.38.64
	qAOaubZNjB.exe	Get hash	malicious	Browse	23.227.38.64
	uM0FDMSqE2.exe	Get hash	malicious	Browse	23.227.38.64
	new file.exe.exe	Get hash	malicious	Browse	23.227.38.64
	jrzlwOa0UC.exe	Get hash	malicious	Browse	23.227.38.64
	PDF ICITIUS33BUD10307051120003475.exe	Get hash	malicious	Browse	23.227.38.64
	HN1YzQ2L5v.exe	Get hash	malicious	Browse	23.227.38.64

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLAYERLIMITED-AS-APClayerLimitedHK	https://www.zhongguohnks.com	Get hash	malicious	Browse	155.159.255.154
	CSq58hA6nO.exe	Get hash	malicious	Browse	160.122.148.234
	Purchase Order 40,7045.exe	Get hash	malicious	Browse	168.206.180.179
	NQQWym075C.exe	Get hash	malicious	Browse	160.122.148.234
	ant.exe	Get hash	malicious	Browse	160.122.149.206
	nass.exe	Get hash	malicious	Browse	164.88.89.9
	new file.exe.exe	Get hash	malicious	Browse	168.206.237.116
	Zahlung-06.11.20.exe	Get hash	malicious	Browse	155.159.204.214
	7x7HROymud.exe	Get hash	malicious	Browse	160.121.58.239
	PLAN ORDER DURAN.exe	Get hash	malicious	Browse	160.121.180.19
	BANK TRANSFER SLIP.exe	Get hash	malicious	Browse	155.159.33.54
	PO_7801.exe	Get hash	malicious	Browse	164.88.101.212
	Payment Advice - Advice Ref[GLV824593835].exe	Get hash	malicious	Browse	164.88.81.242
	New Purchase Order 501,689$.exe	Get hash	malicious	Browse	168.206.49.204
	New Purchase Order 501,689$.exe	Get hash	malicious	Browse	164.88.89.161
	New Purchase Order 50,689$.exe	Get hash	malicious	Browse	164.88.89.161
	New Purchase Order 50,689$.exe	Get hash	malicious	Browse	160.121.14.148
	New Purchase Order 50,689$.exe	Get hash	malicious	Browse	164.88.89.161
	SecuriteInfo.com.Exploit.Siggen2.47709.12233.rtf	Get hash	malicious	Browse	160.121.132.40
	mp0nMsMroT.exe	Get hash	malicious	Browse	155.159.203.193
GOOGLEUS	Booking Confirmation.xlsx	Get hash	malicious	Browse	34.102.136.180
	PI202009255687.xlsx	Get hash	malicious	Browse	34.102.136.180
	VOMAXTRADING.doc	Get hash	malicious	Browse	34.102.136.180
	ACCOUNT TEAM.ppt	Get hash	malicious	Browse	172.217.168.1
	purchase order.exe	Get hash	malicious	Browse	34.102.136.180
	inv.exe	Get hash	malicious	Browse	34.102.136.180
	http://email.balluun.com/ls/click?upn=0tHwWGqJA7fIfwq261XQPoa-2Bm5KwDIa4k7cEZI4W-2FdMZ1Q80M51jA5s51EdYNFwUO080OaXBwsUkIwQ6bL8cCo1cNcDJzlw2uVCKEfhUzZ7Fudhp6bkdbJB13EqLH9-2B4kEnaIsd7WRusADisZIU-2FqT0gWvSPQ-2BUMBeGniMV23Qog3fOaT300-2Fv2T0mA5uuaLf6MwKyAEEDv4vRU3MHAWtQ-3D-3DaUdf_BEBGVEU6IBswk46BP-2FJGpTLX-2FIf4Ner2WBFJyc5PmXI5kSwVWq-2FIninIJmDnNhUsSuO8YJPXc32diFLFly8-2FlazGQr8nbzBIO-2BSvdfUqJySNySwNZh5-2F7tiFSU4CooXZWp-2FjpdCX-2Fz89pGPVGN3nhMItFmIBBYMcjwlGWZ8vS3fpyiPHr-2BxekPNfR4Lq-2Baznil07vpcMoEZofdPQTnqnmg-3D-3D	Get hash	malicious	Browse	172.217.168.84
	2020112395387_pdf.exe	Get hash	malicious	Browse	35.246.6.109
	anthon.exe	Get hash	malicious	Browse	34.102.136.180
	http://searchlf.com	Get hash	malicious	Browse	74.125.128.154
	RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe	Get hash	malicious	Browse	34.102.136.180
	https://www.canva.com/design/DAEOhhihuRE/ilbmdiYYv4SZabsnRUeaIQ/view?utm_content=DAEOhhihuRE&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton	Get hash	malicious	Browse	74.125.128.157
	https://www.canva.com/design/DAEOiuhLwDM/BOj9WYGqioxJf6uGii9b8Q/view?utm_content=DAEOiuhLwDM&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton	Get hash	malicious	Browse	172.217.168.34
	https://docs.google.com/document/d/e/2PACX-1vTkklFHE_qZt5bggVyzSlPIJpfBM78UhR9h5giojoPSOo0J_kMb27pVCxF_eQESVaFWkRLwKQoIVpE-/pub	Get hash	malicious	Browse	74.125.128.155
	https://docs.google.com/forms/d/e/1FAIpQLSfvVCUvByTC7wIMNQsuALuu8sCIp5hXEtWabaZn5DsGltbkEg/viewform	Get hash	malicious	Browse	216.58.215.225
	https://docs.google.com/forms/d/e/1FAIpQLSfvVCUvByTC7wIMNQsuALuu8sCIp5hXEtWabaZn5DsGltbkEg/viewform	Get hash	malicious	Browse	172.217.168.34
	https://Index.potentialissue.xyz/?e=fake@fake.com	Get hash	malicious	Browse	74.125.128.155
	https://omgzone.co.uk/	Get hash	malicious	Browse	35.190.25.25
	http://yjjv.midlidl.com/index	Get hash	malicious	Browse	172.217.168.1
CLOUDFLARENETUS	AsyncClient.exe	Get hash	malicious	Browse	104.24.126.89
	https://sugar-stirring-mockingbird.glitch.me/#comp@hansi.at	Get hash	malicious	Browse	104.16.18.94
	inv.exe	Get hash	malicious	Browse	23.227.38.74
	doc-6954.xls	Get hash	malicious	Browse	104.18.62.178
	CO R94-04________PDF.jar	Get hash	malicious	Browse	104.20.23.46
	QQWUO898519.xls	Get hash	malicious	Browse	104.18.48.20
	2020112395387_pdf.exe	Get hash	malicious	Browse	104.18.32.47
	CO R94-04________PDF.jar	Get hash	malicious	Browse	104.20.23.46
	QQWUO898519.xls	Get hash	malicious	Browse	104.18.48.20
	anthon.exe	Get hash	malicious	Browse	172.67.209.143
	Statement Of Account.exe	Get hash	malicious	Browse	104.23.98.190
	http://searchlf.com	Get hash	malicious	Browse	104.18.226.52
	instrument indenture_11.25.2020.doc	Get hash	malicious	Browse	104.27.140.32
	SecuriteInfo.com.Heur.18406.xls	Get hash	malicious	Browse	172.67.159.187
	SecuriteInfo.com.Heur.18406.xls	Get hash	malicious	Browse	104.28.23.244
	instrument indenture_11.25.2020.doc	Get hash	malicious	Browse	104.27.141.32
	Vessel details.doc	Get hash	malicious	Browse	162.159.135.233
	instrument indenture_11.25.2020.doc	Get hash	malicious	Browse	104.27.140.32
	adjure-11.20.doc	Get hash	malicious	Browse	104.27.145.245
	adjure.11.25.2020.doc	Get hash	malicious	Browse	104.24.123.45

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO98765.exe.log Download File
Process:	C:\Users\user\Desktop\PO98765.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1406
Entropy (8bit):	5.341099307467139
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmER:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHg
MD5:	E5FA1A53BA6D70E18192AF6AF7CFDBFA
SHA1:	1C076481F11366751B8DA795C98A54DE8D1D82D5
SHA-256:	1D7BAA6D3EB5A504FD4652BC01A0864DEE898D35D9E29D03EB4A60B0D6405D83
SHA-512:	77850814E24DB48E3DDF9DF5B6A8110EE1A823BAABA800F89CD353EAC7F72E48B13F3F4A4DC8E5F0FAA707A7F14ED90577CF1CB106A0422F0BEDD1EFD2E940E4
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.3134929233666135
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	PO98765.exe
File size:	688128
MD5:	137ec800f9c49390f2f225ab22774443
SHA1:	2f3f1a1615b625cb1daf8d1e4a3eba208a89e30d
SHA256:	60263179eccb843c5aa38040ebd2483b29a3923a94987f006561488e5d0f1d96
SHA512:	41b84ea68ec7c2b9fd5205a1ce00fcbfbe03d82efb4ae7ca9030f643aae341ff32b23974a23db5f8c0fbb423b569e838c10da56f185cbf4e70f1c634e8b570ec
SSDEEP:	12288:WTrUNQIc2+gkNmZh18NVxQ6Ssz2UAP85zPvE:jlc2BNP6NVGRsI85LvE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z._..............P..v..........N.... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4a944e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FBF5AE3 [Thu Nov 26 07:36:03 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa93fc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xaa000	0x480	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xac000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa7454	0xa7600	False	0.726912574683	data	7.32069962776	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xaa000	0x480	0x600	False	0.309244791667	data	2.62722465362	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xac000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xaa058	0x424	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Token Software 2014 - 2020 (GNU GPL)
Assembly Version	1.0.0.0
InternalName	BfRf.exe
FileVersion	1.0.0.0
CompanyName	Token Softwares
LegalTrademarks
Comments	Manages the creation and activation of profiles in the X3 games created by Egosoft.
ProductName	Profile Manager
ProductVersion	1.0.0.0
FileDescription	Profile Manager
OriginalFilename	BfRf.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/26/20-09:57:21.714305	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49709	34.102.136.180	192.168.2.4
11/26/20-09:57:42.153271	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49712	23.227.38.74	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2020 09:57:21.582588911 CET	49709	80	192.168.2.4	34.102.136.180
Nov 26, 2020 09:57:21.598923922 CET	80	49709	34.102.136.180	192.168.2.4
Nov 26, 2020 09:57:21.599069118 CET	49709	80	192.168.2.4	34.102.136.180
Nov 26, 2020 09:57:21.599386930 CET	49709	80	192.168.2.4	34.102.136.180
Nov 26, 2020 09:57:21.615598917 CET	80	49709	34.102.136.180	192.168.2.4
Nov 26, 2020 09:57:21.714304924 CET	80	49709	34.102.136.180	192.168.2.4
Nov 26, 2020 09:57:21.714354992 CET	80	49709	34.102.136.180	192.168.2.4
Nov 26, 2020 09:57:21.714684963 CET	49709	80	192.168.2.4	34.102.136.180
Nov 26, 2020 09:57:21.714863062 CET	49709	80	192.168.2.4	34.102.136.180
Nov 26, 2020 09:57:21.731035948 CET	80	49709	34.102.136.180	192.168.2.4
Nov 26, 2020 09:57:41.965548038 CET	49712	80	192.168.2.4	23.227.38.74
Nov 26, 2020 09:57:41.981944084 CET	80	49712	23.227.38.74	192.168.2.4
Nov 26, 2020 09:57:41.985135078 CET	49712	80	192.168.2.4	23.227.38.74
Nov 26, 2020 09:57:41.985487938 CET	49712	80	192.168.2.4	23.227.38.74
Nov 26, 2020 09:57:42.001837969 CET	80	49712	23.227.38.74	192.168.2.4
Nov 26, 2020 09:57:42.153270960 CET	80	49712	23.227.38.74	192.168.2.4
Nov 26, 2020 09:57:42.153326035 CET	80	49712	23.227.38.74	192.168.2.4
Nov 26, 2020 09:57:42.153441906 CET	80	49712	23.227.38.74	192.168.2.4
Nov 26, 2020 09:57:42.153491974 CET	80	49712	23.227.38.74	192.168.2.4
Nov 26, 2020 09:57:42.153522015 CET	80	49712	23.227.38.74	192.168.2.4
Nov 26, 2020 09:57:42.153549910 CET	80	49712	23.227.38.74	192.168.2.4
Nov 26, 2020 09:57:42.153578997 CET	80	49712	23.227.38.74	192.168.2.4
Nov 26, 2020 09:57:42.153582096 CET	49712	80	192.168.2.4	23.227.38.74
Nov 26, 2020 09:57:42.153647900 CET	49712	80	192.168.2.4	23.227.38.74
Nov 26, 2020 09:57:42.153775930 CET	49712	80	192.168.2.4	23.227.38.74
Nov 26, 2020 09:57:42.154025078 CET	49712	80	192.168.2.4	23.227.38.74
Nov 26, 2020 09:58:02.675896883 CET	49715	80	192.168.2.4	160.122.150.218
Nov 26, 2020 09:58:05.676021099 CET	49715	80	192.168.2.4	160.122.150.218
Nov 26, 2020 09:58:11.676599026 CET	49715	80	192.168.2.4	160.122.150.218
Nov 26, 2020 09:58:24.791840076 CET	49718	80	192.168.2.4	160.122.150.218
Nov 26, 2020 09:58:27.803355932 CET	49718	80	192.168.2.4	160.122.150.218

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2020 09:56:46.876534939 CET	49182	53	192.168.2.4	8.8.8.8
Nov 26, 2020 09:56:46.903584957 CET	53	49182	8.8.8.8	192.168.2.4
Nov 26, 2020 09:56:53.255492926 CET	59920	53	192.168.2.4	8.8.8.8
Nov 26, 2020 09:56:53.282816887 CET	53	59920	8.8.8.8	192.168.2.4
Nov 26, 2020 09:57:21.534744024 CET	57458	53	192.168.2.4	8.8.8.8
Nov 26, 2020 09:57:21.574743986 CET	53	57458	8.8.8.8	192.168.2.4
Nov 26, 2020 09:57:22.688765049 CET	50579	53	192.168.2.4	8.8.8.8
Nov 26, 2020 09:57:22.715966940 CET	53	50579	8.8.8.8	192.168.2.4
Nov 26, 2020 09:57:24.885966063 CET	51703	53	192.168.2.4	8.8.8.8
Nov 26, 2020 09:57:24.912981987 CET	53	51703	8.8.8.8	192.168.2.4
Nov 26, 2020 09:57:41.923377037 CET	65248	53	192.168.2.4	8.8.8.8
Nov 26, 2020 09:57:41.963454962 CET	53	65248	8.8.8.8	192.168.2.4
Nov 26, 2020 09:57:51.821472883 CET	53723	53	192.168.2.4	8.8.8.8
Nov 26, 2020 09:57:51.848748922 CET	53	53723	8.8.8.8	192.168.2.4
Nov 26, 2020 09:57:52.637336016 CET	64646	53	192.168.2.4	8.8.8.8
Nov 26, 2020 09:57:52.664422989 CET	53	64646	8.8.8.8	192.168.2.4
Nov 26, 2020 09:58:02.332180977 CET	65298	53	192.168.2.4	8.8.8.8
Nov 26, 2020 09:58:02.674093962 CET	53	65298	8.8.8.8	192.168.2.4
Nov 26, 2020 09:58:05.489701033 CET	59123	53	192.168.2.4	8.8.8.8
Nov 26, 2020 09:58:05.516762972 CET	53	59123	8.8.8.8	192.168.2.4
Nov 26, 2020 09:58:18.561975956 CET	54531	53	192.168.2.4	8.8.8.8
Nov 26, 2020 09:58:18.589188099 CET	53	54531	8.8.8.8	192.168.2.4
Nov 26, 2020 09:58:24.445055008 CET	49714	53	192.168.2.4	8.8.8.8
Nov 26, 2020 09:58:24.787240982 CET	53	49714	8.8.8.8	192.168.2.4
Nov 26, 2020 09:58:25.697844028 CET	58028	53	192.168.2.4	8.8.8.8
Nov 26, 2020 09:58:25.753426075 CET	53	58028	8.8.8.8	192.168.2.4
Nov 26, 2020 09:58:30.835995913 CET	53097	53	192.168.2.4	8.8.8.8
Nov 26, 2020 09:58:30.863044977 CET	53	53097	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 26, 2020 09:57:21.534744024 CET	192.168.2.4	8.8.8.8	0x6df1	Standard query (0)	www.westhighlandwaytours.com	A (IP address)	IN (0x0001)
Nov 26, 2020 09:57:41.923377037 CET	192.168.2.4	8.8.8.8	0xed31	Standard query (0)	www.bloochy.com	A (IP address)	IN (0x0001)
Nov 26, 2020 09:58:02.332180977 CET	192.168.2.4	8.8.8.8	0x4f61	Standard query (0)	www.edlasyarns.com	A (IP address)	IN (0x0001)
Nov 26, 2020 09:58:24.445055008 CET	192.168.2.4	8.8.8.8	0x19c1	Standard query (0)	www.edlasyarns.com	A (IP address)	IN (0x0001)
Nov 26, 2020 09:58:25.697844028 CET	192.168.2.4	8.8.8.8	0x149a	Standard query (0)	www.punebites.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 26, 2020 09:57:21.574743986 CET	8.8.8.8	192.168.2.4	0x6df1	No error (0)	www.westhighlandwaytours.com	westhighlandwaytours.com		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2020 09:57:21.574743986 CET	8.8.8.8	192.168.2.4	0x6df1	No error (0)	westhighlandwaytours.com		34.102.136.180	A (IP address)	IN (0x0001)
Nov 26, 2020 09:57:41.963454962 CET	8.8.8.8	192.168.2.4	0xed31	No error (0)	www.bloochy.com	bloochy.myshopify.com		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2020 09:57:41.963454962 CET	8.8.8.8	192.168.2.4	0xed31	No error (0)	bloochy.myshopify.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2020 09:57:41.963454962 CET	8.8.8.8	192.168.2.4	0xed31	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)
Nov 26, 2020 09:58:02.674093962 CET	8.8.8.8	192.168.2.4	0x4f61	No error (0)	www.edlasyarns.com		160.122.150.218	A (IP address)	IN (0x0001)
Nov 26, 2020 09:58:24.787240982 CET	8.8.8.8	192.168.2.4	0x19c1	No error (0)	www.edlasyarns.com		160.122.150.218	A (IP address)	IN (0x0001)
Nov 26, 2020 09:58:25.753426075 CET	8.8.8.8	192.168.2.4	0x149a	No error (0)	www.punebites.com	punebites.com		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2020 09:58:25.753426075 CET	8.8.8.8	192.168.2.4	0x149a	No error (0)	punebites.com		81.19.215.15	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.westhighlandwaytours.com

www.bloochy.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49709	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 09:57:21.599386930 CET	24	OUT	GET /sbmh/?4hLtM4=7c1Yf2hXTdqRFKk5H17xFHcZtn6ZaViryhouZ8x83IEcsjPhhroi25cpiHSX6hk8gWCa&n0DXRn=xPJxZNG0xPz HTTP/1.1 Host: www.westhighlandwaytours.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 09:57:21.714304924 CET	24	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Thu, 26 Nov 2020 08:57:21 GMT Content-Type: text/html Content-Length: 275 ETag: "5fb7c9ca-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49712	23.227.38.74	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 09:57:41.985487938 CET	50	OUT	GET /sbmh/?4hLtM4=skYwVssfaMrhlhDh0By1+2yNFudwvP+0WfyEru4f7dWeU3QH+Wh99HLFJYHhc5Wxp3Js&n0DXRn=xPJxZNG0xPz HTTP/1.1 Host: www.bloochy.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 09:57:42.153270960 CET	51	IN	HTTP/1.1 403 Forbidden Date: Thu, 26 Nov 2020 08:57:42 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Sorting-Hat-PodId: 167 X-Sorting-Hat-ShopId: 45989331112 X-Dc: gcp-us-central1 X-Request-ID: f0326ea8-ce8b-479d-8dcb-cb43ea808d5c X-Download-Options: noopen X-Permitted-Cross-Domain-Policies: none X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block CF-Cache-Status: DYNAMIC cf-request-id: 06a55edf67000032587c094000000001 Server: cloudflare CF-RAY: 5f826745793b3258-FRA Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 61 6c 69 67 6e 2d 69 74 Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:column}.text-container--main{flex:1;display:flex;align-it
Nov 26, 2020 09:57:42.153326035 CET	52	IN	Data Raw: 65 6d 73 3a 73 74 61 72 74 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 2e 36 72 65 6d 7d 2e 61 63 74 69 6f 6e 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 41 39 41 39 41 39 3b 70 61 64 64 69 6e 67 3a 31 2e 32 72 65 6d 20 32 2e 35 Data Ascii: ems:start;margin-bottom:1.6rem}.action{border:1px solid #A9A9A9;padding:1.2rem 2.5rem;border-radius:6px;text-decoration:none;margin-top:1.6rem;display:inline-block;font-size:1.5rem;transition:border-color 0.2s ease-in}.action:hover{border-colo
Nov 26, 2020 09:57:42.153441906 CET	54	IN	Data Raw: 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 4e 6f 20 74 69 65 6e 65 73 20 70 65 72 6d 69 73 6f 20 70 61 72 61 20 61 63 63 65 64 65 72 20 61 20 65 73 74 61 20 70 c3 a1 67 69 6e 61 20 77 65 62 22 0a 20 20 7d 2c 0a 20 20 22 6b 6f 22 3a 20 7b 0a 20 20 20 Data Ascii: ent-title": "No tienes permiso para acceder a esta pgina web" }, "ko": { "title": " ", "content-title": " " }, "da": { "title": "Adgang
Nov 26, 2020 09:57:42.153491974 CET	55	IN	Data Raw: 95 e0 a5 8b 20 e0 a4 87 e0 a4 b8 20 e0 a4 b5 e0 a5 87 e0 a4 ac e0 a4 b8 e0 a4 be e0 a4 87 e0 a4 9f 20 e0 a4 a4 e0 a4 95 20 e0 a4 aa e0 a4 b9 e0 a5 81 e0 a4 82 e0 a4 9a 20 e0 a4 aa e0 a5 8d e0 a4 b0 e0 a4 be e0 a4 aa e0 a5 8d e0 a4 a4 20 e0 a4 95 Data Ascii: " }, "ja": { "title": "", "content-title": "
Nov 26, 2020 09:57:42.153522015 CET	55	IN	Data Raw: 6c 61 74 69 6f 6e 73 29 20 7b 0a 20 20 20 20 74 61 72 67 65 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 28 22 5b 64 61 74 61 2d 69 31 38 6e 3d 22 20 2b 20 69 64 20 2b 20 22 5d 22 29 3b 0a 20 20 20 20 69 66 20 28 Data Ascii: lations) { target = document.querySelector("[data-i18n=" + id + "]"); if (target != undefined) { target.innerHTML = translations[id]; } } // Replace title tage document.title = translations["title"]; // Replace langua
Nov 26, 2020 09:57:42.153549910 CET	55	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xE3
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xE3
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xE3
GetMessageA	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xE3

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: PO98765.exe PID: 484 Parent PID: 5836

General

Start time:	09:56:19
Start date:	26/11/2020
Path:	C:\Users\user\Desktop\PO98765.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PO98765.exe'
Imagebase:	0x350000
File size:	688128 bytes
MD5 hash:	137EC800F9C49390F2F225AB22774443
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.679040055.0000000003741000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.678398737.0000000002741000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: PO98765.exe PID: 2440 Parent PID: 484

General

Start time:	09:56:28
Start date:	26/11/2020
Path:	C:\Users\user\Desktop\PO98765.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\PO98765.exe
Imagebase:	0xab0000
File size:	688128 bytes
MD5 hash:	137EC800F9C49390F2F225AB22774443
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.715786451.0000000001040000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.715786451.0000000001040000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.715786451.0000000001040000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.715956692.00000000013F0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.715956692.00000000013F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.715956692.00000000013F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exe PID: 3424 Parent PID: 2440

General

Start time:	09:56:30
Start date:	26/11/2020
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: mstsc.exe PID: 6024 Parent PID: 3424

General

Start time:	09:56:43
Start date:	26/11/2020
Path:	C:\Windows\SysWOW64\mstsc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\mstsc.exe
Imagebase:	0x1070000
File size:	3444224 bytes
MD5 hash:	2412003BE253A515C620CE4890F3D8F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.923055372.0000000000F40000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.923022023.0000000000F10000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: cmd.exe PID: 5068 Parent PID: 6024

General

Start time:	09:56:47
Start date:	26/11/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\PO98765.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 4484 Parent PID: 5068

General

Start time:	09:56:47
Start date:	26/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: PO98765.exe PID: 484 Parent PID: 5836 PO98765.exeCOMMON

Executed Functions

Function 05BA76F2, Relevance: 2.6, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

(, xrefs: 05BA6F68
', xrefs: 05BA6F6D

Memory Dump Source

Source File: 00000000.00000002.682320110.0000000005BA0000.00000040.00000001.sdmp, Offset: 05BA0000, based on PE: false

Similarity

API ID:
String ID: '$(
API String ID: 0-102678571
Opcode ID: c8fdb49aaea9c81a57fb1c1f7f84dbb6e17012b81756be57c130cbd6bedf1f07
Instruction ID: 3b8182fc28dc1525bff93ea3e56f6fe7b85f7624ec0ad660dad5db0cd1a13ea6
Opcode Fuzzy Hash: c8fdb49aaea9c81a57fb1c1f7f84dbb6e17012b81756be57c130cbd6bedf1f07
Instruction Fuzzy Hash: 8D31F2B1D4926CCBCB64DFA4C8457EDB7B2EB4A305F4051E9D40AA7241DB306E86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05BA62D8, Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(00000000), ref: 05BA6424

Memory Dump Source

Source File: 00000000.00000002.682320110.0000000005BA0000.00000040.00000001.sdmp, Offset: 05BA0000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: b1cd97c94767521716928350db0230974beb767927f3c31eed82bc33bab691e0
Instruction ID: 02542f0a7aaade590322436750fdb4726f1ff4eb2370d20a8f08fa28f07a2961
Opcode Fuzzy Hash: b1cd97c94767521716928350db0230974beb767927f3c31eed82bc33bab691e0
Instruction Fuzzy Hash: 4C5115B5D042488FDB14CFA9C595B9EBBF1FF48304F288069E816AB255CB78A845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05BA3798, Relevance: 1.6, Strings: 1, Instructions: 340COMMON

Download Yara Rule

Strings

<l, xrefs: 05BA39E5

Memory Dump Source

Source File: 00000000.00000002.682320110.0000000005BA0000.00000040.00000001.sdmp, Offset: 05BA0000, based on PE: false

Similarity

API ID:
String ID: <l
API String ID: 0-969013996
Opcode ID: 2a0e4346317927bd490c6dbe56a5b4afd6430661ae1f893b723115ed2479f4df
Instruction ID: 58867358f6c61c97e900d800a3226b748ab9e723a86762ec05ad289932b42f99
Opcode Fuzzy Hash: 2a0e4346317927bd490c6dbe56a5b4afd6430661ae1f893b723115ed2479f4df
Instruction Fuzzy Hash: 46D18B71E04209CFCB14DFA8C484AAEFBF2FF88314F15855AE515AB361DB34A946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05BA8EF8, Relevance: .5, Instructions: 504COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.682320110.0000000005BA0000.00000040.00000001.sdmp, Offset: 05BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba0ef8d35b2184192a66b2f09bc72a294bfba8c32c87181696800a1635e3f8d
Instruction ID: ea03fa73eb9106654c203b0da1982c1af50c07bcb28e953b6710e83b546f0bcc
Opcode Fuzzy Hash: 6ba0ef8d35b2184192a66b2f09bc72a294bfba8c32c87181696800a1635e3f8d
Instruction Fuzzy Hash: C8E1DB727092449FEB25DB76C464BAEB7FBEF88700F1484ADD5468B690CB31E905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05BA17B0, Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.682320110.0000000005BA0000.00000040.00000001.sdmp, Offset: 05BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e087e83bdf29857d7d5a5f5c178b441b3916cd88ccf67e7a21246842663697f3
Instruction ID: ad540b93acfb6969b315a7402343d92717cad7d81394b029da9e3d2ddffe23ba
Opcode Fuzzy Hash: e087e83bdf29857d7d5a5f5c178b441b3916cd88ccf67e7a21246842663697f3
Instruction Fuzzy Hash: 3DB17F71E08209CFDB50CFA9C9857EEBBF2FF88314F148169D419A7294EB74A845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05BA2080, Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.682320110.0000000005BA0000.00000040.00000001.sdmp, Offset: 05BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56811e315db897d1e63e935967e1c883f2b88c2e9b85c6f9a90b8d691797b5c0
Instruction ID: 1c4cb25c1f7e64138f64c8701b849d32c9abb3f2a31cac527a68b269f1aa747e
Opcode Fuzzy Hash: 56811e315db897d1e63e935967e1c883f2b88c2e9b85c6f9a90b8d691797b5c0
Instruction Fuzzy Hash: 7BB15D75E08209CFDB14CFA9C9857ADFBF2FF88314F248169D815A7294EB74A845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0266B264, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.678282091.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c2b4fb2cd8d95ab935b66d5ba245b40870ca3296ec5117c45715c5b2a3ef647
Instruction ID: d5b6fc1b3cfc0d1203c5aa455e0e8b8a740ae457f618a082323b506677e39e54
Opcode Fuzzy Hash: 1c2b4fb2cd8d95ab935b66d5ba245b40870ca3296ec5117c45715c5b2a3ef647
Instruction Fuzzy Hash: EB918035E0031ADFCB04DBF0D8549ADB7BAFF89304F158615E416AB2A4EB74A941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05BBBF38, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.682334427.0000000005BB0000.00000040.00000001.sdmp, Offset: 05BB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdfd037470f927bfe5406a633c26c09e8e51545bbed091d71b9de8927184412c
Instruction ID: b277c9f67d1058914f4d73a6d1bfa2bae3e9065dfb12cd89d011a5e85ba90095
Opcode Fuzzy Hash: cdfd037470f927bfe5406a633c26c09e8e51545bbed091d71b9de8927184412c
Instruction Fuzzy Hash: A191F174E082898BEB04DFA9C544AEEBBF2BF89314F24C1A9D405AB345D7B4AD41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0266DF73, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.678282091.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd153079814bf30d321efeafe45784a4e6978dc86321ae8bf091b535113b46aa
Instruction ID: 375251f895f855b1521aa418b7fefb224efda413751bb1facb18ce66b280e10a
Opcode Fuzzy Hash: bd153079814bf30d321efeafe45784a4e6978dc86321ae8bf091b535113b46aa
Instruction Fuzzy Hash: C5817F35E0031A9FCB04DBF0D8548EDBBBAFF89304F148615E416AB2A4EB70A985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05BA85F9, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.682320110.0000000005BA0000.00000040.00000001.sdmp, Offset: 05BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a549c23dbb1098dbd97c4fb04f5fd8bace8488d65329dcbedffe9d4713f331f7
Instruction ID: adc629a873bedf69653f4c47980645ed5bf34251db346a8b6933e7c4bcb57474
Opcode Fuzzy Hash: a549c23dbb1098dbd97c4fb04f5fd8bace8488d65329dcbedffe9d4713f331f7
Instruction Fuzzy Hash: 2F115871C092588FDB148FA9C418BEDBBF1FB4E311F1491A9E082B7291D7389944DB65

Uniqueness

Uniqueness Score: -1.00%

Function 02666B80, Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02666BF0
GetCurrentThread.KERNEL32 ref: 02666C2D
GetCurrentProcess.KERNEL32 ref: 02666C6A
GetCurrentThreadId.KERNEL32 ref: 02666CC3

Memory Dump Source

Source File: 00000000.00000002.678282091.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: fbcf7df0ff7c4cf73aee447ac8cf8952b9bbfe5f9ea8fcb88e7f92384c8210c6
Instruction ID: 31343a25b4fb6bccee4c9916f3329159dd0258b417a1b3b44c93e647ccfde242
Opcode Fuzzy Hash: fbcf7df0ff7c4cf73aee447ac8cf8952b9bbfe5f9ea8fcb88e7f92384c8210c6
Instruction Fuzzy Hash: FD5165B4E00689CFDB10CFA9D688BEEBBF5EF48318F148459E509A7350DB385844CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02666B90, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02666BF0
GetCurrentThread.KERNEL32 ref: 02666C2D
GetCurrentProcess.KERNEL32 ref: 02666C6A
GetCurrentThreadId.KERNEL32 ref: 02666CC3

Memory Dump Source

Source File: 00000000.00000002.678282091.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 31b0ba3c625245739c7e120250664bcd9f5e65ffb2fe54f942b2aede57c708d0
Instruction ID: 190f47695de1fe7e72d99999a4a6c43c81871679a3290bca17fec9b5b6e968c9
Opcode Fuzzy Hash: 31b0ba3c625245739c7e120250664bcd9f5e65ffb2fe54f942b2aede57c708d0
Instruction Fuzzy Hash: D35166B4E00649CFDB14CFA9D6887AEBBF5EF48318F148459E109A3350DB346844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05BBDC08, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05BBDE3E

Memory Dump Source

Source File: 00000000.00000002.682334427.0000000005BB0000.00000040.00000001.sdmp, Offset: 05BB0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 416b9438128ccc7cd53c0e93cb2f01399e1b6d82693ea9a02650d63e491d3a02
Instruction ID: e922478eaca9d2c7c88a2d98f92464c74a704f43e89f1dff431d1ac27eeaa4b6
Opcode Fuzzy Hash: 416b9438128ccc7cd53c0e93cb2f01399e1b6d82693ea9a02650d63e491d3a02
Instruction Fuzzy Hash: 1E916B71D046199FEB10CF68C841BEDBBB2FF48304F1585A9E849A7250DBF8A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0266BBB8, Relevance: 1.7, APIs: 1, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.678282091.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acbcb9d97d3eca84d04081769a9be800292f18e0d19c328cd1354a14ad91f9c3
Instruction ID: 613ffe6741149180aaf34040729a037c333a6db62f17753d753743d2818dc354
Opcode Fuzzy Hash: acbcb9d97d3eca84d04081769a9be800292f18e0d19c328cd1354a14ad91f9c3
Instruction Fuzzy Hash: 5C812570A00B45CFDB24DF69D05576ABBF2BF88208F008A29D586E7B50DB75A906CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05BA6249, Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(00000000), ref: 05BA6424

Memory Dump Source

Source File: 00000000.00000002.682320110.0000000005BA0000.00000040.00000001.sdmp, Offset: 05BA0000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: f34c0c8aaa821b10339e5378c498b47a8c85aa0ca0daad1e59784be74b9f2d23
Instruction ID: 77497e968b8704b01902b2075b332d4ec7cc3fab200d4905c007dfa2f9960360
Opcode Fuzzy Hash: f34c0c8aaa821b10339e5378c498b47a8c85aa0ca0daad1e59784be74b9f2d23
Instruction Fuzzy Hash: 62718CB2D082488FDB14CFA8C895B9DFBF1FF48304F2980A9D416AB395D774A945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0266DC6D, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0266DD8A

Memory Dump Source

Source File: 00000000.00000002.678282091.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 08330a3057d07c4635f5555a9bd1c29c8a2852cd0db061b72abe83e79a7fa5d7
Instruction ID: 6e3f6e3709190d1b301ee85d7fb38eccf815879a26116331a96f57b4d8a620be
Opcode Fuzzy Hash: 08330a3057d07c4635f5555a9bd1c29c8a2852cd0db061b72abe83e79a7fa5d7
Instruction Fuzzy Hash: BE51E2B1D00349DFDF14DFA9D884ADDBBB6BF88314F24812AE819AB250D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0266DC78, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0266DD8A

Memory Dump Source

Source File: 00000000.00000002.678282091.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 980ee1cd0769993715d5812eccd3facac14a573d6baf7946bf5e4f1e87256f12
Instruction ID: c7377b4cd2d533af6cff93e36a6720f7d9b11d9d195c8251186f82e499f9319a
Opcode Fuzzy Hash: 980ee1cd0769993715d5812eccd3facac14a573d6baf7946bf5e4f1e87256f12
Instruction Fuzzy Hash: 2841C0B1D00349EFDB14DF99D884ADEBBB5BF88314F24812AE819AB250D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02666D41, Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02666E3F

Memory Dump Source

Source File: 00000000.00000002.678282091.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 368d82d7bc56cdeef04e94663b4cebd9d442649bc1adee9c7967e71ffa7f4527
Instruction ID: 07587b77086e7f5d626ccf4a34634f22d286888f356046c12dac86afddb1598d
Opcode Fuzzy Hash: 368d82d7bc56cdeef04e94663b4cebd9d442649bc1adee9c7967e71ffa7f4527
Instruction Fuzzy Hash: 6F415B76900248AFCF11CFA9D984AEEBFF9EB49314F14805AE944A7360C7359915DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05BA64E4, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

FindWindowA.USER32(?), ref: 05BA65C7

Memory Dump Source

Source File: 00000000.00000002.682320110.0000000005BA0000.00000040.00000001.sdmp, Offset: 05BA0000, based on PE: false

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 1ef012a2ab2c59ca1469f7746c8fe591df1b606995bc9d95ba2fa94a9fcd43ff
Instruction ID: 94362c42a6fb9acc8d7b95a8b93c2ab2cbac8b1386964043da5ede80dcc2187a
Opcode Fuzzy Hash: 1ef012a2ab2c59ca1469f7746c8fe591df1b606995bc9d95ba2fa94a9fcd43ff
Instruction Fuzzy Hash: 454187B2D04258CFDB10CFA9C8857DEBBF1FB48314F18856AE815A7254DB74A846CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05BA64F0, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

FindWindowA.USER32(?), ref: 05BA65C7

Memory Dump Source

Source File: 00000000.00000002.682320110.0000000005BA0000.00000040.00000001.sdmp, Offset: 05BA0000, based on PE: false

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 41dfb10dca0200969a3038e7bc2f6fb0a53638937f38d69d3b3b63b88f163374
Instruction ID: 1114e02e77fbce985c45c6952d4905fd2776864991e1d4206befd1987be90db9
Opcode Fuzzy Hash: 41dfb10dca0200969a3038e7bc2f6fb0a53638937f38d69d3b3b63b88f163374
Instruction Fuzzy Hash: D63162B2D042588FDB10CFA9C885BDEBBF1FB48314F18856AE815A7254DB74A845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05BBD8F0, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05BBD980

Memory Dump Source

Source File: 00000000.00000002.682334427.0000000005BB0000.00000040.00000001.sdmp, Offset: 05BB0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ecb0fcdb5ae160679adecfff69901eb5c0ff25356be2d825c18a933202fac4f5
Instruction ID: ffe86425f755cae259bb7987972d91f49b443a1843818373ddf7aae2c91aad29
Opcode Fuzzy Hash: ecb0fcdb5ae160679adecfff69901eb5c0ff25356be2d825c18a933202fac4f5
Instruction Fuzzy Hash: 9E212A719003599FDB10CFA9C8847EEBBF5FF48314F148429E959A7250C7B8A954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02666DB0, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02666E3F

Memory Dump Source

Source File: 00000000.00000002.678282091.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e86bbf6419910dea2e75b8283d2ce35e9e090bf5889b616b5144ae56e24cbef8
Instruction ID: 7407fad1140545a971b0ef2efe56840c118c104a006a445638d77c81910c0758
Opcode Fuzzy Hash: e86bbf6419910dea2e75b8283d2ce35e9e090bf5889b616b5144ae56e24cbef8
Instruction Fuzzy Hash: 6021F2B59002489FDB10CFA9D584BEEBBF8FF48324F14805AE954A3310C378A955CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05BBDA10, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05BBDA90

Memory Dump Source

Source File: 00000000.00000002.682334427.0000000005BB0000.00000040.00000001.sdmp, Offset: 05BB0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e917fbea26ec2e1bc2af3df7624db821bf22fad67cdb02ebd4db4ba8ecba65d6
Instruction ID: 7e1403a88d34b298b43e0c237b604b5fbdbf30f188c612855f4bf7d9d1ec50d3
Opcode Fuzzy Hash: e917fbea26ec2e1bc2af3df7624db821bf22fad67cdb02ebd4db4ba8ecba65d6
Instruction Fuzzy Hash: F12128B1D002599FDB10DFAAC880BEEBBF5FF48314F54842AE559A7250D7789940CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05BBD668, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 05BBD6E6

Memory Dump Source

Source File: 00000000.00000002.682334427.0000000005BB0000.00000040.00000001.sdmp, Offset: 05BB0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: f5aa964ee6dea6e06d05ce74db4447b10b8b0d990f9bc60056f89200590c1152
Instruction ID: 92c6270055752c5020e298eeac016c12304f38d0dc736cb10ad4698fa4982ec3
Opcode Fuzzy Hash: f5aa964ee6dea6e06d05ce74db4447b10b8b0d990f9bc60056f89200590c1152
Instruction Fuzzy Hash: 11213A71D042498FDB10DFAAC4847EEBBF4EF48214F148429D559A7240DBB8A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02666DB8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02666E3F

Memory Dump Source

Source File: 00000000.00000002.678282091.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: be9e18592e0435b9f686ace0fdeda83ad4c1c83ac0608a8e422c902f2cd6fe5e
Instruction ID: 99a83db1d7470c9df796395b0dd7828a46f6863164bb7cb03e66b587a8cef716
Opcode Fuzzy Hash: be9e18592e0435b9f686ace0fdeda83ad4c1c83ac0608a8e422c902f2cd6fe5e
Instruction Fuzzy Hash: 9921C4B59002499FDB10CFA9D984BEEBBF8EB48324F14841AE954A3310D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0266B0D8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0266BE89,00000800,00000000,00000000), ref: 0266C09A

Memory Dump Source

Source File: 00000000.00000002.678282091.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 37cd7817f2e8146e220516af56ef4580fe5f063dbf5d7519ade777828e265b9c
Instruction ID: 77db16a5a60740a24d5c5a61e8fc4728e213cdfaf287ee3042489bc14de9e878
Opcode Fuzzy Hash: 37cd7817f2e8146e220516af56ef4580fe5f063dbf5d7519ade777828e265b9c
Instruction Fuzzy Hash: 301133B6D002498FDB10CF9AD548BEEFBF4AB48324F04842AE855B7200C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0266C028, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0266BE89,00000800,00000000,00000000), ref: 0266C09A

Memory Dump Source

Source File: 00000000.00000002.678282091.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 277c0b356d3533817a09471395850a8723830528c0731df9bbd44a68990f07c5
Instruction ID: 18f664846c70d098d4f297df5d2168548eed7e8c904dacb35a79515df6875dfa
Opcode Fuzzy Hash: 277c0b356d3533817a09471395850a8723830528c0731df9bbd44a68990f07c5
Instruction Fuzzy Hash: C71117B6D002498FDB10CFAAD548BEEFBF4AB48314F14852ED455B7610C375A946CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05BBD800, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05BBD86E

Memory Dump Source

Source File: 00000000.00000002.682334427.0000000005BB0000.00000040.00000001.sdmp, Offset: 05BB0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9454069317db21ce8ffdf96ba03c82ad39a8b39651269bfedf7024ebda7f6813
Instruction ID: ea306036ce9384ca9aec5bc516bcb432b38bcf2f0f35b96e1783600a2f29bfcd
Opcode Fuzzy Hash: 9454069317db21ce8ffdf96ba03c82ad39a8b39651269bfedf7024ebda7f6813
Instruction Fuzzy Hash: 09113772D002499FDB10DFAAC844BEFBBF5EF88324F148429E515A7250C7B9A950CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05BBD588, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05BBD5EA

Memory Dump Source

Source File: 00000000.00000002.682334427.0000000005BB0000.00000040.00000001.sdmp, Offset: 05BB0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 113dbef768b58eba50ef7635ba46b8f3cc1b04302766e0f7612bc5f889cadda1
Instruction ID: b48979c13d5b38ea5a7284c04f228a936b53e7281ee09bd3a00643c5541628a3
Opcode Fuzzy Hash: 113dbef768b58eba50ef7635ba46b8f3cc1b04302766e0f7612bc5f889cadda1
Instruction Fuzzy Hash: A4113AB1D042498FDB10DFAAC4447EEFBF9AF88224F148429D519B7250C7B8A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0266BDA8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0266BE0E

Memory Dump Source

Source File: 00000000.00000002.678282091.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bd85247afe40453b3b5caa7d0ffb6517b20295342f6ea9ab5f98af1a59266bb4
Instruction ID: cb60e55187c2f6a94a52c3bc363dd948c36c7421d3e43c08edf82c8cea1601f1
Opcode Fuzzy Hash: bd85247afe40453b3b5caa7d0ffb6517b20295342f6ea9ab5f98af1a59266bb4
Instruction Fuzzy Hash: 6911D2B5D006498FDB10CF9AD444BDEFBF8EB88228F14841AD959B7610C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05BA40A8, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05BA7F15

Memory Dump Source

Source File: 00000000.00000002.682320110.0000000005BA0000.00000040.00000001.sdmp, Offset: 05BA0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7a91ac401db3ed4b9a85410521df046584230b2bbf5298e7b702bb01d0c82826
Instruction ID: 1983a853625afa37e497eb252433e007022904c852c2576ca7573cff14b2bfcc
Opcode Fuzzy Hash: 7a91ac401db3ed4b9a85410521df046584230b2bbf5298e7b702bb01d0c82826
Instruction Fuzzy Hash: 931133B68083899FDB10CF89C884BDFBBF8EB48320F10845AE915A3200C374A940CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05BA98D8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05BA9930

Memory Dump Source

Source File: 00000000.00000002.682320110.0000000005BA0000.00000040.00000001.sdmp, Offset: 05BA0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 25a653ff9d33adeefc467e3e287b65380bcfb32957302f718c0a5b752b495c20
Instruction ID: 311858651a8c27b9398e323de297501d3565ab3be53ae1c8831e4a1aef4b3ad7
Opcode Fuzzy Hash: 25a653ff9d33adeefc467e3e287b65380bcfb32957302f718c0a5b752b495c20
Instruction Fuzzy Hash: 8D1145B68002498FDB10CF9AC484BDEBBF4EF88320F14846AD959A7340C738A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05BA98D0, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05BA9930

Memory Dump Source

Source File: 00000000.00000002.682320110.0000000005BA0000.00000040.00000001.sdmp, Offset: 05BA0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 488665a891c69a6c18b8af3835618323325d4765770ca8c51907cea387d086c5
Instruction ID: d1c7aec75f501a2304f3dc0aa92a920574b1e65b944b39005f1a47e219e7e958
Opcode Fuzzy Hash: 488665a891c69a6c18b8af3835618323325d4765770ca8c51907cea387d086c5
Instruction Fuzzy Hash: EE1136B68042498FDB10CF99D5457EEBBF4EB48320F14846AD555A7240C338A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05BA7EB7, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05BA7F15

Memory Dump Source

Source File: 00000000.00000002.682320110.0000000005BA0000.00000040.00000001.sdmp, Offset: 05BA0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8e6168b5a4c56f335109f93943d3b7b2246598ed2465dc631620192a6f54cd60
Instruction ID: 344c26fbcc220095f077c4e00c2a7a58a413a54e78f4941f75b589a7c98dd151
Opcode Fuzzy Hash: 8e6168b5a4c56f335109f93943d3b7b2246598ed2465dc631620192a6f54cd60
Instruction Fuzzy Hash: 961112B68042499FDB10CF99C984BDEBBF8FB48324F14881AE959B3600C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.678189511.0000000000CAD000.00000040.00000001.sdmp, Offset: 00CAD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3340d96830547a6ebcf839aeb6468125cc4c11a1c146710f53c0b048c5de10
Instruction ID: 7ae46b02b502d80958384bd47bed30d3c4cad7c7017ece9c6a9e13d0f2b3e8f7
Opcode Fuzzy Hash: 6b3340d96830547a6ebcf839aeb6468125cc4c11a1c146710f53c0b048c5de10
Instruction Fuzzy Hash: 832167F1904241DFDB00CF00D8C4B26BBA5FB8832CF248669E9074B606C336D956CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CBD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.678205013.0000000000CBD000.00000040.00000001.sdmp, Offset: 00CBD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c133627f8a3bc2265d0673cc5c75bd37cbb4de458752319d55a8a6d95bfabe89
Instruction ID: c66fbd960523df04262bc2830ecd92aa55c7d70d9202f0f88ab4377fbab2596e
Opcode Fuzzy Hash: c133627f8a3bc2265d0673cc5c75bd37cbb4de458752319d55a8a6d95bfabe89
Instruction Fuzzy Hash: 08214971508340DFDB14EF14E4C0B56BB65FB84314F24C6A9D94A4B246D33AD807CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CBD005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.678205013.0000000000CBD000.00000040.00000001.sdmp, Offset: 00CBD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f3e63074e2f6215eb2ddd7883420c375976d452a7a485c8a0e0c6a935ef213a
Instruction ID: e8d69356ff11bb0cf5f4804faac85fdfe99dfa18dae4f1950268bb9974ed4a55
Opcode Fuzzy Hash: 0f3e63074e2f6215eb2ddd7883420c375976d452a7a485c8a0e0c6a935ef213a
Instruction Fuzzy Hash: 0D219F755093C08FDB02CF20D994B55BF71EB46314F28C5EBD8498B6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.678189511.0000000000CAD000.00000040.00000001.sdmp, Offset: 00CAD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 987ae082b2f359035be596b84dcad585c5d9c7b80c54fd1badd6de72d9b1f1a2
Instruction ID: 22f7c886b85cd02215b4c173dbab3e073c41643a904e157ccc2af5ad75646fd2
Opcode Fuzzy Hash: 987ae082b2f359035be596b84dcad585c5d9c7b80c54fd1badd6de72d9b1f1a2
Instruction Fuzzy Hash: 8111E6B6804280DFDF11CF10D5C4B16BF71FB95328F24C6A9D8060B616C33AD956CBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05BBB530, Relevance: 1.7, Strings: 1, Instructions: 435COMMON

Download Yara Rule

Strings

, xrefs: 05BBB655

Memory Dump Source

Source File: 00000000.00000002.682334427.0000000005BB0000.00000040.00000001.sdmp, Offset: 05BB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 020ebfe673c6fd3915eeaf5c91849aed0ead70f946e63018264d01e1468edb8a
Instruction ID: 718039606fcc32ea7060d577a68f10395df0db684ba2700476bc7e3745b767ae
Opcode Fuzzy Hash: 020ebfe673c6fd3915eeaf5c91849aed0ead70f946e63018264d01e1468edb8a
Instruction Fuzzy Hash: 8312B274E042188FEB14CFA9D984BEDBBF2FF88314F1481A9D509A7255DBB4A946CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0266C2B0, Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.678282091.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecec45c6258d997327e328656afcb43e9f4edbd7d3485d30d4b6f03425132ee5
Instruction ID: 6865d89205364c503d54f225029b39e911b7e7efdb6931c5ac06ee50b255ac87
Opcode Fuzzy Hash: ecec45c6258d997327e328656afcb43e9f4edbd7d3485d30d4b6f03425132ee5
Instruction Fuzzy Hash: 55527AB1D42B6A8BD710CF14E4885AD3BA1FB44318FD96A09D162DFE90D3B464AACF44

Uniqueness

Uniqueness Score: -1.00%

Function 02669998, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.678282091.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c8268aa1f4af2c00e4b6b9d028019abe876582bdd24a5587145ef3ea2db375e
Instruction ID: bc71460ed41a829c1da672f5066c91268f5d3412b5925dedc2be407db5b8b4e3
Opcode Fuzzy Hash: 7c8268aa1f4af2c00e4b6b9d028019abe876582bdd24a5587145ef3ea2db375e
Instruction Fuzzy Hash: 68A13B32E00619CFCF05DFA5C8485AEB7B2FF85304F15856AE905BB225EB31A955CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05BA1468, Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.682320110.0000000005BA0000.00000040.00000001.sdmp, Offset: 05BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14117f51fc33c4ce17f47c810b31e456729034a171e688012ebe3d5745b2cf8d
Instruction ID: 75e19499b549010fdb5bd073582e60962d3cdd728f1e71bd4373c755415e911e
Opcode Fuzzy Hash: 14117f51fc33c4ce17f47c810b31e456729034a171e688012ebe3d5745b2cf8d
Instruction Fuzzy Hash: 42917CB1E082099FDB50CFADC9857EEBBF2FF88304F148169E405A7294DB74A845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05BA8608, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.682320110.0000000005BA0000.00000040.00000001.sdmp, Offset: 05BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b27a972b35e27e214f62ca1810e5f84ac1ba4f9328d7321fb8bf41f8bb29f8f
Instruction ID: a26347a406c6971e65ba540c2ea89e61b526e297ebd57f5a8de504b08f54d08c
Opcode Fuzzy Hash: 4b27a972b35e27e214f62ca1810e5f84ac1ba4f9328d7321fb8bf41f8bb29f8f
Instruction Fuzzy Hash: 65011A71D082588FDB18CFAAC418BEDFAF1BB8D311F1890A9E045B3291D7749944CB68

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: PO98765.exe PID: 2440 Parent PID: 484 PO98765.exeCOMMON

Executed Functions

Function 00419FCA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00419FCA(void* __eax, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t19;
				void* _t28;
				void* _t29;
				intOrPtr* _t30;
				void* _t32;

				asm("fst dword [ebp-0x75]");
				_t14 = _a4;
				_t30 = _a4 + 0xc48;
				E0041AB20(_t28, _t14, _t30,  *((intOrPtr*)(_t14 + 0x10)), 0, 0x2a, _t29);
				_t6 =  &_a32; // 0x414d32
				_t12 =  &_a8; // 0x414d32
				_t19 =  *((intOrPtr*)( *_t30))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40, _t32); // executed
				return _t19;
			}

0x00419fcf
0x00419fd3
0x00419fdf
0x00419fe7
0x00419ff2
0x0041a00d
0x0041a015
0x0041a019

APIs

NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 0041A015

Strings

2MA, xrefs: 00419FF2, 0041A000
2MA, xrefs: 0041A00D, 0041A014

Memory Dump Source

Source File: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 2MA$2MA
API String ID: 2738559852-947276439
Opcode ID: 63589ec3e1e046129191fc5836d81b158da8997fc4b32e850e583c0b6458edae
Instruction ID: 98ae421c64e618cb2b09f520dca615dbc4e8add42dd12773a1101eeed08372ea
Opcode Fuzzy Hash: 63589ec3e1e046129191fc5836d81b158da8997fc4b32e850e583c0b6458edae
Instruction Fuzzy Hash: 54F0E2B2200108AFCB14DF99DC91EEB77A9AF8C354F158249BA4DA7241C630E812CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00419FD0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 0041A015

Strings

2MA, xrefs: 00419FF2, 0041A000
2MA, xrefs: 0041A00D, 0041A014

Memory Dump Source

Source File: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 2MA$2MA
API String ID: 2738559852-947276439
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 629a420ec24cda59f7740677f87fbeb895876e778ce4a2e4436109007655ca88
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 4BF0A4B2200208ABCB14DF89DC91EEB77ADAF8C754F158249BA1D97241D630F851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419F20, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419F6D

Strings

wKA, xrefs: 00419F59, 00419F64

Memory Dump Source

Source File: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID: wKA
API String ID: 823142352-3165208591
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 918681b749d1ebc684007e4c1563b975095bc633172356dce6c62aeb4b4fe286
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 2DF0B2B2205208ABCB08CF89DC95EEB77ADAF8C754F158249BA0D97241C630F851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACC0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD32

Memory Dump Source

Source File: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
Instruction ID: f2ae6e5e7806921c9eae43ef0be609edf832a6aa20f0d9e7e2e66c408c20611a
Opcode Fuzzy Hash: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
Instruction Fuzzy Hash: E40152B5D4020DABDB10DAE1DC82FDEB7789B14308F0041AAA908A7281F634EB54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041A100, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041ACF4,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 0041A139

Memory Dump Source

Source File: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: b7acdae8d3035396bf3a6cabd8be047a375e4a620bd0b44aa6ca3e6eeb15d15e
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 35F015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A050, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D10,?,?,00414D10,00409CC3,FFFFFFFF), ref: 0041A075

Memory Dump Source

Source File: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: b02a98072ae76633dfac5978dec5414655e95fa3032167deae29744f36717898
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: B7D01776200214ABD710EB99DC85FE77BADEF48764F15449ABA189B242C530FA1087E0

Uniqueness

Uniqueness Score: -1.00%

Function 01519910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0151991A

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 76c524aee06d93c237d4efb1b41220c2c3c69f76d590b867500da5501d7d23a6
Instruction ID: f1d1ecc56bd682cfab321fe8e2969bc42a45cd14858bb1e80138e436609cd472
Opcode Fuzzy Hash: 76c524aee06d93c237d4efb1b41220c2c3c69f76d590b867500da5501d7d23a6
Instruction Fuzzy Hash: 7B9002B224101402D140719984047460055B7D1351F61C411E9055A58EC6998DD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 015199A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015199AA

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d4ac94c8bef32598044c275f84ec8f735c2a30dc71469cfa80d7401203022cfa
Instruction ID: acb4f3625047eb20586c15c3aab679cafd33406b844f96b3c13b8b4747a30f54
Opcode Fuzzy Hash: d4ac94c8bef32598044c275f84ec8f735c2a30dc71469cfa80d7401203022cfa
Instruction Fuzzy Hash: 6A9002A238101442D10061998414B060055F7E2351F61C415E5055A58DC659CC527166

Uniqueness

Uniqueness Score: -1.00%

Function 01519840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0151984A

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0f8f3de3f9e557615d074446b4fe8a2671f773fbbd82e6270620a111ca7e4a52
Instruction ID: 5c3d2875aaa63e4adeb3aa71f5cc768c93f992f58077aee144e607ca6e2c78c3
Opcode Fuzzy Hash: 0f8f3de3f9e557615d074446b4fe8a2671f773fbbd82e6270620a111ca7e4a52
Instruction Fuzzy Hash: 17900262282051525545B19984045074056B7E12917A1C412E5405E54CC5669856E661

Uniqueness

Uniqueness Score: -1.00%

Function 01519860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0151986A

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ef053700fd9bdd1e5ecc9b17ee3d5f6adb62c54f2f9612e46547949e6dea5553
Instruction ID: 2b21171576730c95ce153073b114188f4c567af798e9f9fd6c673f325cb35f4b
Opcode Fuzzy Hash: ef053700fd9bdd1e5ecc9b17ee3d5f6adb62c54f2f9612e46547949e6dea5553
Instruction Fuzzy Hash: 6A90027224101413D111619985047070059B7D1291FA1C812E4415A5CDD6968952B161

Uniqueness

Uniqueness Score: -1.00%

Function 015198F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015198FA

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2cde287575da5cea033e6af8f2a93dceaac5b4a7c3c504f4d8bfa6d1f3bcc07c
Instruction ID: 0571fbc8eaabfce5551dd834cc0449cc7c054090e199c5a4a6e33088710dc6ca
Opcode Fuzzy Hash: 2cde287575da5cea033e6af8f2a93dceaac5b4a7c3c504f4d8bfa6d1f3bcc07c
Instruction Fuzzy Hash: B690026264101502D10171998404616005AB7D1291FA1C422E5015A59ECA658992B171

Uniqueness

Uniqueness Score: -1.00%

Function 01519A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01519A5A

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e050ae3606d3d1281033e0e64e7a3d3399f05683dc2337114916763449a330a6
Instruction ID: cf293a19a21be857e82be057e5b5cd8a0994a15978a83d6512b6523f2da00dee
Opcode Fuzzy Hash: e050ae3606d3d1281033e0e64e7a3d3399f05683dc2337114916763449a330a6
Instruction Fuzzy Hash: 7C90026225181042D20065A98C14B070055B7D1353F61C515E4145A58CC95588616561

Uniqueness

Uniqueness Score: -1.00%

Function 01519A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01519A0A

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aaa9e7a0c5953e2c8e60fc7bcb6184dd0220ad2c7c72a35455112e67b5e1830e
Instruction ID: bab1878554a5ab873440b1e8d4498adcb698e64de3525afb5282e86daf0f7a42
Opcode Fuzzy Hash: aaa9e7a0c5953e2c8e60fc7bcb6184dd0220ad2c7c72a35455112e67b5e1830e
Instruction Fuzzy Hash: 3790027224141402D1006199881470B0055B7D1352F61C411E5155A59DC665885175B1

Uniqueness

Uniqueness Score: -1.00%

Function 01519A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01519A2A

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 46944f73f9b956e1be3692bbd370f5d1abfed6b49daccb305520441c3450ff15
Instruction ID: cc200f07d919ed0a0851dae058b6a53adcd81bd8fbc83d3b64d48b1345057838
Opcode Fuzzy Hash: 46944f73f9b956e1be3692bbd370f5d1abfed6b49daccb305520441c3450ff15
Instruction Fuzzy Hash: 3390026264101042414071A9C8449064055BBE2261761C521E4989A54DC599886566A5

Uniqueness

Uniqueness Score: -1.00%

Function 01519540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0151954A

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7e3cd4adadd0ea6dab553b9536a6919b7e09f011d0770f5ffc6a0f05cf78734e
Instruction ID: 2ed416a2f83520187f9b74da4b2bdef22be17e337516099eb74ca63220932a90
Opcode Fuzzy Hash: 7e3cd4adadd0ea6dab553b9536a6919b7e09f011d0770f5ffc6a0f05cf78734e
Instruction Fuzzy Hash: 5B900266251010030105A59947045070096B7D63A1361C421F5006A54CD66188616161

Uniqueness

Uniqueness Score: -1.00%

Function 015195D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015195DA

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d90cfcae44c0f32c62596323de7f2380c4a73f26638fd1dc6a28e798d5527df2
Instruction ID: 5f36981518b7652bf65fdcf3f84c953215ce22e3154ee583b12b5a22e2a9e871
Opcode Fuzzy Hash: d90cfcae44c0f32c62596323de7f2380c4a73f26638fd1dc6a28e798d5527df2
Instruction Fuzzy Hash: FD9002A224201003410571998414616405AB7E1251B61C421E5005A94DC56588917165

Uniqueness

Uniqueness Score: -1.00%

Function 01519710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0151971A

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 94789de24ed9a709c9051733d2563f4b875358365e93d7ccaf8e766cccaaf55e
Instruction ID: 19f3bf514105db3a2e37315cdc3cab89b9d7a93ac9bc21112cc20c523671a461
Opcode Fuzzy Hash: 94789de24ed9a709c9051733d2563f4b875358365e93d7ccaf8e766cccaaf55e
Instruction Fuzzy Hash: 8C90027224101402D10065D994086460055B7E1351F61D411E9015A59EC6A588917171

Uniqueness

Uniqueness Score: -1.00%

Function 01519780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0151978A

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 39623cb13753a924d5ee96336b04fd5d9772a8122283923f55423f9c54c2c757
Instruction ID: 4210e3b9e4c8bcaba400c465809426906ce2d1e64f3447786332c417aa1826e6
Opcode Fuzzy Hash: 39623cb13753a924d5ee96336b04fd5d9772a8122283923f55423f9c54c2c757
Instruction Fuzzy Hash: 5390026A25301002D1807199940860A0055B7D2252FA1D815E4006A5CCC95588696361

Uniqueness

Uniqueness Score: -1.00%

Function 015197A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015197AA

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2b891688ba23b9930d5cf6819e3100239edb317b9484a066a34e597f0dc42461
Instruction ID: c146efdd1c98c6cb4ba31277c25d2f5bc2c208e1f69ef841d8b08eaa463174db
Opcode Fuzzy Hash: 2b891688ba23b9930d5cf6819e3100239edb317b9484a066a34e597f0dc42461
Instruction Fuzzy Hash: B190026234101003D140719994186064055F7E2351F61D411E4405A58CD95588566262

Uniqueness

Uniqueness Score: -1.00%

Function 01519660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0151966A

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e787d76a0cf4aea2218e65eaa13d8555eb469af77efbabe69690af7085c5aaac
Instruction ID: 6d6f00465e483a2c166311f2481c38c40f8d92108541d80b32ad588408a9652b
Opcode Fuzzy Hash: e787d76a0cf4aea2218e65eaa13d8555eb469af77efbabe69690af7085c5aaac
Instruction Fuzzy Hash: 9F90027224101802D1807199840464A0055B7D2351FA1C415E4016B58DCA558A5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 015196E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015196EA

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9004a2a5e3da2d686113afc95cebc6710476ef211b4722e57e365643bcd8f994
Instruction ID: 2311735e68e834c5005489ff7dde8c63641954446e9dc397df41ac3de9937c92
Opcode Fuzzy Hash: 9004a2a5e3da2d686113afc95cebc6710476ef211b4722e57e365643bcd8f994
Instruction Fuzzy Hash: E090027224109802D1106199C40474A0055B7D1351F65C811E8415B5CDC6D588917161

Uniqueness

Uniqueness Score: -1.00%

Function 00409A80, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05080370210f75a5a3fe5c957c173717e9568a082d75643143bc41a952943554
Instruction ID: bf50d6615e3a851f47153e1852c589cd20b96e00f5eebf3b99f7dff6005f4db2
Opcode Fuzzy Hash: 05080370210f75a5a3fe5c957c173717e9568a082d75643143bc41a952943554
Instruction Fuzzy Hash: 6E213AB2D4020857CB15DA65AD42BEF73BCAB54304F04007FE949A7182F63CBE498BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A335, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A3C0

Strings

AP, xrefs: 0041A35F, 0041A36B

Memory Dump Source

Source File: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID: AP
API String ID: 3899507212-2793870665
Opcode ID: 4a8b0577b9b24301b696b4e5fa6d7d3144279ef015267881eef89f7b109f2476
Instruction ID: 1076840c15fafc18aa3bbe2f75d912114288870ddf56b1762e08443f1c6122f9
Opcode Fuzzy Hash: 4a8b0577b9b24301b696b4e5fa6d7d3144279ef015267881eef89f7b109f2476
Instruction Fuzzy Hash: 88115EB52002086BDB14DF99EC41EEB73AEEF88754F11855AFE0997241C634E9508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(004144F6,?,oLA,00414C6F,?,004144F6,?,?,?,?,?,00000000,00409CC3,?), ref: 0041A21D

Strings

oLA, xrefs: 0041A20C, 0041A218

Memory Dump Source

Source File: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: oLA
API String ID: 1279760036-3789366272
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 91a8afe93875cd4dd2c16ce4d21e80b139c6b658c845053945d21e38953d9919
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: F1E012B1200208ABDB14EF99DC41EA777ADAF88664F11855ABA085B242C630F910CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A264, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(004144F6,?,oLA,00414C6F,?,004144F6,?,?,?,?,?,00000000,00409CC3,?), ref: 0041A21D

Strings

oLA, xrefs: 0041A20C, 0041A218

Memory Dump Source

Source File: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: oLA
API String ID: 1279760036-3789366272
Opcode ID: 532eaa0608e0094473740c2dcb7c679230d9bc9f6f2aaf4c671adacc83c51c91
Instruction ID: bbe08171a93a16390c6bc0bda71e757294241d165aacd160c6bab85f2cd2fa2d
Opcode Fuzzy Hash: 532eaa0608e0094473740c2dcb7c679230d9bc9f6f2aaf4c671adacc83c51c91
Instruction Fuzzy Hash: 8CD012F52042449FD710EF64E8918DB7756AF88318730854AF95943702D739E92A9AB1

Uniqueness

Uniqueness Score: -1.00%

Function 004082E8, Relevance: 1.6, APIs: 1, Instructions: 57threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: e482b8d64fb8c1c2885c096074a8302312b0d7d1f6a39cad35b0b14d74912598
Instruction ID: 06882739f9a915772d5d2506c266d8e25effbd3bf91bc082d9d351e7da04a69a
Opcode Fuzzy Hash: e482b8d64fb8c1c2885c096074a8302312b0d7d1f6a39cad35b0b14d74912598
Instruction Fuzzy Hash: 7F014932A802247BE720A6A08D43FFE776C6F41B04F04401EFB04BA1C1D6A8690547E9

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 0595ec560e788dbfdde41257eb2d5c19e7e4730fabfde42c32a3ab1d63c44655
Instruction ID: dfcb319d37f54b0a0ecf43278dd58f432490a67f975cf55f4cf339e9819450c2
Opcode Fuzzy Hash: 0595ec560e788dbfdde41257eb2d5c19e7e4730fabfde42c32a3ab1d63c44655
Instruction Fuzzy Hash: 1A01A731A803287BE720A6A59C43FFF776C6B40F54F05411EFF04BA1C1E6A9691546FA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1B6, Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A25D

Memory Dump Source

Source File: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 21a8f2689580e755f7b757598a0f2aa8366664878adf19234cbfe86c2bd415a6
Instruction ID: 1445e5750056d55ac064b3170d804730853a9bb88503f1426e742f650417b34b
Opcode Fuzzy Hash: 21a8f2689580e755f7b757598a0f2aa8366664878adf19234cbfe86c2bd415a6
Instruction Fuzzy Hash: 26017CB62042146BDB14DF99DC85EEB77ADEF88760F00845AFA185B241C630FA10CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00408373, Relevance: 1.5, APIs: 1, Instructions: 46threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 5a9f374e846b13def46fd236402283cbce8c9179e96ee39bcc8b17d8c8c9dabc
Instruction ID: 340ef0dd0364ee288b267a102dcd17c54c3b4f6f066a6f6c1b29bd0551d5ce22
Opcode Fuzzy Hash: 5a9f374e846b13def46fd236402283cbce8c9179e96ee39bcc8b17d8c8c9dabc
Instruction Fuzzy Hash: F3F0F631A807287AE71076644D02FFF76186B80F15F15426EFE04BA2C2EAFD691606E9

Uniqueness

Uniqueness Score: -1.00%

Function 004082B3, Relevance: 1.5, APIs: 1, Instructions: 41threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 17a38464d72613c1942b7b43a1cc9293874683b177593362508ebfcb078e09f7
Instruction ID: 04c9ba4c817a4b39796bfa22603aea6b38b32933f0f46f205ba64fe2c064927a
Opcode Fuzzy Hash: 17a38464d72613c1942b7b43a1cc9293874683b177593362508ebfcb078e09f7
Instruction Fuzzy Hash: 25F08231B806243AE62065955D43FBF66186B80F15F15412EFF04FA2C1EAFD291606EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A381, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A3C0

Memory Dump Source

Source File: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: dae679a2c8e472f8eba74482c5ff138022dd817cd9814bccb7c796c2c0c9fc86
Instruction ID: f81da64547fe679c07cba3092e1a56531ae0b8d8bfc0ede6110c9ce11a4a5771
Opcode Fuzzy Hash: dae679a2c8e472f8eba74482c5ff138022dd817cd9814bccb7c796c2c0c9fc86
Instruction Fuzzy Hash: 09E06DB1200218BBCA10EF99DC80EDB37AA9F84724F108566FA086B741C934F850CBF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A230, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A25D

Memory Dump Source

Source File: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 9eb97300d5e10087c94d33d02e30a743291ab6cce32cf35ae9b88dc6f9268b02
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 0EE01AB12002046BD714DF59DC45EA777ADAF88754F014559BA0857241C630F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A390, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A3C0

Memory Dump Source

Source File: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: bf4187e38ed515452a76a24d05e88418ebf87a1f9c5c0c5d517d21230e680a96
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: DEE01AB12002086BDB10DF49DC85EE737ADAF88654F018155BA0857241C934F8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A405, Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A3C0

Memory Dump Source

Source File: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 5da8310e1d07f192b56cb8cba9071fc35e5510fd99ef5d8f3cf2f35ea9e925c3
Instruction ID: c16ce2f19ca2d23fbb7dae673e92ec723c1f6492d3f47f4ff7a76828f41699ed
Opcode Fuzzy Hash: 5da8310e1d07f192b56cb8cba9071fc35e5510fd99ef5d8f3cf2f35ea9e925c3
Instruction Fuzzy Hash: F3E08CB4104285EBC700EF28E890CEBBB2ADF852143108047F80983202C334E930CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0041A270, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A298

Memory Dump Source

Source File: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 654422823446a6dc42c61fec1171b68ac592b5503343b56bfda4b4a103558910
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 1FD017726042187BD620EB99DC85FD777ADDF487A4F0180AABA1C6B242C531BA10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A234, Relevance: 1.5, APIs: 1, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A25D

Memory Dump Source

Source File: 00000001.00000002.714949083.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 407736451d95f8e1ab8699c3872c8790593c26f10a37ddf22fb502eee4eedece
Instruction ID: fcb3eeebfb7adec86ef2b62e20fe7d7f81c34a93cc2729fa91ca5bbf877f4bee
Opcode Fuzzy Hash: 407736451d95f8e1ab8699c3872c8790593c26f10a37ddf22fb502eee4eedece
Instruction Fuzzy Hash: EAD02BB81042845BDB10EF69E8C089B37D5BF803187108A4BFC5C47303C130E869CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0151967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01519694

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d093b95bdabade9245981aec209fce9a94892cd2e036e304996a8908ac3ef710
Instruction ID: 464aa9e1f91d0331aabafe1aacb60773aa293d48df35639d53a1eb87655e6882
Opcode Fuzzy Hash: d093b95bdabade9245981aec209fce9a94892cd2e036e304996a8908ac3ef710
Instruction Fuzzy Hash: A0B09B729415D5C5E612D7A4460871B795077D1755F26C451D2020B45F4778C091F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0158B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

write to, xrefs: 0158B4A6
*** Resource timeout (%p) in %ws:%s, xrefs: 0158B352
The resource is owned shared by %d threads, xrefs: 0158B37E
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0158B484
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0158B2DC
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0158B38F
a NULL pointer, xrefs: 0158B4E0
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0158B53F
The instruction at %p tried to %s , xrefs: 0158B4B6
The resource is owned exclusively by thread %p, xrefs: 0158B374
The instruction at %p referenced memory at %p., xrefs: 0158B432
Go determine why that thread has not released the critical section., xrefs: 0158B3C5
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0158B3D6
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0158B47D
<unknown>, xrefs: 0158B27E, 0158B2D1, 0158B350, 0158B399, 0158B417, 0158B48E
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0158B314
The critical section is owned by thread %p., xrefs: 0158B3B9
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0158B323
This failed because of error %Ix., xrefs: 0158B446
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0158B476
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0158B39B
*** then kb to get the faulting stack, xrefs: 0158B51C
*** enter .exr %p for the exception record, xrefs: 0158B4F1
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0158B305
*** Inpage error in %ws:%s, xrefs: 0158B418
read from, xrefs: 0158B4AD, 0158B4B2
*** An Access Violation occurred in %ws:%s, xrefs: 0158B48F
*** enter .cxr %p for the context, xrefs: 0158B50D
an invalid address, %p, xrefs: 0158B4CF
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0158B2F3

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 12be4aada026a1af60d7d3041c6a2cf8af332a670e7ed6b442a7b08c896e4f98
Instruction ID: 07dcf05759df0acd86fd6fa6ebaeb9b94b487e49e22c20e17798c60a091f328a
Opcode Fuzzy Hash: 12be4aada026a1af60d7d3041c6a2cf8af332a670e7ed6b442a7b08c896e4f98
Instruction Fuzzy Hash: BC81E079A40212FFDB216A4A8C56D6E3F2EBF96AA1F40005DF5043F132E7798551CAF2

Uniqueness

Uniqueness Score: -1.00%

Function 01591C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01591C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x14b48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E014DB150();
				} else {
					E014DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x15c589c);
				E014DB150("Heap error detected at %p (heap handle %p)\n",  *0x15c58a0);
				_t27 =  *0x15c5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01591E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E014DB150();
				} else {
					E014DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E014DB150("Error code: %d - %s\n",  *0x15c5898);
				_t113 =  *0x15c58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E014DB150();
					} else {
						E014DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E014DB150("Parameter1: %p\n",  *0x15c58a4);
				}
				_t115 =  *0x15c58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E014DB150();
					} else {
						E014DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E014DB150("Parameter2: %p\n",  *0x15c58a8);
				}
				_t117 =  *0x15c58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E014DB150();
					} else {
						E014DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E014DB150("Parameter3: %p\n",  *0x15c58ac);
				}
				_t119 =  *0x15c58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E014DB150();
					} else {
						E014DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x15c58b4);
					E014DB150("Last known valid blocks: before - %p, after - %p\n",  *0x15c58b0);
				} else {
					_t120 =  *0x15c58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E014DB150();
				} else {
					E014DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E014DB150("Stack trace available at %p\n", 0x15c58c0);
			}

0x01591c10
0x01591c16
0x01591c1e
0x01591c3d
0x01591c3e
0x01591c20
0x01591c35
0x01591c3a
0x01591c44
0x01591c55
0x01591c5a
0x01591c65
0x01591c67
0x00000000
0x01591c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01591c67
0x01591cdc
0x01591ce5
0x01591d04
0x01591d05
0x01591ce7
0x01591cfc
0x01591d01
0x01591d0b
0x01591d17
0x01591d1f
0x01591d25
0x01591d30
0x01591d4f
0x01591d50
0x01591d32
0x01591d47
0x01591d4c
0x01591d61
0x01591d67
0x01591d68
0x01591d6e
0x01591d79
0x01591d98
0x01591d99
0x01591d7b
0x01591d90
0x01591d95
0x01591daa
0x01591db0
0x01591db1
0x01591db7
0x01591dc2
0x01591de1
0x01591de2
0x01591dc4
0x01591dd9
0x01591dde
0x01591df3
0x01591df9
0x01591dfa
0x01591e00
0x01591e0a
0x01591e13
0x01591e32
0x01591e33
0x01591e15
0x01591e2a
0x01591e2f
0x01591e39
0x01591e4a
0x01591e02
0x01591e02
0x01591e08
0x00000000
0x00000000
0x01591e08
0x01591e5b
0x01591e7a
0x01591e7b
0x01591e5d
0x01591e72
0x01591e77
0x01591e95

Strings

heap_failure_invalid_allocation_type, xrefs: 01591CB4
HEAP: , xrefs: 01591C16, 01591C3D, 01591D04, 01591D4F, 01591D98, 01591DE1, 01591E32, 01591E7A
heap_failure_virtual_block_corruption, xrefs: 01591C91
heap_failure_cross_heap_operation, xrefs: 01591CC2
heap_failure_lfh_bitmap_mismatch, xrefs: 01591CD7
heap_failure_multiple_entries_corruption, xrefs: 01591C8A
heap_failure_buffer_overrun, xrefs: 01591C98
Heap error detected at %p (heap handle %p), xrefs: 01591C50
heap_failure_block_not_busy, xrefs: 01591CA6
heap_failure_freelists_corruption, xrefs: 01591CC9
Parameter2: %p, xrefs: 01591DA5
heap_failure_internal, xrefs: 01591C6E
heap_failure_unknown, xrefs: 01591C75
heap_failure_invalid_argument, xrefs: 01591CAD
heap_failure_listentry_corruption, xrefs: 01591CD0
heap_failure_entry_corruption, xrefs: 01591C83
Last known valid blocks: before - %p, after - %p, xrefs: 01591E45
Stack trace available at %p, xrefs: 01591E86
heap_failure_generic, xrefs: 01591C7C
Error code: %d - %s, xrefs: 01591D12
Parameter1: %p, xrefs: 01591D5C
heap_failure_usage_after_free, xrefs: 01591CBB
heap_failure_buffer_underrun, xrefs: 01591C9F
HEAP[%wZ]: , xrefs: 01591C30, 01591CF7, 01591D42, 01591D8B, 01591DD4, 01591E25, 01591E6D
Parameter3: %p, xrefs: 01591DEE

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 147ee031601f2c989723ce167174ff51c9e853a6aa71cd1b4bb3f53c6f6bfd8a
Instruction ID: 1170444fa4db126e90f60d875f72c0858801f6afa49f2b4ad3e2bdaaeeb6701f
Opcode Fuzzy Hash: 147ee031601f2c989723ce167174ff51c9e853a6aa71cd1b4bb3f53c6f6bfd8a
Instruction Fuzzy Hash: 1961F43A620993CFDF51AB9AD4D992977E4FB15D71B1A802FF40A6F320D73498408B1B

Uniqueness

Uniqueness Score: -1.00%

Function 014E3D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E014E3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E014E1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L014F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E014E1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L014F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E014E1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E014E1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E014E1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L014F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L014F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L014F4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0151F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01521370(_t276, 0x14b4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0151BB40(0,  &_v68, _t170);
									if(L014E43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L014F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L014F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0151BB40(_t257,  &_v68, _t243);
								if(L014E43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01521370(_t278, 0x14b4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L014F4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0151F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01521370(_v16, 0x14b4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0151BB40(_t262,  &_v68, _t244);
								if(L014E43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01521370(_t282, 0x14b4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0151BB40(_t262,  &_v68, _t201);
							if(L014E43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L014F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L014F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L014F4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0151F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01521370(_t280, 0x14b4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0151BB40(_t267,  &_v68, _t245);
							if(L014E43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01521370(_t284, 0x14b4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0151BB40(_t267,  &_v68, _t224);
						if(L014E43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L014F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L014F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x014e3d3c
0x014e3d42
0x014e3d44
0x014e3d46
0x014e3d49
0x014e3d4c
0x014e3d4f
0x014e3d52
0x014e3d55
0x014e3d58
0x014e3d5b
0x014e3d5f
0x014e3d61
0x014e3d66
0x01538213
0x01538218
0x014e4085
0x014e4088
0x014e408e
0x014e4094
0x014e409a
0x014e40a0
0x014e40a6
0x014e40a9
0x014e40af
0x014e40b6
0x014e40bd
0x014e40bd
0x014e3d83
0x0153821f
0x01538229
0x01538238
0x01538238
0x0153823d
0x0153823d
0x014e3da0
0x014e3daf
0x014e3db5
0x014e3dba
0x014e3dba
0x014e3dd4
0x014e3e94
0x014e3eab
0x014e3f6d
0x014e3f84
0x014e406b
0x014e406b
0x014e406e
0x014e406e
0x014e4070
0x014e4074
0x01538351
0x01538351
0x014e407a
0x014e407f
0x0153835d
0x01538370
0x01538377
0x01538379
0x0153837c
0x0153837c
0x0153835d
0x00000000
0x014e407f
0x014e3f8a
0x014e3f8d
0x014e3f90
0x014e3f95
0x0153830d
0x0153830f
0x014e3f9b
0x014e3fac
0x014e3fae
0x014e3fb1
0x014e3fb1
0x014e3fb6
0x01538317
0x0153831a
0x00000000
0x014e3fbc
0x014e3fc1
0x014e3fc9
0x014e3fd7
0x014e3fda
0x014e3fdd
0x014e4021
0x014e4021
0x014e4029
0x014e4030
0x014e4044
0x014e4046
0x014e4046
0x014e4044
0x014e4049
0x01538327
0x01538334
0x01538339
0x0153833c
0x014e404f
0x014e404f
0x014e404f
0x014e4051
0x014e4056
0x014e4063
0x014e4063
0x014e4068
0x00000000
0x014e4068
0x014e3fdf
0x014e3fe2
0x014e3fe4
0x014e3fe7
0x014e3fef
0x014e4003
0x014e4005
0x014e4005
0x014e400c
0x014e4013
0x014e4016
0x014e4017
0x014e401b
0x014e401e
0x00000000
0x014e401e
0x014e3fb6
0x014e3eb1
0x014e3eb4
0x014e3eb7
0x014e3ebc
0x015382a9
0x015382ab
0x014e3ec2
0x014e3ed3
0x014e3ed5
0x014e3ed8
0x014e3ed8
0x014e3edd
0x015382b3
0x015382b6
0x00000000
0x014e3ee3
0x014e3ee8
0x014e3eed
0x014e3ef0
0x014e3ef3
0x014e3f02
0x014e3f05
0x014e3f08
0x015382c0
0x015382c3
0x015382c5
0x015382c8
0x015382d0
0x015382e4
0x015382e6
0x015382e6
0x015382ed
0x015382f4
0x015382f7
0x015382f8
0x015382fc
0x015382ff
0x015382ff
0x014e3f0e
0x014e3f11
0x014e3f16
0x014e3f1d
0x014e3f31
0x01538307
0x01538307
0x014e3f31
0x014e3f39
0x014e3f48
0x014e3f4d
0x014e3f50
0x014e3f50
0x014e3f53
0x014e3f58
0x014e3f65
0x014e3f65
0x014e3f6a
0x00000000
0x014e3f6a
0x014e3edd
0x014e3dda
0x014e3ddd
0x014e3de0
0x014e3de5
0x01538245
0x014e3deb
0x014e3df7
0x014e3dfc
0x014e3dfe
0x014e3e01
0x014e3e01
0x014e3e06
0x0153824d
0x0153824f
0x01538254
0x00000000
0x014e3e0c
0x014e3e11
0x014e3e16
0x014e3e19
0x014e3e29
0x014e3e2c
0x014e3e2f
0x0153825c
0x0153825f
0x01538261
0x01538264
0x0153826c
0x01538280
0x01538282
0x01538282
0x01538289
0x01538290
0x01538293
0x01538294
0x01538298
0x0153829b
0x0153829b
0x014e3e35
0x014e3e38
0x014e3e3d
0x014e3e44
0x014e3e58
0x015382a3
0x015382a3
0x014e3e58
0x014e3e60
0x014e3e6f
0x014e3e74
0x014e3e77
0x014e3e77
0x014e3e7a
0x014e3e7f
0x014e3e8c
0x014e3e8c
0x014e3e91
0x00000000
0x014e3e91

Strings

Kernel-MUI-Language-SKU, xrefs: 014E3F70
Kernel-MUI-Number-Allowed, xrefs: 014E3D8C
Kernel-MUI-Language-Allowed, xrefs: 014E3DC0
WindowsExcludedProcs, xrefs: 014E3D6F
Kernel-MUI-Language-Disallowed, xrefs: 014E3E97

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 27e499f83cf2109aaaa30a4b1b427c1fb0384fb2e8c6637b82e456ad6b42b5d1
Instruction ID: 0c42c304431116694bc5482756596a76b8e4d2bb10a98b5f00acd70c4871ddb0
Opcode Fuzzy Hash: 27e499f83cf2109aaaa30a4b1b427c1fb0384fb2e8c6637b82e456ad6b42b5d1
Instruction Fuzzy Hash: 2BF14F72D00619EFCB16DF99C984AEEBBF9FF58650F14016AE505E7221D7349E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 014D40E1, Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E014D40E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E014DB150();
					} else {
						E014DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E014DB150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E014DB150(", passed to %s", _t29);
					}
					_push("\n");
					E014DB150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x15c6378 = 1;
						asm("int3");
						 *0x15c6378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x014d40e6
0x014d40e8
0x014d40f1
0x0153042d
0x0153044c
0x01530451
0x0153042f
0x01530444
0x01530449
0x0153045d
0x01530466
0x0153046e
0x01530474
0x01530475
0x0153047a
0x0153048a
0x0153048c
0x01530493
0x01530494
0x01530494
0x00000000
0x0153049b
0x00000000

Strings

RtlAllocateHeap, xrefs: 01530468
HEAP: , xrefs: 0153044C
, passed to %s, xrefs: 01530469
Invalid heap signature for heap at %p, xrefs: 01530458
HEAP[%wZ]: , xrefs: 0153043F

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: a757a431bcfec56be7202a96ad281a03868b819c486b2a879751026032e20ab0
Instruction ID: aa58e49c67cce7f8fa7a7edb2450ad8b9c1e02836ab84077117da5ef5e66b738
Opcode Fuzzy Hash: a757a431bcfec56be7202a96ad281a03868b819c486b2a879751026032e20ab0
Instruction Fuzzy Hash: 270128321046529ED6299B7AA46DF9A77F4EB52F70F2BC02FF0084B6A1CAB49440C221

Uniqueness

Uniqueness Score: -1.00%

Function 01508E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01508E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x15cd360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x15c8464; // 0x73b80110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x15c5780 & 0x00000003) != 0) {
							E01555510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x15c5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0151B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x15c7984; // 0x1072b08
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x15c8464; // 0x73b80110
					 *0x15cb1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E01509B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x15c5780 & 0x00000005) != 0) {
						_push(_t49);
						E01555510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x01508e0f
0x01508e16
0x01508e19
0x01508e1b
0x01508e21
0x01508e7f
0x01508e85
0x01549354
0x0154936c
0x01549371
0x0154937b
0x01549381
0x01549381
0x0154937b
0x01508e9d
0x01508e9d
0x01508e29
0x01508e2c
0x01508e38
0x01508e3e
0x01508e43
0x01508eb5
0x01508eb9
0x015492aa
0x015492af
0x015492e8
0x015492e8
0x015492af
0x01508eb9
0x01508e45
0x01508e53
0x01508e5b
0x01508e5f
0x01508e78
0x01508e78
0x01508e7d
0x01508ec3
0x01508ecd
0x01508ed2
0x01508ed2
0x01508ec5
0x01508ec5
0x00000000
0x01508e7d
0x01508e67
0x01508ea4
0x0154931a
0x00000000
0x00000000
0x01549320
0x01508ea4
0x01508e70
0x01549325
0x01549340
0x01549345
0x01549345
0x01508e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Querying the active activation context failed with status 0x%08lx, xrefs: 01549357
minkernel\ntdll\ldrsnap.c, xrefs: 0154933B, 01549367
LdrpFindDllActivationContext, xrefs: 01549331, 0154935D
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0154932A

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 7a8928196f548c39df16cd10e66de6ad049175707b5112763c165bde744349f3
Instruction ID: b29f2e9c6f0e19290b5999d876e0e98f492b2e9c6635eb4a46aefc45e1326c90
Opcode Fuzzy Hash: 7a8928196f548c39df16cd10e66de6ad049175707b5112763c165bde744349f3
Instruction Fuzzy Hash: D1410931E007159FEB37AADC888DF7EBBB4BB44258F06456AD9145F1D2E7706C808791

Uniqueness

Uniqueness Score: -1.00%

Function 015949A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01594A61
HEAP: , xrefs: 01594A4A, 01594A5D, 01594A5F, 01594AC4
HEAP[%wZ]: , xrefs: 01594A3D, 01594AB7
This is located in the %s field of the heap header., xrefs: 01594AD6

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 6fc1fe8393705dc8d6bb05afa9b87a135b671df0e9fa3b385560e6351cd0cfed
Instruction ID: 16da6093f1aac3603ccbb1ed2e9c50a938268d9d12e7058203195c496bf09a7c
Opcode Fuzzy Hash: 6fc1fe8393705dc8d6bb05afa9b87a135b671df0e9fa3b385560e6351cd0cfed
Instruction Fuzzy Hash: 74312331100101EFDB20DB6AC988F6B73EAFB05A60F25855EF405CF260D6B8AC41C66A

Uniqueness

Uniqueness Score: -1.00%

Function 014E8794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E014E8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E014E934A() != 0) {
								_t159 = E0155A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x15c5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E01555510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x15c5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E014E849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E014E8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E014E8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x15c5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x15c5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E014F2280(_t92, 0x15c86cc);
															_t94 = E015A9DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E015061A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x15c5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E014E8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x15c5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x15c5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0151F380(_t136, 0x14b1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E014F2280(_t108, 0x15c86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E015061A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E015A9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E014EFFB0(_t118, _t156, 0x15c86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E01519A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x014e8799
0x014e879d
0x014e87a1
0x014e87a3
0x014e87a8
0x014e87c3
0x014e87c3
0x014e87c8
0x014e87d1
0x014e87d4
0x014e87d8
0x014e87e5
0x014e87ec
0x01539bfe
0x01539c00
0x01539c02
0x01539c08
0x01539c0d
0x01539c0f
0x01539c14
0x01539c2d
0x01539c32
0x01539c37
0x01539c3a
0x01539c3c
0x01539c42
0x01539c42
0x01539c3c
0x01539c02
0x014e87da
0x014e87df
0x014e87e3
0x00000000
0x00000000
0x014e87e3
0x014e87f2
0x00000000
0x014e87fb
0x014e87fd
0x014e87fe
0x014e880e
0x014e880f
0x014e8810
0x014e8814
0x014e881a
0x014e881c
0x014e881f
0x014e8821
0x014e8822
0x014e8824
0x014e8826
0x014e882c
0x014e882e
0x01539c48
0x01539c48
0x014e8834
0x014e8834
0x014e8837
0x00000000
0x00000000
0x014e8837
0x014e882e
0x014e883d
0x014e8840
0x014e8843
0x014e8846
0x014e8849
0x014e884c
0x014e884e
0x014e8850
0x014e8852
0x014e8854
0x014e8857
0x014e88b4
0x014e88b6
0x014e88b6
0x014e8859
0x014e8859
0x014e8859
0x014e8861
0x014e8866
0x014e886a
0x014e893d
0x014e8941
0x00000000
0x014e8947
0x014e8947
0x014e894a
0x014e894c
0x00000000
0x014e8952
0x014e8955
0x014e895a
0x014e895d
0x014e895d
0x014e895f
0x014e8961
0x014e8961
0x014e8968
0x00000000
0x00000000
0x014e896a
0x014e896b
0x014e896e
0x00000000
0x014e8970
0x014e8970
0x014e8970
0x014e8970
0x014e8972
0x014e8972
0x014e8974
0x00000000
0x014e897a
0x014e897a
0x014e897d
0x00000000
0x014e8983
0x01539c65
0x01539c6d
0x01539c72
0x01539c75
0x01539c75
0x01539c82
0x01539c86
0x01539c87
0x01539c88
0x01539c89
0x01539c8c
0x01539c90
0x01539c95
0x01539c97
0x01539ca0
0x01539ca3
0x01539ca9
0x01539ca9
0x00000000
0x01539ca9
0x01539ca3
0x00000000
0x01539c97
0x014e897d
0x00000000
0x014e8974
0x014e8988
0x014e8992
0x014e8996
0x00000000
0x014e8996
0x014e894c
0x00000000
0x014e8870
0x014e887b
0x014e887d
0x014e887f
0x014e8881
0x014e8884
0x014e8884
0x014e8886
0x014e8889
0x014e888c
0x014e888e
0x014e8891
0x014e8891
0x014e8898
0x00000000
0x00000000
0x014e889a
0x014e889b
0x014e889e
0x00000000
0x00000000
0x014e88a0
0x014e88a8
0x014e88b0
0x014e88b2
0x014e88d3
0x014e88d5
0x00000000
0x014e88d7
0x014e88db
0x014e88dc
0x014e88e0
0x014e88e8
0x014e88ee
0x014e88f0
0x014e88f3
0x014e88fc
0x014e8901
0x014e8906
0x014e890c
0x014e890c
0x014e890f
0x014e8916
0x014e8917
0x014e8918
0x014e8919
0x014e891a
0x014e891f
0x014e8921
0x01539c52
0x01539c55
0x01539c5b
0x01539cac
0x01539cc0
0x01539cc0
0x01539c55
0x014e8927
0x014e8927
0x014e892f
0x014e8933
0x00000000
0x014e88f5
0x014e88f5
0x00000000
0x014e88f7
0x014e88f7
0x014e88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x014e88fa
0x014e88f5
0x014e88f3
0x00000000
0x014e88d5
0x00000000
0x014e88b2
0x014e88c9
0x00000000
0x014e88c9
0x014e887f
0x014e886a
0x014e8857
0x014e8852
0x014e88bf
0x014e88bf
0x014e87aa
0x014e87ad
0x014e87ae
0x014e87b4
0x014e87b5
0x014e87b6
0x014e87b8
0x014e87bd
0x014e87c1
0x014e87f4
0x014e87fa
0x00000000
0x00000000
0x00000000
0x014e87c1
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 01539C28
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01539C18
LdrpDoPostSnapWork, xrefs: 01539C1E

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: d97c5c86424732ac9cc2e5739da8c850e87bac2a7c3d181038deb7e0b1d99851
Instruction ID: bff1b4d13eed1723518961b707faa74124819f31de85f69b670f9e444b3b354f
Opcode Fuzzy Hash: d97c5c86424732ac9cc2e5739da8c850e87bac2a7c3d181038deb7e0b1d99851
Instruction Fuzzy Hash: D4912271A0020B9FEF19CF99D8849BAB7F5FF94306B05416BDD01AB261E770E901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014E7E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E014E7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E014ECEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E014DC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x15c5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E01555510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x15c5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E014F7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E014F7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E01557016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E014F7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E014F7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E01557016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0150A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E014DB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x014e7e4c
0x014e7e50
0x014e7e55
0x014e7e58
0x014e7e5d
0x014e7e71
0x014e7f33
0x014e7e77
0x014e7e77
0x014e7e79
0x014e7e79
0x014e7e7e
0x014e7f45
0x01539848
0x00000000
0x01539848
0x014e7f4e
0x014e7f53
0x014e7f5a
0x00000000
0x00000000
0x0153985a
0x01539862
0x01539866
0x00000000
0x0153986c
0x00000000
0x0153986c
0x014e7e84
0x014e7e84
0x014e7e8d
0x01539871
0x014e7eb8
0x014e7ec0
0x014e7ec0
0x014e7e9a
0x0153987e
0x00000000
0x00000000
0x01539884
0x0153988b
0x015398a7
0x015398ac
0x015398b1
0x015398b6
0x015398b8
0x015398b8
0x015398b9
0x00000000
0x015398b9
0x014e7ea0
0x014e7ea7
0x00000000
0x00000000
0x014e7eac
0x014e7eb1
0x014e7ec6
0x014e7ed0
0x015398cc
0x014e7ed6
0x014e7ed6
0x014e7ed6
0x014e7ede
0x014e7ee3
0x015398e3
0x015398f0
0x01539902
0x015398f2
0x015398fb
0x015398fb
0x01539907
0x0153991d
0x0153991d
0x01539907
0x015398e3
0x014e7ef0
0x014e7f14
0x014e7f14
0x014e7f1e
0x01539946
0x014e7f24
0x014e7f24
0x014e7f24
0x014e7f2c
0x0153996a
0x01539975
0x01539975
0x0153997e
0x01539993
0x01539993
0x0153997e
0x00000000
0x014e7ef2
0x014e7efc
0x014e7f0a
0x014e7f0e
0x01539933
0x00000000
0x01539933
0x00000000
0x014e7f0e
0x00000000
0x00000000
0x00000000
0x014e7eb1

Strings

minkernel\ntdll\ldrmap.c, xrefs: 015398A2
Could not validate the crypto signature for DLL %wZ, xrefs: 01539891
LdrpCompleteMapModule, xrefs: 01539898

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: f6eb87d8d560118bd7ac6c92bad98289b8bff0172156e8ebfbe6e8e34e7b28d6
Instruction ID: 78f9dfd6800d38b1585a10eb1406ad0ff68bf8c119c34e10368bea762ce112a8
Opcode Fuzzy Hash: f6eb87d8d560118bd7ac6c92bad98289b8bff0172156e8ebfbe6e8e34e7b28d6
Instruction Fuzzy Hash: 1F51D0716007469BEB21CB6CC988B6ABBE4FB80736F14059AE9519B3E1D774E901CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 014DE620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E014DE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E014DF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E015195D0();
						}
						if(_t78 != 0) {
							L014F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0151FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0151BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E01519600();
					if(_t97 < 0) {
						goto L6;
					}
					E0151BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L014DF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0151BB40(_t83, _t102 + 0x24, _t78);
								if(L014E43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0151BB40(_t84, _t102 + 0x24, _t94);
									if(L014E43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x014de620
0x014de628
0x014de62f
0x014de631
0x014de635
0x014de637
0x014de63e
0x01535503
0x01535503
0x014de64c
0x014de64c
0x014de651
0x00000000
0x00000000
0x014de661
0x014de665
0x0153542a
0x014de715
0x014de71a
0x014de71c
0x014de720
0x014de720
0x014de727
0x014de736
0x014de736
0x014de743
0x014de743
0x014de673
0x014de678
0x014de67d
0x014de682
0x014de685
0x014de692
0x014de69b
0x014de6a3
0x014de6ad
0x014de6b1
0x014de6b2
0x014de6bb
0x014de6bf
0x014de6c0
0x014de6c8
0x014de6cc
0x014de6d5
0x014de6d9
0x00000000
0x00000000
0x014de6e5
0x014de6ea
0x014de6f9
0x014de70b
0x014de70f
0x01535439
0x0153545e
0x0153545e
0x00000000
0x0153545e
0x0153543b
0x0153543e
0x01535440
0x01535445
0x01535472
0x01535475
0x0153548d
0x01535493
0x015354a9
0x00000000
0x00000000
0x015354ab
0x015354b4
0x015354bc
0x015354c8
0x015354de
0x015354fb
0x015354e0
0x015354e6
0x015354eb
0x015354eb
0x015354de
0x00000000
0x015354bc
0x01535477
0x0153547a
0x01535480
0x01535483
0x01535486
0x0153548b
0x00000000
0x00000000
0x00000000
0x0153548b
0x00000000
0x00000000
0x00000000
0x00000000
0x01535447
0x01535447
0x01535447
0x01535447
0x0153544e
0x00000000
0x00000000
0x01535450
0x01535452
0x01535455
0x0153545a
0x00000000
0x00000000
0x00000000
0x0153545c
0x0153546a
0x0153546d
0x0153546f
0x00000000
0x0153546f
0x014de70f

Strings

InstallLanguageFallback, xrefs: 014DE6DB
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 014DE68C
@, xrefs: 014DE6C0

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: fd53f8a3ff7c6730e6b82e925e8d188c98876f669ed68578c31a50c8e7eae9cb
Instruction ID: aadf418b15a03e117bf4c3d5d5793f2da40c5d666d0b72d73447dac1d97d455b
Opcode Fuzzy Hash: fd53f8a3ff7c6730e6b82e925e8d188c98876f669ed68578c31a50c8e7eae9cb
Instruction Fuzzy Hash: 3D51D3726183069BDB25DF28C450A6FB7E8BFD8614F05092EF989EB250F735D904C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0159E539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0159E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E0159BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E0159BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E0159AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E01519730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E0159A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E0159A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E01519730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E0159A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E0159A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E014F2280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E014EB090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E014EFFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E014F7D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E0158FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x0159e547
0x0159e549
0x0159e54f
0x0159e553
0x0159e557
0x0159e55a
0x0159e55c
0x0159e55f
0x0159e561
0x0159e567
0x0159e56b
0x0159e7e2
0x00000000
0x0159e571
0x0159e575
0x0159e577
0x0159e57b
0x0159e57c
0x0159e57d
0x0159e57e
0x0159e57f
0x0159e588
0x0159e58f
0x0159e591
0x0159e592
0x0159e592
0x0159e596
0x0159e59e
0x0159e5a0
0x0159e5a6
0x0159e61d
0x0159e61d
0x0159e621
0x0159e623
0x0159e630
0x0159e630
0x0159e7e6
0x0159e7eb
0x0159e7ed
0x0159e7f4
0x0159e7fa
0x0159e7ff
0x0159e7ff
0x0159e80a
0x0159e812
0x0159e812
0x0159e5ab
0x0159e5b4
0x0159e5b9
0x0159e5be
0x0159e5c0
0x0159e5c2
0x0159e5c8
0x0159e5c9
0x0159e5cb
0x0159e5cc
0x0159e5d5
0x0159e5e4
0x0159e5f1
0x0159e5f8
0x0159e5f8
0x0159e5d5
0x0159e602
0x0159e616
0x0159e63d
0x0159e644
0x0159e64d
0x0159e652
0x0159e657
0x0159e659
0x0159e65b
0x0159e661
0x0159e662
0x0159e664
0x0159e665
0x0159e66e
0x0159e67d
0x0159e68a
0x0159e691
0x0159e691
0x0159e66e
0x0159e6b0
0x00000000
0x0159e6b6
0x0159e6bd
0x0159e6c7
0x0159e6d7
0x0159e6d9
0x0159e6db
0x0159e6de
0x0159e6e3
0x0159e6f3
0x0159e6fc
0x0159e700
0x0159e700
0x0159e704
0x0159e70a
0x0159e70a
0x0159e713
0x0159e716
0x0159e719
0x0159e720
0x0159e761
0x0159e76b
0x0159e774
0x0159e77a
0x0159e77a
0x0159e78a
0x0159e791
0x0159e799
0x0159e79b
0x0159e79f
0x0159e7aa
0x0159e7c0
0x0159e7ac
0x0159e7b2
0x0159e7b9
0x0159e7b9
0x0159e7c7
0x0159e806
0x00000000
0x0159e7c9
0x0159e7d1
0x0159e7d8
0x00000000
0x0159e7d8
0x00000000
0x00000000
0x0159e722
0x0159e72e
0x0159e748
0x0159e74c
0x0159e754
0x0159e756
0x0159e75c
0x0159e75c
0x00000000
0x0159e75c
0x0159e758
0x0159e758
0x00000000
0x0159e758
0x0159e750
0x00000000
0x00000000
0x0159e752
0x00000000
0x0159e752
0x0159e730
0x0159e735
0x0159e73d
0x0159e73f
0x00000000
0x00000000
0x0159e741
0x0159e741
0x00000000
0x0159e741
0x0159e739
0x00000000
0x00000000
0x0159e73b
0x00000000
0x0159e73b
0x0159e722
0x0159e720
0x0159e6b0
0x0159e618
0x00000000
0x0159e618

Strings

`, xrefs: 0159E5D7
`, xrefs: 0159E670

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 764c53da9709b230bca8fdfd1693154e680bf866dea14316edd37ab8766e9800
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 6A915C312043429BEB25CF29C942B5BBBE5FF84714F14892DF695CA290E774E904CB93

Uniqueness

Uniqueness Score: -1.00%

Function 015551BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E015551BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x15b05f0);
				E0152D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E014EEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E015553CA(0);
						return E0152D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0151F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E014F3690(1, _t117, 0x14b1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0151AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L014F4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0151AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0155500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E01519860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x015551be
0x015551c3
0x015551c8
0x015551cd
0x015551d0
0x015551d3
0x015551d8
0x015551db
0x015551de
0x015551e0
0x015551e3
0x015551e6
0x015551e8
0x01555342
0x01555351
0x01555356
0x0155535a
0x01555360
0x01555363
0x01555366
0x01555369
0x01555369
0x0155536b
0x0155536b
0x01555370
0x015553a3
0x015553a4
0x015553a6
0x015553ab
0x015553ab
0x015553ae
0x015553ae
0x015553b5
0x015553bf
0x015553bf
0x01555375
0x01555396
0x015553a0
0x015553a0
0x00000000
0x01555396
0x01555377
0x01555379
0x0155537f
0x0155538c
0x01555390
0x00000000
0x01555390
0x015551ee
0x015551f1
0x01555301
0x01555310
0x01555315
0x01555318
0x0155531b
0x01555320
0x0155532e
0x01555331
0x00000000
0x01555331
0x01555328
0x01555329
0x00000000
0x01555329
0x015551fa
0x01555235
0x01555236
0x01555239
0x0155523f
0x01555240
0x01555241
0x01555242
0x01555246
0x01555247
0x0155524e
0x01555251
0x01555267
0x01555269
0x0155526e
0x0155527d
0x0155527e
0x01555281
0x01555282
0x01555287
0x01555288
0x0155528a
0x0155528f
0x01555294
0x00000000
0x00000000
0x0155529a
0x0155529c
0x0155529e
0x0155529e
0x015552a4
0x015552b0
0x00000000
0x00000000
0x015552ba
0x015552bc
0x015552bc
0x015552d4
0x015552d9
0x015552dc
0x015552e1
0x00000000
0x00000000
0x015552e7
0x015552f4
0x00000000
0x015552f4
0x01555270
0x00000000
0x01555270
0x015551fc
0x015551fd
0x01555202
0x01555203
0x01555205
0x0155520a
0x0155520f
0x00000000
0x00000000
0x0155521b
0x01555226
0x0155522b
0x0155521d
0x0155521d
0x01555222
0x01555222
0x0155522d
0x00000000

Strings

UEFI, xrefs: 0155521D
Legacy, xrefs: 01555226

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: ef30659ee5ee88ba8f3e94f97cf1fc51052b4d38fab278472f96bd9a9e03519f
Instruction ID: 3d023af478b1314f81d10162a3dd89613cc8c4e6c0a5b3d9415eef282ed44ed2
Opcode Fuzzy Hash: ef30659ee5ee88ba8f3e94f97cf1fc51052b4d38fab278472f96bd9a9e03519f
Instruction Fuzzy Hash: C5517F71E106099FDB65DFA8C890AADBBF4FF48740F15442EEA49EF252E6709940CB10

Uniqueness

Uniqueness Score: -1.00%

Function 014FB944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E014FB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x15cd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E014F7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E015A8CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E01519E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0151B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0151CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E014F7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E015A8F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0151AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x15c8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x15c862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x15c8628; // 0x0
							_t116 =  *0x15c862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x014fb94c
0x014fb956
0x014fb95c
0x014fb95e
0x014fb964
0x014fb969
0x014fb96d
0x014fb96d
0x014fb970
0x014fb974
0x014fb97a
0x014fbadf
0x014fbadf
0x014fbae2
0x014fbae4
0x014fbae6
0x014fbaf0
0x01542cb8
0x014fbaf6
0x014fbaf6
0x014fbaf6
0x014fbafd
0x014fbb1f
0x014fbb1f
0x014fbaff
0x014fbb00
0x014fbb00
0x014fbb03
0x014fbb03
0x014fbacb
0x014fbacf
0x014fbad0
0x014fbad1
0x014fbadc
0x014fbadc
0x014fb980
0x014fb980
0x014fb988
0x014fb98b
0x014fb98d
0x014fb990
0x014fb993
0x014fb999
0x014fb99b
0x014fb9a1
0x014fb9a5
0x014fb9aa
0x014fb9b0
0x014fb9bb
0x014fb9c0
0x014fb9c3
0x014fb9ca
0x014fb9cc
0x014fb9cf
0x014fb9d3
0x014fb9d7
0x014fba94
0x014fba94
0x014fba98
0x014fbaa3
0x01542ccb
0x014fbaa9
0x014fbaa9
0x014fbaa9
0x014fbab1
0x01542cd5
0x01542cdd
0x01542cdd
0x014fbabb
0x014fbabc
0x014fbac2
0x014fbac3
0x014fbac3
0x014fbac6
0x00000000
0x014fb9dd
0x014fb9dd
0x014fb9e7
0x014fb9e7
0x014fb9ec
0x014fb9ec
0x014fb9f1
0x014fb9f5
0x014fb9fa
0x014fba00
0x014fba0c
0x014fba10
0x014fba10
0x014fba12
0x014fba18
0x00000000
0x00000000
0x014fbb26
0x014fbb26
0x014fba1e
0x014fba1e
0x014fba23
0x014fba25
0x014fba2c
0x014fba30
0x014fba35
0x014fba35
0x014fba41
0x014fba46
0x014fba4c
0x014fba50
0x014fba54
0x014fba6a
0x014fba6e
0x014fba70
0x014fba74
0x014fba78
0x014fba7a
0x014fba7c
0x014fba8e
0x014fba90
0x014fba92
0x014fbb14
0x014fbb14
0x014fbb16
0x014fbb16
0x00000000
0x014fba7c
0x014fbb0a
0x014fbb0d
0x00000000
0x00000000
0x00000000
0x014fbb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014FB9A5

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 807acfe2e5e9f958e44f0fc0dbc599bff4d993b2f5e617727798964175f00f37
Instruction ID: 37593465320ceff35a141676457a82decc94bcb97cf288692797a7f68c6b5c04
Opcode Fuzzy Hash: 807acfe2e5e9f958e44f0fc0dbc599bff4d993b2f5e617727798964175f00f37
Instruction Fuzzy Hash: B2516671A08741CFC721CF29C48092BBBF5FB89600F15896EFA958B365D730E848CB92

Uniqueness

Uniqueness Score: -1.00%

Function 014DB171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E014DB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x15af7a8);
				E0152D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0152D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0151D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0151F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0152DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0151B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0151B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0151E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0151A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x014db171
0x014db171
0x014db171
0x014db171
0x014db171
0x014db176
0x014db17b
0x014db180
0x014db186
0x014db18f
0x014db198
0x014db1a4
0x014db1aa
0x01534802
0x01534802
0x01534805
0x0153480c
0x0153480e
0x014db1d1
0x014db1d3
0x014db1de
0x014db1de
0x01534817
0x0153481e
0x01534820
0x01534822
0x01534822
0x01534824
0x01534824
0x0153482a
0x00000000
0x00000000
0x01534835
0x0153483a
0x0153483d
0x0153483f
0x01534842
0x01534842
0x01534842
0x01534846
0x0153484c
0x0153484e
0x01534851
0x01534851
0x01534853
0x01534854
0x01534854
0x01534858
0x0153485a
0x0153485a
0x0153485d
0x0153485f
0x01534861
0x01534861
0x01534866
0x0153486b
0x0153486e
0x01534871
0x01534876
0x01534876
0x01534878
0x0153487b
0x01534884
0x01534884
0x00000000
0x0153487d
0x0153487d
0x01534882
0x01534889
0x01534889
0x0153488f
0x01534891
0x015348e0
0x015348e2
0x015348e4
0x015348e4
0x015348e7
0x015348e7
0x015348ed
0x015348f4
0x015348f6
0x01534951
0x01534951
0x01534953
0x01534953
0x01534956
0x01534956
0x01534958
0x01534959
0x01534959
0x0153495d
0x0153495d
0x0153495f
0x0153495f
0x01534965
0x01534969
0x015349ba
0x015349ba
0x015349c1
0x015349c5
0x015349cc
0x015349d4
0x015349d7
0x015349da
0x015349e4
0x015349e5
0x015349f3
0x01534a02
0x00000000
0x01534a02
0x01534972
0x01534974
0x00000000
0x00000000
0x01534976
0x01534979
0x01534982
0x01534983
0x01534984
0x0153498b
0x0153498d
0x01534991
0x01534993
0x01534999
0x0153499d
0x015349a2
0x015349a2
0x015349a2
0x01534999
0x015349ac
0x00000000
0x015349b3
0x015348f8
0x015348fe
0x00000000
0x00000000
0x00000000
0x015348fe
0x01534895
0x0153489c
0x015348ad
0x015348b2
0x015348b5
0x015348b7
0x015348ba
0x015348bc
0x015348c6
0x015348c6
0x015348cb
0x015348d1
0x015348d4
0x015348d8
0x015348d8
0x00000000
0x015348d8
0x015348be
0x015348c0
0x00000000
0x00000000
0x015348c2
0x00000000
0x00000000
0x00000000
0x015348c4
0x00000000
0x01534882
0x0153487b
0x01534904
0x01534906
0x00000000
0x00000000
0x01534908
0x0153490e
0x00000000
0x00000000
0x01534910
0x01534917
0x01534917
0x00000000
0x01534917
0x014db1ba
0x015347f9
0x015347fc
0x00000000
0x00000000
0x00000000
0x015347fc
0x014db1c0
0x014db1c0
0x014db1c3
0x014db1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 015348AD

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: d5f0c9f6ed77d0ef20f932a78e8a0f239f0f1118b7ae48b07dbdfa73a1484108
Instruction ID: 78b6519e53094ae8d7552509c089b5a4d1b822d7cd5b0904a00f51f2cd188c02
Opcode Fuzzy Hash: d5f0c9f6ed77d0ef20f932a78e8a0f239f0f1118b7ae48b07dbdfa73a1484108
Instruction Fuzzy Hash: B451D072D0025A8EEF32CF68C844BAEBBB0FF85710F1041ADD859AF292D7744985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01502581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E01502581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char _a1530200396, char _a1546912076) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t243;
				signed int _t247;
				char* _t248;
				signed int _t252;
				signed int _t254;
				intOrPtr _t256;
				signed int _t259;
				signed int _t266;
				signed int _t269;
				signed int _t277;
				intOrPtr _t283;
				signed int _t285;
				signed int _t287;
				void* _t288;
				void* _t289;
				signed int _t290;
				unsigned int _t293;
				signed int _t297;
				void* _t298;
				signed int _t299;
				signed int _t303;
				intOrPtr _t315;
				signed int _t324;
				signed int _t326;
				signed int _t327;
				signed int _t331;
				signed int _t332;
				intOrPtr* _t334;
				signed int _t336;
				signed int _t338;
				signed int _t341;
				void* _t342;
				void* _t344;

				_t338 = _t341;
				_t342 = _t341 - 0x4c;
				_v8 =  *0x15cd360 ^ _t338;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t331 = 0x15cb2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t293 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t283 = 0x48;
				_t313 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t324 = 0;
				_v37 = _t313;
				if(_v48 <= 0) {
					L16:
					_t45 = _t283 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t332 = 0xc0000106;
						goto L32;
					} else {
						_t331 = L014F4620(_t293,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t283);
						_v52 = _t331;
						__eflags = _t331;
						if(_t331 == 0) {
							_t332 = 0xc0000017;
							goto L32;
						} else {
							 *(_t331 + 0x44) =  *(_t331 + 0x44) & 0x00000000;
							_t50 = _t331 + 0x48; // 0x48
							_t326 = _t50;
							_t313 = _v32;
							 *((intOrPtr*)(_t331 + 0x3c)) = _t283;
							_t285 = 0;
							 *((short*)(_t331 + 0x30)) = _v48;
							__eflags = _t313;
							if(_t313 != 0) {
								 *(_t331 + 0x18) = _t326;
								__eflags = _t313 - 0x15c8478;
								 *_t331 = ((0 | _t313 == 0x015c8478) - 0x00000001 & 0xfffffffb) + 7;
								E0151F3E0(_t326,  *((intOrPtr*)(_t313 + 4)),  *_t313 & 0x0000ffff);
								_t313 = _v32;
								_t342 = _t342 + 0xc;
								_t285 = 1;
								__eflags = _a8;
								_t326 = _t326 + (( *_t313 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t277 = E015639F2(_t326);
									_t313 = _v32;
									_t326 = _t277;
								}
							}
							_t297 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t332 = _v68;
								__eflags = 0;
								 *((short*)(_t326 - 2)) = 0;
								goto L32;
							} else {
								_t287 = _t331 + _t285 * 4;
								_v56 = _t287;
								do {
									__eflags = _t313;
									if(_t313 != 0) {
										_t243 =  *(_v60 + _t297 * 4);
										__eflags = _t243;
										if(_t243 == 0) {
											goto L30;
										} else {
											__eflags = _t243 == 5;
											if(_t243 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t287 =  *(_v60 + _t297 * 4);
										 *(_t287 + 0x18) = _t326;
										_t247 =  *(_v60 + _t297 * 4);
										__eflags = _t247 - 8;
										if(_t247 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t247 * 4 +  &M01502959))) {
												case 0:
													__ax =  *0x15c8488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0151F3E0(__edi,  *0x15c848c, __ax & 0x0000ffff);
														__eax =  *0x15c8488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0151F3E0(_t326, _v80, _v64);
													_t272 = _v64;
													goto L26;
												case 2:
													 *0x15c8480 & 0x0000ffff = E0151F3E0(__edi,  *0x15c8484,  *0x15c8480 & 0x0000ffff);
													__eax =  *0x15c8480 & 0x0000ffff;
													__eax = ( *0x15c8480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0151F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0151F3E0(_t326, _v76, _v36);
														_t272 = _v36;
													}
													L26:
													_t342 = _t342 + 0xc;
													_t326 = _t326 + (_t272 >> 1) * 2 + 2;
													__eflags = _t326;
													L27:
													_push(0x3b);
													_pop(_t274);
													 *((short*)(_t326 - 2)) = _t274;
													goto L28;
												case 6:
													__ebx =  *0x15c575c;
													__eflags = __ebx - 0x15c575c;
													if(__ebx != 0x15c575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0151F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x15c575c;
														} while (__ebx != 0x15c575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x15c8478 & 0x0000ffff = E0151F3E0(__edi,  *0x15c847c,  *0x15c8478 & 0x0000ffff);
													__eax =  *0x15c8478 & 0x0000ffff;
													__eax = ( *0x15c8478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E015639F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x15c6e58 & 0x0000ffff = E0151F3E0(__edi,  *0x15c6e5c,  *0x15c6e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x15c6e58 & 0x0000ffff;
													__eax = ( *0x15c6e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t297 = _v16;
													_t313 = _v32;
													L29:
													_t287 = _t287 + 4;
													__eflags = _t287;
													_v56 = _t287;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t297 = _t297 + 1;
									_v16 = _t297;
									__eflags = _t297 - _v48;
								} while (_t297 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t247 =  *(_v60 + _t324 * 4);
						if(_t247 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t247 * 4 +  &M01502935))) {
							case 0:
								__ax =  *0x15c8488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t313 =  &_v64;
								_v80 = E01502E3E(0,  &_v64);
								_t283 = _t283 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x15c8480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x15c8480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E014EEEF0(0x15c79a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E014EEB70(__ecx, 0x15c79a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t221 = _v72;
											__eflags = _t221;
											if(_t221 != 0) {
												L014F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t221);
											}
											_t222 = _v52;
											__eflags = _t222;
											if(_t222 != 0) {
												__eflags = _t332;
												if(_t332 < 0) {
													L014F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t222);
													_t222 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t293 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x15c7b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L014F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E014EEB70(__ecx, 0x15c79a0);
										__eax = _v52;
										L36:
										_pop(_t325);
										_pop(_t333);
										__eflags = _v8 ^ _t338;
										_pop(_t284);
										return E0151B640(_t222, _t284, _v8 ^ _t338, _t313, _t325, _t333);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t279 = _v56;
								if(_v56 != 0) {
									_t313 =  &_v36;
									_t281 = E01502E3E(_t279,  &_v36);
									_t293 = _v36;
									_v76 = _t281;
								}
								if(_t293 == 0) {
									goto L44;
								} else {
									_t283 = _t283 + 2 + _t293;
								}
								goto L14;
							case 6:
								__eax =  *0x15c5764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x15c8478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x15c8478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x15c6e58 & 0x0000ffff;
								__eax = ( *0x15c6e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t324 = _t324 + 1;
								if(_t324 >= _v48) {
									goto L16;
								} else {
									_t313 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t298 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					_push(_t247);
					 *((intOrPtr*)(_t331 + 0x28)) =  *((intOrPtr*)(_t331 + 0x28)) + _t342;
					_push(_t247);
					_t248 = _t247 + _t342;
					asm("daa");
					_push(_t248);
					 *_t331 =  *_t331 + _t338;
					_push(_t248);
					 *((intOrPtr*)(_t331 + 0x28)) =  *((intOrPtr*)(_t331 + 0x28)) + _t248;
					 *0x1f015026 =  *0x1f015026 + _t248;
					_t288 = _t248;
					_push(_t342);
					 *((intOrPtr*)(_t248 +  &_a1530200396)) =  *((intOrPtr*)(_t248 +  &_a1530200396)) + _t313;
					_push(_t342);
					 *_t313 =  *_t313 + _t248;
					 *((intOrPtr*)(_t248 + 1)) =  *((intOrPtr*)(_t248 + 1)) - _t313;
					 *_t248 =  *_t248 - 0x50;
					_t334 = _t331 + _t331;
					asm("daa");
					_push(_t248);
					 *_t334 =  *_t334 + _t288;
					 *((intOrPtr*)(_t248 + 1)) =  *((intOrPtr*)(_t248 + 1)) - _t313;
					_t335 = _t334 - 1;
					 *((intOrPtr*)(_t248 + 1)) =  *((intOrPtr*)(_t248 + 1)) - _t313;
					asm("daa");
					_t289 = _t248;
					_push(_t342);
					 *((intOrPtr*)(_t248 + _t288 +  &_a1546912076)) =  *((intOrPtr*)(_t248 + _t288 +  &_a1546912076)) + _t334 - 1;
					_push(_t342);
					_t344 = _t342 + _t298;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x15aff00);
					E0152D08C(_t289, _t326, _t335);
					_v44 =  *[fs:0x18];
					_t327 = 0;
					 *_a24 = 0;
					_t290 = _a12;
					__eflags = _t290;
					if(_t290 == 0) {
						_t252 = 0xc0000100;
					} else {
						_v8 = 0;
						_t336 = 0xc0000100;
						_v52 = 0xc0000100;
						_t254 = 4;
						while(1) {
							_v40 = _t254;
							__eflags = _t254;
							if(_t254 == 0) {
								break;
							}
							_t303 = _t254 * 0xc;
							_v48 = _t303;
							__eflags = _t290 -  *((intOrPtr*)(_t303 + 0x14b1664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t269 = E0151E5C0(_a8,  *((intOrPtr*)(_t303 + 0x14b1668)), _t290);
									_t344 = _t344 + 0xc;
									__eflags = _t269;
									if(__eflags == 0) {
										_t336 = E015551BE(_t290,  *((intOrPtr*)(_v48 + 0x14b166c)), _a16, _t327, _t336, __eflags, _a20, _a24);
										_v52 = _t336;
										break;
									} else {
										_t254 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t254 = _t254 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t336;
						__eflags = _t336;
						if(_t336 < 0) {
							__eflags = _t336 - 0xc0000100;
							if(_t336 == 0xc0000100) {
								_t299 = _a4;
								__eflags = _t299;
								if(_t299 != 0) {
									_v36 = _t299;
									__eflags =  *_t299 - _t327;
									if( *_t299 == _t327) {
										_t336 = 0xc0000100;
										goto L76;
									} else {
										_t315 =  *((intOrPtr*)(_v44 + 0x30));
										_t256 =  *((intOrPtr*)(_t315 + 0x10));
										__eflags =  *((intOrPtr*)(_t256 + 0x48)) - _t299;
										if( *((intOrPtr*)(_t256 + 0x48)) == _t299) {
											__eflags =  *(_t315 + 0x1c);
											if( *(_t315 + 0x1c) == 0) {
												L106:
												_t336 = E01502AE4( &_v36, _a8, _t290, _a16, _a20, _a24);
												_v32 = _t336;
												__eflags = _t336 - 0xc0000100;
												if(_t336 != 0xc0000100) {
													goto L69;
												} else {
													_t327 = 1;
													_t299 = _v36;
													goto L75;
												}
											} else {
												_t259 = E014E6600( *(_t315 + 0x1c));
												__eflags = _t259;
												if(_t259 != 0) {
													goto L106;
												} else {
													_t299 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t336 = E01502C50(_t299, _a8, _t290, _a16, _a20, _a24, _t327);
											L76:
											_v32 = _t336;
											goto L69;
										}
									}
									goto L108;
								} else {
									E014EEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t336 = _a24;
									_t266 = E01502AE4( &_v36, _a8, _t290, _a16, _a20, _t336);
									_v32 = _t266;
									__eflags = _t266 - 0xc0000100;
									if(_t266 == 0xc0000100) {
										_v32 = E01502C50(_v36, _a8, _t290, _a16, _a20, _t336, 1);
									}
									_v8 = _t327;
									E01502ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t252 = _t336;
					}
					L70:
					return E0152D0D1(_t252);
				}
				L108:
			}

0x01502584
0x01502586
0x01502590
0x01502596
0x01502597
0x01502598
0x01502599
0x0150259e
0x015025a4
0x015025a9
0x015025ac
0x015025ae
0x015025b1
0x015025b2
0x015025b5
0x015025b8
0x015025bb
0x015025bc
0x015025bf
0x015025c2
0x015025c5
0x015025c6
0x015025cb
0x015025ce
0x015025d8
0x015025dd
0x015025de
0x015025e1
0x015025e3
0x015025e9
0x015026da
0x015026da
0x015026dd
0x015026e2
0x01545b56
0x00000000
0x015026e8
0x015026f9
0x015026fb
0x015026fe
0x01502700
0x01545b60
0x00000000
0x01502706
0x01502706
0x0150270a
0x0150270a
0x0150270d
0x01502713
0x01502716
0x01502718
0x0150271c
0x0150271e
0x01545b6c
0x01545b6f
0x01545b7f
0x01545b89
0x01545b8e
0x01545b93
0x01545b96
0x01545b9c
0x01545ba0
0x01545ba3
0x01545bab
0x01545bb0
0x01545bb3
0x01545bb3
0x01545ba3
0x01502724
0x01502726
0x01502729
0x0150272c
0x0150279d
0x0150279d
0x015027a0
0x015027a2
0x00000000
0x0150272e
0x0150272e
0x01502731
0x01502734
0x01502734
0x01502736
0x01545bc1
0x01545bc1
0x01545bc4
0x00000000
0x01545bca
0x01545bca
0x01545bcd
0x00000000
0x01545bd3
0x00000000
0x01545bd3
0x01545bcd
0x0150273c
0x0150273c
0x01502742
0x01502747
0x0150274a
0x0150274d
0x01502750
0x00000000
0x01502756
0x01502756
0x00000000
0x01502902
0x01502908
0x0150290b
0x00000000
0x01502911
0x0150291c
0x01502921
0x00000000
0x01502921
0x00000000
0x00000000
0x01502880
0x01502887
0x0150288c
0x00000000
0x00000000
0x01502805
0x0150280a
0x01502814
0x01502816
0x00000000
0x00000000
0x0150281e
0x01502821
0x01502823
0x00000000
0x01502829
0x01502829
0x01502831
0x0150283c
0x0150283e
0x00000000
0x0150283e
0x00000000
0x00000000
0x0150284e
0x01502850
0x01502851
0x01502854
0x01502857
0x0150285a
0x0150285c
0x0150285d
0x00000000
0x00000000
0x0150275d
0x01502761
0x00000000
0x01502767
0x0150276e
0x01502773
0x01502773
0x01502776
0x01502778
0x0150277e
0x0150277e
0x01502781
0x01502781
0x01502783
0x01502784
0x00000000
0x00000000
0x01545bd8
0x01545bde
0x01545be4
0x01545be6
0x01545be8
0x01545be9
0x01545bee
0x01545bf8
0x01545bff
0x01545c01
0x01545c04
0x01545c07
0x01545c0b
0x01545c0d
0x01545c0d
0x01545c15
0x01545c18
0x01545c1b
0x01545c1b
0x01545c1e
0x00000000
0x00000000
0x015028c3
0x015028c8
0x015028d2
0x015028d4
0x015028d8
0x015028db
0x01545c26
0x01545c28
0x01545c2d
0x01545c2d
0x00000000
0x00000000
0x01545c34
0x01545c36
0x01545c49
0x01545c4e
0x01545c54
0x01545c5b
0x01545c5d
0x01545c60
0x01502788
0x01502788
0x0150278b
0x0150278e
0x0150278e
0x0150278e
0x01502791
0x00000000
0x00000000
0x01502756
0x01502750
0x00000000
0x01502794
0x01502794
0x01502795
0x01502798
0x01502798
0x00000000
0x01502734
0x0150272c
0x01502700
0x015025ef
0x015025ef
0x015025ef
0x015025f2
0x015025f8
0x00000000
0x00000000
0x015025fe
0x00000000
0x015028e6
0x015028ec
0x015028ef
0x015028f5
0x015028f8
0x015028f8
0x00000000
0x015028f8
0x00000000
0x00000000
0x01502866
0x01502866
0x01502876
0x01502879
0x00000000
0x00000000
0x015027e0
0x015027e7
0x015027e9
0x015027eb
0x01545afd
0x00000000
0x01545afd
0x00000000
0x00000000
0x01502633
0x01502638
0x0150263b
0x0150263c
0x0150263e
0x01502640
0x01502642
0x01502647
0x01502649
0x0150264e
0x01502650
0x01502653
0x01502659
0x015026a2
0x015026a7
0x015026ac
0x015026b2
0x01545b11
0x01545b15
0x01545b17
0x00000000
0x015026b8
0x015026b8
0x015026ba
0x015027a6
0x015027a6
0x015027a9
0x015027ab
0x015027b9
0x015027b9
0x015027be
0x015027c1
0x015027c3
0x015027c5
0x015027c7
0x01545c74
0x01545c79
0x01545c79
0x015027c7
0x00000000
0x015026c0
0x015026c0
0x015026c3
0x015026c6
0x015026c6
0x015026c9
0x015026c9
0x00000000
0x015026c9
0x015026ba
0x0150265b
0x0150265b
0x0150265e
0x01502667
0x0150266d
0x01502677
0x0150267c
0x0150267f
0x01502681
0x01545b49
0x01545b4e
0x015027cd
0x015027d0
0x015027d1
0x015027d2
0x015027d4
0x015027dd
0x01502687
0x01502687
0x0150268a
0x0150268b
0x0150268e
0x0150268f
0x01502691
0x01502696
0x01502698
0x0150269d
0x0150269f
0x00000000
0x0150269f
0x01502681
0x00000000
0x00000000
0x01502846
0x00000000
0x00000000
0x01502605
0x0150260a
0x0150260c
0x01502611
0x01502616
0x01502619
0x01502619
0x0150261e
0x00000000
0x01502624
0x01502627
0x01502627
0x00000000
0x00000000
0x01545b1f
0x00000000
0x00000000
0x01502894
0x0150289b
0x0150289d
0x015028a1
0x01545b2b
0x01545b2e
0x01545b2e
0x015028a7
0x015028a9
0x01545b04
0x01545b09
0x01545b09
0x01545b09
0x00000000
0x00000000
0x01545b35
0x01545b3c
0x015028fb
0x015028fb
0x015026cc
0x015026cc
0x015026d0
0x00000000
0x015026d2
0x015026d2
0x00000000
0x015026d2
0x00000000
0x00000000
0x015025fe
0x0150292d
0x0150292f
0x01502930
0x01502935
0x01502937
0x01502938
0x0150293b
0x0150293c
0x0150293e
0x0150293f
0x01502940
0x01502942
0x01502944
0x01502948
0x0150294e
0x0150294f
0x01502950
0x01502957
0x01502958
0x0150295a
0x0150295d
0x01502960
0x01502962
0x01502963
0x01502964
0x01502966
0x01502969
0x0150296a
0x0150296e
0x01502972
0x01502973
0x01502974
0x0150297b
0x0150297c
0x0150297e
0x0150297f
0x01502980
0x01502981
0x01502982
0x01502983
0x01502984
0x01502985
0x01502986
0x01502987
0x01502988
0x01502989
0x0150298a
0x0150298b
0x0150298c
0x0150298d
0x0150298e
0x0150298f
0x01502990
0x01502992
0x01502997
0x015029a3
0x015029a6
0x015029ab
0x015029ad
0x015029b0
0x015029b2
0x01545c80
0x015029b8
0x015029b8
0x015029bb
0x015029c0
0x015029c5
0x015029c6
0x015029c6
0x015029c9
0x015029cb
0x00000000
0x00000000
0x015029cd
0x015029d0
0x015029d9
0x015029db
0x015029dd
0x01502a7f
0x01502a84
0x01502a87
0x01502a89
0x01545ca1
0x01545ca3
0x00000000
0x01502a8f
0x01502a8f
0x00000000
0x01502a8f
0x00000000
0x015029e3
0x015029e3
0x015029e3
0x00000000
0x015029e3
0x015029dd
0x00000000
0x015029db
0x015029e6
0x015029e9
0x015029eb
0x015029ed
0x015029f3
0x015029f5
0x015029f8
0x015029fa
0x01502a97
0x01502a9a
0x01502a9d
0x01502add
0x00000000
0x01502a9f
0x01502aa2
0x01502aa5
0x01502aa8
0x01502aab
0x01545cab
0x01545caf
0x01545cc5
0x01545cda
0x01545cdc
0x01545cdf
0x01545ce5
0x00000000
0x01545ceb
0x01545ced
0x01545cee
0x00000000
0x01545cee
0x01545cb1
0x01545cb4
0x01545cb9
0x01545cbb
0x00000000
0x01545cbd
0x01545cbd
0x00000000
0x01545cbd
0x01545cbb
0x01502ab1
0x01502ab1
0x01502ac4
0x01502ac6
0x01502ac6
0x00000000
0x01502ac6
0x01502aab
0x00000000
0x01502a00
0x01502a09
0x01502a0e
0x01502a21
0x01502a24
0x01502a35
0x01502a3a
0x01502a3d
0x01502a42
0x01502a59
0x01502a59
0x01502a5c
0x01502a5f
0x01502a5f
0x015029fa
0x015029f3
0x01502a64
0x01502a64
0x01502a6b
0x01502a6b
0x01502a6d
0x01502a72
0x01502a72
0x00000000

Strings

PATH, xrefs: 01502642, 01502691

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 700642d8b6c2b69d950cc4acdef1e0730083e0d456589de5435fabf97630cd5f
Instruction ID: a9d3254c120e6a73cd813b4e99c01b04e8b70d01cdc5b8ac51149302586a1ce2
Opcode Fuzzy Hash: 700642d8b6c2b69d950cc4acdef1e0730083e0d456589de5435fabf97630cd5f
Instruction Fuzzy Hash: 38C1AE71D0021ADFDB26DF99C884ABEBBF5FF48700F18442AE505AF290E734A945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0150FAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0150FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E014EEEF0(0x15c7b60);
					_t134 =  *0x15c7b84; // 0x771c7b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x15c7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x15c7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E014E6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E014E76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E01578938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E014DB150();
													}
													_t116 = E01576D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E014E75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x15c8638; // 0x0
																	_t122 = L014E38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E014E76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E014E76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0150FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L014E70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0150FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0150FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0150FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0150FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0150FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x15c7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x15c7b84 = _t75;
						_t73 = E014EEB70(_t134, 0x15c7b60);
						if( *0x15c7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E014EFF60( *0x15c7b20);
							}
						}
						goto L5;
					}
				}
			}

0x0150fab0
0x0150fab2
0x0150fab3
0x0150fab4
0x0150fabc
0x0150fac0
0x0150fb14
0x0150fb17
0x0150fac2
0x0150fac8
0x0150facd
0x0150fad3
0x0150fad3
0x0150fadd
0x0150fb18
0x0150fb1b
0x0150fb1d
0x0150fb1e
0x0150fb1f
0x0150fb20
0x0150fb21
0x0150fb22
0x0150fb23
0x0150fb24
0x0150fb25
0x0150fb26
0x0150fb27
0x0150fb28
0x0150fb29
0x0150fb2a
0x0150fb2b
0x0150fb2c
0x0150fb2d
0x0150fb2e
0x0150fb2f
0x0150fb3a
0x0150fb3b
0x0150fb3e
0x0150fb41
0x0150fb44
0x0150fb47
0x0150fb4a
0x0150fb4d
0x0150fb53
0x0154bdcb
0x0154bdcb
0x0150fb59
0x0150fb5b
0x0150fb5b
0x0150fb5e
0x0154bdd5
0x0154bdd8
0x00000000
0x0154bdda
0x00000000
0x0154bdda
0x0150fb64
0x0150fb64
0x0150fb64
0x0150fb67
0x0150fb6e
0x0150fb70
0x0150fb72
0x00000000
0x0150fb78
0x0150fb7a
0x0150fb7a
0x0150fb7d
0x0150fb80
0x0154bddf
0x0154bde1
0x00000000
0x0154bde3
0x00000000
0x0154bde3
0x0150fb86
0x0150fb86
0x0150fb86
0x0150fb8b
0x0150fb90
0x0150fb92
0x0150fb94
0x0150fb9a
0x0150fb9b
0x0150fba1
0x0154bde8
0x0154bdeb
0x0154bded
0x0154beb5
0x0154beb5
0x0154bebb
0x0154bebd
0x0154bec3
0x0154bed2
0x0154bedd
0x0154bedd
0x0154beed
0x00000000
0x0154bdf3
0x0154bdfe
0x0154be06
0x0154be0b
0x0154be0d
0x0154be0f
0x0154be14
0x0154be19
0x0154be20
0x0154be25
0x0154be27
0x0154be35
0x0154be39
0x0154be46
0x0154be4f
0x0154be54
0x0154be56
0x0154bef8
0x0154bef8
0x00000000
0x0154be5c
0x0154be5c
0x0154be60
0x00000000
0x0154be66
0x0154be66
0x0154be7f
0x0154be84
0x0154be87
0x0154be89
0x0154be8b
0x0154be99
0x0154be9d
0x0154bea0
0x0154beac
0x0154beaf
0x0154beb1
0x0154beb3
0x0154beb3
0x00000000
0x0154bea2
0x0154bea2
0x00000000
0x0154bea2
0x0154be8d
0x0154be8d
0x0154be92
0x00000000
0x0154be92
0x0154be8b
0x0154be60
0x0154be3b
0x0154be3b
0x0154be3e
0x00000000
0x0154be40
0x0154be40
0x0154be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0154be44
0x0154be3e
0x0154be29
0x0154be29
0x00000000
0x0154be29
0x0154be27
0x00000000
0x0150fba7
0x0150fba7
0x0150fbab
0x0154bf02
0x0150fbb1
0x0150fbb1
0x0150fbb8
0x0150fbbd
0x0150fbbd
0x0150fbbf
0x0150fbbf
0x0150fbc5
0x0150fbcb
0x0150fbf8
0x0150fbf8
0x0150fbfa
0x00000000
0x0150fc00
0x0150fc00
0x0150fc03
0x00000000
0x0150fc09
0x0150fc09
0x0150fc0f
0x0150fc15
0x0150fc23
0x0150fc23
0x0150fc25
0x0150fc27
0x0150fc75
0x0150fc7c
0x0150fc84
0x00000000
0x0150fc29
0x0150fc29
0x0150fc2d
0x0150fc30
0x0154bf0f
0x00000000
0x0150fc36
0x0150fc38
0x0150fc3b
0x0150fc41
0x0154bf17
0x0154bf19
0x0154bf48
0x0154bf4b
0x00000000
0x0154bf1b
0x0154bf22
0x0154bf24
0x0154bf26
0x00000000
0x0154bf2c
0x0154bf37
0x0154bf39
0x0154bf3b
0x00000000
0x0154bf41
0x0154bf41
0x0154bf41
0x0154bf41
0x0154bf45
0x00000000
0x0154bf45
0x0154bf3b
0x0154bf26
0x00000000
0x0150fc47
0x0150fc47
0x0150fc49
0x0150fcb2
0x0150fcb4
0x0150fcb6
0x0150fcdc
0x0150fcdc
0x00000000
0x0150fcb8
0x0150fcc3
0x0150fcc5
0x0150fcc7
0x00000000
0x0150fcc9
0x0150fcc9
0x0150fccd
0x00000000
0x0150fccd
0x0150fcc7
0x00000000
0x0150fc4b
0x0150fc4b
0x0150fc4e
0x0150fc4e
0x0150fc51
0x0150fc51
0x0150fc54
0x0150fc5a
0x0150fc5c
0x0150fc5f
0x0150fc61
0x0150fc63
0x0150fc65
0x0150fc67
0x0150fc6e
0x0150fc72
0x0150fc72
0x0150fc72
0x0150fc72
0x0150fc67
0x0150fc61
0x00000000
0x0150fc5a
0x0150fc49
0x0150fc41
0x0150fc30
0x0150fc27
0x0150fc03
0x0150fbcd
0x0150fbd3
0x0150fbd9
0x0150fbdc
0x0150fbde
0x0150fc99
0x0150fc9b
0x0150fc9d
0x0150fcd5
0x0150fcd5
0x0150fc89
0x0150fc89
0x00000000
0x0150fc9f
0x0150fc9f
0x0150fca3
0x00000000
0x0150fca3
0x00000000
0x0150fbe4
0x0150fbe4
0x0150fbe4
0x0150fbe4
0x0150fbe9
0x0150fbf2
0x00000000
0x0150fbf2
0x0150fbde
0x0150fbcb
0x0150fbab
0x0150fc8b
0x0150fc8b
0x0150fc8c
0x0150fb80
0x0150fb72
0x0150fb5e
0x0150fc8d
0x0150fc91
0x0150fadf
0x0150fadf
0x0150fae1
0x0150fae4
0x0150fae7
0x0150faec
0x0150faf8
0x0150fb00
0x0150fb07
0x0150fb0f
0x0150fb0f
0x0150fb07
0x00000000
0x0150faf8
0x0150fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0154BE0F

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 41d08f2b26ceeb3efed5c4a7b151db6e11083ff66a9dbbce502f4492095b203d
Instruction ID: 307ed415eedc9e5273c214e27b8dd8c52215d96facef7024fef7ef343a08129f
Opcode Fuzzy Hash: 41d08f2b26ceeb3efed5c4a7b151db6e11083ff66a9dbbce502f4492095b203d
Instruction Fuzzy Hash: 60A1F171A04A069FEB36CFA9C455B7EB7E4BF88724F04456EE9468F6D0DB30D8418B90

Uniqueness

Uniqueness Score: -1.00%

Function 014D2D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E014D2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x15c5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x15c7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E015197C0();
				}
				if( *0x15c79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x15c79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E01501624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E014F7D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0156FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E01519520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0150E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0152DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x15c6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x15c6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E01519980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E015195D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E014F7D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E014F7D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E01557016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0156FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x15c5350;
							if(_t109 != 0x15c5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0156FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E01565720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x014d2d8a
0x014d2d8a
0x014d2d92
0x014d2d96
0x014d2d9e
0x014d2da0
0x014d2da3
0x014d2da5
0x014d2da8
0x014d2dab
0x014d2db2
0x0152f9aa
0x0152f9ab
0x0152f9ae
0x0152f9ae
0x014d2db8
0x014d2dc2
0x0152f9b9
0x0152f9be
0x0152f9bf
0x0152f9bf
0x014d2dcf
0x0152f9c9
0x014d2dd5
0x014d2dd5
0x014d2dd5
0x014d2dde
0x014d2de1
0x014d2e70
0x014d2e72
0x014d2e72
0x014d2de7
0x014d2deb
0x014d2e7c
0x014d2e83
0x014d2e85
0x014d2e8b
0x014d2e8d
0x014d2e92
0x014d2e92
0x014d2e85
0x014d2df1
0x014d2df7
0x014d2df9
0x014d2df9
0x014d2dfc
0x014d2dff
0x014d2e02
0x00000000
0x014d2e05
0x014d2e0c
0x0152f9d9
0x014d2e12
0x014d2e12
0x014d2e12
0x014d2e1a
0x0152f9e3
0x0152f9e9
0x0152f9f0
0x0152f9f6
0x0152f9f8
0x0152f9f8
0x0152f9f0
0x014d2e23
0x0152fa02
0x0152fa03
0x0152fa05
0x0152fa06
0x00000000
0x014d2e29
0x014d2e29
0x014d2e2e
0x014d2e34
0x014d2e3e
0x00000000
0x00000000
0x014d2e44
0x014d2e47
0x014d2e4d
0x00000000
0x00000000
0x014d2e4f
0x014d2e54
0x00000000
0x00000000
0x014d2e5a
0x014d2e5f
0x014d2e9a
0x014d2ea4
0x014d2ea5
0x014d2ea8
0x014d2eaf
0x014d2eb2
0x014d2eb5
0x0152fae9
0x0152faeb
0x0152faed
0x0152faef
0x0152faf7
0x0152faf8
0x0152fafd
0x0152faff
0x0152fb04
0x0152fb04
0x0152faff
0x014d2ec0
0x014d2ec4
0x014d2ec6
0x014d2ec8
0x0152fb14
0x0152fb18
0x0152fb1e
0x0152fb21
0x0152fb21
0x014d2ece
0x014d2ece
0x014d2ece
0x014d2ed7
0x014d2e61
0x014d2e63
0x0152fa6b
0x0152fa71
0x0152fa76
0x0152fa78
0x0152fa8a
0x0152fa7a
0x0152fa83
0x0152fa83
0x0152fa8f
0x0152fa91
0x0152fa97
0x0152fa9d
0x0152faa4
0x0152faaa
0x0152faaf
0x0152fab1
0x0152fac3
0x0152fab3
0x0152fabc
0x0152fabc
0x0152fac8
0x0152facb
0x0152fadf
0x0152fadf
0x0152facb
0x0152faa4
0x0152fa91
0x014d2e6f
0x014d2e6f
0x014d2e5f
0x0152fa13
0x0152fa15
0x0152fa17
0x0152fa1f
0x0152fa21
0x0152fa22
0x0152fa25
0x0152fa28
0x0152fa2f
0x0152fa2f
0x0152fa2a
0x0152fa2a
0x0152fa2a
0x0152fa31
0x0152fa34
0x0152fa36
0x0152fa3c
0x0152fa3e
0x0152fa41
0x0152fa43
0x0152fa45
0x0152fa45
0x0152fa41
0x0152fa3c
0x0152fa4a
0x0152fa4f
0x0152fa51
0x0152fa53
0x0152fa56
0x0152fa5b
0x0152fa5e
0x00000000
0x0152fa5e
0x014d2e23

Strings

RTL: Re-Waiting, xrefs: 0152FA4A

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: a9890a74c02c3ccf649a9d33e2f3d0ee04f85fcd74a9345ccb5fe10452e77394
Instruction ID: c3887e0c85ff74f1384e5f71a103ff35a80a22c95a2be64e14e63b68b42f6570
Opcode Fuzzy Hash: a9890a74c02c3ccf649a9d33e2f3d0ee04f85fcd74a9345ccb5fe10452e77394
Instruction Fuzzy Hash: 19615332A006119FEB22CF6CD860B7EBBB4FB46720F14066BD9119B2E1C7B499028781

Uniqueness

Uniqueness Score: -1.00%

Function 015A0EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E015A0EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0159FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E015A1074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E01519730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E0159A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E0159A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x15c8b04 >> 0x14) + (_v44 -  *0x15c8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E014F7D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0159138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E014F7D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E0158FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x15c8724 & 0x00000008) != 0) {
						E015952F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E015A15B5(0x15c8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x015a0eb7
0x015a0eb9
0x015a0ec0
0x015a0ec2
0x015a0ecd
0x015a105b
0x015a105b
0x015a1061
0x015a1066
0x015a1066
0x015a106b
0x015a1073
0x015a1073
0x015a0ed3
0x015a0ed6
0x015a0edc
0x015a0ee0
0x015a0ee7
0x015a0ef0
0x015a0ef5
0x015a0efa
0x015a0efc
0x015a0efd
0x015a0f03
0x015a0f04
0x015a0f06
0x015a0f07
0x015a0f09
0x015a0f0e
0x015a0f14
0x015a0f23
0x015a0f2d
0x015a0f34
0x015a0f34
0x015a0f14
0x015a0f52
0x00000000
0x00000000
0x015a0f58
0x015a0f73
0x015a0f74
0x015a0f79
0x015a0f7d
0x015a0f80
0x015a0f86
0x015a0fab
0x015a0fb5
0x015a0fc6
0x015a0fd1
0x015a0fe3
0x015a0fd3
0x015a0fdc
0x015a0fdc
0x015a0feb
0x015a1009
0x015a1009
0x015a1015
0x015a1027
0x015a1017
0x015a1020
0x015a1020
0x015a102f
0x015a103c
0x015a103c
0x015a1048
0x015a1050
0x015a1050
0x015a1055
0x00000000
0x015a1055
0x015a0f88
0x015a0f9e
0x015a0fa2
0x015a0fa9
0x00000000
0x00000000
0x00000000
0x015a0fa9
0x00000000

Strings

`, xrefs: 015A0F16

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: f167bea6ec8b7667d7b6bcdf4703654b2ff3335e73d84e00c69d1d363f522c4c
Instruction ID: ed0b825f285020f853ec256b26bcfb9af6d9ee9f0f9a654e8cc23568c30de934
Opcode Fuzzy Hash: f167bea6ec8b7667d7b6bcdf4703654b2ff3335e73d84e00c69d1d363f522c4c
Instruction Fuzzy Hash: ED51BA702847428FE725DF28D9C0B1FBBE9FBC4214F44092DFA929B290D670E805CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0150F0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0150F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E014F4120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E01519830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L014F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E01519990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E015195D0();
							goto L11;
						} else {
							_t109 = L014F4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0151F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E015195D0();
										L014F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0150f0d3
0x0150f0d9
0x0150f0e0
0x0150f0e7
0x0150f0f2
0x0150f0f4
0x0150f0f8
0x0150f100
0x0150f108
0x0150f10d
0x0150f115
0x0150f116
0x0150f11f
0x0150f123
0x0150f124
0x0150f12c
0x0150f130
0x0150f134
0x0150f13d
0x0150f144
0x0150f14b
0x0150f152
0x0154bab0
0x0154bab0
0x0150f158
0x0150f158
0x0150f15a
0x0150f160
0x0150f165
0x0150f166
0x0150f16f
0x0150f173
0x0154baa7
0x0154baa7
0x0154baab
0x00000000
0x0150f179
0x0150f18d
0x0150f191
0x0154baa2
0x00000000
0x0150f197
0x0150f19b
0x0150f1a2
0x0150f1a9
0x0150f1af
0x0150f1b2
0x0150f1b6
0x0150f1b9
0x0150f1c4
0x0150f1d8
0x0150f1df
0x0150f1e3
0x0150f1eb
0x0150f1ee
0x0150f1f4
0x0150f20f
0x0154bab7
0x0154babb
0x0154bacc
0x0154bad1
0x0150f215
0x0150f218
0x0150f226
0x0150f22b
0x00000000
0x0150f22b
0x0150f1f6
0x0150f1f6
0x0150f1f9
0x0150f1fb
0x0150f1fb
0x0150f1f4
0x0150f191
0x0150f173
0x0150f152
0x0150f203

Strings

@, xrefs: 0150F124

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: e1b1142abe78e198a8aa89f64fe67ecca10c031f19dc684c07995e1f5670ee9d
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: A251B071104711AFD321DF59C841A6BBBF8FF98714F00892EFA959B6A0E7B4E904CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01553540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E01553540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x15cd360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E01510BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E01553706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0151FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E01553540;
						E0151FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0152DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E01560C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E015197C0();
					}
					return E0151B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E01553971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E01553884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0151FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E01519650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E01553787(_a4,  &_v352, _t80);
						}
					}
					L014F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E015195D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x01553552
0x0155355a
0x0155355d
0x01553566
0x01553567
0x0155357e
0x0155358f
0x015535a1
0x015535a5
0x0155366b
0x0155366b
0x0155366d
0x01553672
0x01553679
0x01553685
0x0155368d
0x0155369d
0x015536a7
0x015536b8
0x015536c6
0x015536c7
0x015536dc
0x015536e1
0x015536e7
0x015536e9
0x015536e9
0x01553703
0x01553703
0x015535b5
0x015535c0
0x015535c4
0x00000000
0x00000000
0x015535ca
0x015535d7
0x015535e2
0x015535e6
0x015535e8
0x015535f5
0x015535fa
0x01553603
0x01553604
0x01553609
0x0155360a
0x01553612
0x01553613
0x0155361e
0x01553622
0x01553628
0x0155362f
0x0155362f
0x01553636
0x01553638
0x0155363b
0x01553642
0x01553642
0x01553636
0x01553657
0x01553657
0x0155365c
0x01553662
0x01553669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0155358F

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 7c4763ecb9c2393cad8b1e59847cfa9c16bb63acacfdfbd0fabc867e26e6726d
Instruction ID: 91f10ea3b0a7d0b9dab60e5dd5b1711f62f82f2a6b7fdbe1ba87d9715135fc52
Opcode Fuzzy Hash: 7c4763ecb9c2393cad8b1e59847cfa9c16bb63acacfdfbd0fabc867e26e6726d
Instruction Fuzzy Hash: 3B4135B2D0052E9BDB619A50CC90FDEB77CBB54754F0045A6EA09AF240DB309E88CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 015A05AC, Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E015A05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E015A07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E01519730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E0159A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E0159A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E015A1293(_t79, _v40, E015A07DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E014F7D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E0159138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x015a05c5
0x015a05ca
0x015a05d3
0x015a06db
0x015a06db
0x015a06dd
0x015a06e3
0x015a06e3
0x015a05dd
0x015a05e7
0x015a05f6
0x015a0600
0x015a0607
0x015a0610
0x015a0615
0x015a061a
0x015a061c
0x015a061e
0x015a0624
0x015a0625
0x015a0627
0x015a0628
0x015a0631
0x015a0640
0x015a064d
0x015a0654
0x015a0654
0x015a0631
0x015a066d
0x015a0674
0x00000000
0x00000000
0x015a0692
0x015a069e
0x015a06b0
0x015a06a0
0x015a06a9
0x015a06a9
0x015a06b8
0x015a06d6
0x015a06d6
0x00000000

Strings

`, xrefs: 015A0633

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: ce6ec432aeac0f4a9b41bd1bab38f2855ca4375f6d5396730793753dafd4e02a
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 18310E32640716ABE720DE28CD84F9E7BD9BBC4758F144229FA489F2C0D670E905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01553884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01553884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E01519650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L014F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L014F4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E01519650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x01553893
0x01553896
0x01553899
0x0155389f
0x015538a0
0x015538a4
0x015538a9
0x015538ac
0x015538ad
0x015538ae
0x015538af
0x015538b1
0x015538b4
0x015538bb
0x015538bc
0x015538bd
0x015538c4
0x015538c8
0x015538ca
0x015538ca
0x015538d5
0x0155393e
0x01553940
0x01553942
0x01553952
0x01553954
0x01553961
0x01553961
0x01553967
0x0155396e
0x0155396e
0x01553947
0x0155394c
0x00000000
0x0155394c
0x015538ea
0x015538ee
0x015538f8
0x015538f9
0x015538ff
0x01553900
0x01553902
0x01553903
0x0155390b
0x0155390f
0x01553950
0x00000000
0x01553950
0x01553915
0x0155391d
0x0155391d
0x01553922
0x01553926
0x00000000
0x01553928
0x0155392b
0x0155392b
0x01553935
0x01553937
0x01553937
0x00000000
0x01553935
0x01553926
0x015538f0
0x00000000

Strings

BinaryName, xrefs: 015538B4

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 8e0255805761fba50bc9c0f043a8f9c40ba95cddd3f72371536b2b457a805924
Instruction ID: e1ac0b2867d0565a4095fad223b9b0b238b215d6f0bb30f404735834bdc4f6fd
Opcode Fuzzy Hash: 8e0255805761fba50bc9c0f043a8f9c40ba95cddd3f72371536b2b457a805924
Instruction Fuzzy Hash: DE31E5B290151AAFEB95DE59C965D6FFBB4FF80B60F01416AED18AB250D7309E00C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0150D294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0150D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x15cd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E014F4120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0151B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E015198D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E015195D0();
					L014F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L014F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0150d29c
0x0150d2a6
0x0150d2b1
0x0150d2b5
0x0150d2b6
0x0150d2bc
0x0150d2bd
0x0150d2be
0x0150d2bf
0x0150d2c2
0x0150d2c4
0x0150d2cc
0x0150d384
0x0150d34b
0x0150d34f
0x0150d350
0x0150d351
0x0150d35c
0x0150d35c
0x0150d2d6
0x0150d2da
0x0150d2e1
0x0150d361
0x0150d369
0x0150d36d
0x0150d2e3
0x0150d2e3
0x0150d2e3
0x0150d2e5
0x0150d2ed
0x0150d2f5
0x0150d2fa
0x0150d302
0x0150d303
0x0150d30b
0x0150d30f
0x0150d313
0x0150d318
0x0150d31c
0x0150d320
0x0150d379
0x0150d37d
0x00000000
0x00000000
0x0154affe
0x0154b001
0x0154b011
0x00000000
0x0150d322
0x0150d322
0x0150d330
0x0150d337
0x0150d35d
0x0150d339
0x0150d33f
0x0150d38c
0x0150d38c
0x0150d33f
0x0150d349
0x00000000
0x0150d349

Strings

@, xrefs: 0150D303

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: ea7222e29f9242ef361af52f441ced161f99fa01f5835f8bee2512032076cbe9
Instruction ID: 991d5a2a5e92e00f6ee4f2daa71da9fe9dbe221670d1579f371a67f7a193e10f
Opcode Fuzzy Hash: ea7222e29f9242ef361af52f441ced161f99fa01f5835f8bee2512032076cbe9
Instruction Fuzzy Hash: A9318FB55083069FD312DFE8C9809AFBBF8FB95654F00092EF9958B290D634DD04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 014E1B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E014E1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0151BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0151A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0151A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L014F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L014F4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x014e1b8f
0x014e1b9a
0x014e1b9c
0x014e1b9e
0x014e1ba3
0x01537010
0x01537010
0x00000000
0x014e1ba9
0x014e1ba9
0x014e1bae
0x00000000
0x014e1bc5
0x014e1bca
0x014e1bcf
0x014e1bd0
0x014e1bd1
0x014e1bd2
0x014e1bd6
0x014e1bdc
0x014e1be0
0x01536ffc
0x01537000
0x00000000
0x01537006
0x01537009
0x01537009
0x014e1be6
0x014e1bec
0x014e1c0b
0x014e1c0b
0x014e1c0c
0x014e1c11
0x014e1c12
0x014e1c15
0x014e1c1b
0x014e1c1f
0x014e1c31
0x014e1c33
0x01537026
0x01537026
0x014e1c21
0x014e1c24
0x014e1c24
0x014e1bee
0x014e1bee
0x014e1bf2
0x014e1c3a
0x014e1bf4
0x014e1bf4
0x014e1c05
0x014e1c05
0x014e1c09
0x014e1c3e
0x00000000
0x00000000
0x00000000
0x014e1c09
0x014e1bec
0x014e1be0
0x014e1bae
0x014e1c2e

Strings

WindowsExcludedProcs, xrefs: 014E1BC5

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 3f4210f4da820a37baade45f814012b802e79b1b73c6fe87b6f78db4d9d5b71d
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 8421287A941519ABEB329A598944F6FBBEDFF84A51F050466FA04CF210D630DD11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 014FF716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E014FF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x014ff71d
0x014ff722
0x014ff726
0x01544770
0x014ff765
0x014ff769
0x014ff769
0x014ff732
0x0154477a
0x00000000
0x0154477a
0x014ff738
0x014ff73a
0x014ff73c
0x014ff73f
0x014ff746
0x014ff778
0x014ff7a9
0x014ff7a9
0x014ff754
0x014ff75a
0x014ff75d
0x014ff75f
0x014ff761
0x014ff76f
0x014ff771
0x014ff771
0x014ff76f
0x014ff763
0x00000000
0x014ff763
0x014ff77d
0x014ff7a3
0x014ff7a5
0x00000000
0x014ff7a5
0x014ff77f
0x014ff782
0x014ff784
0x014ff786
0x00000000
0x00000000
0x00000000
0x014ff788
0x014ff748
0x014ff74d
0x014ff78d
0x014ff793
0x014ff7b7
0x014ff7bc
0x00000000
0x014ff7bc
0x014ff798
0x00000000
0x00000000
0x014ff79d
0x014ff7b0
0x00000000
0x014ff7b0
0x014ff79f
0x00000000
0x014ff74f
0x014ff74f
0x00000000
0x014ff74f

Strings

Actx , xrefs: 014FF73F

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: b476e098644264e9ddd7ab25c0bf2d464a81ad77f83a5ce4e0f6ead38cf0b9b6
Instruction ID: e6f195d14102da669731bcbf292e5ee680c4373d4f7b1d4a08bd40a237fd031f
Opcode Fuzzy Hash: b476e098644264e9ddd7ab25c0bf2d464a81ad77f83a5ce4e0f6ead38cf0b9b6
Instruction Fuzzy Hash: 7011B23B3046428BEB254E1D8490737F6D5AB85624F28452FE761DB3B1DB70D84A8341

Uniqueness

Uniqueness Score: -1.00%

Function 01588DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E01588DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x15b0d50);
				E0152D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E01565720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0152DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0152DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0152D130(_t34, _t39, _t40);
			}

0x01588df1
0x01588df1
0x01588df1
0x01588df1
0x01588df1
0x01588df1
0x01588df3
0x01588df8
0x01588dfd
0x01588e00
0x01588e0e
0x01588e2a
0x01588e36
0x01588e38
0x01588e3c
0x01588e46
0x01588e46
0x01588e36
0x01588e50
0x01588e56
0x01588e59
0x01588e5c
0x01588e60
0x01588e67
0x01588e6d
0x01588e73
0x01588e74
0x01588eb1
0x01588ebd

Strings

Critical error detected %lx, xrefs: 01588E21

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 68406f9a085415b29e089c55c4302a50ded78de32ca1799bc4b9304f28250df9
Instruction ID: 3f6d497f6b9e062edfe97fb29905e27f2ec1e182e459317ca2963a38779f8ead
Opcode Fuzzy Hash: 68406f9a085415b29e089c55c4302a50ded78de32ca1799bc4b9304f28250df9
Instruction Fuzzy Hash: BF114272D10349DEDB28DFA8850579CBBB0BB55310F20426EE568AF2D2C3340602CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0156FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0156FF60

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: dd1f0a37d9878191992ed58028afe19ecf928452116c1515e62ad1ec4e94c51f
Instruction ID: a94acbd10f73f5794c78024e8e1fc2228dc0f501a9976664e174a9e981a32f7a
Opcode Fuzzy Hash: dd1f0a37d9878191992ed58028afe19ecf928452116c1515e62ad1ec4e94c51f
Instruction Fuzzy Hash: 0F110072910185EFEB26EF94C849F9CBBB1FF49B04F248048E5086F6A1C7399940DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 015A5BA5, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ba4cba3e072ae0f4cb1c22605bd46f72c7ea723324a9651a28d4fb93717af3
Instruction ID: 153b95e6c54d2471a1983ea52e81b7c9c36ffac669645878727c3bb62c9b6142
Opcode Fuzzy Hash: 17ba4cba3e072ae0f4cb1c22605bd46f72c7ea723324a9651a28d4fb93717af3
Instruction Fuzzy Hash: 8D426A75950229CFDB20CF68C880BADBBF1FF45304F5981AAD95DAB242E7309A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 014F4120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 148e7fdef3ae6466c9fc20d5dceeac663c831b2df479aded4ac15b8274354c83
Instruction ID: 94111b48208b59669b76a384bc1bc7de7ed91e23fb080373caf7dce5c8360270
Opcode Fuzzy Hash: 148e7fdef3ae6466c9fc20d5dceeac663c831b2df479aded4ac15b8274354c83
Instruction Fuzzy Hash: 94F17A746082118BD724CF59C481A7BB7E1FF98754F09492EF686CB3A1EB34D886CB52

Uniqueness

Uniqueness Score: -1.00%

Function 015020A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b14d38f2cfc25002c2925af386b89b35502050834d3b60f0185f5d6ff5076dd
Instruction ID: 9ba502e68fe2682ef4f5d706cd10f3e729a68c4563f8442f630a4e9933fbf348
Opcode Fuzzy Hash: 6b14d38f2cfc25002c2925af386b89b35502050834d3b60f0185f5d6ff5076dd
Instruction Fuzzy Hash: ECF1D0356083429FEB27CFA8C44476E7BE1BB95728F08891DE9958F281E774D845CB82

Uniqueness

Uniqueness Score: -1.00%

Function 014ED5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554a716109fd9d65ebd0c2b24163ef179955fe87ca1d56361b4b366c54554d2f
Instruction ID: 4cf289a60c3d349afa3c616885798905c75af49575dab7d11eba0e90057a27ca
Opcode Fuzzy Hash: 554a716109fd9d65ebd0c2b24163ef179955fe87ca1d56361b4b366c54554d2f
Instruction Fuzzy Hash: B9E1C134E0075A8FEB35CF68C888B6AB7F2BF85305F05019AD9199B3A1D734A985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 014E849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49633816037948054e3bab46b0ab1233d54ff52b3081f15e17fa440203796e1e
Instruction ID: 822d4cb4d59edb9fc61af09fa684593c03b44c91392999e1e3864cab74f9ee0d
Opcode Fuzzy Hash: 49633816037948054e3bab46b0ab1233d54ff52b3081f15e17fa440203796e1e
Instruction Fuzzy Hash: D3B159B0E0020ADFDF15CFA9C984AADBBF5BF98304F10412AE515AB355D770A946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0150513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b397f2d9472e5f038fead1eb41e2aa2f9899abbee16e45102b367bc68e20acde
Instruction ID: 29eaaf0c30a62fb01c91e3f8473e7578877319e9f96a24d949dbe9c7ad620dc3
Opcode Fuzzy Hash: b397f2d9472e5f038fead1eb41e2aa2f9899abbee16e45102b367bc68e20acde
Instruction Fuzzy Hash: E5C112755083819FD355CF28C480A5AFBF1BF89308F184A6EF9998B392D771E985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 015003E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd934b0ebfb4131e920435ea7518a06fc95437602490afdcf65086eeccce9bd8
Instruction ID: 7ffa33f70ce70a445051a0ff23fef2717cd09bf4bf4885f2ef1c849d3580c2b2
Opcode Fuzzy Hash: fd934b0ebfb4131e920435ea7518a06fc95437602490afdcf65086eeccce9bd8
Instruction Fuzzy Hash: CF914631E40656AFEB329BACC848BAD7BF4BB05768F060265FA50AF2D1D7749D00C785

Uniqueness

Uniqueness Score: -1.00%

Function 014DC600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b41af7c20008c12b071f5309b34e0eb4fb6e98988b60c5323f2d58f6c84a07b0
Instruction ID: 140eba336441b736e6070399607a185e6e9123f3d84cb680aa7a9b48c4aedb85
Opcode Fuzzy Hash: b41af7c20008c12b071f5309b34e0eb4fb6e98988b60c5323f2d58f6c84a07b0
Instruction Fuzzy Hash: 4A81AE756442428FDB26CE59C880A6EB7E4FF88258F14482EEE459F241E330ED45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0156B8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99774c32799e2b862f76b9ff78e57b72b49ea9e08ed56c7dbf263ae082e7b302
Instruction ID: 9d965590f4d1d5dc37f0c3fc0051b6a80c7e92719397e020d836f166d89f9e78
Opcode Fuzzy Hash: 99774c32799e2b862f76b9ff78e57b72b49ea9e08ed56c7dbf263ae082e7b302
Instruction Fuzzy Hash: 9771FF32300702AFE7329F19C844F6ABBE9FB44724F154928E655CF6A0DBB4E940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01556DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 76be4db07eddbe1d762abe0dd300fd49f53d5cf506f53105ca65895ac45e62d8
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 6171607190021AEFDB11DFA5C954EDEBBB9FF98710F50406AE905AB250DB34EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014D52A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 706760c6d49ef10352dc60ed51fdb9c3745a94146a71ab5b66f621ab6f0670ac
Instruction ID: d6c80eb0544cf03bfd4454b28bb77a96b034ac83651dcce8b0c0112693771b74
Opcode Fuzzy Hash: 706760c6d49ef10352dc60ed51fdb9c3745a94146a71ab5b66f621ab6f0670ac
Instruction Fuzzy Hash: 0951D0312057429FD722DF69C844B2BBBE4FFA4710F10091EF4959B6A1EB70E804CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01502AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2479856c4bd52568ba96afbb7cc3cb6a67c555a18e5c620fe7982f383da0339e
Instruction ID: f24955860bdf634242faf4461d5cb9e43b69e9c466a9cf0a26e0243eaa466a36
Opcode Fuzzy Hash: 2479856c4bd52568ba96afbb7cc3cb6a67c555a18e5c620fe7982f383da0339e
Instruction Fuzzy Hash: CD51D376A00525CFCB16CF9CC4889BDB7F1FB88700B1A845AE8569F395D734EA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0159AE44, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d92b3a40eee752b632bdfc8413b983993094465d2cf2b2fc2ef94589efa04e6
Instruction ID: f0d1cebb52de0b97c2ffb3ae1c2077664f81bbe48f0d3e9f7cc15d9b93da517c
Opcode Fuzzy Hash: 2d92b3a40eee752b632bdfc8413b983993094465d2cf2b2fc2ef94589efa04e6
Instruction Fuzzy Hash: 1841B3B57006525FDF269A29C894B3FB799FFD4620F044619F9268F6D0DB34D801C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 014FDBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e8c283e56cfd9e8f106a078c6b2b444f1c1f9894357dc9da9d67440065ba5a
Instruction ID: bc390086ef598a42872e29651383562fc00ae2c34fa2d9ef3e9c9e53a38493ca
Opcode Fuzzy Hash: 90e8c283e56cfd9e8f106a078c6b2b444f1c1f9894357dc9da9d67440065ba5a
Instruction Fuzzy Hash: E051AA71E01616CFCB14CFA8C490BAEBBF1BB58310F25815EDA55AB3A4DB70A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014EEF40, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: e3316eabbdd482096dd841ffc0010263f392a1fa40aab4d231d7b61a807e3419
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: A1512470E04245EFEB25CB68C0A87AEBFF1AF45315F1881AAC545673A2C375A98AC741

Uniqueness

Uniqueness Score: -1.00%

Function 015A740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 4ec4fd98c3cc055f25c6eae9b093d9adc91d0022c85505eeaa4afef3291fa311
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: DF518F71640646EFDB16CF58C480A5AFBF5FF49304F58C1AAE9089F212E772E946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01502990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e92a0bcfd5d78f62c04b045a0c7c5ac6e1a1b89b2b7d3970ea9251ff782c38
Instruction ID: c9e4afd2e035d0b9daa9586dc7395d22e27ef1682056eee47d4d2edd7ccb3aad
Opcode Fuzzy Hash: c2e92a0bcfd5d78f62c04b045a0c7c5ac6e1a1b89b2b7d3970ea9251ff782c38
Instruction Fuzzy Hash: D5518C3190021ADFDF26CF99C888ADEBBB5BF58310F148115E904AF2A0D7B58D92CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01504BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683609ee3cc7df3f9c1a6e6ec41fb14a71bfc451818df1015dd4041eadbfd93e
Instruction ID: 4c130d78f176b885fbc3c3b4b98988e3bff94caa1d07bcdd29472c09b740f0b7
Opcode Fuzzy Hash: 683609ee3cc7df3f9c1a6e6ec41fb14a71bfc451818df1015dd4041eadbfd93e
Instruction Fuzzy Hash: 5A418435A002299BDB22DF68C944BEE77F4FF55710F0104AAEA08AF251DB74DE85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01504D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b3471d273b61d6f64bc09406901f8d6d8b5760ab014ededd19615166ac02511
Instruction ID: b63451b9ecc232e55d548291da7d8a488fccb0486f14cfe4de23f3dd18c473e8
Opcode Fuzzy Hash: 0b3471d273b61d6f64bc09406901f8d6d8b5760ab014ededd19615166ac02511
Instruction Fuzzy Hash: CC41D371A403189FEB32DF58CC80FAAB7B9FB55610F04009AEA459F281D774ED44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 014E8A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6efd0b2d69a17a31ac74b8c575d0219c5dbc717670736cc3677a2c21297d88f7
Instruction ID: 910bdf89599eea39bea733d54b05a92398d662c3fc98a2068cb03af9d8367f2a
Opcode Fuzzy Hash: 6efd0b2d69a17a31ac74b8c575d0219c5dbc717670736cc3677a2c21297d88f7
Instruction Fuzzy Hash: 314160B0A0022A9FDF24DF59D888AAAB7F4FB54301F1045EAE91997362D7709E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0159AA16, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: beafaee28b4aa757418f3e376b929b198d4b98afff18e7ff581a1366c1b43950
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: DE31D332F001566BEF169B69CC45BBFFBBBFF84210F094469E905AB291DB749D00C661

Uniqueness

Uniqueness Score: -1.00%

Function 0159FDE2, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: eb975a3757844069fbc68ec85aae3606258ee12ed3d8d67b1e7dcc2409676f81
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 3731D2322006416FDB229B68C844F6ABFEAFBC5650F18445AE546CF782DB74DC41C762

Uniqueness

Uniqueness Score: -1.00%

Function 0159EA55, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 80bfccefd7a792c2d7671f1cb8ff7064e2ae7979dbaf7f404e25385c6cc47780
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: A931E8326047069BCB15DF28C885A5BB7EAFFD0210F04492EF5528B751DF35E805C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 015569A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f87c6f529bd662fc0f10ff38c587227df1d7bff3c361c94b72b38d97a4ed25
Instruction ID: 7e1aa8d3fde9e7ffc45a9b361e7cd6914c514b187fe3fe61f704988d50c64652
Opcode Fuzzy Hash: b8f87c6f529bd662fc0f10ff38c587227df1d7bff3c361c94b72b38d97a4ed25
Instruction Fuzzy Hash: AE417CB1D00609AFEB25CFAAC850BEEBBF4FF48714F14812EE914AB250DB719905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014D5210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4001527d6290b516d87e04481f69badcf5dfb2d81aae244f2184b2178e78cb7b
Instruction ID: 5a737b67c31dfaec2e30446bb3f30f69ccdf7120b8a2b174b7b37551b7c8b5c6
Opcode Fuzzy Hash: 4001527d6290b516d87e04481f69badcf5dfb2d81aae244f2184b2178e78cb7b
Instruction Fuzzy Hash: BB310331641702ABCB229F18C895B6A77F5FFA0761F114A1EF5165F6E0DB30F804CA90

Uniqueness

Uniqueness Score: -1.00%

Function 01513D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59bfb76b0e8f52ba9c3ef0226280447551253173cf73c24525042cf63655107e
Instruction ID: 88e1b46ff9c5000f171bdf2a04d3328ba21d29aee3165637c20b6f57f0d4d39d
Opcode Fuzzy Hash: 59bfb76b0e8f52ba9c3ef0226280447551253173cf73c24525042cf63655107e
Instruction Fuzzy Hash: 2831CF31A00611DFE766CF2EC452A6ABBE4FF55760705846EE945CF364E634D841C790

Uniqueness

Uniqueness Score: -1.00%

Function 0150A61C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39d0ace0c0d1a0051bd305a27601794f3790f7c6bd588640a843f36827eeb6e1
Instruction ID: c47ae734a9ae439baae57856b022d6f138b6a9fe65d0aa6951fb3dd574d47617
Opcode Fuzzy Hash: 39d0ace0c0d1a0051bd305a27601794f3790f7c6bd588640a843f36827eeb6e1
Instruction Fuzzy Hash: 0E416A75A00305DFCB15CF98C880B9EBBF1BB99308F1581A9E915AF384D778A901CF90

Uniqueness

Uniqueness Score: -1.00%

Function 014FC182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 462ff26f7967abee03a9bf869baa8e6bb965a333ae6a26e30664e9e41ff22c37
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 16311472A0154BAAD705EBB5C490FEAFB94FFA2204F04415FD61C4B311DB346A1ACBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01557016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a5cdacd1e87a5d8d52a0fc75f9507f2c675700a1a94ebb8ba333c43222d3c5b
Instruction ID: fdd4d78e9449a667dd612e81eef7867ae0412d16cfaff2d6ebf2b072656f452d
Opcode Fuzzy Hash: 4a5cdacd1e87a5d8d52a0fc75f9507f2c675700a1a94ebb8ba333c43222d3c5b
Instruction Fuzzy Hash: D631A3726047529FD321DF28C850A6AB7E5FFD8600F444A2EFD958B790E730E904CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 01583D40, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 858cecfaca24e30f04d5acb46642c3e9bed3a2de6383cdfbd13633e5a2e7bbf5
Instruction ID: 626e394cc3b18c808f193c67e71f480405b9f0a1c6af94c24c6e683ba0df04a1
Opcode Fuzzy Hash: 858cecfaca24e30f04d5acb46642c3e9bed3a2de6383cdfbd13633e5a2e7bbf5
Instruction Fuzzy Hash: FA318A71609302DFC710EF58C98095ABBE1FF85A11F05496EE498AF291D730ED08CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 0150A70E, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 132356f889ddbf9cb080f3e1c627d042fdac5ee0fce2df2273e3bddd729e1fe2
Instruction ID: b3217e9fe42b3c30f29e5940b9958eb282cd1463dcc9579fb81debff5e200690
Opcode Fuzzy Hash: 132356f889ddbf9cb080f3e1c627d042fdac5ee0fce2df2273e3bddd729e1fe2
Instruction Fuzzy Hash: 4831E4B16006019FD722CF58D880F59BBF9FB88718F15495AE226CFA84E770A905DF91

Uniqueness

Uniqueness Score: -1.00%

Function 015061A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5715f0b81a5822e27059d1edfc9e39788f07f5773dee894ab2b0db7b055c99
Instruction ID: e067302bcb210bce3f9905397f0293888997b8ecec1b6ecbeda68e9d907da28e
Opcode Fuzzy Hash: 3f5715f0b81a5822e27059d1edfc9e39788f07f5773dee894ab2b0db7b055c99
Instruction Fuzzy Hash: 53318F716057028FE321CF5DC840B2ABBE5FB88B04F05496DE9959B391E7B0D804CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014DAA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3809e2f676bde25e53332beb588a2078bd0b4bf2f68a910238749177358b650
Instruction ID: 26c034a704c8136538fc8d297350d6a1fa43cd332d93bacde8d09498c391b016
Opcode Fuzzy Hash: e3809e2f676bde25e53332beb588a2078bd0b4bf2f68a910238749177358b650
Instruction Fuzzy Hash: 3831F471A0051AABCF119F69CD81ABFB7B8FF54700F15406AF901DB250E7749911DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01514A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec4e2be61a4c710211219f6a053bebb0a3b0e53745616b2375a3c2af2d211596
Instruction ID: 8c595815c7cd43873cac5501c9cc51e572313b7fb49a826da4a865950a0df9d1
Opcode Fuzzy Hash: ec4e2be61a4c710211219f6a053bebb0a3b0e53745616b2375a3c2af2d211596
Instruction Fuzzy Hash: F53132322053519FE7229F59C944B2EBBE6FFD0B10F02182EE9120F254CBB0E844CB89

Uniqueness

Uniqueness Score: -1.00%

Function 01518EC7, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 814c48dd1d0aaae70fe5938a07207a423735d283e3ad0f4b4ae1e30dbccc8903
Instruction ID: fa3f5fbf4a2aa55b096d5f5d7fc896314598096c57316e844395cb179f8949a6
Opcode Fuzzy Hash: 814c48dd1d0aaae70fe5938a07207a423735d283e3ad0f4b4ae1e30dbccc8903
Instruction Fuzzy Hash: E741B3B1D003199FDB20CFAAD980AADFBF4FB48710F5041AEE519AB244E7709A84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0150E730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7319653f52808e3000b8423a00961b7b28a8a1da5d88dee642798477eb66e88
Instruction ID: 89b34dcdb404cfe871ea288b2553489493dff9788b9ef32a40aaac94bcfbcd55
Opcode Fuzzy Hash: b7319653f52808e3000b8423a00961b7b28a8a1da5d88dee642798477eb66e88
Instruction Fuzzy Hash: 88318D75A14249EFD745CF58C841F9ABBE8FB09314F24865AFA18CB381D631ED80CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0150BC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a22f83f1544b4cbc80ebcb5209d84175d5a49ff888f4a5b85f550a234dd2d432
Instruction ID: df423ed528541b16754424e401cd4edddde323882b2c4dc4dc316a26438dba50
Opcode Fuzzy Hash: a22f83f1544b4cbc80ebcb5209d84175d5a49ff888f4a5b85f550a234dd2d432
Instruction Fuzzy Hash: 4C31F13A600A069FCB22DF98D4C07AA73B4FB28311F050479E914EF385E674DA09CB81

Uniqueness

Uniqueness Score: -1.00%

Function 014D9100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d0d14e8c67e9147e7a3d179402191571fb318345917bd955a6f57dd953b231b
Instruction ID: 0c2097fce182121804e2c432290dc06fa960221612c7aabcd8375fcacf2b4e8e
Opcode Fuzzy Hash: 8d0d14e8c67e9147e7a3d179402191571fb318345917bd955a6f57dd953b231b
Instruction Fuzzy Hash: C1319175A006469FEF26DF6CC0587ADBBB1BB99318F18814EC515AB361C374A980C751

Uniqueness

Uniqueness Score: -1.00%

Function 01501DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 1cf4374a08b8a1bf875e7f41f6c47524a9baa9830c6739019e1ef45d7a2fded2
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 7E218232600619EFD712CF99C880E6EBFB9FF95744F154069E6059B250D634ED41C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 014F0050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3542ac085ca4438c65de8feb0a3271b2971e1bfa01f4a996e430b776597629d0
Instruction ID: 0d37ae35b4ab52bad1cb5b39e4747f4791cfe75e56eaee1efa79e9a0200cdd52
Opcode Fuzzy Hash: 3542ac085ca4438c65de8feb0a3271b2971e1bfa01f4a996e430b776597629d0
Instruction Fuzzy Hash: FE319C71201A058FD722CF28D844B5AB3E6FBC9714F14456EE59A8B7A1DA35A801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01556C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a23e847c40d8e1e44a6f44d1bf7ba436734b325da8028712d9d5001efdeff7c3
Instruction ID: de6047d73fe24f98357ca1389f2b16c3b59348e1fc49bf50aa2099928b6dac12
Opcode Fuzzy Hash: a23e847c40d8e1e44a6f44d1bf7ba436734b325da8028712d9d5001efdeff7c3
Instruction Fuzzy Hash: D121BF71A00645AFD711DF69D850F6AB7B8FF58700F14006AFA08CB7A1D638ED50CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 015190AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 13d85eef5564b347179cc8cbe2afb96f7597c01ea85c07402a8067ab65cc2d62
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: FC217171A40205EFEB22DF59C494E5AFBF8FB54354F14886AE9499B250D370AD44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01503B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf39ff206cde1fb5210e6913cee4d61022f94f1a0d3ecf2ce5ecdc03e382bace
Instruction ID: cf479557b8a08e297df9cae6628fb5d49426821a9ef71be93946dfee40c6662e
Opcode Fuzzy Hash: cf39ff206cde1fb5210e6913cee4d61022f94f1a0d3ecf2ce5ecdc03e382bace
Instruction Fuzzy Hash: 7B219F72A00609AFD711DF98CD81B6ABBBDFB44718F190069EA08EF251D771ED05DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01556CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba102ad57cdc84c5528f0f1dcfeb6d5f5a068ad408f917f0be98a96f21b352c7
Instruction ID: 9fe7cc0af38ee19fe7576b36df653986e4579783939d47444458fbe56925d4cf
Opcode Fuzzy Hash: ba102ad57cdc84c5528f0f1dcfeb6d5f5a068ad408f917f0be98a96f21b352c7
Instruction Fuzzy Hash: 5821F5725002869BE711DF69C954F6BBBECBF91640F44096BFE40CB2A1D734C549C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 015A070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 61eb6b7147cad98e90cf8dc676dba92651f7a3cc77d1b1845d45ed2a3d16c0b1
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 7C21DE36204201AFD715DF28C880A6EBBA5FBD4250F048669F9958F381DA30D90ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01557794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d5632dbcefce42c1be10f5a0f4380c80a8152092ce56044407e93b9a5730b5
Instruction ID: ef77eeb34ce5ae1ff0343c79fbbea58b9215e2a249b5c9822e5c85e1247e56f9
Opcode Fuzzy Hash: 79d5632dbcefce42c1be10f5a0f4380c80a8152092ce56044407e93b9a5730b5
Instruction Fuzzy Hash: D4219F72500604AFC725DF69D890E6BBBA8FF4C340F10056EEA0ACB750D634E900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 014FAE73, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 127e4a87ca415e43658cd07d54a0cd2b63bf9a5128f62814f43835e7a9e19dee
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: DC21F6326016919FE716DF2DD944B297BE8FF54394F1900AAEE088F7A2DB38DC41C690

Uniqueness

Uniqueness Score: -1.00%

Function 0150FD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 1d61bec09d9d68da309bf2297daaf6fa0b5829347cd05c5c0a0c9d91233e450e
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 18217C72600641DFD732CF8EC540A6AB7E5FB94B10F24856FE9498B661D730AD00CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0150B390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40fff24b2ba25518e472ea3d086d1a92a37f81cb0d651f4a13754df39a271951
Instruction ID: ed0d8bf460be5acb98296ac4162a7120a01efd902f18fa4f90bbf3a40056b8e9
Opcode Fuzzy Hash: 40fff24b2ba25518e472ea3d086d1a92a37f81cb0d651f4a13754df39a271951
Instruction Fuzzy Hash: BE1148373051209FCB1A8A999D81AAF7397FBD5630B35452DDE168F3D0DE31AC02C694

Uniqueness

Uniqueness Score: -1.00%

Function 014D9240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 010c5571e5f37c69cbd8d19240712c2ff56516d96a359441172f4292f5691b55
Instruction ID: 5a776ba6bc349947cd0b7c3a0aca00064151d1eac15f27b1bf89768deb0d7816
Opcode Fuzzy Hash: 010c5571e5f37c69cbd8d19240712c2ff56516d96a359441172f4292f5691b55
Instruction Fuzzy Hash: EA215C31051A02DFCB22EF69CA50F5AB7F9FF28708F05456DE1099A6B1CB34E941DB44

Uniqueness

Uniqueness Score: -1.00%

Function 01564257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4610fb7bc781946131c6d0d2a2dbb160ae1e6fa7c8be23bfc611f9d148136a
Instruction ID: c005b4f578e5b19ef7842e9f29c171c790e1b368939a120bae8d2078d4fbfee7
Opcode Fuzzy Hash: 3b4610fb7bc781946131c6d0d2a2dbb160ae1e6fa7c8be23bfc611f9d148136a
Instruction Fuzzy Hash: 1B21A270601B02CFCB29EF68D0046187BF5FB95315F21826EC1258F2A9E736D495DF80

Uniqueness

Uniqueness Score: -1.00%

Function 01502397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b64196516668f1969c8bedd6cbc46ef8c9e61faca66cb2c4d07293d4b5373c
Instruction ID: 9d7c8f8734154038562aa7a5804b5744fb523be5797ffcb1b75b9dc751fe740d
Opcode Fuzzy Hash: 71b64196516668f1969c8bedd6cbc46ef8c9e61faca66cb2c4d07293d4b5373c
Instruction Fuzzy Hash: 20112B727047016BE7329E6AAC84B59B7D8BBB0610F15442FFB06EF2D1C6B0E8498754

Uniqueness

Uniqueness Score: -1.00%

Function 015546A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 7916dd2d87e8933b8818837f4ce7c61282f70955410750803707ab63cea2a13c
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 42112572504209BBCB069F9DD8808BEB7B9FFA5300F10806EF944CB351DA319D55C3A4

Uniqueness

Uniqueness Score: -1.00%

Function 014DC962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9352824fbeb98a82f3c46213b8c51b0036349acef28108b0927400274e9050d4
Instruction ID: f71001c48421b7bee1cf0656141a5deeb2ae27d97d998758f6cadf04c94ca337
Opcode Fuzzy Hash: 9352824fbeb98a82f3c46213b8c51b0036349acef28108b0927400274e9050d4
Instruction Fuzzy Hash: 4E11E131300A079FCB21AF6DCC95A2B77F5BB9C614B00092EE951ABA61DB30EC14CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 015137F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe32edc552686a3dc26675e7263bf6ae998e71fe27ca651dab74875570929d20
Instruction ID: 6b64f901a2e776967a053ed3b02da40a1084efb913e55e2091faf5feba1a0ada
Opcode Fuzzy Hash: fe32edc552686a3dc26675e7263bf6ae998e71fe27ca651dab74875570929d20
Instruction Fuzzy Hash: B80108B1902511ABE3779B1E9520E2ABFE6FF95A70715406EED098F319D730D801C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 0150002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: f208f9ed38bf3e5d9a5aec2ea38d3b2892642b9daa64fad916fbc185248709dc
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: A211E1326416828FEB23D76DC954B393BD4BB40799F0900A4EE048F7E2D738C841C260

Uniqueness

Uniqueness Score: -1.00%

Function 014E766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 8c47cfd5f086a029b770b64ce7205dd6faa7cf4d7f840f160b5263cfc6440b8d
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 56018D3270011AABD7219E6EDD45E577BEDEB94676B184525BB0CCB260DA30DD0187E0

Uniqueness

Uniqueness Score: -1.00%

Function 014D9080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c3df6da3d2288f768a1558ada5460fd1fa78bc9909ee1a22de165b2d0be8110
Instruction ID: aad6fea2cb625004acd346c3f8037ae69fdd73a83e19332d543d834029647467
Opcode Fuzzy Hash: 8c3df6da3d2288f768a1558ada5460fd1fa78bc9909ee1a22de165b2d0be8110
Instruction Fuzzy Hash: 2201F4B26116019FC7268F08E850B127BE9FB95724F26402BE601CF7A1D374EC41CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0156C450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: c0cfabddb46f9980982f9fc667d3a31519731639a9c8e1033bc8b6d4111b563b
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 26019675140506BFE711AF69CC90E66FB6DFFA4396F014529F2545B560CB32ACA0C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 015A4015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8d02b7dfd78271e5e52200733c8da719b6c561fb780289f2eb78a96975cffd
Instruction ID: 06d59a6b64a23b71510f58f44051485e6fb0e862822b636c5ecb2f602a3cd041
Opcode Fuzzy Hash: 1f8d02b7dfd78271e5e52200733c8da719b6c561fb780289f2eb78a96975cffd
Instruction Fuzzy Hash: 2901D4712415467FC221AF7ACD80E57B7ECFB75650B00022FB60887A21CB74EC11C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 0159138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5675f2d99813b748d904bc7c0d6711cffea9d3b57bbe842894d798975f2b4516
Instruction ID: 34ee33f93e7279c5fbe5716dd7697d823a1a42264368eb41584d0e5589c7ab84
Opcode Fuzzy Hash: 5675f2d99813b748d904bc7c0d6711cffea9d3b57bbe842894d798975f2b4516
Instruction Fuzzy Hash: D2019271A00219AFDB10DFA9D881EAEBBB8FF54710F40406AB904EF380D6749A05C795

Uniqueness

Uniqueness Score: -1.00%

Function 015914FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22988ddcf54d3d3cfa605c17d78acd82d812ccb824635d2411938a99ca4560d
Instruction ID: fdadc1c980d6921f41278b57fa292083834888c8d55c3d5bcbb7efb2d1291c8d
Opcode Fuzzy Hash: c22988ddcf54d3d3cfa605c17d78acd82d812ccb824635d2411938a99ca4560d
Instruction Fuzzy Hash: D5019E71A00259AFDB10DFA9D841EAEBBB8FF94710F40406AF915EF380DA74DA05CB95

Uniqueness

Uniqueness Score: -1.00%

Function 014D58EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2a1e51343343d4005bfc8316937a444605c571faa36301bcf89bc6d7427bce3
Instruction ID: 04259d3328e5a6b8fbbc7258a17c9e4735b4bc015f7c5ad815c954e40f07adc1
Opcode Fuzzy Hash: d2a1e51343343d4005bfc8316937a444605c571faa36301bcf89bc6d7427bce3
Instruction Fuzzy Hash: 7D018431B005059FDB14EE69D8609AF77B8FB95530F9500AB99059F364EE31DD068690

Uniqueness

Uniqueness Score: -1.00%

Function 015A1074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 469c44dcae4ad394d83712475defc8ca76310b77e59d887aad7dbc718d67bc5a
Instruction ID: b6289963066e7fcc3ee7fac853227ebd83ba74ea18b4db663be795ba957fdd13
Opcode Fuzzy Hash: 469c44dcae4ad394d83712475defc8ca76310b77e59d887aad7dbc718d67bc5a
Instruction Fuzzy Hash: 55012872644B429FC710EF68C940B1E7BD5BBD4314F448919F9858B6D0DE34D540CB92

Uniqueness

Uniqueness Score: -1.00%

Function 014EB02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 7504fd3a880b6d37f37d83a0c03e22ed7fb65386792f747de2528fa1cc98593c
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: DB0184726055849FE322C75DC948F667BE8FB85751F0940A6FA15CB671D638EC41C620

Uniqueness

Uniqueness Score: -1.00%

Function 0158FE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef45a74e790544ee10d50eb86a29203b13c4cc5279ea5798ab300ce4b485e3a9
Instruction ID: f2385f1a669749ac9e73f9f2d9d4ba436ea4b48e6d4100ab1cb6ac57e27850d1
Opcode Fuzzy Hash: ef45a74e790544ee10d50eb86a29203b13c4cc5279ea5798ab300ce4b485e3a9
Instruction Fuzzy Hash: 49018471A00209AFDB14EFA9D845FAEBBB8FF94B10F00406AB900EF391DA749901C795

Uniqueness

Uniqueness Score: -1.00%

Function 0158FEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae82ab06a289aba8ae8446dfc89a624aecc2ab47b76b7dcbac2be19ce36bee05
Instruction ID: 21917e4be04811cabeb477c05fa00a3c0a93524cb53eb0b3f2e1f548cf70c54a
Opcode Fuzzy Hash: ae82ab06a289aba8ae8446dfc89a624aecc2ab47b76b7dcbac2be19ce36bee05
Instruction Fuzzy Hash: 7001D871A00209AFDB15EFA9D845FAEB7B8FF54700F00406AB900EF380D9749941C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 015A8A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acf93620a4dc2f86dd04aab66493bb1fcda936d97f6d3a82a3b14de2c83cfee6
Instruction ID: b5edeb1dadc2a141658411b0d7f07c61044dbfd2e731dfa6c3fd2a63d9cc9600
Opcode Fuzzy Hash: acf93620a4dc2f86dd04aab66493bb1fcda936d97f6d3a82a3b14de2c83cfee6
Instruction Fuzzy Hash: CA017CB1A0021DAFDB00DFA9D9419AEBBB8FF58310F50405AFA04EB340D674AD01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 015A8ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d13d50ce6e7e096cdb91cbd0e9b7a18220bf154dedd939d7919fb0660b847c62
Instruction ID: 7a66a6078a0d84ec94f3583307cba3f6e5ce634ee0319a0fe0a4d36b00a846eb
Opcode Fuzzy Hash: d13d50ce6e7e096cdb91cbd0e9b7a18220bf154dedd939d7919fb0660b847c62
Instruction Fuzzy Hash: A3111E71A0020A9FDB04DFA9D441BAEBBF4FF18300F4442AAE919EB381E6349941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014DDB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 76eb368355fe1d1f479c82489384e2dce3caa4b6d1c67b66fcb84ef15c831a2c
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 98F0F2335415239BDB3256D944A0F57B6959FD2554F15003BF2055B3A4C9709C0247D0

Uniqueness

Uniqueness Score: -1.00%

Function 014DB1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: df1acc6e8755d0ee34ab76dd9270dab06a7ad07da69974992becc1f3c764b28a
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: C80186332005809BD722975DC818F6A7BD9FF92754F0940A6FA148B7B1D679C841C615

Uniqueness

Uniqueness Score: -1.00%

Function 0156FE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96198066877db77b488930aea09449f342134c74a7724dac8dc38ba3494fa94e
Instruction ID: 9ad5289bd4db07d2eb661206055d4dbe952a83a242b2ae52d9ea6c0b0bc39bc9
Opcode Fuzzy Hash: 96198066877db77b488930aea09449f342134c74a7724dac8dc38ba3494fa94e
Instruction Fuzzy Hash: 5E016271A00209AFCB14DFA8D551A6EBBF4FF18704F10456AA515DF382D635DD02CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0159131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8e226d1986b0e68578f28252fe0be979ce7b106d11f15b2b7f81c961bac87ea
Instruction ID: a975f95a645375dafd48c8961a2232635cfbb4917a8b13e7f706f6d4617cb276
Opcode Fuzzy Hash: b8e226d1986b0e68578f28252fe0be979ce7b106d11f15b2b7f81c961bac87ea
Instruction Fuzzy Hash: D5018C71A00609AFCB00EFA9D545AAEB7F4FF58700F40806AB905EB381E6349A00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 015A8F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa24a21254526e69ae41db79994e0a0c9f29ab7e31a156834af9bafc32771aa
Instruction ID: cb674116db6a1f8d475bf71b429f06b4641fe440f327e6d5883a5cb13d7bc903
Opcode Fuzzy Hash: 9fa24a21254526e69ae41db79994e0a0c9f29ab7e31a156834af9bafc32771aa
Instruction Fuzzy Hash: 46014475A4020DAFDB00DFA8D545AAEB7F4FF58300F504459B915EF380DA74DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01591608, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b897cb0db52ec0efa067b12941ae71e76944e89481e266de0a0e8bad8fccc22
Instruction ID: 5e986056827bc4813f6215f53f340caeaa832bcb84b997b505c25416d31f8c67
Opcode Fuzzy Hash: 9b897cb0db52ec0efa067b12941ae71e76944e89481e266de0a0e8bad8fccc22
Instruction Fuzzy Hash: B6F0CD71E00619EFDB00EFA8C445AAEBBF4FF28300F004069A902EF380EA349900CB84

Uniqueness

Uniqueness Score: -1.00%

Function 014FC577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d98addce13e3f50ef322095ec2ea498459ad5cd2d58cd458cbedbf60602cedc
Instruction ID: e38fd186ff35f056e3e8888e318cc556c1d24d515b84d7fe6cee45de2e09fb12
Opcode Fuzzy Hash: 1d98addce13e3f50ef322095ec2ea498459ad5cd2d58cd458cbedbf60602cedc
Instruction Fuzzy Hash: A5F067B29156B9DAE726C668808CF227FE89B05760F44A86FD60687322C6B4D880C250

Uniqueness

Uniqueness Score: -1.00%

Function 01592073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd7a9c5f2e3bf87c36e519c49135e71162e600628787e4928db1761b6c30b818
Instruction ID: eafe5a57d2b78465f9793f44535502eaa42a56f13f6291b330e55ea4f7afe2e4
Opcode Fuzzy Hash: fd7a9c5f2e3bf87c36e519c49135e71162e600628787e4928db1761b6c30b818
Instruction Fuzzy Hash: E9F0206A422A969EDF32AF2860002EA3BC2F795110F0A0486D4B02F209C5368897DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0151927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 5776da1e4e94816ccd39bb6b9cef1db65ce31def53da94b26e8522fe03788c4e
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 93E0E5322405016BF7229E0ACC80B473669EFD2724F04407DB5041E242CAE9D90887A0

Uniqueness

Uniqueness Score: -1.00%

Function 015A8D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aade382dd7c61fc15ac307dad9adfc041cee670d3791729568e8d024007c0f4
Instruction ID: 7e145c7fd3604a544096fd1e95916a61e27d51634145325ce834c94c2d463e50
Opcode Fuzzy Hash: 9aade382dd7c61fc15ac307dad9adfc041cee670d3791729568e8d024007c0f4
Instruction Fuzzy Hash: 62F0B470A446099FDB14EFB8D441B6E77B4FF68700F5084A9E905EF390DA34D900C794

Uniqueness

Uniqueness Score: -1.00%

Function 015A8B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b3ea8e9a5a315cf1c724aa6dd086b09aced507c3d974cc6ee3fdedd80ea434
Instruction ID: 90393e8df1094972ffe9b2d04451a4c2d42dee9f6a9e888ef65c73409be356ed
Opcode Fuzzy Hash: 66b3ea8e9a5a315cf1c724aa6dd086b09aced507c3d974cc6ee3fdedd80ea434
Instruction Fuzzy Hash: 0CF082B1A4425DAFEB10EBA8D906E6E77B4FF54700F440459BA15DF3D0EA74D900C794

Uniqueness

Uniqueness Score: -1.00%

Function 014F746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaadf9cc34292f9e5c8d4b4fab637d0e01585c3148f5eff2a63da249dc326046
Instruction ID: 1573cdc161d43eb261033438d5d5381ac49a61c4a5efdf85816b8396224daa83
Opcode Fuzzy Hash: eaadf9cc34292f9e5c8d4b4fab637d0e01585c3148f5eff2a63da249dc326046
Instruction Fuzzy Hash: ABF0BE35900145AADF029BACC940FBABFA1BF54652F04026FDA51AB371E73C98028B96

Uniqueness

Uniqueness Score: -1.00%

Function 015A8CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9330dafaad150102b5358b5b7babc6b59f92bc6494aa7d73684e0d7a331418bb
Instruction ID: 4192dceb016ec50f8ff6134b8f20196152f6cdf06a3552012a468846fa442311
Opcode Fuzzy Hash: 9330dafaad150102b5358b5b7babc6b59f92bc6494aa7d73684e0d7a331418bb
Instruction Fuzzy Hash: 66F0E270A04209AFDB00DBA8D845E6E77B4FF68200F500199E912EF3C0EA34D900C794

Uniqueness

Uniqueness Score: -1.00%

Function 014D4F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dabf6bd29efb210bcf27f58863870aa488d326f47dd66bcd804d1a96f0561325
Instruction ID: e2057e9b2869bce758c1547f81b30864a09d492194b0b9c4d0eb153b41ebe7e4
Opcode Fuzzy Hash: dabf6bd29efb210bcf27f58863870aa488d326f47dd66bcd804d1a96f0561325
Instruction Fuzzy Hash: 4FF0BE329257958FDB66CB1CC1A4B2EB7D4BB84678F445469E4058BAA2C734EC40C640

Uniqueness

Uniqueness Score: -1.00%

Function 0150A44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c5f141a5eb21b16e3fa10593c17f468780a2058cc1fa8b370d05f9f1db7e8cb
Instruction ID: bef68973eb2addc60830c70051fce0a755c821e915f967d9f6141c9ef0a88aa7
Opcode Fuzzy Hash: 9c5f141a5eb21b16e3fa10593c17f468780a2058cc1fa8b370d05f9f1db7e8cb
Instruction Fuzzy Hash: 1FE09272A41422ABE2225E58EC00F6773ADEBE4651F0A4439E608CB254DA68DD05C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 014DF358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: e93bf53889467665e183897f14db7de265c0576e554635f1527c64115f2a354e
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: F6E0D832A40118FBDF3197D99D05F9BBFACDB54A60F050156FA04D7160D9749E00C3D0

Uniqueness

Uniqueness Score: -1.00%

Function 014EFF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39bf032526acd34d5d4fc3eb48e128716209113867397b5cc30e2e9413382a9a
Instruction ID: 3fde8e39207cd8951d18b6e822b50e51af7012b2ad9978a63e0fe88c80b8d138
Opcode Fuzzy Hash: 39bf032526acd34d5d4fc3eb48e128716209113867397b5cc30e2e9413382a9a
Instruction Fuzzy Hash: B2E0D8B01052459FD735D799E168F2637D89F5662BF19841FE0084BA22D631D845C295

Uniqueness

Uniqueness Score: -1.00%

Function 015641E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2d941c4a08a080c15627deeb9cc86d22bffa5cb35690148f39d9e39a2274ad
Instruction ID: 840f478144e183e8fa48ab17ab06a144b1eff6703d4dd664633724df3aadb510
Opcode Fuzzy Hash: 0e2d941c4a08a080c15627deeb9cc86d22bffa5cb35690148f39d9e39a2274ad
Instruction Fuzzy Hash: B2F06D79811B02CFCBB5EFA9D50471836F8F794721F12451AD0208F298F73645A9EF41

Uniqueness

Uniqueness Score: -1.00%

Function 0158D380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: e6b161506d97ec43434140e455f3c0b5ace0b60d1d14b17f55eacd73d4f1dff8
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: A2E0CD31240245B7DB226E44CC00F6977A5EB607A1F104035FE046F7E0C975AC51D6C4

Uniqueness

Uniqueness Score: -1.00%

Function 0150A185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3c390c62acbbacd221d5e544c3cbbdbaf4066a7c9e7181d2bebba5c2608fcb0
Instruction ID: 1cd053096508baae105ea415c43de82ec5c75b024dc5f703d264438f8424f817
Opcode Fuzzy Hash: b3c390c62acbbacd221d5e544c3cbbdbaf4066a7c9e7181d2bebba5c2608fcb0
Instruction Fuzzy Hash: 85D012611611005EC62E5B919954B6626D2F7D8A50F244C0DF2064F7E5EB64D9D4D148

Uniqueness

Uniqueness Score: -1.00%

Function 015016E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5502ddc45a5886718bcd6d5f28190d0a966e705cccc1fe04da33b27b208c5808
Instruction ID: bda99aac1cf0f7db49e410e269d28430d10c6b8ff09b1ddd9454f60e0ba7edd5
Opcode Fuzzy Hash: 5502ddc45a5886718bcd6d5f28190d0a966e705cccc1fe04da33b27b208c5808
Instruction Fuzzy Hash: 1CD0A73110050196EE2E5B599C85B192691FBD0BC1F3C045CF30B4DDD0CFB4CD92E049

Uniqueness

Uniqueness Score: -1.00%

Function 015553CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 47b4423de5c8a50dcf1a9d8ebb35b8b1d28a4ee4677fa2cd73b11a5c819f334c
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 78E08C319106809FCF12DF49C660F4EBBF5FF54B00F150019A5086F631C638AC00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 014EAAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 0b48316e768e4be2841584cf3e8df328a479cca138615445b545a2bb731da02e
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: F9D0E935352A80CFD617CB5DC558B1677A4BB44B45FD504D0E541CB762E63CD954CA00

Uniqueness

Uniqueness Score: -1.00%

Function 015035A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: e74e38bd229ad59f4fc501cbfbbc8c39932b07684b83fe6c46bd2caf76e5db8d
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 04D0A9318015829EEB83EB94C22876C3BB2BF02208F58206A80020E8F2C33B4A0AC600

Uniqueness

Uniqueness Score: -1.00%

Function 014DDB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 08ff2d9de20cc3a396b9a524eec7de161c1f91ca6a504e7b11c5b08fb7e3b11f
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 5BC08C30280A41AAFF221F20CD01B023AA0BB20B05F4800A56300DA4F0DB7CD901E600

Uniqueness

Uniqueness Score: -1.00%

Function 0155A537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: ab24f68cec9360c8dda0ea21061b2dc5cc3c0ab84bbbd65e9d8d85d9468c10ba
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 66C01232080648BBCB126E82CC00F067B2AEBA4B60F008019BA080A6708632E970EA84

Uniqueness

Uniqueness Score: -1.00%

Function 014F3A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 13b3b1bb3e6b93be9e77fcd23d4b27cfc58f71cda7c0061ec499ec2e7508f3b8
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: AEC04C32180648BBDB126E46DD01F167B69E7A4B60F154025B7080AA718976ED61D598

Uniqueness

Uniqueness Score: -1.00%

Function 014DAD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: c59264af9c3d47c304c3774b7b6ff4dfa0515dc62f10583cbc711724e0d8f027
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 51C08C32080248BBC7126A46CD00F017B69E7A0B60F000025B6040A6718936F860D588

Uniqueness

Uniqueness Score: -1.00%

Function 015036CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: c2b4a2c903508a84f889f5331c1ff31c7378c19ea3488e35cd8a970b72eddfb9
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: F1C02B70150440FFEB161F70CD00F197254F720B21F68035C7320499F0D93C9C00D100

Uniqueness

Uniqueness Score: -1.00%

Function 014E76E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 2e1769acfda0dd0f5a552fd60201b8c8913fa5335b28c01c2aa1a3f1a4d93eac
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 16C080701511805AEB1E5B1CCD14B2135D06B1462FF44015D6705096B1C37CB402C544

Uniqueness

Uniqueness Score: -1.00%

Function 014F7D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: dea1fd1850e58b2e4f2ecda49142d5fe48a997df71f03e9c7a8451a6c30aa049
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 8FB092353019408FCE16DF18C180B1633E4BB44A40B8400D4E400CBB21D229E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 01502ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: dd538bd30b636634281f934a40a9a4ee0e0cb66fb6a6f546a2e79e3dddf7a6f9
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: E7B01232C10441CFCF02EF40C610B197371FF10750F054495900137930C238AC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01519950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b49e94ea7fa5a54f2ae05cd98951afb90d6b087466e37b548f01528e1503672
Instruction ID: fbd8aab3c9ef2cfa426df50ab26fa0d00e8fb8c71118d7950491c17ffa53c67e
Opcode Fuzzy Hash: 6b49e94ea7fa5a54f2ae05cd98951afb90d6b087466e37b548f01528e1503672
Instruction Fuzzy Hash: A69002A224141403D140659988046070055B7D1352F61C411E6055A59ECA698C517175

Uniqueness

Uniqueness Score: -1.00%

Function 015199D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f399678a1efa3d39108bcab06402789a14d5ab21634eba1c5cd799de8db1c41
Instruction ID: adf067b44059f9f2d3972b989b7b1a98b00c561916e0a72d1dc92ae9c51dd079
Opcode Fuzzy Hash: 5f399678a1efa3d39108bcab06402789a14d5ab21634eba1c5cd799de8db1c41
Instruction Fuzzy Hash: A99002A225101042D104619984047060095B7E2251F61C412E6145A58CC5698C616165

Uniqueness

Uniqueness Score: -1.00%

Function 0151B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7381f51f6a6c06c0d0a831b244a9fe49ee2166abc530df320789346b7984c04
Instruction ID: 4cd276c136bfcae9c71f6dfa2909086ff72edb1db00f009ea6a61924a2265754
Opcode Fuzzy Hash: f7381f51f6a6c06c0d0a831b244a9fe49ee2166abc530df320789346b7984c04
Instruction Fuzzy Hash: EB9002A2641150434540B19988044065065B7E23513A1C521E4445A64CC6A88855A2A5

Uniqueness

Uniqueness Score: -1.00%

Function 01519820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6332263a852b0e17afe0c3bb32839ffeba766893583864148cfb8a51790393d6
Instruction ID: 0f6901c8084612f8684e39b55903e00128608cdfa46e35355d220afca5b34040
Opcode Fuzzy Hash: 6332263a852b0e17afe0c3bb32839ffeba766893583864148cfb8a51790393d6
Instruction Fuzzy Hash: 4F90027228101402D141719984046060059B7D1291FA1C412E4415A58EC6958A56BAA1

Uniqueness

Uniqueness Score: -1.00%

Function 015198A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9aa1a6f5aa36ddb27afcd1bff1a28dd343339fa4bf8a3138ed8b67756c71de9
Instruction ID: e24013c023bc80448543f05db9f68985f488f960e5d519cab86272a90096d487
Opcode Fuzzy Hash: d9aa1a6f5aa36ddb27afcd1bff1a28dd343339fa4bf8a3138ed8b67756c71de9
Instruction Fuzzy Hash: 2290026234101402D102619984146060059F7D2395FA1C412E5415A59DC6658953B172

Uniqueness

Uniqueness Score: -1.00%

Function 01519B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d919c153e9c6dc52e618554f5da315d86d010d9d88e1cab2c261e9e1686a423e
Instruction ID: dcc3c0493ba6e273eea000ccd7db51242dca0114e807c9fe0c692af748e55776
Opcode Fuzzy Hash: d919c153e9c6dc52e618554f5da315d86d010d9d88e1cab2c261e9e1686a423e
Instruction Fuzzy Hash: BB90026228101802D1407199C4147070056F7D1651F61C411E4015A58DC656896576F1

Uniqueness

Uniqueness Score: -1.00%

Function 0151A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd815d0bb2eb8b824d693577efff2385400b1cd7e4f08f533fe19170d10acf1b
Instruction ID: 70d15979dbad7a2d5f7a6168cb10664b846090b3ebae6ce1bfca9529e6b41ffd
Opcode Fuzzy Hash: bd815d0bb2eb8b824d693577efff2385400b1cd7e4f08f533fe19170d10acf1b
Instruction Fuzzy Hash: D890027224145002D1407199C44460B5055B7E1351F61C811E4416A58CC6558856A261

Uniqueness

Uniqueness Score: -1.00%

Function 01519A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f3f7ee1d425bbfc63f9022366f08a18aecdf2c33a799073d095a1416cbcb518
Instruction ID: c1baa4b1ad9240c19d3dd931183be0ecb7e2bcfd8259c1ab101d79a42f8acf38
Opcode Fuzzy Hash: 0f3f7ee1d425bbfc63f9022366f08a18aecdf2c33a799073d095a1416cbcb518
Instruction Fuzzy Hash: 8990027224141402D100619988087470055B7D1352F61C411E9155A59EC6A5C8917571

Uniqueness

Uniqueness Score: -1.00%

Function 01519A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b9b5b6a53199d1734e1053251ecec8d7cc5c38014ad9d245d8fd006892fabd6
Instruction ID: 211aa87ef90991c04eab730b32d920c05b06b39937e6786d414ab7b5472d40d6
Opcode Fuzzy Hash: 7b9b5b6a53199d1734e1053251ecec8d7cc5c38014ad9d245d8fd006892fabd6
Instruction Fuzzy Hash: 7290026224145442D14062998804B0F4155B7E2252FA1C419E8147A58CC95588556761

Uniqueness

Uniqueness Score: -1.00%

Function 01519560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c375983a90c29aacf1a68d74a1b941ec02eafdef8a475ae5f4397cba7a5d732
Instruction ID: 364652b1d434ea89fa9eed2725a7e6fc25ab39832618553efe16a9f2dfbeff9b
Opcode Fuzzy Hash: 9c375983a90c29aacf1a68d74a1b941ec02eafdef8a475ae5f4397cba7a5d732
Instruction Fuzzy Hash: 74900266261010020145A599460450B0495B7D73A13A1C415F5407A94CC66188656361

Uniqueness

Uniqueness Score: -1.00%

Function 0151AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cac6109718580971e339cf7d3b9c0c5fb7cd3cdff38c6b016277565bcf0d9f8
Instruction ID: b81fadafa9cf46fbc8f781d0d1ba87be08753dfb264941eee101d695333cf3b5
Opcode Fuzzy Hash: 7cac6109718580971e339cf7d3b9c0c5fb7cd3cdff38c6b016277565bcf0d9f8
Instruction Fuzzy Hash: D9900272A45010129140719988146464056B7E1791B65C411E4505A58CC9948A5563E1

Uniqueness

Uniqueness Score: -1.00%

Function 01519520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee9ed21bf2a9f4d5e712dc664be359ad1ed637312f315df943c762ee4e633d5
Instruction ID: 1a3c64c78b4dbe706e6c9872d45b74eb431fcc9c20229207998275c5cbd02ec9
Opcode Fuzzy Hash: 4ee9ed21bf2a9f4d5e712dc664be359ad1ed637312f315df943c762ee4e633d5
Instruction Fuzzy Hash: B39002E2241150924500A299C404B0A4555B7E1251B61C416E5045A64CC5658851A175

Uniqueness

Uniqueness Score: -1.00%

Function 015195F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdcc1188b17c760ebb7d380245d2f6e1b29efc1e5a26af6b98ad72d60f1d33bf
Instruction ID: dbda118e9fe53b06d7bdff8244658abd4768124bc87cd67792600663e0440012
Opcode Fuzzy Hash: cdcc1188b17c760ebb7d380245d2f6e1b29efc1e5a26af6b98ad72d60f1d33bf
Instruction Fuzzy Hash: 8890027224101802D104619988046860055B7D1351F61C411EA015B59ED6A588917171

Uniqueness

Uniqueness Score: -1.00%

Function 0151A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee3fef611e9d9ce11f7905101b85c1633b82a8ee593626395dd339290d8831a
Instruction ID: ba8d3ee529f644e086032ba319ab2048148638e72de864a92716a054d96ed204
Opcode Fuzzy Hash: 3ee3fef611e9d9ce11f7905101b85c1633b82a8ee593626395dd339290d8831a
Instruction Fuzzy Hash: C690027624505442D50065999804A870055B7D1355F61D811E4415A9CDC6948861B161

Uniqueness

Uniqueness Score: -1.00%

Function 01519770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef5d83eff81e28438127289e59816960f23dde6398d69a21ff87364ad44dfce
Instruction ID: 052c9b2a56948069cb09ab5bb7b0fc6028990ccbf90d6a5fd9649eed2ddffd4a
Opcode Fuzzy Hash: 3ef5d83eff81e28438127289e59816960f23dde6398d69a21ff87364ad44dfce
Instruction Fuzzy Hash: 5690026224505442D10065999408A060055B7D1255F61D411E5055A99DC6758851B171

Uniqueness

Uniqueness Score: -1.00%

Function 01519760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d7b656aa5facc10583b74e53c06273c5e07f143ad92738732405b9e5cf3a940
Instruction ID: 5dbc6a2108bf910dbacab72e7e0569ec762a0b726d393233c47ef3465f52c847
Opcode Fuzzy Hash: 2d7b656aa5facc10583b74e53c06273c5e07f143ad92738732405b9e5cf3a940
Instruction Fuzzy Hash: 0790027224101403D100619995087070055B7D1251F61D811E4415A5CDD69688517161

Uniqueness

Uniqueness Score: -1.00%

Function 0151A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d3e809b303c539fe228466bb56fe5dfce3c42b2ad72c6aa01e2e3832939542b
Instruction ID: 375d375decc97a40d032ea3fca8bcab8959b82e8763dd6c09bf734abc7294fc3
Opcode Fuzzy Hash: 7d3e809b303c539fe228466bb56fe5dfce3c42b2ad72c6aa01e2e3832939542b
Instruction Fuzzy Hash: A4900272341010529500A6D99804A4A4155B7F1351B61D415E8005A58CC59488616161

Uniqueness

Uniqueness Score: -1.00%

Function 01519730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9ce3546571002652a32dfd0a5a4851880843b26efa63a3c86bef7dbb13ce290
Instruction ID: 6264cd7303395b14ddb3ba6704815ae7a7d5c9fdd7a5adcfe4d4c29181e807e3
Opcode Fuzzy Hash: c9ce3546571002652a32dfd0a5a4851880843b26efa63a3c86bef7dbb13ce290
Instruction Fuzzy Hash: 3090026264501402D140719994187060065B7D1251F61D411E4015A58DC6998A5576E1

Uniqueness

Uniqueness Score: -1.00%

Function 01519FE0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e27ea1f874e579ad2f96ba386a053e52b690d8e735e74a621a092c14ce2ae98
Instruction ID: c31adba7ab39000a69aa5530baa20793567e3b3297392b6f60f46a8a42f1233c
Opcode Fuzzy Hash: 5e27ea1f874e579ad2f96ba386a053e52b690d8e735e74a621a092c14ce2ae98
Instruction Fuzzy Hash: 4690027235115402D1106199C4047060055B7D2251F61C811E4815A5CDC6D588917162

Uniqueness

Uniqueness Score: -1.00%

Function 01519650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f2c29c211b1b82bc256937dd9bee86210f0953ffad89ab4ee469c77449b343
Instruction ID: d36e394631e5a3a1f3f35a77f76822c30094ce01249893445daa5ea73818d606
Opcode Fuzzy Hash: e3f2c29c211b1b82bc256937dd9bee86210f0953ffad89ab4ee469c77449b343
Instruction Fuzzy Hash: A590027224505842D14071998404A460065B7D1355F61C411E4055B98DD6658D55B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 01519610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f140611eb917530042ace110bf666750e22c8ede54fa758806037cdc4f64fa82
Instruction ID: f96c3864f2ff32237ff9c56d44891eeb018a9923475a8e7e61edccabe284b694
Opcode Fuzzy Hash: f140611eb917530042ace110bf666750e22c8ede54fa758806037cdc4f64fa82
Instruction Fuzzy Hash: DA90027264501802D150719984147460055B7D1351F61C411E4015B58DC7958A5576E1

Uniqueness

Uniqueness Score: -1.00%

Function 015196D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9875a42acf28304a391c93454f7a71a1aac601a20b129020e91ec2917f615bd3
Instruction ID: f4769a5a2d3251f1eac64d4da75f141b1e140418a092f6a21749a7119c40f95c
Opcode Fuzzy Hash: 9875a42acf28304a391c93454f7a71a1aac601a20b129020e91ec2917f615bd3
Instruction Fuzzy Hash: 4A90027224101842D10061998404B460055B7E1351F61C416E4115B58DC655C8517561

Uniqueness

Uniqueness Score: -1.00%

Function 01519670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 69475cadf27ff3b54c9a0c09a3939687cb910d3e6f22070f8fa2e0bdd5b40ab5
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0156FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0156FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0151CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E01565720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E01565720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0156fdda
0x0156fde2
0x0156fde5
0x0156fdec
0x0156fdfa
0x0156fdff
0x0156fe0a
0x0156fe0f
0x0156fe17
0x0156fe1e
0x0156fe19
0x0156fe19
0x0156fe19
0x0156fe20
0x0156fe21
0x0156fe22
0x0156fe25
0x0156fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0156FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0156FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0156FE2B

Memory Dump Source

Source File: 00000001.00000002.716163299.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: f70fc36faff4db5ab8ca2340100ec664c037d29f894bf6982a54a8fc35931828
Instruction ID: bd1056a5e4b854268963cd4130b476993785db9130df086ebb106986c67264fe
Opcode Fuzzy Hash: f70fc36faff4db5ab8ca2340100ec664c037d29f894bf6982a54a8fc35931828
Instruction Fuzzy Hash: B8F0C8366406027FE6211A45DC01E237F5EEB84B70F240319F6245A5E1E9A2B82086E0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mstsc.exe PID: 6024 Parent PID: 3424 mstsc.exeCOMMON

Executed Functions

Function 00C89F20, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00C84B77,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00C84B77,007A002E,00000000,00000060,00000000,00000000), ref: 00C89F6D

Strings

.z`, xrefs: 00C89F5D, 00C89F68

Memory Dump Source

Source File: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: e21f9556eca65c9adae96b79a4ab8e89ce3e310359c9ed5d8f1cb1da969664d2
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: A3F0BDB2200208ABCB08DF88DC95EEB77ADAF8C754F158248BA0D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C89FCA, Relevance: 1.5, APIs: 1, Instructions: 37filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00C84D32,5EB6522D,FFFFFFFF,00C849F1,?,?,00C84D32,?,00C849F1,FFFFFFFF,5EB6522D,00C84D32,?,00000000), ref: 00C8A015

Memory Dump Source

Source File: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 225399049edc95cb88fd6c43675bd67bb03fd26f44da2357de43c504009cf718
Instruction ID: 3135b847fc496bc449ff12084b191c85275eddc3f5cc0665c69f081c7c4550d2
Opcode Fuzzy Hash: 225399049edc95cb88fd6c43675bd67bb03fd26f44da2357de43c504009cf718
Instruction Fuzzy Hash: DBF0E2B2200108AFDB14DF99DC91EEB77A9AF8C354F158249BA4DA7241C630E812CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C89FD0, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00C84D32,5EB6522D,FFFFFFFF,00C849F1,?,?,00C84D32,?,00C849F1,FFFFFFFF,5EB6522D,00C84D32,?,00000000), ref: 00C8A015

Memory Dump Source

Source File: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: c70f40f6a031837e4b6949a421f6232a7ad07dc1e38e4c2b4b0a8aad026eb2f2
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 40F0A4B2200208ABDB14DF89DC91EEB77ADAF8C754F158249BA1D97241D630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C8A100, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00C72D11,00002000,00003000,00000004), ref: 00C8A139

Memory Dump Source

Source File: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 0a76e653feac45b0913a6d210947b1130b7c79ccb789f1ca5fb9eaaf7689219a
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 46F015B2200208ABDB14DF89DC81EAB77ADAF88754F118149BE0897241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C8A050, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00C84D10,?,?,00C84D10,00000000,FFFFFFFF), ref: 00C8A075

Memory Dump Source

Source File: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: f6718312c17f339a3d1b9da1e1863e5f93e4ddb7ce6f3fa7059674e27a6bfd99
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: B4D01776200214ABE710EB98DC85FA77BADEF48760F15449ABA189B242C630FA0087E0

Uniqueness

Uniqueness Score: -1.00%

Function 05149540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0514954A

Memory Dump Source

Source File: 00000003.00000002.924270250.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: true

Associated: 00000003.00000002.924738741.00000000051FB000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.924756958.00000000051FF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cd6c8a820c0e58b7a5925f469e2647d2b2dabc2adb2504d81e69753fd1de3331
Instruction ID: c1f579b432149e8407b572c7c1b3d6afd879e25ea0cb1fc7cc5e750f6d35807a
Opcode Fuzzy Hash: cd6c8a820c0e58b7a5925f469e2647d2b2dabc2adb2504d81e69753fd1de3331
Instruction Fuzzy Hash: 5B900265211000470106A55917445070056D7D53A1391C425F5106550CD77589A16261

Uniqueness

Uniqueness Score: -1.00%

Function 051495D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051495DA

Memory Dump Source

Source File: 00000003.00000002.924270250.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: true

Associated: 00000003.00000002.924738741.00000000051FB000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.924756958.00000000051FF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f33c652107eeabf8b409e5056810fe79354a1f3157eaa0bdcb4966e5de2e49ea
Instruction ID: 1f94ca6fdb068b0643ab3500c87382d948b4b02b91ecdb5ca916f48dfc83872e
Opcode Fuzzy Hash: f33c652107eeabf8b409e5056810fe79354a1f3157eaa0bdcb4966e5de2e49ea
Instruction Fuzzy Hash: C19002A120200047410671595554616401AD7E0251B91C425E5105590DC67989D17265

Uniqueness

Uniqueness Score: -1.00%

Function 05149710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0514971A

Memory Dump Source

Source File: 00000003.00000002.924270250.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: true

Associated: 00000003.00000002.924738741.00000000051FB000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.924756958.00000000051FF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d78ca768daa82058e6a7e6e8332f2641ed1e2ca4ded6b1cee1336b82647b3478
Instruction ID: 6bddfe6b07cea1ace7f8c7db4f107d1854962bb7bf786c30d546a4f545c0831f
Opcode Fuzzy Hash: d78ca768daa82058e6a7e6e8332f2641ed1e2ca4ded6b1cee1336b82647b3478
Instruction Fuzzy Hash: 4A90027120100447D101659965486460015D7E0351F91D415A9115555EC7B989D17271

Uniqueness

Uniqueness Score: -1.00%

Function 05149780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0514978A

Memory Dump Source

Source File: 00000003.00000002.924270250.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: true

Associated: 00000003.00000002.924738741.00000000051FB000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.924756958.00000000051FF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f76c5b0da0016c002713ce080e6e6b822d2fec4c0d2f137ac1dc03a9e5f24ba3
Instruction ID: 309782421030b60c666f65b11d6dc56ec52d39fa429f97b134dd859154752155
Opcode Fuzzy Hash: f76c5b0da0016c002713ce080e6e6b822d2fec4c0d2f137ac1dc03a9e5f24ba3
Instruction Fuzzy Hash: F290026921300047D1817159654860A0015D7D1252FD1D819A4106558CCA6989A96361

Uniqueness

Uniqueness Score: -1.00%

Function 05149FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05149FEA

Memory Dump Source

Source File: 00000003.00000002.924270250.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: true

Associated: 00000003.00000002.924738741.00000000051FB000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.924756958.00000000051FF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3519980f4df3d647f82bb64d711573300ab5c3474aafe2de5e34c4c094c18d27
Instruction ID: 00c720f5e284b83826c72d9e32ab4c5ac9e934c00f9cc67ec35fb7b68b94aabd
Opcode Fuzzy Hash: 3519980f4df3d647f82bb64d711573300ab5c3474aafe2de5e34c4c094c18d27
Instruction Fuzzy Hash: F890027131114447D111615995447060015D7D1251F91C815A4915558D87E989D17262

Uniqueness

Uniqueness Score: -1.00%

Function 05149650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0514965A

Memory Dump Source

Source File: 00000003.00000002.924270250.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: true

Associated: 00000003.00000002.924738741.00000000051FB000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.924756958.00000000051FF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 67249e7969a4027c2f9baf0da3839540766a136c07d74f010d78badd30164152
Instruction ID: cf2008197346dbef764e2e80783ec69142e62f9d4a08d1a12bac6eb80275b6cc
Opcode Fuzzy Hash: 67249e7969a4027c2f9baf0da3839540766a136c07d74f010d78badd30164152
Instruction Fuzzy Hash: 9690027120504887D14171595544A460025D7D0355F91C415A4155694D97798E95B7A1

Uniqueness

Uniqueness Score: -1.00%

Function 05149660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0514966A

Memory Dump Source

Source File: 00000003.00000002.924270250.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: true

Associated: 00000003.00000002.924738741.00000000051FB000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.924756958.00000000051FF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d9e195072f06a8b11be5832781320a8f37a8d2f8e06e8229f91b4cfa0e7069c9
Instruction ID: c6984985057a62df5129c69c7f9e3b883978502aa424fb1d0cdbba12c9844b3e
Opcode Fuzzy Hash: d9e195072f06a8b11be5832781320a8f37a8d2f8e06e8229f91b4cfa0e7069c9
Instruction Fuzzy Hash: CD90027120100847D1817159554464A0015D7D1351FD1C419A4116654DCB698B9977E1

Uniqueness

Uniqueness Score: -1.00%

Function 051496D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051496DA

Memory Dump Source

Source File: 00000003.00000002.924270250.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: true

Associated: 00000003.00000002.924738741.00000000051FB000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.924756958.00000000051FF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1614c07f8a0138c3d82cfb1698fc001034b58ff68df6f4c1ee4cfc1932d78532
Instruction ID: d779a47e9c3ed73ff35e31c258e306410653ca502cab6361d4fa4d5bd0e2bd72
Opcode Fuzzy Hash: 1614c07f8a0138c3d82cfb1698fc001034b58ff68df6f4c1ee4cfc1932d78532
Instruction Fuzzy Hash: 2290027120100887D10161595544B460015D7E0351F91C41AA4215654D8769C9917661

Uniqueness

Uniqueness Score: -1.00%

Function 051496E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051496EA

Memory Dump Source

Source File: 00000003.00000002.924270250.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: true

Associated: 00000003.00000002.924738741.00000000051FB000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.924756958.00000000051FF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9b3609961d3d892618b836993e6d1a0c8fbfad87661d453297903e00f90da7ac
Instruction ID: 14eff53b321a553faa2f78af1dd23c512ed35f6826c5241596e00b352584e796
Opcode Fuzzy Hash: 9b3609961d3d892618b836993e6d1a0c8fbfad87661d453297903e00f90da7ac
Instruction Fuzzy Hash: D390027120108847D1116159954474A0015D7D0351F95C815A8515658D87E989D17261

Uniqueness

Uniqueness Score: -1.00%

Function 05149910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0514991A

Memory Dump Source

Source File: 00000003.00000002.924270250.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: true

Associated: 00000003.00000002.924738741.00000000051FB000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.924756958.00000000051FF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7484576bf5ace190381f8b6ed4dd7f04bec11f7cf460f4cd8a5eb8896a316a95
Instruction ID: eed173e79350b1918819fdb8882de17c15393fa6cd4bcfcb87d02df5a74437dc
Opcode Fuzzy Hash: 7484576bf5ace190381f8b6ed4dd7f04bec11f7cf460f4cd8a5eb8896a316a95
Instruction Fuzzy Hash: 179002B120100447D141715955447460015D7D0351F91C415A9155554E87AD8ED577A5

Uniqueness

Uniqueness Score: -1.00%

Function 051499A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051499AA

Memory Dump Source

Source File: 00000003.00000002.924270250.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: true

Associated: 00000003.00000002.924738741.00000000051FB000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.924756958.00000000051FF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bb676b6e62942599ec0cfdbd80a4f5d99cfb0cc2996bb31b399b28c3fbe6af5f
Instruction ID: 5bb40721f5b639faeea674fdbb182d9588aa8a485f9c96b529ae7705ff63a42e
Opcode Fuzzy Hash: bb676b6e62942599ec0cfdbd80a4f5d99cfb0cc2996bb31b399b28c3fbe6af5f
Instruction Fuzzy Hash: A69002A134100487D10161595554B060015D7E1351F91C419E5155554D876DCD927266

Uniqueness

Uniqueness Score: -1.00%

Function 05149840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0514984A

Memory Dump Source

Source File: 00000003.00000002.924270250.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: true

Associated: 00000003.00000002.924738741.00000000051FB000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.924756958.00000000051FF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d6376d83e1ccb628ecfb3b0970c96ca93d1d951de3a6d23d2d617efe2467694d
Instruction ID: 9a109e09e30e86797eb4fb708b4a5a2bc56e45102ddf76b5ab808918d78e7fab
Opcode Fuzzy Hash: d6376d83e1ccb628ecfb3b0970c96ca93d1d951de3a6d23d2d617efe2467694d
Instruction Fuzzy Hash: C4900261242041975546B15955445074016E7E02917D1C416A5505950C867A9996E761

Uniqueness

Uniqueness Score: -1.00%

Function 05149860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0514986A

Memory Dump Source

Source File: 00000003.00000002.924270250.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: true

Associated: 00000003.00000002.924738741.00000000051FB000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.924756958.00000000051FF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a21310403c3907967aec583e10955e0398b76df231487d8371aa55ace88587f9
Instruction ID: d3c1e2d9f6191fd994f7654f151c30f04274e97f03393b97dabed9343f0223f8
Opcode Fuzzy Hash: a21310403c3907967aec583e10955e0398b76df231487d8371aa55ace88587f9
Instruction Fuzzy Hash: 3D90027120100457D112615956447070019D7D0291FD1C816A4515558D97AA8A92B261

Uniqueness

Uniqueness Score: -1.00%

Function 05149A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05149A5A

Memory Dump Source

Source File: 00000003.00000002.924270250.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: true

Associated: 00000003.00000002.924738741.00000000051FB000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.924756958.00000000051FF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4f434ba95cabfe7b2ece7bbb32429fadee96cc6eb1a38507b704e818346a52e1
Instruction ID: ee91f8fe6e52c6c94992188c08d4605d3280420d0c3f2d6927872273142469ea
Opcode Fuzzy Hash: 4f434ba95cabfe7b2ece7bbb32429fadee96cc6eb1a38507b704e818346a52e1
Instruction Fuzzy Hash: DB90026121180087D20165695D54B070015D7D0353F91C519A4245554CCA6989A16661

Uniqueness

Uniqueness Score: -1.00%

Function 00C88C37, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 99sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00C88CE8

Strings

wininet.dll, xrefs: 00C88C9E, 00C88CA7
POST, xrefs: 00C88C1B, 00C88C1E, 00C88C1F, 00C88C26
net.dll, xrefs: 00C88CB1, 00C88D0F, 00C88D1B

Memory Dump Source

Source File: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: POST$net.dll$wininet.dll
API String ID: 3472027048-3140911592
Opcode ID: 19e5cafbde50d5a2acba6adab32134b42f8fdcd586890e73a9645e83942fa644
Instruction ID: 8026ad2ec7e97c9940741ba2ab89a4d2a8f886823837743d9f3d444f10364808
Opcode Fuzzy Hash: 19e5cafbde50d5a2acba6adab32134b42f8fdcd586890e73a9645e83942fa644
Instruction Fuzzy Hash: 5F313672500204BBC710FF64D8C1BABB7B8FF44308F00801EF6295B281DB75AA54CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00C88C40, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00C88CE8

Strings

wininet.dll, xrefs: 00C88C9E, 00C88CA7
net.dll, xrefs: 00C88CB1, 00C88D37, 00C88D0F, 00C88D1B, 00C88D43

Memory Dump Source

Source File: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: aea9cdf5c3cf684a5ed27cac189b3b7cf8a620f04be7c82bb44ac3457b940c6d
Instruction ID: 80396a80ae22c20b9e1bf141a202a22019deabc6b3a7138b320b358ee8d94e2f
Opcode Fuzzy Hash: aea9cdf5c3cf684a5ed27cac189b3b7cf8a620f04be7c82bb44ac3457b940c6d
Instruction Fuzzy Hash: B73192B2500645BBC724EF65C885FA7B7B8BB48705F10841EF6295B281DA31BA54CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00C8A1B6, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00C73AF8), ref: 00C8A25D

Strings

.z`, xrefs: 00C8A24C, 00C8A258

Memory Dump Source

Source File: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 6e06663a159574a26d939a7b98760d57520f624b921cfca2be9b09d2eaccb7d3
Instruction ID: 835d9f254991392190d55af3c6a5563f08a40f5f3328662dda09153e15f57544
Opcode Fuzzy Hash: 6e06663a159574a26d939a7b98760d57520f624b921cfca2be9b09d2eaccb7d3
Instruction Fuzzy Hash: 30017CB62002146BDB18EF98DC85EEB77ADEF84760F00845AFA185B241C630EA00CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00C8A230, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00C73AF8), ref: 00C8A25D

Strings

.z`, xrefs: 00C8A24C, 00C8A258

Memory Dump Source

Source File: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: e87f355037f251856554e86dcf2ad5f54a1a68c40b1fec93ab3b5bda626da095
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: E7E046B1200208ABDB18EF99DC49EA777ADEF88750F018559FE085B242C630F910CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 00C8A234, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00C73AF8), ref: 00C8A25D

Strings

.z`, xrefs: 00C8A24C, 00C8A258

Memory Dump Source

Source File: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 6a59504d4e3b580197e0f7cceaea976dee2c66138c05c7347ccb5f4163336edb
Instruction ID: 2bb05481c8ece362ef546f23513681b4ecc21524d6a05e189880e11f566daf96
Opcode Fuzzy Hash: 6a59504d4e3b580197e0f7cceaea976dee2c66138c05c7347ccb5f4163336edb
Instruction Fuzzy Hash: F1D02BB81042845BEB10FF69E8C08AB37D5BF803147108A4BFC5C47303C230D8198BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00C8A335, Relevance: 3.1, APIs: 2, Instructions: 61processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00C8A2F4
LookupPrivilegeValueW.ADVAPI32(00000000,?,00C7F192,00C7F192,?,00000000,?,?), ref: 00C8A3C0

Memory Dump Source

Source File: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalLookupPrivilegeProcessValue
String ID:
API String ID: 65721159-0
Opcode ID: bf5667f67d52ab203080a25ff37d22c3e0e9d79f7a60f16617ad5373304358df
Instruction ID: 456fad35af6fb9005211f3ad96a9ef343efc2996ee9d7c8d84d362219b6c00e3
Opcode Fuzzy Hash: bf5667f67d52ab203080a25ff37d22c3e0e9d79f7a60f16617ad5373304358df
Instruction Fuzzy Hash: 58115EB52002086BDB14EF98EC41EEB73ADEF88754F11855AFE0D97241C634E9108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00C782E8, Relevance: 3.1, APIs: 2, Instructions: 57threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00C7834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00C7836B

Memory Dump Source

Source File: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 3a7bb1324e8715b290bb8a69c47e07ffdb209dc7120a3213a94d8a3c3a2ebc31
Instruction ID: 9660ddcf22306c2bbc7da7a0671ed344e90913cb7e7cba915392ca45665577b5
Opcode Fuzzy Hash: 3a7bb1324e8715b290bb8a69c47e07ffdb209dc7120a3213a94d8a3c3a2ebc31
Instruction Fuzzy Hash: 34014032A802247BE721B6949C43FFE776C6F41B10F154009FB08BA1C1E7A56A0547F5

Uniqueness

Uniqueness Score: -1.00%

Function 00C782F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00C7834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00C7836B

Memory Dump Source

Source File: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: b787dc7f361a6b9a1be5d41666a0fcb395fc8200de606aeb91bc506f2692f0be
Instruction ID: e34902721feb1985ab259982b9144db84720867f556773bde9cfe591bf63eff7
Opcode Fuzzy Hash: b787dc7f361a6b9a1be5d41666a0fcb395fc8200de606aeb91bc506f2692f0be
Instruction Fuzzy Hash: F401F731A802287BE720B6989C43FFE772C6B40F50F044118FF08BA1C1E6A56A0553F6

Uniqueness

Uniqueness Score: -1.00%

Function 00C78373, Relevance: 3.0, APIs: 2, Instructions: 46threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00C7834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00C7836B

Memory Dump Source

Source File: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 3496425fb3d62959e62b5891b56c0ecc2ff8f45c61a5817011e9ef35c47b10d5
Instruction ID: 8d2fbc59f16f80758c982256acd25b290a743be86d025982d2033b60ad8f3b7d
Opcode Fuzzy Hash: 3496425fb3d62959e62b5891b56c0ecc2ff8f45c61a5817011e9ef35c47b10d5
Instruction Fuzzy Hash: D8F04631A806283AEB1076588C02FBE72186B80F21F058219FF08BA1C2E9E5690913E5

Uniqueness

Uniqueness Score: -1.00%

Function 00C782B3, Relevance: 3.0, APIs: 2, Instructions: 41threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00C7834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00C7836B

Memory Dump Source

Source File: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: fb520fc88bc7d4ec1aa8feb3a1cc725a61589ff355fdc39e2db721367e153b52
Instruction ID: 8a55fc004edfb190beaa197c323421ce15cb1dae702abeba897e26cb5a1747b9
Opcode Fuzzy Hash: fb520fc88bc7d4ec1aa8feb3a1cc725a61589ff355fdc39e2db721367e153b52
Instruction Fuzzy Hash: 4EF0A731BC06243AE72165985C47FBE621C6B80F61F158119FF08FA1C5EAD5291A16F5

Uniqueness

Uniqueness Score: -1.00%

Function 00C8A2A0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00C8A2F4

Memory Dump Source

Source File: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: bd64d7ad36b27efc654902e4d1cb1aad586c77db639b28109fcc033856c9b279
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: A601AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C8A29E, Relevance: 1.5, APIs: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00C8A2F4

Memory Dump Source

Source File: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 0a5e4659c1c7dea58745958aad34a6bf333a2b57697f7689caea92844f800d10
Instruction ID: 763440ae4342e7631b93341652743e3ea9dae814350be16898299343194a0a0c
Opcode Fuzzy Hash: 0a5e4659c1c7dea58745958aad34a6bf333a2b57697f7689caea92844f800d10
Instruction Fuzzy Hash: D101F2B2204148ABCB44DF98DC80DEB7BA9AF8C314F15825CFA5997201C630E841CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C88D70, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00C7F010,?,?,00000000), ref: 00C88DAC

Memory Dump Source

Source File: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 0492dd52497a697f2125d76e48c7ee170aee05726da811e9b98eccb8e968774a
Instruction ID: 9301b8f4dd961d3d215fbb7ca0dc592171cb1f8407eb3a8fc0da195242075b20
Opcode Fuzzy Hash: 0492dd52497a697f2125d76e48c7ee170aee05726da811e9b98eccb8e968774a
Instruction Fuzzy Hash: 0AE06D733803043AE3207599AC03FA7B29C9B91B25F550026FA4DEB6C1D995F80142A8

Uniqueness

Uniqueness Score: -1.00%

Function 00C8A381, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,00C7F192,00C7F192,?,00000000,?,?), ref: 00C8A3C0

Memory Dump Source

Source File: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6a70caa816748f34c8a883363f56eee37c47f43847ac3f6b63186bcd1e073914
Instruction ID: ac23191dac920173f2e3c6188a47047fb2a58de58331f22e2c43c975ddd7a1e3
Opcode Fuzzy Hash: 6a70caa816748f34c8a883363f56eee37c47f43847ac3f6b63186bcd1e073914
Instruction Fuzzy Hash: A5E06DB1200218BBDA10EF99DC80EEB37A99F84710F108566FA086B741CA34E850CBF5

Uniqueness

Uniqueness Score: -1.00%

Function 00C8A1F0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00C844F6,?,00C84C6F,00C84C6F,?,00C844F6,?,?,?,?,?,00000000,00000000,?), ref: 00C8A21D

Memory Dump Source

Source File: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 4b556ed5d9ee077838ad33c31ddf9201ac28abccff04404239f80e095cb9459d
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: F8E046B1200208ABDB14EF99DC41EA777ADEF88754F118559FE085B242C630F910CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 00C8A390, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,00C7F192,00C7F192,?,00000000,?,?), ref: 00C8A3C0

Memory Dump Source

Source File: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 9d8710ece2baddbcc52f617f5dc369516176ee25c3081f46c41231fbeeaaee04
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 1DE01AB12002086BDB10EF49DC85EE737ADAF88650F018155BA0857241CA34E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00C8A264, Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00C844F6,?,00C84C6F,00C84C6F,?,00C844F6,?,?,?,?,?,00000000,00000000,?), ref: 00C8A21D

Memory Dump Source

Source File: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: da5d9a1859da918cda5ff183b287d6725098659595e67a65e4b3d82815f626b6
Instruction ID: 49ebf55611430f7cf229367da47c637446f4bd017948236b7ed896b63b80793c
Opcode Fuzzy Hash: da5d9a1859da918cda5ff183b287d6725098659595e67a65e4b3d82815f626b6
Instruction Fuzzy Hash: 49D012F52042449FE710EF65E8918EB7755AF88318730854AF85943702D735D92A9BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00C8A405, Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,00C7F192,00C7F192,?,00000000,?,?), ref: 00C8A3C0

Memory Dump Source

Source File: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: d5f349ad2854dc30ac00c8f406a5ff6da6b15d06e944a748c7788ffefff8511d
Instruction ID: cdf410982dd8e9e37ed6958f622ee48ee8b56223baea24a37d267df7e9bd3e2b
Opcode Fuzzy Hash: d5f349ad2854dc30ac00c8f406a5ff6da6b15d06e944a748c7788ffefff8511d
Instruction Fuzzy Hash: E8E0C2B4104281EBC700EF38EC90CFBBB29DF852143108057F80983202C330E920CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00C7F690, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00C78CF4,?), ref: 00C7F6BB

Memory Dump Source

Source File: 00000003.00000002.922790825.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 7ea49bcfd7eb89cfce1dd1d38e7dcc5e35a49d50de701d0c82c68256bf4518e3
Instruction ID: 2eb766fd434f39b7ed78e01015e819c79b18624ba03b8c0b0ec886fed20ca778
Opcode Fuzzy Hash: 7ea49bcfd7eb89cfce1dd1d38e7dcc5e35a49d50de701d0c82c68256bf4518e3
Instruction Fuzzy Hash: E0D0A7727903043BE610FAA4DC03F2672CC6B44B04F494074FA4CDB3C3E950E5014165

Uniqueness

Uniqueness Score: -1.00%

Function 0514967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05149694

Memory Dump Source

Source File: 00000003.00000002.924270250.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: true

Associated: 00000003.00000002.924738741.00000000051FB000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.924756958.00000000051FF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cce6caa33175c0ae00b5580a94d5c8cb97da8e00cb1e6d31086c350800e71ae1
Instruction ID: 74609b7190cd667236687018b0c4a7c9d43833c886ec592985590afd86a4a971
Opcode Fuzzy Hash: cce6caa33175c0ae00b5580a94d5c8cb97da8e00cb1e6d31086c350800e71ae1
Instruction Fuzzy Hash: 81B09BB19424C5CAD711D7605708B277911B7D0751F56C455D1120641A477CC1D1F6B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0519FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0519FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0514CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E05195720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E05195720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0519fdda
0x0519fde2
0x0519fde5
0x0519fdec
0x0519fdfa
0x0519fdff
0x0519fe0a
0x0519fe0f
0x0519fe17
0x0519fe1e
0x0519fe19
0x0519fe19
0x0519fe19
0x0519fe20
0x0519fe21
0x0519fe22
0x0519fe25
0x0519fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0519FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0519FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0519FE01

Memory Dump Source

Source File: 00000003.00000002.924270250.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: true

Associated: 00000003.00000002.924738741.00000000051FB000.00000040.00000001.sdmp Download File
Associated: 00000003.00000002.924756958.00000000051FF000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 30c5ab16c0ffe4cb40e55f4091800bb6f3909bff7c48dd3d3650bfdfcfaa6e78
Instruction ID: bdde2abbcbb7d4929abf22018c194db192ad29f79d1eaca987ea0921d6452ed4
Opcode Fuzzy Hash: 30c5ab16c0ffe4cb40e55f4091800bb6f3909bff7c48dd3d3650bfdfcfaa6e78
Instruction Fuzzy Hash: CCF0F676240201BFDA291A45DC06F63BF5BEB44770F164314F6289A5D1DB62FD6097F0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PO98765.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

User Modules